#1 Add method to select observable and relations, with example

Author: Samuel Hassine

examples/stix2/config.yml.sample examples/config.yml.sampleexamples/stix2/config.yml.sample renamed to examples/config.yml.sample

@@ -0,0 +1,25 @@
+# coding: utf-8
+
+import os
+import yaml
+
+from pycti.opencti import OpenCTI
+
+# Load configuration
+config = yaml.load(open(os.path.dirname(__file__) + '/../config.yml'))
+
+# File to import
+file_to_import = config['mitre']['repository_path_cti'] + '/enterprise-attack/enterprise-attack.json'
+
+# OpenCTI initialization
+opencti = OpenCTI(config['opencti']['api_url'], config['opencti']['api_key'], config['opencti']['log_file'], config['opencti']['verbose'])
+
+# Get observables and their context
+observables = opencti.get_stix_observables(10)
+
+for observable in observables:
+    observable_value = observable['observable_value']
+    for relation in observable['stixRelations']:
+        first_seen = relation['first_seen']
+        last_seen = relation['last_seen']
+        print('Observable with value "' + observable_value + '" (first_seen: ' + first_seen + ', last_seen: ' + last_seen + ')')

examples/observables/get_observables.py

@@ -7,7 +7,7 @@
 from opencti import OpenCTI
 
 # Load configuration
-config = yaml.load(open(os.path.dirname(__file__) + '/config.yml'))
+config = yaml.load(open(os.path.dirname(__file__) + '/../config.yml'))
 
 # Export file
 export_file = './exports/IntrusionSets.json'

examples/stix2/export.py

@@ -6,7 +6,7 @@
 from opencti import OpenCTI
 
 # Load configuration
-config = yaml.load(open(os.path.dirname(__file__) + '/config.yml'))
+config = yaml.load(open(os.path.dirname(__file__) + '/../config.yml'))
 
 # File to import
 file_to_import = config['mitre']['repository_path_cti'] + '/enterprise-attack/enterprise-attack.json'
@@ -15,4 +15,4 @@
 opencti = OpenCTI(config['opencti']['api_url'], config['opencti']['api_key'], config['opencti']['log_file'], config['opencti']['verbose'])
 
 # Import the bundle
-opencti.stix2_import_bundle_from_file(file_to_import)
+opencti.stix2_import_bundle_from_file(file_to_import, False)

examples/stix2/import.py

@@ -70,6 +70,8 @@ def parse_stix(self, data):
             data['observableRefs'] = self.parse_multiple(data['observableRefs'])
         if 'relationRefs' in data:
             data['relationRefs'] = self.parse_multiple(data['relationRefs'])
+        if 'stixRelations' in data:
+            data['stixRelations'] = self.parse_multiple(data['stixRelations'])
         return data
 
     def check_existing_stix_domain_entity(self, stix_id=None, name=None, type=None):
@@ -81,6 +83,7 @@ def check_existing_stix_domain_entity(self, stix_id=None, name=None, type=None):
         return object_result
 
     def update_settings_field(self, id, key, value):
+
         self.log('Updating settings field ' + key + ' of ' + id + '...')
         query = """
             mutation SettingsEdit($id: ID!, $input: EditInput!) {
@@ -346,6 +349,8 @@ def get_stix_relation_by_id(self, id):
                     description
                     weight
                     role_played
+                    score
+                    expiration
                     first_seen
                     last_seen
                     created
@@ -365,6 +370,9 @@ def get_stix_relation_by_id(self, id):
         return result['data']['stixRelation']
 
     def get_stix_relations(self, from_id=None, to_id=None, type='stix_relation', first_seen=None, last_seen=None):
+        if type == 'revoked-by':
+            return []
+
         if first_seen is not None and last_seen is not None:
             first_seen = dateutil.parser.parse(first_seen)
             first_seen_start = (first_seen + datetime.timedelta(days=-1)).strftime('%Y-%m-%dT%H:%M:%S+00:00')
@@ -390,6 +398,8 @@ def get_stix_relations(self, from_id=None, to_id=None, type='stix_relation', fir
                             description
                             weight
                             role_played
+                            score
+                            expiration
                             first_seen
                             last_seen
                             created
@@ -436,6 +446,8 @@ def create_relation(self,
                         last_seen,
                         weight,
                         role_played=None,
+                        score=None,
+                        expiration=None,
                         id=None,
                         stix_id=None,
                         created=None,
@@ -458,6 +470,8 @@ def create_relation(self,
                 'relationship_type': type,
                 'description': description,
                 'role_played': role_played,
+                'score': score,
+                'expiration': expiration,
                 'first_seen': first_seen,
                 'last_seen': last_seen,
                 'weight': weight,
@@ -480,6 +494,8 @@ def create_relation_if_not_exists(self,
                                       last_seen,
                                       weight,
                                       role_played=None,
+                                      score=None,
+                                      expiration=None,
                                       id=None,
                                       stix_id=None,
                                       created=None,
@@ -522,6 +538,8 @@ def create_relation_if_not_exists(self,
                 last_seen,
                 weight,
                 role_played,
+                score,
+                expiration,
                 id,
                 stix_id,
                 created,
@@ -2807,6 +2825,10 @@ def get_stix_observable(self, id):
                                 role_played
                                 expiration
                                 score
+                                to {
+                                    id
+                                    name
+                                }
                             }
                         }
                     }
@@ -2869,6 +2891,10 @@ def get_stix_observable_by_value(self, observable_value):
                                         role_played
                                         expiration
                                         score
+                                        to {
+                                            id
+                                            name
+                                        }
                                     }
                                 }
                             }
@@ -2936,6 +2962,10 @@ def get_stix_observables(self, limit=10000):
                                         role_played
                                         expiration
                                         score
+                                        to {
+                                            id
+                                            name
+                                        }
                                     }
                                 }
                             }
@@ -3443,6 +3473,12 @@ def resolve_role(self, relation_type, from_type, to_type):
                     'malware': {'from_role': 'indicator', 'to_role': 'characterize'},
                     'tool': {'from_role': 'indicator', 'to_role': 'characterize'},
                 }
+            },
+            'gathering': {
+                'sector': {
+                    'sector': {'from_role': 'gather', 'to_role': 'part_of'},
+                    'organization': {'from_role': 'gather', 'to_role': 'part_of'},
+                }
             }
         }
         if relation_type in mapping and from_type in mapping[relation_type] and to_type in mapping[relation_type][

pycti/opencti.py

@@ -824,6 +824,8 @@ def export_stix_relation(self, entity):
             'x_opencti_last_seen': entity['last_seen'],
             'x_opencti_weight': entity['weight'],
             'x_opencti_role_played': entity['role_played'],
+            'x_opencti_score': entity['score'],
+            'x_opencti_expiration': entity['expiration'],
         }
         return self.prepare_export(entity, stix_relation)
 
@@ -872,7 +874,7 @@ def import_relationship(self, stix_relation, update=False):
         if date is None:
             date = datetime.datetime.utcnow().replace(microsecond=0, tzinfo=datetime.timezone.utc).isoformat()
 
-        stix_relation_id = self.opencti.create_relation_if_not_exists(
+        stix_relation = self.opencti.create_relation_if_not_exists(
             source_id,
             source_type,
             target_id,
@@ -885,11 +887,17 @@ def import_relationship(self, stix_relation, update=False):
                 'x_opencti_last_seen'] if 'x_opencti_last_seen' in stix_relation else date,
             stix_relation['x_opencti_weight'] if 'x_opencti_weight' in stix_relation else 4,
             stix_relation['x_opencti_role_played'] if 'x_opencti_role_played' in stix_relation else None,
+            stix_relation['x_opencti_score'] if 'x_opencti_score' in stix_relation else None,
+            stix_relation['x_opencti_expiration'] if 'x_opencti_expiration' in stix_relation else None,
             stix_relation['x_opencti_id'] if 'x_opencti_id' in stix_relation else None,
             stix_relation['id'] if 'id' in stix_relation else None,
             stix_relation['created'] if 'created' in stix_relation else None,
             stix_relation['modified'] if 'modified' in stix_relation else None,
-        )['id']
+        )
+        if stix_relation is not None:
+            stix_relation_id = stix_relation['id']
+        else:
+            return None
 
         # External References
         external_references_ids = []