[client] Handle creation of relation between observables, handle avoid spliting if needed

Author: Samuel Hassine

examples/link_hashes_together.py

@@ -1,6 +1,5 @@
 # coding: utf-8
 
-import datetime
 from pycti import OpenCTIApiClient
 
 # Variables

pycti/connector/opencti_connector_helper.py

@@ -166,20 +166,25 @@ def date_now(self):
         return datetime.datetime.utcnow().replace(microsecond=0, tzinfo=datetime.timezone.utc).isoformat()
 
     # Push Stix2 helper
-    def send_stix2_bundle(self, bundle, entities_types=None, update=False, confidence_level=1):
+    def send_stix2_bundle(self, bundle, entities_types=None, update=False, split=True):
         if entities_types is None:
             entities_types = []
-        bundles = self.split_stix2_bundle(bundle)
-        if len(bundles) == 0:
-            raise ValueError('Nothing to import')
-        pika_connection = pika.BlockingConnection(pika.URLParameters(self.config['uri']))
-        channel = pika_connection.channel()
-        for bundle in bundles:
-            self._send_bundle(channel, bundle, entities_types, update, confidence_level)
+        if split:
+            bundles = self.split_stix2_bundle(bundle)
+            if len(bundles) == 0:
+                raise ValueError('Nothing to import')
+            pika_connection = pika.BlockingConnection(pika.URLParameters(self.config['uri']))
+            channel = pika_connection.channel()
+            for bundle in bundles:
+                self._send_bundle(channel, bundle, entities_types, update)
+        else:
+            pika_connection = pika.BlockingConnection(pika.URLParameters(self.config['uri']))
+            channel = pika_connection.channel()
+            self._send_bundle(channel, bundle, entities_types, update)
         channel.close()
-        return bundles
+        return True
 
-    def _send_bundle(self, channel, bundle, entities_types=None, update=False, confidence_level=1):
+    def _send_bundle(self, channel, bundle, entities_types=None, update=False):
         """
             This method send a STIX2 bundle to RabbitMQ to be consumed by workers
             :param bundle: A valid STIX2 bundle
@@ -206,7 +211,6 @@ def _send_bundle(self, channel, bundle, entities_types=None, update=False, confi
             'job_id': job_id,
             'entities_types': entities_types,
             'update': update,
-            'confidence_level': confidence_level,
             'content': base64.b64encode(bundle.encode('utf-8')).decode('utf-8')
         }
 

pycti/entities/opencti_stix_observable_relation.py

@@ -121,8 +121,9 @@ def list(self, **kwargs):
         after = kwargs.get('after', None)
         order_by = kwargs.get('orderBy', None)
         order_mode = kwargs.get('orderMode', None)
-        self.opencti.log('info', 'Listing stix_observable_relations with {from_id: ' + str(from_id) + ', to_id: ' + str(
-            to_id) + '}')
+        self.opencti.log('info',
+                         'Listing stix_observable_relations with {type: ' + relation_type + ', from_id: ' + str(
+                             from_id) + ', to_id: ' + str(to_id) + '}')
         query = """
             query StixObservableRelations($fromId: String, $fromTypes: [String], $toId: String, $toTypes: [String], $relationType: String, $firstSeenStart: DateTime, $firstSeenStop: DateTime, $lastSeenStart: DateTime, $lastSeenStop: DateTime, $inferred: Boolean, $first: Int, $after: ID, $orderBy: StixObservableRelationsOrdering, $orderMode: OrderingMode) {
                 stixObservableRelations(fromId: $fromId, fromTypes: $fromTypes, toId: $toId, toTypes: $toTypes, relationType: $relationType, firstSeenStart: $firstSeenStart, firstSeenStop: $firstSeenStop, lastSeenStart: $lastSeenStart, lastSeenStop: $lastSeenStop, inferred: $inferred, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {

pycti/entities/opencti_stix_relation.py

@@ -145,7 +145,8 @@ def list(self, **kwargs):
         order_by = kwargs.get('orderBy', None)
         order_mode = kwargs.get('orderMode', None)
         self.opencti.log('info',
-                         'Listing stix_relations with {from_id: ' + str(from_id) + ', to_id: ' + str(to_id) + '}')
+                         'Listing stix_relations with {type: ' + relation_type + ', from_id: ' + str(
+                             from_id) + ', to_id: ' + str(to_id) + '}')
         query = """
             query StixRelations($fromId: String, $fromTypes: [String], $toId: String, $toTypes: [String], $relationType: String, $firstSeenStart: DateTime, $firstSeenStop: DateTime, $lastSeenStart: DateTime, $lastSeenStop: DateTime, $inferred: Boolean, $first: Int, $after: ID, $orderBy: StixRelationsOrdering, $orderMode: OrderingMode) {
                 stixRelations(fromId: $fromId, fromTypes: $fromTypes, toId: $toId, toTypes: $toTypes, relationType: $relationType, firstSeenStart: $firstSeenStart, firstSeenStop: $firstSeenStop, lastSeenStart: $lastSeenStart, lastSeenStop: $lastSeenStop, inferred: $inferred, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {

pycti/utils/opencti_stix2.py

@@ -332,11 +332,7 @@ def import_object(self, stix_object, update=False, types=None):
 
         # Add embedded relationships
         if stix_object_result is not None:
-            if stix_object['type'] == 'indicator':
-                stix_object_result_type = 'observable'
-            else:
-                stix_object_result_type = stix_object_result['entity_type']
-            self.mapping_cache[stix_object['id']] = {'id': stix_object_result['id'], 'type': stix_object_result_type}
+            self.mapping_cache[stix_object['id']] = {'id': stix_object_result['id'], 'type': stix_object_result['entity_type']}
 
             # Update created by ref
             if created_by_ref_id is not None and stix_object['type'] != 'marking-definition':
@@ -1205,20 +1201,22 @@ def create_course_of_action(self, stix_object, update=False):
         )
 
     def create_report(self, stix_object, update=False):
-        return self.opencti.create_report_if_not_exists(
-            stix_object['name'],
-            self.convert_markdown(stix_object['description']) if 'description' in stix_object else '',
-            stix_object['published'] if 'published' in stix_object else '',
-            stix_object[
+        return self.opencti.report.create(
+            name=stix_object['name'],
+            description=self.convert_markdown(stix_object['description']) if 'description' in stix_object else '',
+            published=stix_object['published'] if 'published' in stix_object else '',
+            report_class=stix_object[
                 CustomProperties.REPORT_CLASS] if CustomProperties.REPORT_CLASS in stix_object else 'Threat Report',
-            stix_object[CustomProperties.OBJECT_STATUS] if CustomProperties.OBJECT_STATUS in stix_object else 0,
-            stix_object[CustomProperties.SRC_CONF_LEVEL] if CustomProperties.SRC_CONF_LEVEL in stix_object else 3,
-            stix_object[CustomProperties.GRAPH_DATA] if CustomProperties.GRAPH_DATA in stix_object else '',
-            stix_object[CustomProperties.ID] if CustomProperties.ID in stix_object else None,
-            stix_object['id'] if 'id' in stix_object else None,
-            stix_object['created'] if 'created' in stix_object else None,
-            stix_object['modified'] if 'modified' in stix_object else None,
-            update
+            object_status=stix_object[
+                CustomProperties.OBJECT_STATUS] if CustomProperties.OBJECT_STATUS in stix_object else 0,
+            source_confidence_level=stix_object[
+                CustomProperties.SRC_CONF_LEVEL] if CustomProperties.SRC_CONF_LEVEL in stix_object else 1,
+            graph_data=stix_object[CustomProperties.GRAPH_DATA] if CustomProperties.GRAPH_DATA in stix_object else '',
+            id=stix_object[CustomProperties.ID] if CustomProperties.ID in stix_object else None,
+            stix_id_key=stix_object['id'] if 'id' in stix_object else None,
+            created=stix_object['created'] if 'created' in stix_object else None,
+            modified=stix_object['modified'] if 'modified' in stix_object else None,
+            update=update
         )
 
     def export_stix_observable(self, entity):

setup.py

@@ -13,7 +13,7 @@
     print("warning: pypandoc module not found, could not convert Markdown to RST")
     read_md = lambda f: open(f, 'r').read()
 
-VERSION = "2.1.2"
+VERSION = "2.1.3"
 
 
 class VerifyVersionCommand(install):