[client] Enhance observable export, artifact payload

Author: Samuel Hassine

pycti/api/opencti_api_client.py

@@ -3,6 +3,7 @@
 import io
 import json
 import logging
+import base64
 from typing import Union
 
 import magic
@@ -319,7 +320,7 @@ def query(self, query, variables={}):
             logging.info(r.text)
             raise ValueError(r.text)
 
-    def fetch_opencti_file(self, fetch_uri, binary=False):
+    def fetch_opencti_file(self, fetch_uri, binary=False, serialize=False):
         """get file from the OpenCTI API
 
         :param fetch_uri: download URI to use
@@ -332,7 +333,11 @@ def fetch_opencti_file(self, fetch_uri, binary=False):
 
         r = self.session.get(fetch_uri, headers=self.request_headers)
         if binary:
+            if serialize:
+                return base64.b64encode(r.content).decode("utf-8")
             return r.content
+        if serialize:
+            return base64.b64encode(r.text).decode("utf-8")
         return r.text
 
     def log(self, level, message):

pycti/utils/opencti_stix2.py

@@ -1165,6 +1165,15 @@ def prepare_export(
         if "attribute_date" in entity:
             entity["date"] = entity["attribute_date"]
             del entity["attribute_date"]
+        # Artifact
+        if entity["type"] == "artifact" and "importFiles" in entity:
+            first_file = entity["importFiles"][0]["id"]
+            url = self.opencti.api_url.replace("graphql", "storage/get/") + first_file
+            file = self.opencti.fetch_opencti_file(url, binary=True, serialize=True)
+            if file:
+                entity["payload_bin"] = file
+            del entity["importFiles"]
+            del entity["importFilesIds"]
 
         result.append(entity)
 
@@ -1400,7 +1409,10 @@ def export_entity(
             "Tool": self.opencti.tool.read,
             "Vulnerability": self.opencti.vulnerability.read,
             "Incident": self.opencti.incident.read,
+            "Stix-Cyber-Observable": self.opencti.stix_cyber_observable.read,
         }
+        if StixCyberObservableTypes.has_value(entity_type):
+            entity_type = "Stix-Cyber-Observable"
         do_read = reader.get(
             entity_type, lambda **kwargs: self.unknown_type({"type": entity_type})
         )