def test_crate_bundle():
stix_splitter = OpenCTIStix2Splitter()
report = Report(
report_types=["campaign"],
name="Bad Cybercrime",
published="2016-04-06T20:03:00.000Z",
object_refs=["indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"],
).serialize()
observables = [report]
bundle = stix_splitter.stix2_create_bundle(observables,
use_json=False,
event_version=None)
for key in ["type", "id", "spec_version", "objects"]:
assert key in bundle
assert len(bundle.keys()) == 4
bundle = stix_splitter.stix2_create_bundle(observables,
use_json=False,
event_version=1)
for key in [
"type", "id", "spec_version", "objects", "x_opencti_event_version"
]:
assert key in bundle
assert len(bundle.keys()) == 5
def test_split_bundle():
stix_splitter = OpenCTIStix2Splitter()
with open("./tests/data/enterprise-attack.json") as file:
content = file.read()
bundles = stix_splitter.split_bundle(content)
assert len(bundles) == 7028
def test_split_bundle():
stix_splitter = OpenCTIStix2Splitter()
with open("./tests/data/enterprise-attack.json") as file:
content = file.read()
bundles = stix_splitter.split_bundle(content)
assert len(bundles) == 7028
with open("./tests/data/enterprise-attack-orphan.json") as file_orphan:
content_orphan = file_orphan.read()
# With orphan removal
stix_no_orphan_splitter = OpenCTIStix2Splitter(remove_orphan=False)
bundles_orphan = stix_no_orphan_splitter.split_bundle(content_orphan)
assert len(bundles_orphan) == 7029
# With orphan removal
stix_no_orphan_splitter = OpenCTIStix2Splitter(remove_orphan=True)
bundles_orphan = stix_no_orphan_splitter.split_bundle(content_orphan)
assert len(bundles_orphan) == 7021
def send_stix2_bundle(self, bundle, **kwargs) -> list:
"""send a stix2 bundle to the API
:param work_id: a valid work id
:param bundle: valid stix2 bundle
:type bundle:
:param entities_types: list of entities, defaults to None
:type entities_types: list, optional
:param update: whether to updated data in the database, defaults to False
:type update: bool, optional
:param split: whether to split the stix bundle before processing, defaults to True
:type split: bool, optional
:raises ValueError: if the bundle is empty
:return: list of bundles
:rtype: list
"""
work_id = kwargs.get("work_id", self.work_id)
entities_types = kwargs.get("entities_types", None)
update = kwargs.get("update", False)
split = kwargs.get("split", True)
if entities_types is None:
entities_types = []
if split:
stix2_splitter = OpenCTIStix2Splitter()
bundles = stix2_splitter.split_bundle(bundle)
if len(bundles) == 0:
raise ValueError("Nothing to import")
if work_id is not None:
self.api.work.add_expectations(work_id, len(bundles))
pika_connection = pika.BlockingConnection(
pika.URLParameters(self.config["uri"])
)
channel = pika_connection.channel()
for sequence, bundle in enumerate(bundles, start=1):
self._send_bundle(
channel,
bundle,
work_id=work_id,
entities_types=entities_types,
sequence=sequence,
update=update,
)
channel.close()
return bundles
else:
pika_connection = pika.BlockingConnection(
pika.URLParameters(self.config["uri"])
)
channel = pika_connection.channel()
self._send_bundle(
channel, bundle, entities_types=entities_types, update=update
)
channel.close()
return [bundle]
def send_stix2_bundle(self, bundle, **kwargs) -> list:
"""send a stix2 bundle to the API
:param work_id: a valid work id
:param bundle: valid stix2 bundle
:type bundle:
:param entities_types: list of entities, defaults to None
:type entities_types: list, optional
:param update: whether to updated data in the database, defaults to False
:type update: bool, optional
:raises ValueError: if the bundle is empty
:return: list of bundles
:rtype: list
"""
work_id = kwargs.get("work_id", self.work_id)
entities_types = kwargs.get("entities_types", None)
update = kwargs.get("update", False)
if entities_types is None:
entities_types = []
stix2_splitter = OpenCTIStix2Splitter()
bundles = stix2_splitter.split_bundle(bundle)
if len(bundles) == 0:
raise ValueError("Nothing to import")
if work_id is not None:
self.api.work.add_expectations(work_id, len(bundles))
pika_credentials = pika.PlainCredentials(
self.config["connection"]["user"], self.config["connection"]["pass"]
)
pika_parameters = pika.ConnectionParameters(
host=self.config["connection"]["host"],
port=self.config["connection"]["port"],
virtual_host="/",
credentials=pika_credentials,
ssl_options=pika.SSLOptions(
create_ssl_context(), self.config["connection"]["host"]
)
if self.config["connection"]["use_ssl"]
else None,
)
pika_connection = pika.BlockingConnection(pika_parameters)
channel = pika_connection.channel()
for sequence, bundle in enumerate(bundles, start=1):
self._send_bundle(
channel,
bundle,
work_id=work_id,
entities_types=entities_types,
sequence=sequence,
update=update,
)
channel.close()
return bundles
def send_stix2_bundle(self, bundle, **kwargs) -> list:
"""send a stix2 bundle to the API
:param work_id: a valid work id
:param bundle: valid stix2 bundle
:type bundle:
:param entities_types: list of entities, defaults to None
:type entities_types: list, optional
:param update: whether to updated data in the database, defaults to False
:type update: bool, optional
:raises ValueError: if the bundle is empty
:return: list of bundles
:rtype: list
"""
work_id = kwargs.get("work_id", self.work_id)
entities_types = kwargs.get("entities_types", None)
update = kwargs.get("update", False)
event_version = kwargs.get("event_version", None)
bypass_split = kwargs.get("bypass_split", False)
bypass_validation = kwargs.get("bypass_validation", False)
entity_id = kwargs.get("entity_id", None)
file_name = kwargs.get("file_name", None)
if not file_name and work_id:
file_name = f"{work_id}.json"
if self.connect_validate_before_import and not bypass_validation and file_name:
self.api.upload_pending_file(
file_name=file_name,
data=bundle,
mime_type="application/json",
entity_id=entity_id,
)
return []
if entities_types is None:
entities_types = []
if bypass_split:
bundles = [bundle]
else:
stix2_splitter = OpenCTIStix2Splitter()
bundles = stix2_splitter.split_bundle(bundle, True, event_version)
if len(bundles) == 0:
raise ValueError("Nothing to import")
if work_id:
self.api.work.add_expectations(work_id, len(bundles))
pika_credentials = pika.PlainCredentials(
self.config["connection"]["user"], self.config["connection"]["pass"]
)
pika_parameters = pika.ConnectionParameters(
host=self.config["connection"]["host"],
port=self.config["connection"]["port"],
virtual_host="/",
credentials=pika_credentials,
ssl_options=pika.SSLOptions(
create_ssl_context(), self.config["connection"]["host"]
)
if self.config["connection"]["use_ssl"]
else None,
)
pika_connection = pika.BlockingConnection(pika_parameters)
channel = pika_connection.channel()
for sequence, bundle in enumerate(bundles, start=1):
self._send_bundle(
channel,
bundle,
work_id=work_id,
entities_types=entities_types,
sequence=sequence,
update=update,
)
channel.close()
return bundles
