[client] Migrate incident to native STIX

Samuel Hassine · Samuel Hassine · commit 37fe03b2297e · 2021-04-25T19:27:06.000+02:00
diff --git a/pycti/__init__.py b/pycti/__init__.py
@@ -30,7 +30,7 @@
 from .entities.opencti_intrusion_set import IntrusionSet
 from .entities.opencti_infrastructure import Infrastructure
 from .entities.opencti_campaign import Campaign
-from .entities.opencti_x_opencti_incident import XOpenCTIIncident
+from .entities.opencti_incident import Incident
 from .entities.opencti_malware import Malware
 from .entities.opencti_tool import Tool
 from .entities.opencti_vulnerability import Vulnerability
@@ -48,7 +48,7 @@
 from .utils.opencti_stix2_utils import (
     OpenCTIStix2Utils,
     SimpleObservable,
-    StixXOpenCTIIncident,
+    StixIncident,
 )
 from .utils.constants import StixCyberObservableTypes
 
@@ -76,7 +76,7 @@
     "IntrusionSet",
     "Infrastructure",
     "Campaign",
-    "XOpenCTIIncident",
+    "Incident",
     "Malware",
     "Tool",
     "Vulnerability",
@@ -93,5 +93,5 @@
     "OpenCTIStix2Utils",
     "StixCyberObservableTypes",
     "SimpleObservable",
-    "StixXOpenCTIIncident",
+    "StixIncident",
 ]
diff --git a/pycti/api/opencti_api_client.py b/pycti/api/opencti_api_client.py
@@ -34,7 +34,7 @@
 from pycti.entities.opencti_intrusion_set import IntrusionSet
 from pycti.entities.opencti_infrastructure import Infrastructure
 from pycti.entities.opencti_campaign import Campaign
-from pycti.entities.opencti_x_opencti_incident import XOpenCTIIncident
+from pycti.entities.opencti_incident import Incident
 from pycti.entities.opencti_malware import Malware
 from pycti.entities.opencti_tool import Tool
 from pycti.entities.opencti_vulnerability import Vulnerability
@@ -127,7 +127,7 @@ def __init__(self, url, token, log_level="info", ssl_verify=False, proxies={}):
         self.intrusion_set = IntrusionSet(self)
         self.infrastructure = Infrastructure(self)
         self.campaign = Campaign(self)
-        self.x_opencti_incident = XOpenCTIIncident(self)
+        self.incident = Incident(self)
         self.malware = Malware(self)
         self.tool = Tool(self)
         self.vulnerability = Vulnerability(self)
diff --git a/pycti/entities/opencti_incident.py b/pycti/entities/opencti_incident.py
@@ -3,7 +3,7 @@
 import json
 
 
-class XOpenCTIIncident:
+class Incident:
     def __init__(self, opencti):
         self.opencti = opencti
         self.properties = """
@@ -127,8 +127,8 @@ def list(self, **kwargs):
         )
         query = (
             """
-            query XOpenCTIIncidents($filters: [XOpenCTIIncidentsFiltering], $search: String, $first: Int, $after: ID, $orderBy: XOpenCTIIncidentsOrdering, $orderMode: OrderingMode) {
-                xOpenCTIIncidents(filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {
+            query Incidents($filters: [IncidentsFiltering], $search: String, $first: Int, $after: ID, $orderBy: IncidentsOrdering, $orderMode: OrderingMode) {
+                incidents(filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {
                     edges {
                         node {
                             """
@@ -159,7 +159,7 @@ def list(self, **kwargs):
             },
         )
         return self.opencti.process_multiple(
-            result["data"]["xOpenCTIIncidents"], with_pagination
+            result["data"]["incidents"], with_pagination
         )
 
     """
@@ -178,8 +178,8 @@ def read(self, **kwargs):
             self.opencti.log("info", "Reading Incident {" + id + "}.")
             query = (
                 """
-                query XOpenCTIIncident($id: String!) {
-                    xOpenCTIIncident(id: $id) {
+                query Incident($id: String!) {
+                    incident(id: $id) {
                         """
                 + (
                     custom_attributes
@@ -192,9 +192,7 @@ def read(self, **kwargs):
              """
             )
             result = self.opencti.query(query, {"id": id})
-            return self.opencti.process_multiple_fields(
-                result["data"]["xOpenCTIIncident"]
-            )
+            return self.opencti.process_multiple_fields(result["data"]["incident"])
         elif filters is not None:
             result = self.list(filters=filters)
             if len(result) > 0:
@@ -236,8 +234,8 @@ def create(self, **kwargs):
         if name is not None and description is not None:
             self.opencti.log("info", "Creating Incident {" + name + "}.")
             query = """
-                mutation XOpenCTIIncidentAdd($input: XOpenCTIIncidentAddInput) {
-                    xOpenCTIIncidentAdd(input: $input) {
+                mutation IncidentAdd($input: IncidentAddInput) {
+                    incidentAdd(input: $input) {
                         id
                         standard_id
                         entity_type
@@ -269,9 +267,7 @@ def create(self, **kwargs):
                     }
                 },
             )
-            return self.opencti.process_multiple_fields(
-                result["data"]["xOpenCTIIncidentAdd"]
-            )
+            return self.opencti.process_multiple_fields(result["data"]["incidentAdd"])
         else:
             self.opencti.log("error", "Missing parameters: name and description")
 
diff --git a/pycti/entities/opencti_note.py b/pycti/entities/opencti_note.py
@@ -164,7 +164,7 @@ def __init__(self, opencti):
                         ... on Vulnerability {
                             name
                         }
-                        ... on XOpenCTIIncident {
+                        ... on Incident {
                             name
                         }                
                         ... on StixCoreRelationship {
diff --git a/pycti/entities/opencti_observed_data.py b/pycti/entities/opencti_observed_data.py
@@ -164,7 +164,7 @@ def __init__(self, opencti):
                         ... on Vulnerability {
                             name
                         }
-                        ... on XOpenCTIIncident {
+                        ... on Incident {
                             name
                         }                
                         ... on StixCoreRelationship {
diff --git a/pycti/entities/opencti_opinion.py b/pycti/entities/opencti_opinion.py
@@ -164,7 +164,7 @@ def __init__(self, opencti):
                         ... on Vulnerability {
                             name
                         }
-                        ... on XOpenCTIIncident {
+                        ... on Incident {
                             name
                         }                
                         ... on StixCoreRelationship {
diff --git a/pycti/entities/opencti_report.py b/pycti/entities/opencti_report.py
@@ -169,7 +169,7 @@ def __init__(self, opencti):
                         ... on Vulnerability {
                             name
                         }
-                        ... on XOpenCTIIncident {
+                        ... on Incident {
                             name
                         }                
                         ... on StixCoreRelationship {
diff --git a/pycti/entities/opencti_stix_core_relationship.py b/pycti/entities/opencti_stix_core_relationship.py
@@ -162,7 +162,7 @@ def __init__(self, opencti):
                 ... on Vulnerability {
                     name
                 }
-                ... on XOpenCTIIncident {
+                ... on Incident {
                     name
                 }         
                 ... on StixCyberObservable {
@@ -243,7 +243,7 @@ def __init__(self, opencti):
                 ... on Vulnerability {
                     name
                 }
-                ... on XOpenCTIIncident {
+                ... on Incident {
                     name
                 }
                 ... on StixCyberObservable {
diff --git a/pycti/entities/opencti_stix_domain_object.py b/pycti/entities/opencti_stix_domain_object.py
@@ -359,7 +359,7 @@ def __init__(self, opencti, file):
                 x_opencti_integrity_impact
                 x_opencti_availability_impact
             }
-            ... on XOpenCTIIncident {
+            ... on Incident {
                 name
                 description
                 aliases
diff --git a/pycti/entities/opencti_stix_object_or_stix_relationship.py b/pycti/entities/opencti_stix_object_or_stix_relationship.py
@@ -310,7 +310,7 @@ def __init__(self, opencti):
                 x_opencti_integrity_impact
                 x_opencti_availability_impact
             }
-            ... on XOpenCTIIncident {
+            ... on Incident {
                 name
                 description
                 aliases
diff --git a/pycti/entities/opencti_stix_sighting_relationship.py b/pycti/entities/opencti_stix_sighting_relationship.py
@@ -160,7 +160,7 @@ def __init__(self, opencti):
                 ... on Vulnerability {
                     name
                 }
-                ... on XOpenCTIIncident {
+                ... on Incident {
                     name
                 }           
                 ... on StixCyberObservable {
@@ -241,7 +241,7 @@ def __init__(self, opencti):
                 ... on Vulnerability {
                     name
                 }
-                ... on XOpenCTIIncident {
+                ... on Incident {
                     name
                 }
                 ... on StixCyberObservable {
diff --git a/pycti/utils/opencti_stix2.py b/pycti/utils/opencti_stix2.py
@@ -524,7 +524,7 @@ def import_object(self, stix_object, update=False, types=None) -> list:
             "threat-actor": self.opencti.threat_actor.import_from_stix2,
             "tool": self.opencti.tool.import_from_stix2,
             "vulnerability": self.opencti.vulnerability.import_from_stix2,
-            "x-opencti-incident": self.opencti.x_opencti_incident.import_from_stix2,
+            "x-opencti-incident": self.opencti.incident.import_from_stix2,
         }
 
         # TODO: Remove this, compatibility with V3
@@ -1235,7 +1235,7 @@ def prepare_export(
                 "Threat-Actor": self.opencti.threat_actor.read,
                 "Tool": self.opencti.tool.read,
                 "Vulnerability": self.opencti.vulnerability.read,
-                "X-OpenCTI-Incident": self.opencti.x_opencti_incident.read,
+                "X-OpenCTI-Incident": self.opencti.incident.read,
                 "Stix-Cyber-Observable": self.opencti.stix_cyber_observable.read,
                 "stix_core_relationship": self.opencti.stix_core_relationship.read,
             }
@@ -1371,7 +1371,7 @@ def export_entity(
             "Threat-Actor": self.opencti.threat_actor.read,
             "Tool": self.opencti.tool.read,
             "Vulnerability": self.opencti.vulnerability.read,
-            "X-OpenCTI-Incident": self.opencti.x_opencti_incident.read,
+            "X-OpenCTI-Incident": self.opencti.incident.read,
         }
         do_read = reader.get(
             entity_type, lambda **kwargs: self.unknown_type({"type": entity_type})
@@ -1453,7 +1453,7 @@ def export_list(
             "Threat-Actor": self.opencti.threat_actor.list,
             "Tool": self.opencti.tool.list,
             "Vulnerability": self.opencti.vulnerability.list,
-            "X-OpenCTI-Incident": self.opencti.x_opencti_incident.list,
+            "X-OpenCTI-Incident": self.opencti.incident.list,
             "Stix-Cyber-Observable": self.opencti.stix_cyber_observable.list,
         }
         do_list = lister.get(
diff --git a/pycti/utils/opencti_stix2_utils.py b/pycti/utils/opencti_stix2_utils.py
@@ -32,6 +32,7 @@
     "User-Account": ["acount_login"],
     "Windows-Registry-Key": ["key"],
     "Windows-Registry-Value-Type": ["name"],
+    "X-OpenCTI-Hostname": ["value"],
 }
 
 
@@ -93,7 +94,7 @@ class SimpleObservable:
 
 
 @CustomObject(
-    "x-opencti-incident",
+    "incident",
     [
         ("name", properties.StringProperty(required=True)),
         ("description", properties.StringProperty()),
@@ -117,5 +118,5 @@ class SimpleObservable:
         ),
     ],
 )
-class StixXOpenCTIIncident:
+class StixIncident:
     pass

Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ def __init__(self, opencti):`
`164`	`164`	`... on Vulnerability {`
`165`	`165`	`name`
`166`	`166`	`}`
`167`		`- ... on XOpenCTIIncident {`
	`167`	`+ ... on Incident {`
`168`	`168`	`name`
`169`	`169`	`}`
`170`	`170`	`... on StixCoreRelationship {`
Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ def __init__(self, opencti):`
`169`	`169`	`... on Vulnerability {`
`170`	`170`	`name`
`171`	`171`	`}`
`172`		`- ... on XOpenCTIIncident {`
	`172`	`+ ... on Incident {`
`173`	`173`	`name`
`174`	`174`	`}`
`175`	`175`	`... on StixCoreRelationship {`
Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ def __init__(self, opencti):`
`162`	`162`	`... on Vulnerability {`
`163`	`163`	`name`
`164`	`164`	`}`
`165`		`- ... on XOpenCTIIncident {`
	`165`	`+ ... on Incident {`
`166`	`166`	`name`
`167`	`167`	`}`
`168`	`168`	`... on StixCyberObservable {`
`@@ -243,7 +243,7 @@ def __init__(self, opencti):`
`243`	`243`	`... on Vulnerability {`
`244`	`244`	`name`
`245`	`245`	`}`
`246`		`- ... on XOpenCTIIncident {`
	`246`	`+ ... on Incident {`
`247`	`247`	`name`
`248`	`248`	`}`
`249`	`249`	`... on StixCyberObservable {`
Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ def __init__(self, opencti, file):`
`359`	`359`	`x_opencti_integrity_impact`
`360`	`360`	`x_opencti_availability_impact`
`361`	`361`	`}`
`362`		`- ... on XOpenCTIIncident {`
	`362`	`+ ... on Incident {`
`363`	`363`	`name`
`364`	`364`	`description`
`365`	`365`	`aliases`
Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,7 @@ def __init__(self, opencti):`
`310`	`310`	`x_opencti_integrity_impact`
`311`	`311`	`x_opencti_availability_impact`
`312`	`312`	`}`
`313`		`- ... on XOpenCTIIncident {`
	`313`	`+ ... on Incident {`
`314`	`314`	`name`
`315`	`315`	`description`
`316`	`316`	`aliases`