This repository was archived by the owner on Dec 5, 2025. It is now read-only.

Commit 63540fb

author
Samuel Hassine
committed
[client] Take into account the scope (#171)
1 parent aea31ed commit 63540fb


2 files changed

+139
-5
lines changed


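--- a/pycti/utils/opencti_stix2.py
+++ b/pycti/utils/opencti_stix2.py
@@ -1499,8 +1499,13 @@ def import_bundle(self, stix_bundle, update=False, types=None) -> List:
 # Marking definitions
 for bundle in bundles:
 for item in bundle["objects"]:
-if "x_data_update" in item:
-self.stix2_update.process_update(item)
+if "x_opencti_event_version" in bundle:
+if bundle["x_opencti_event_version"] == "1":
+if "x_data_update" in item:
+self.stix2_update.process_update_v1(item)
+elif bundle["x_opencti_event_version"] == "2":
+if "x_opencti_patch":
+self.stix2_update.process_update_v2(item)
 elif item["type"] == "relationship":
 self.import_relationship(item, update, types)
 elif item["type"] == "sighting":
@@ -1527,9 +1532,31 @@ def import_bundle(self, stix_bundle, update=False, types=None) -> List:
 item, observed_data_ref, to_id, update
 )
 elif StixCyberObservableTypes.has_value(item["type"]):
-self.import_observable(item, update, types)
+if types is None or len(types) == 0:
+self.import_observable(item, update, types)
+elif item["type"] in types or "observable" in types:
+self.import_observable(item, update, types)
 else:
-self.import_object(item, update, types)
+# Check the scope
+if types is None or len(types) == 0:
+self.import_object(item, update, types)
+# Handle identity & location if part of the scope
+elif item["type"] in types:
+self.import_object(item, update, types)
+else:
+# Specific OpenCTI scopes
+if item["type"] == "identity":
+if "identity_class" in item:
+if ("class" in types or "sector" in types) and item[
+"identity_class"
+] == "class":
+self.import_object(item, update, types)
+elif item["identity_class"] in types:
+self.import_object(item, update, types)
+elif item["type"] == "location":
+if "x_opencti_location_type" in item:
+if item["x_opencti_location_type"] in types:
+self.import_object(item, update, types)
 imported_elements.append({"id": item["id"], "type": item["type"]})
 
 return imported_elements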
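Review bot: The version "2" guard `if "x_opencti_patch":` tests a non-empty string literal, so it is always true and every item of a version "2" bundle is handed to `process_update_v2`, including items that carry no patch. It should read `if "x_opencti_patch" in item:`, mirroring the `"x_data_update" in item` test used for version "1". Indentation is lost on this page, but as written the following `elif item["type"] == "relationship":` appears to pair with the new outer `if "x_opencti_event_version" in bundle:`, which would mean items of a versioned bundle that carry no update payload are no longer imported at all; worth confirming that this is intended. The body of import_bundle starts outside the hunk.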

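--- a/pycti/utils/opencti_stix2_update.py
+++ b/pycti/utils/opencti_stix2_update.py
@@ -212,7 +212,7 @@ def replace_created_by_ref(self, entity_type, id, created_by_ref):
 id=id, identity_id=created_by_ref
 )
 
-def process_update(self, data):
+def process_update_v1(self, data):
 try:
 if "add" in data["x_data_update"]:
 for key in data["x_data_update"]["add"].keys():
@@ -325,3 +325,110 @@ def process_update(self, data):
 except:
 self.opencti.log("error", "Cannot process this message")
 pass
+
+def process_update_v2(self, data):
+try:
+if "add" in data["x_opencti_patch"]:
+for key in data["x_opencti_patch"]["add"].keys():
+if key == "object_marking_refs":
+self.add_object_marking_refs(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["add"]["object_marking_refs"],
+)
+elif key == "object_refs":
+self.add_object_refs(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["add"]["object_refs"],
+)
+elif key == "labels":
+self.add_labels(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["add"]["labels"],
+)
+elif key == "external_references":
+self.add_external_references(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["add"]["external_references"],
+)
+elif key == "kill_chain_phases":
+self.add_kill_chain_phases(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["add"]["kill_chain_phases"],
+)
+elif key == "created_by_ref":
+self.replace_created_by_ref(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["add"]["created_by_ref"],
+)
+else:
+self.update_attribute(
+data["type"],
+data["id"],
+"add",
+key,
+data["x_opencti_patch"]["add"][key],
+)
+if "remove" in data["x_opencti_patch"]:
+for key in data["x_opencti_patch"]["remove"].keys():
+if key == "object_marking_refs":
+self.remove_object_marking_refs(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["remove"]["object_marking_refs"],
+)
+elif key == "object_refs":
+self.remove_object_refs(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["remove"]["object_refs"],
+)
+elif key == "labels":
+self.remove_labels(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["remove"]["labels"],
+)
+elif key == "external_references":
+self.remove_external_references(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["remove"]["external_references"],
+)
+elif key == "kill_chain_phases":
+self.remove_kill_chain_phases(
+data["type"],
+data["id"],
+data["x_opencti_patch"]["remove"]["kill_chain_phases"],
+)
+elif key == "created_by_ref":
+self.replace_created_by_ref(
+data["type"],
+data["id"],
+None,
+)
+else:
+self.update_attribute(
+data["type"],
+data["id"],
+"remove",
+key,
+data["x_opencti_patch"]["remove"][key],
+)
+if "replace" in data["x_opencti_patch"]:
+for key in data["x_opencti_patch"]["replace"].keys():
+self.update_attribute(
+data["type"],
+data["id"],
+"replace",
+key,
+data["x_opencti_patch"]["replace"][key]["current"],
+)
+except:
+self.opencti.log("error", "Cannot process this message")
+pass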
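Review bot: The new `process_update_v2` ends in a bare `except:` that logs only "Cannot process this message", so a malformed patch (for example a `replace` entry without a `current` key, or an item with no `x_opencti_patch` at all) is dropped with no indication of which object or key failed, and `KeyboardInterrupt`/`SystemExit` are swallowed too. Catch `Exception` and log the cause, e.g. `except Exception as e:` followed by `self.opencti.log("error", "Cannot process this message: " + str(e))`; the trailing `pass` is redundant. Because the handler wraps all three loops, a failure part-way through leaves the earlier add/remove operations applied, which deserves a comment. The method would also benefit from a docstring stating the expected `x_opencti_patch` shape: optional `add`, `remove` and `replace` mappings, with each `replace` value holding a `current` entry.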
