[client] Introduce bundle sequence based on depth

Author: SamuelHassine

pycti/connector/opencti_connector_helper.py

@@ -862,64 +862,6 @@ def _send_bundle(self, channel, bundle, **kwargs) -> None:
             logging.error("Unable to send bundle, retry...%s", e)
             self._send_bundle(channel, bundle, **kwargs)
 
-    def split_stix2_bundle(self, bundle) -> list:
-        """splits a valid stix2 bundle into a list of bundles
-
-        :param bundle: valid stix2 bundle
-        :type bundle:
-        :raises Exception: if data is not valid JSON
-        :return: returns a list of bundles
-        :rtype: list
-        """
-
-        self.cache_index = {}
-        self.cache_added = []
-        try:
-            bundle_data = json.loads(bundle)
-        except Exception as e:
-            raise Exception("File data is not a valid JSON") from e
-
-        # validation = validate_parsed_json(bundle_data)
-        # if not validation.is_valid:
-        #     raise ValueError('The bundle is not a valid STIX2 JSON:' + bundle)
-
-        # Index all objects by id
-        for item in bundle_data["objects"]:
-            self.cache_index[item["id"]] = item
-
-        bundles = []
-        # Reports must be handled because of object_refs
-        for item in bundle_data["objects"]:
-            if item["type"] == "report":
-                items_to_send = self.stix2_deduplicate_objects(
-                    self.stix2_get_report_objects(item)
-                )
-                for item_to_send in items_to_send:
-                    self.cache_added.append(item_to_send["id"])
-                bundles.append(self.stix2_create_bundle(items_to_send))
-
-        # Relationships not added in previous reports
-        for item in bundle_data["objects"]:
-            if item["type"] == "relationship" and item["id"] not in self.cache_added:
-                items_to_send = self.stix2_deduplicate_objects(
-                    self.stix2_get_relationship_objects(item)
-                )
-                for item_to_send in items_to_send:
-                    self.cache_added.append(item_to_send["id"])
-                bundles.append(self.stix2_create_bundle(items_to_send))
-
-        # Entities not added in previous reports and relationships
-        for item in bundle_data["objects"]:
-            if item["type"] != "relationship" and item["id"] not in self.cache_added:
-                items_to_send = self.stix2_deduplicate_objects(
-                    self.stix2_get_entity_objects(item)
-                )
-                for item_to_send in items_to_send:
-                    self.cache_added.append(item_to_send["id"])
-                bundles.append(self.stix2_create_bundle(items_to_send))
-
-        return bundles
-
     def stix2_get_embedded_objects(self, item) -> Dict:
         """gets created and marking refs for a stix2 item
 
@@ -1045,7 +987,7 @@ def stix2_create_bundle(items) -> Optional[str]:
         bundle = {
             "type": "bundle",
             "id": f"bundle--{uuid.uuid4()}",
-            "spec_version": "2.0",
+            "spec_version": "2.1",
             "objects": items,
         }
         return json.dumps(bundle)

pycti/entities/opencti_stix_cyber_observable.py

@@ -270,24 +270,6 @@ def __init__(self, opencti, file):
                 data
                 data_type
             }
-            ... on X509V3ExtensionsType {
-                basic_constraints
-                name_constraints
-                policy_constraints
-                key_usage
-                extended_key_usage
-                subject_key_identifier
-                authority_key_identifier
-                subject_alternative_name
-                issuer_alternative_name
-                subject_directory_attributes
-                crl_distribution_points
-                inhibit_any_policy
-                private_key_usage_period_not_before
-                private_key_usage_period_not_after
-                certificate_policies
-                policy_mappings
-            }
             ... on CryptographicKey {
                 value
             }
@@ -668,7 +650,6 @@ def create(self, **kwargs):
                     $UserAccount: UserAccountAddInput,
                     $WindowsRegistryKey: WindowsRegistryKeyAddInput,
                     $WindowsRegistryValueType: WindowsRegistryValueTypeAddInput,
-                    $X509V3ExtensionsType: X509V3ExtensionsTypeAddInput,
                     $CryptographicKey: CryptographicKeyAddInput,
                     $CryptocurrencyWallet: CryptocurrencyWalletAddInput,
                     $Hostname: HostnameAddInput
@@ -705,7 +686,6 @@ def create(self, **kwargs):
                         UserAccount: $UserAccount,
                         WindowsRegistryKey: $WindowsRegistryKey,
                         WindowsRegistryValueType: $WindowsRegistryValueType,
-                        X509V3ExtensionsType: $X509V3ExtensionsType,
                         CryptographicKey: $CryptographicKey,
                         CryptocurrencyWallet: $CryptocurrencyWallet,
                         Hostname: $Hostname,
@@ -1057,71 +1037,6 @@ def create(self, **kwargs):
                     if "data_type" in observable_data
                     else None,
                 }
-            elif type == "X509-V3-Extensions-Type":
-                input_variables["X509V3ExtensionsType"] = {
-                    "basic_constraints": observable_data["basic_constraints"]
-                    if "basic_constraints" in observable_data
-                    else None,
-                    "name_constraints": observable_data["name_constraints"]
-                    if "name_constraints" in observable_data
-                    else None,
-                    "policy_constraints": observable_data["policy_constraints"]
-                    if "policy_constraints" in observable_data
-                    else None,
-                    "key_usage": observable_data["key_usage"]
-                    if "key_usage" in observable_data
-                    else None,
-                    "extended_key_usage": observable_data["extended_key_usage"]
-                    if "extended_key_usage" in observable_data
-                    else None,
-                    "subject_key_identifier": observable_data["subject_key_identifier"]
-                    if "subject_key_identifier" in observable_data
-                    else None,
-                    "authority_key_identifier": observable_data[
-                        "authority_key_identifier"
-                    ]
-                    if "authority_key_identifier" in observable_data
-                    else None,
-                    "subject_alternative_name": observable_data[
-                        "subject_alternative_name"
-                    ]
-                    if "subject_alternative_name" in observable_data
-                    else None,
-                    "issuer_alternative_name": observable_data[
-                        "issuer_alternative_name"
-                    ]
-                    if "issuer_alternative_name" in observable_data
-                    else None,
-                    "subject_directory_attributes": observable_data[
-                        "subject_directory_attributes"
-                    ]
-                    if "subject_directory_attributes" in observable_data
-                    else None,
-                    "crl_distribution_points": observable_data[
-                        "crl_distribution_points"
-                    ]
-                    if "crl_distribution_points" in observable_data
-                    else None,
-                    "inhibit_any_policy": observable_data["inhibit_any_policy"]
-                    if "inhibit_any_policy" in observable_data
-                    else None,
-                    "private_key_usage_period_not_before": observable_data[
-                        "private_key_usage_period_not_before"
-                    ]
-                    if "private_key_usage_period_not_before" in observable_data
-                    else None,
-                    "private_key_usage_period_not_after": observable_data[
-                        "private_key_usage_period_not_after"
-                    ]
-                    if "private_key_usage_period_not_after" in observable_data
-                    else None,
-                    "certificate_policies": observable_data["certificate_policies"]
-                    if "certificate_policies" in observable_data
-                    else None,
-                    "policy_mappings": observable_data["policy_mappings"]
-                    if "policy_mappings" in observable_data
-                    else None,
-                }
             elif type == "Cryptographic-Key":
                 input_variables["CryptographicKey"] = {
                     "value": observable_data["value"]

pycti/utils/constants.py

@@ -25,7 +25,6 @@ class StixCyberObservableTypes(Enum):
     USER_ACCOUNT = "User-Account"
     WINDOWS_REGISTRY_KEY = "Windows-Registry-Key"
     WINDOWS_REGISTRY_VALUE_TYPE = "Windows-Registry-Value-Type"
-    X509_V3_EXTENSIONS_TYPE = "X509-V3-Extensions-Type"
     HOSTNAME = "Hostname"
     CRYPTOGRAPHIC_KEY = "Cryptographic-Key"
     CRYPTOCURRENCY_WALLET = "Cryptocurrency-Wallet"

pycti/utils/opencti_stix2_splitter.py

@@ -55,6 +55,8 @@ def split_bundle(self, bundle, use_json=True, event_version=None) -> list:
 
         if "objects" not in bundle_data:
             raise Exception("File data is not a valid bundle")
+        if "id" not in bundle_data:
+            bundle_data["id"] = "bundle--" + str(uuid.uuid4())
 
         raw_data = {}
         # Build flat list of elements
@@ -71,11 +73,19 @@ def by_dep_size(elem):
 
         self.elements.sort(key=by_dep_size)
         for entity in self.elements:
-            bundles.append(self.stix2_create_bundle([entity], use_json, event_version))
+            bundles.append(
+                self.stix2_create_bundle(
+                    bundle_data["id"],
+                    entity["nb_deps"],
+                    [entity],
+                    use_json,
+                    event_version,
+                )
+            )
         return bundles
 
     @staticmethod
-    def stix2_create_bundle(items, use_json, event_version=None):
+    def stix2_create_bundle(bundle_id, bundle_seq, items, use_json, event_version=None):
         """create a stix2 bundle with items
 
         :param items: valid stix2 items
@@ -88,8 +98,9 @@ def stix2_create_bundle(items, use_json, event_version=None):
 
         bundle = {
             "type": "bundle",
-            "id": "bundle--" + str(uuid.uuid4()),
+            "id": bundle_id,
             "spec_version": "2.1",
+            "x_opencti_seq": bundle_seq,
             "objects": items,
         }
         if event_version is not None:

tests/conftest.py

@@ -14,7 +14,7 @@
 def api_client():
     return OpenCTIApiClient(
         "https://demo.opencti.io",
-        "62c2bdf5-d3ae-4093-9d35-48e5b27a5b6f",
+        "7e663f91-d048-4a8b-bdfa-cdb55597942b",
         ssl_verify=True,
     )