-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathexample_entity_creation_test.go
More file actions
146 lines (123 loc) · 4.47 KB
/
example_entity_creation_test.go
File metadata and controls
146 lines (123 loc) · 4.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
// package main_test contains examples of GoCTI usage.
//
// This example shows the basic functionality and usage principles of GoCTI.
package main_test
import (
"context"
"fmt"
"log/slog"
"os"
"github.com/kelseyhightower/envconfig"
"github.com/weisshorn-cyd/gocti"
"github.com/weisshorn-cyd/gocti/entity"
)
func Example_entityCreation() {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelError}))
// Get config from env
cfg := struct {
URL string `envconfig:"URL" required:"true"`
Token string `envconfig:"TOKEN" required:"true"`
}{}
if err := envconfig.Process("OPENCTI", &cfg); err != nil {
logger.Error("loading config", "error", err)
os.Exit(1)
}
// Create client
client, err := gocti.NewOpenCTIAPIClient(
cfg.URL,
cfg.Token,
gocti.WithHealthCheck(),
gocti.WithLogger(logger),
)
if err != nil {
logger.Error("creating client", "error", err)
os.Exit(1)
}
ctx := context.Background()
// Create a malware entity
// The customAttributes function parameter is the empty string because we
// are not interested in customizing which attributes of entity.Malware
// should be set. The empty string means that the default attributes will be set.
malware, err := client.CreateMalware(ctx, "", entity.MalwareAddInput{
Name: "Example Malware",
Description: "An example of a very malicious malware.",
})
if err != nil {
logger.Error("creating malware", "error", err)
}
// Since this is an example, we clean up after ourselves
defer func() {
if _, err := client.DeleteMalware(ctx, malware.ID); err != nil {
logger.Error("deleting", "malware", malware, "error", err)
}
}()
fmt.Printf("We created a malware named: '%s'\n", malware.Name)
// List all malwares
// We want only the ID to be returned; we override the default properties by using the customAttributes field
// There are few entites in our platform; we can specify that we want all values returned instead of using pagination.
// We do not require an options argument (such as filters, etc)
malwares, err := client.ListMalwares(ctx, "id, name", true, nil)
if err != nil {
logger.Error("listing malwares", "error", err)
}
found := false
for _, malware := range malwares {
if malware.Name == "Example Malware" {
found = true
}
}
if found {
fmt.Println("We found our example malware.")
} else {
fmt.Println("We didn't find our example malware.")
}
// Create an instrusion set
intrusionSet, err := client.CreateIntrusionSet(ctx, "", entity.IntrusionSetAddInput{
Name: "Example Intrusion Set",
})
if err != nil {
logger.Error("creating intrusion set", "error", err)
}
defer func() {
if _, err := client.DeleteIntrusionSet(ctx, intrusionSet.ID); err != nil {
logger.Error("deleting", "intrusion set", intrusionSet, "error", err)
}
}()
fmt.Printf("We created an intrusion set named: '%s'\n", intrusionSet.Name)
// Mark the intrusion set as using the example malware by creating the
// required relationship between the two entities
_, err = client.CreateStixCoreRelationship(ctx, "", entity.StixCoreRelationshipAddInput{
FromID: intrusionSet.ID,
ToID: malware.ID,
RelationshipType: "uses",
})
if err != nil {
logger.Error("creating relationship", "error", err)
}
// Update the existing intrusion set
// Reuse the key fields to force the update
//
// Note: An actual update function will be added in a future release of GoCTI
updatedIntrusionSet, err := client.CreateIntrusionSet(ctx, "", entity.IntrusionSetAddInput{
Name: intrusionSet.Name, // Required field
Description: "I have been updated.", // An updated description
})
if err != nil {
logger.Error("updating intrusion set", "error", err)
}
fmt.Printf("The updated intrusion set has description: '%s'\n", updatedIntrusionSet.Description)
// If the ID is known, entities can be read directly
// Since we do not provide values for customAttributes, all the fields
// contained in the default attributes will be set.
intrusionSet, err = client.ReadIntrusionSet(ctx, "", intrusionSet.ID)
if err != nil {
logger.Error("reading intrusion set", "error", err)
}
fmt.Printf("Intrusion set has description: '%s'\n", intrusionSet.Description)
// Output:
// We created a malware named: 'Example Malware'
// We found our example malware.
// We created an intrusion set named: 'Example Intrusion Set'
// The updated intrusion set has description: 'I have been updated.'
// Intrusion set has description: 'I have been updated.'
}