[client] Split threat actors into 2 sub types (#420)

Co-authored-by: sarahBocognano <[email protected]>

Author: richard-julien

.drone.yml

@@ -6,7 +6,7 @@ steps:
   - name: sleep-for-opencti
     image: python:3.11
     commands:
-      - sleep 100
+      - sleep 180
   - name: client-test-38
     image: python:3.8
     commands:
@@ -87,7 +87,7 @@ services:
       EXPIRATION_SCHEDULER__ENABLED: false
       SUBSCRIPTION_SCHEDULER__ENABLED: false
     commands:
-      - apk add build-base git libffi-dev
+      - apk add build-base git libffi-dev cargo
       - BRANCH=$(echo $DRONE_COMMIT_BRANCH)
       - OPENCTI_BRANCH=$([ $(echo $BRANCH | cut -d "/" -f 1) == opencti ] && echo issue/$(echo $BRANCH | cut -d "/" -f 2) || echo 'master' )
       - git clone -b $OPENCTI_BRANCH https://github.com/OpenCTI-Platform/opencti.git /tmp/opencti

pycti/__init__.py

@@ -46,6 +46,7 @@
 from .entities.opencti_task import Task
 from .entities.opencti_threat_actor import ThreatActor
 from .entities.opencti_threat_actor_group import ThreatActorGroup
+from .entities.opencti_threat_actor_individual import ThreatActorIndividual
 from .entities.opencti_tool import Tool
 from .entities.opencti_vulnerability import Vulnerability
 from .utils.constants import (
@@ -113,6 +114,7 @@
     "StixSightingRelationship",
     "ThreatActor",
     "ThreatActorGroup",
+    "ThreatActorIndividual",
     "Tool",
     "Vulnerability",
     "get_config_variable",

pycti/api/opencti_api_client.py

@@ -60,6 +60,7 @@
 from pycti.entities.opencti_task import Task
 from pycti.entities.opencti_threat_actor import ThreatActor
 from pycti.entities.opencti_threat_actor_group import ThreatActorGroup
+from pycti.entities.opencti_threat_actor_individual import ThreatActorIndividual
 from pycti.entities.opencti_tool import Tool
 from pycti.entities.opencti_vocabulary import Vocabulary
 from pycti.entities.opencti_vulnerability import Vulnerability
@@ -183,6 +184,7 @@ def __init__(
         self.location = Location(self)
         self.threat_actor = ThreatActor(self)
         self.threat_actor_group = ThreatActorGroup(self)
+        self.threat_actor_individual = ThreatActorIndividual(self)
         self.intrusion_set = IntrusionSet(self)
         self.infrastructure = Infrastructure(self)
         self.campaign = Campaign(self)

pycti/entities/opencti_indicator.py

@@ -274,7 +274,7 @@ def read(self, **kwargs):
 
         Note: either `id` or `filters` is required.
 
-        :param str id: the id of the Threat-Actor
+        :param str id: the id of the Threat-Actor-Group
         :param list filters: the filters to apply if no id provided
 
         :return: Indicator object

pycti/entities/opencti_infrastructure.py

@@ -257,7 +257,7 @@ def read(self, **kwargs):
 
         Note: either `id` or `filters` is required.
 
-        :param str id: the id of the Threat-Actor
+        :param str id: the id of the Threat-Actor-Group
         :param list filters: the filters to apply if no id provided
         """
 

pycti/entities/opencti_stix_core_object.py

@@ -349,9 +349,7 @@ def __init__(self, opencti, file):
                 resource_level
                 primary_motivation
                 secondary_motivations
-                ... on ThreatActorGroup {
-                    personal_motivations
-                }
+                personal_motivations
             }
             ... on Tool {
                 name

pycti/entities/opencti_stix_domain_object.py

@@ -437,9 +437,7 @@ def __init__(self, opencti, file):
                 resource_level
                 primary_motivation
                 secondary_motivations
-                ... on ThreatActorGroup {
-                    personal_motivations
-                }
+                personal_motivations
             }
             ... on Tool {
                 name

pycti/entities/opencti_stix_object_or_stix_relationship.py

@@ -288,9 +288,7 @@ def __init__(self, opencti):
                 resource_level
                 primary_motivation
                 secondary_motivations
-                ... on ThreatActorGroup {
-                    personal_motivations
-                }
+                personal_motivations
             }
             ... on Tool {
                 name

pycti/entities/opencti_threat_actor.py

@@ -8,6 +8,7 @@
 
 from pycti.entities import LOGGER
 from pycti.entities.opencti_threat_actor_group import ThreatActorGroup
+from pycti.entities.opencti_threat_actor_individual import ThreatActorIndividual
 
 
 class ThreatActor:
@@ -21,6 +22,7 @@ def __init__(self, opencti):
 
         self.opencti = opencti
         self.threat_actor_group = ThreatActorGroup(opencti)
+        self.threat_actor_individual = ThreatActorIndividual(opencti)
         self.properties = """
             id
             standard_id
@@ -186,11 +188,11 @@ def list(self, **kwargs) -> dict:
         LOGGER.info("Listing Threat-Actors with filters %s.", json.dumps(filters))
         query = (
             """
-            query ThreatActors($filters: [ThreatActorsFiltering], $search: String, $first: Int, $after: ID, $orderBy: ThreatActorsOrdering, $orderMode: OrderingMode) {
-                threatActors(filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {
-                    edges {
-                        node {
-                            """
+                query ThreatActors($filters: [ThreatActorsFiltering], $search: String, $first: Int, $after: ID, $orderBy: ThreatActorsOrdering, $orderMode: OrderingMode) {
+                    threatActors(filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {
+                        edges {
+                            node {
+                                """
             + (custom_attributes if custom_attributes is not None else self.properties)
             + """
                         }
@@ -242,9 +244,9 @@ def read(self, **kwargs) -> Union[dict, None]:
             LOGGER.info("Reading Threat-Actor {%s}.", id)
             query = (
                 """
-                query ThreatActor($id: String!) {
-                    threatActor(id: $id) {
-                        """
+                    query ThreatActor($id: String!) {
+                        threatActor(id: $id) {
+                            """
                 + (
                     custom_attributes
                     if custom_attributes is not None
@@ -267,41 +269,9 @@ def read(self, **kwargs) -> Union[dict, None]:
             LOGGER.error("[opencti_threat_actor] Missing parameters: id or filters")
             return None
 
+    @DeprecationWarning
     def create(self, **kwargs):
-        """Create a Threat-Actor object
-
-        The Threat-Actor entity will only be created if it doesn't exists
-        By setting `update` to `True` it acts like an upsert and updates
-        fields of an existing Threat-Actor entity.
-
-        The create method accepts the following kwargs.
-
-        Note: `name` and `description` or `stix_id` is required.
-
-        :param str stix_id: stix2 id reference for the Threat-Actor entity
-        :param str createdBy: (optional) id of the organization that created the knowledge
-        :param list objectMarking: (optional) list of OpenCTI markin definition ids
-        :param list objectLabel: (optional) list of OpenCTI label ids
-        :param list externalReferences: (optional) list of OpenCTI external references ids
-        :param bool revoked: is this entity revoked
-        :param int confidence: confidence level
-        :param str lang: language
-        :param str created: (optional) date in OpenCTI date format
-        :param str modified: (optional) date in OpenCTI date format
-        :param str name: name of the threat actor
-        :param str description: description of the threat actor
-        :param list aliases: (optional) list of alias names for the Threat-Actor
-        :param list threat_actor_types: (optional) list of threat actor types
-        :param str first_seen: (optional) date in OpenCTI date format
-        :param str last_seen: (optional) date in OpenCTI date format
-        :param list roles: (optional) list of roles
-        :param list goals: (optional) list of goals
-        :param str sophistication: (optional) describe the actors sophistication in text
-        :param str resource_level: (optional) describe the actors resource_level in text
-        :param str primary_motivation: (optional) describe the actors primary_motivation in text
-        :param list secondary_motivations: (optional) describe the actors secondary_motivations in list of string
-        :param bool update: (optional) choose to updated an existing Threat-Actor entity, default `False`
-        """
+        # For backward compatibility, please use threat_actor_group or threat_actor_individual
         return self.threat_actor_group.create(**kwargs)
 
     """
@@ -312,4 +282,17 @@ def create(self, **kwargs):
     """
 
     def import_from_stix2(self, **kwargs):
-        return self.threat_actor_group.import_from_stix2(**kwargs)
+        stix_object = kwargs.get("stixObject", None)
+        if "x_opencti_type" in stix_object:
+            type = stix_object["x_opencti_type"].lower()
+        elif self.opencti.get_attribute_in_extension("type", stix_object) is not None:
+            type = self.opencti.get_attribute_in_extension("type", stix_object).lower()
+        elif "individual" in stix_object["resource_level"].lower():
+            type = "threat-actor-individual"
+        else:
+            type = "threat-actor-group"
+
+        if "threat-actor-group" in type:
+            return self.threat_actor_group.import_from_stix2(**kwargs)
+        if "threat-actor-individual" in type:
+            return self.threat_actor_individual.import_from_stix2(**kwargs)

pycti/entities/opencti_threat_actor_group.py

@@ -130,6 +130,7 @@ def __init__(self, opencti):
             resource_level
             primary_motivation
             secondary_motivations
+            personal_motivations
             importFiles {
                 edges {
                     node {
@@ -302,6 +303,7 @@ def create(self, **kwargs):
         :param str resource_level: (optional) describe the actors resource_level in text
         :param str primary_motivation: (optional) describe the actors primary_motivation in text
         :param list secondary_motivations: (optional) describe the actors secondary_motivations in list of string
+        :param list personal_motivations: (optional) describe the actors personal_motivations in list of strings
         :param bool update: (optional) choose to updated an existing Threat-Actor-Group entity, default `False`
         """
 
@@ -326,6 +328,7 @@ def create(self, **kwargs):
         resource_level = kwargs.get("resource_level", None)
         primary_motivation = kwargs.get("primary_motivation", None)
         secondary_motivations = kwargs.get("secondary_motivations", None)
+        personal_motivations = kwargs.get("personal_motivations", None)
         x_opencti_stix_ids = kwargs.get("x_opencti_stix_ids", None)
         granted_refs = kwargs.get("objectOrganization", None)
         update = kwargs.get("update", False)
@@ -368,6 +371,7 @@ def create(self, **kwargs):
                         "resource_level": resource_level,
                         "primary_motivation": primary_motivation,
                         "secondary_motivations": secondary_motivations,
+                        "personal_motivations": personal_motivations,
                         "x_opencti_stix_ids": x_opencti_stix_ids,
                         "update": update,
                     }
@@ -453,6 +457,9 @@ def import_from_stix2(self, **kwargs):
                 secondary_motivations=stix_object["secondary_motivations"]
                 if "secondary_motivations" in stix_object
                 else None,
+                personal_motivations=stix_object["personal_motivations"]
+                if "personal_motivations" in stix_object
+                else None,
                 x_opencti_stix_ids=stix_object["x_opencti_stix_ids"]
                 if "x_opencti_stix_ids" in stix_object
                 else None,