def test_for_enum_has_value_functionality():
# Test if the has_value function works as intended
assert StixCyberObservableTypes.has_value("url") is True
assert StixCyberObservableTypes.has_value("LRU") is False
assert LocationTypes.has_value("CITY") is True
assert LocationTypes.has_value("YTIC") is False
assert IdentityTypes.has_value("SECTOR") is True
assert IdentityTypes.has_value("RECTOS") is False
assert ContainerTypes.has_value("Note") is True
assert ContainerTypes.has_value("ETON") is False
def searchAndAddEntity(opencti_api_client, response, stix_entity, output=None):
types = [
STIX2toOpenCTItype(stix_entity["type"])
if "type" in stix_entity else None
]
stix_id = stix_entity["id"] if "id" in stix_entity else None
stix_name = stix_entity["name"] if "name" in stix_entity else None
stix_type = stix_entity["type"] if "type" in stix_entity else None
opencti_entity = None
maltego_entity = None
# Enrich API answer with more attributes
custom_attributes = re.sub(
r"\.\.\. on Basic(Object|Relationship) {\n(\s+)id\n(\s+)}",
r"... on Basic\g<1> {\n\g<2>id\n\g<2>standard_id\n\g<2>entity_type\n\g<2>parent_types\n\g<3>}",
opencti_api_client.stix_domain_object.properties,
)
if (not output or STIX2toOpenCTItype(output) == stix_type
or (output == "identity" and IdentityTypes.has_value(stix_type))):
# Search for entity in OpenCTI based on STIX id or (type, name)
opencti_entity = opencti_api_client.stix_domain_object.get_by_stix_id_or_name(
types=types,
stix_id=stix_id,
name=stix_name,
customAttributes=custom_attributes,
)
if opencti_entity:
maltego_entity = addStixEntity(opencti_api_client, response,
opencti_entity)
else:
# Search for entity in OpenCTI based on STIX id
opencti_entity = opencti_api_client.stix_domain_object.get_by_stix_id_or_name(
stix_id=stix_id,
customAttributes=custom_attributes,
)
# Then filter on type
if opencti_entity and opencti_entity[
"entity_type"] == STIX2toOpenCTItype(output):
maltego_entity = addStixEntity(opencti_api_client, response,
opencti_entity)
return {"opencti_entity": opencti_entity, "maltego_entity": maltego_entity}
def _process_message(self, data):
entity_id = data['entity_id']
entity_type = data['entity_type']
file_name = data['file_name']
file_context = data['file_context']
export_type = data['export_type']
list_args = data['list_args']
max_marking_definition = data['max_marking_definition']
if entity_id is not None:
self.helper.log_info('Exporting: ' + entity_type + '/' +
export_type + '(' + entity_id + ') to ' +
file_name)
entity_data = self.helper.api.stix_domain_entity.read(id=entity_id)
entities_list = [entity_data]
if 'objectRefsIds' in entity_data:
for id in entity_data['objectRefsIds']:
entity = self.helper.api.stix_domain_entity.read(id=id)
entities_list.append(entity)
csv_data = self.export_dict_list_to_csv(entities_list)
self.helper.log_info('Uploading: ' + entity_type + '/' +
export_type + '(' + entity_id + ') to ' +
file_name)
self.helper.api.stix_domain_entity.push_entity_export(
entity_id, file_name, csv_data)
self.helper.log_info('Export done: ' + entity_type + '/' +
export_type + '(' + entity_id + ') to ' +
file_name)
else:
self.helper.log_info('Exporting list: ' + entity_type + '/' +
export_type + ' to ' + file_name)
max_marking_definition_entity = self.helper.api.marking_definition.read(
id=max_marking_definition
) if max_marking_definition is not None else None
if IdentityTypes.has_value(entity_type):
if list_args['filters'] is not None:
list_args['filters'].append({
'key': 'entity_type',
'values': [entity_type]
})
else:
list_args['filters'] = [{
'key': 'entity_type',
'values': [entity_type]
}]
entity_type = 'identity'
# List
lister = {
'identity': self.helper.api.identity.list,
'threat-actor': self.helper.api.threat_actor.list,
'intrusion-set': self.helper.api.intrusion_set.list,
'campaign': self.helper.api.campaign.list,
'incident': self.helper.api.incident.list,
'malware': self.helper.api.malware.list,
'tool': self.helper.api.tool.list,
'vulnerability': self.helper.api.vulnerability.list,
'attack-pattern': self.helper.api.attack_pattern.list,
'course-of-action': self.helper.api.course_of_action.list,
'report': self.helper.api.report.list,
'indicator': self.helper.api.indicator.list
}
do_list = lister.get(
entity_type.lower(), lambda **kwargs: self.helper.
log_error('Unknown object type "' + entity_type +
'", doing nothing...'))
entities_list = do_list(search=list_args['search'],
filters=list_args['filters'],
orderBy=list_args['orderBy'],
orderMode=list_args['orderMode'],
getAll=True)
csv_data = self.export_dict_list_to_csv(entities_list)
self.helper.log_info('Uploading: ' + entity_type + '/' +
export_type + ' to ' + file_name)
self.helper.api.stix_domain_entity.push_list_export(
entity_type, file_name, csv_data, file_context,
json.dumps(list_args))
self.helper.log_info('Export done: ' + entity_type + '/' +
export_type + ' to ' + file_name)
return ['Export done']
def _process_message(self, data):
entity_id = data["entity_id"]
entity_type = data["entity_type"]
file_name = data["file_name"]
file_context = data["file_context"]
export_type = data["export_type"]
list_args = data["list_args"]
if entity_id is not None:
self.helper.log_info("Exporting: " + entity_type + "/" +
export_type + "(" + entity_id + ") to " +
file_name)
entity_data = self.helper.api.stix_domain_entity.read(id=entity_id)
entities_list = [entity_data]
if "objectRefsIds" in entity_data:
for id in entity_data["objectRefsIds"]:
entity = self.helper.api.stix_domain_entity.read(id=id)
entities_list.append(entity)
csv_data = self.export_dict_list_to_csv(entities_list)
self.helper.log_info("Uploading: " + entity_type + "/" +
export_type + "(" + entity_id + ") to " +
file_name)
self.helper.api.stix_domain_entity.push_entity_export(
entity_id, file_name, csv_data)
self.helper.log_info("Export done: " + entity_type + "/" +
export_type + "(" + entity_id + ") to " +
file_name)
else:
self.helper.log_info("Exporting list: " + entity_type + "/" +
export_type + " to " + file_name)
if IdentityTypes.has_value(entity_type):
if list_args["filters"] is not None:
list_args["filters"].append({
"key": "entity_type",
"values": [entity_type]
})
else:
list_args["filters"] = [{
"key": "entity_type",
"values": [entity_type]
}]
entity_type = "identity"
# List
lister = {
"identity": self.helper.api.identity.list,
"threat-actor": self.helper.api.threat_actor.list,
"intrusion-set": self.helper.api.intrusion_set.list,
"campaign": self.helper.api.campaign.list,
"incident": self.helper.api.incident.list,
"malware": self.helper.api.malware.list,
"tool": self.helper.api.tool.list,
"vulnerability": self.helper.api.vulnerability.list,
"attack-pattern": self.helper.api.attack_pattern.list,
"course-of-action": self.helper.api.course_of_action.list,
"report": self.helper.api.report.list,
"indicator": self.helper.api.indicator.list,
}
do_list = lister.get(
entity_type.lower(),
lambda **kwargs: self.helper.
log_error('Unknown object type "' + entity_type +
'", doing nothing...'),
)
entities_list = do_list(
search=list_args["search"],
filters=list_args["filters"],
orderBy=list_args["orderBy"],
orderMode=list_args["orderMode"],
getAll=True,
)
csv_data = self.export_dict_list_to_csv(entities_list)
self.helper.log_info("Uploading: " + entity_type + "/" +
export_type + " to " + file_name)
self.helper.api.stix_domain_entity.push_list_export(
entity_type, file_name, csv_data, file_context,
json.dumps(list_args))
self.helper.log_info("Export done: " + entity_type + "/" +
export_type + " to " + file_name)
return ["Export done"]
def _process_message(self, data):
file_name = data["file_name"]
export_scope = data["export_scope"] # single or list
export_type = data["export_type"] # Simple or Full
# max_marking = data["max_marking"] # TODO Implement marking restriction
entity_type = data["entity_type"]
if export_scope == "single":
entity_id = data["entity_id"]
self.helper.log_info("Exporting: " + entity_type + "/" +
export_type + "(" + entity_id + ") to " +
file_name)
entity_data = self.helper.api.stix_domain_object.read(id=entity_id)
entities_list = []
if "objectsIds" in entity_data:
for id in entity_data["objectsIds"]:
entity = self.helper.api.stix_domain_object.read(id=id)
if entity is None:
entity = self.helper.api.stix_cyber_observable.read(
id=id)
if entity is not None:
del entity["objectLabelIds"]
entities_list.append(entity)
del entity_data["objectLabelIds"]
del entity_data["objectsIds"]
entities_list.append(entity_data)
csv_data = self.export_dict_list_to_csv(entities_list)
self.helper.log_info("Uploading: " + entity_type + "/" +
export_type + "(" + entity_id + ") to " +
file_name)
self.helper.api.stix_domain_object.push_entity_export(
entity_id, file_name, csv_data)
self.helper.log_info("Export done: " + entity_type + "/" +
export_type + "(" + entity_id + ") to " +
file_name)
else:
list_params = data["list_params"]
self.helper.log_info("Exporting list: " + entity_type + "/" +
export_type + " to " + file_name)
final_entity_type = entity_type
if IdentityTypes.has_value(entity_type):
if list_params["filters"] is not None:
list_params["filters"].append({
"key": "entity_type",
"values": [entity_type]
})
else:
list_params["filters"] = [{
"key": "entity_type",
"values": [entity_type]
}]
final_entity_type = "Identity"
if LocationTypes.has_value(entity_type):
if list_params["filters"] is not None:
list_params["filters"].append({
"key": "entity_type",
"values": [entity_type]
})
else:
list_params["filters"] = [{
"key": "entity_type",
"values": [entity_type]
}]
final_entity_type = "Location"
if StixCyberObservableTypes.has_value(entity_type):
if list_params["filters"] is not None:
list_params["filters"].append({
"key": "entity_type",
"values": [entity_type]
})
else:
list_params["filters"] = [{
"key": "entity_type",
"values": [entity_type]
}]
final_entity_type = "Stix-Cyber-Observable"
# List
lister = {
"Attack-Pattern":
self.helper.api.attack_pattern.list,
"Campaign":
self.helper.api.campaign.list,
"Note":
self.helper.api.note.list,
"Observed-Data":
self.helper.api.observed_data.list,
"Opinion":
self.helper.api.opinion.list,
"Report":
self.helper.api.report.list,
"Course-Of-Action":
self.helper.api.course_of_action.list,
"Identity":
self.helper.api.identity.list,
"Indicator":
self.helper.api.indicator.list,
"Infrastructure":
self.helper.api.infrastructure.list,
"Intrusion-Set":
self.helper.api.intrusion_set.list,
"Location":
self.helper.api.location.list,
"Malware":
self.helper.api.malware.list,
"Threat-Actor":
self.helper.api.threat_actor.list,
"Tool":
self.helper.api.tool.list,
"Vulnerability":
self.helper.api.vulnerability.list,
"X-OpenCTI-Incident":
self.helper.api.x_opencti_incident.list,
"Stix-Cyber-Observable":
self.helper.api.stix_cyber_observable.list,
}
do_list = lister.get(
final_entity_type,
lambda **kwargs: self.helper.
log_error('Unknown object type "' + final_entity_type +
'", doing nothing...'),
)
entities_list = do_list(
search=list_params["search"],
filters=list_params["filters"],
orderBy=list_params["orderBy"],
orderMode=list_params["orderMode"],
types=list_params["types"] if "types" in list_params else None,
getAll=True,
)
csv_data = self.export_dict_list_to_csv(entities_list)
self.helper.log_info("Uploading: " + entity_type + "/" +
export_type + " to " + file_name)
if entity_type != "Stix-Cyber-Observable":
self.helper.api.stix_domain_object.push_list_export(
entity_type, file_name, csv_data, json.dumps(list_params))
else:
self.helper.api.stix_cyber_observable.push_list_export(
file_name, csv_data, json.dumps(list_params))
self.helper.log_info("Export done: " + entity_type + "/" +
export_type + " to " + file_name)
return "Export done"