Dev 1.1.5 (#26)

* udpate to version 1.1.5

* #25

* #24

---------

Co-authored-by: Romain GUIGNARD <[email protected]>

Author: romain-filigran

README.md

@@ -18,10 +18,10 @@ The app is installed
 
 ### Installing from file
 
-1. Download latest version of the Splunk App: [TA-opencti-add-on-1.1.4.spl](https://github.com/OpenCTI-Platform/splunk-add-on/releases/download/1.1.4/TA-opencti-add-on-1.1.4.spl)
+1. Download latest version of the Splunk App: [TA-opencti-add-on-1.1.5.spl](https://github.com/OpenCTI-Platform/splunk-add-on/releases/download/1.1.5/TA-opencti-add-on-1.1.5.spl)
 2. Log in to the Splunk Web UI and navigate to "Apps" and click on "Manage Apps"
 3. Click "Install app from file"
-4. Choose file and select the "TA-opencti-add-on-1.1.4.spl" file
+4. Choose file and select the "TA-opencti-add-on-1.1.5.spl" file
 5. Click on Upload
 The app is installed
 

TA-opencti-add-on/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-opencti-add-on",
-      "version": "1.1.4"
+      "version": "1.1.5"
     },
     "author": [
       {

TA-opencti-add-on/appserver/static/js/build/globalConfig.json

@@ -2,7 +2,7 @@
     "meta": {
         "name": "TA-opencti-add-on",
         "displayName": "OpenCTI Add-on",
-        "version": "1.1.4",
+        "version": "1.1.5",
         "restRoot": "TA_opencti_add_on",
         "_uccVersion": "5.39.0",
         "schemaVersion": "0.0.3"

TA-opencti-add-on/appserver/static/openapi.json

@@ -2,7 +2,7 @@
     "openapi": "3.0.0",
     "info": {
         "title": "TA-opencti-add-on",
-        "version": "1.1.4",
+        "version": "1.1.5",
         "description": "OpenCTI Add-on",
         "contact": {
             "name": "Filigran"

TA-opencti-add-on/bin/ta_opencti_add_on/stix_converter.py

@@ -3,11 +3,12 @@
 
 from stix_constants import CustomObservableUserAgent, CustomObservableText, CustomObjectCaseIncident
 from utils import get_hash_type, is_ipv6, is_ipv4
+from utils import generate_incident_id, generate_identity_id, generate_relation_id, generate_case_incident_id
 
 
 def _get_stix_marking_id(value):
     if value == "tlp_clear":
-        return stix2.TLP_CLEAR
+        return stix2.TLP_WHITE
     if value == "tlp_green":
         return stix2.TLP_GREEN
     if value == "tlp_amber":
@@ -268,6 +269,7 @@ def convert_to_incident_response(alert_params, event):
 
     # manage author
     stix_author = stix2.Identity(
+        id=generate_identity_id(event.get("host", "Splunk"), "system"),
         name=event.get("host", "Splunk"),
         identity_class="system"
     )
@@ -296,6 +298,7 @@ def convert_to_incident_response(alert_params, event):
 
     # create incident response case
     stix_case_incident = CustomObjectCaseIncident(
+        id=generate_case_incident_id(alert_params.get("name"), event_date),
         name=alert_params.get("name"),
         description=alert_params.get("description"),
         severity=alert_params.get("severity"),
@@ -330,6 +333,7 @@ def convert_to_incident(alert_params, event):
 
     # manage author
     stix_author = stix2.Identity(
+        id=generate_identity_id(event.get("host", "Splunk"), "system"),
         name=event.get("host", "Splunk"),
         identity_class="system"
     )
@@ -341,21 +345,24 @@ def convert_to_incident(alert_params, event):
         observables = _extract_observables_from_cim_model(
             event=event,
             marking=marking_id,
-            creator=stix_author)
+            creator=stix_author
+        )
         for observable in observables:
             bundle_objects.append(observable)
             observable_ref_ids.append(observable.id)
     if alert_params.get("observables_extraction") == "field_mapping":
         observables = _extract_observables_from_key_model(
             event=event,
             marking=marking_id,
-            creator=stix_author)
+            creator=stix_author
+        )
         for observable in observables:
             bundle_objects.append(observable)
             observable_ref_ids.append(observable.id)
 
     # create incident
     stix_incident = stix2.Incident(
+        id=generate_incident_id(alert_params.get("name"), event_date),
         name=alert_params.get("name"),
         created=event_date,
         description=alert_params.get("description"),
@@ -375,6 +382,8 @@ def convert_to_incident(alert_params, event):
 
     for observable_id in observable_ref_ids:
         stix_relation_account = stix2.Relationship(
+            id=generate_relation_id(
+                "related-to", observable_id, stix_incident.id),
             relationship_type="related-to",
             source_ref=observable_id,
             target_ref=stix_incident.id,

TA-opencti-add-on/bin/ta_opencti_add_on/utils.py

@@ -1,5 +1,9 @@
+import datetime
 import ipaddress
 import re
+import uuid
+
+from stix2.canonicalization.Canonicalize import canonicalize
 
 regex_sha512 = r"[0-9a-fA-F]{128}"
 regex_sha256 = r"[0-9a-fA-F]{64}"
@@ -53,3 +57,61 @@ def get_hash_type(value):
         return "md5"
     else:
         return None
+
+def generate_identity_id(name, identity_class):
+    data = {"name": name.lower().strip(), "identity_class": identity_class.lower()}
+    data = canonicalize(data, utf8=False)
+    id = str(uuid.uuid5(uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7"), data))
+    return "identity--" + id
+
+def generate_incident_id(name, created):
+    name = name.lower().strip()
+    if isinstance(created, datetime.datetime):
+        created = created.isoformat()
+    data = {"name": name, "created": created}
+    data = canonicalize(data, utf8=False)
+    id = str(uuid.uuid5(uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7"), data))
+    return "incident--" + id
+
+
+def generate_case_incident_id(name, created):
+    name = name.lower().strip()
+    if isinstance(created, datetime.datetime):
+        created = created.isoformat()
+    data = {"name": name, "created": created}
+    data = canonicalize(data, utf8=False)
+    id = str(uuid.uuid5(uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7"), data))
+    return "case-incident--" + id
+
+def generate_relation_id(
+        relationship_type, source_ref, target_ref, start_time=None, stop_time=None
+):
+    if isinstance(start_time, datetime.datetime):
+        start_time = start_time.isoformat()
+    if isinstance(stop_time, datetime.datetime):
+        stop_time = stop_time.isoformat()
+
+    if start_time is not None and stop_time is not None:
+        data = {
+            "relationship_type": relationship_type,
+            "source_ref": source_ref,
+            "target_ref": target_ref,
+            "start_time": start_time,
+            "stop_time": stop_time,
+        }
+    elif start_time is not None:
+        data = {
+            "relationship_type": relationship_type,
+            "source_ref": source_ref,
+            "target_ref": target_ref,
+            "start_time": start_time,
+        }
+    else:
+        data = {
+            "relationship_type": relationship_type,
+            "source_ref": source_ref,
+            "target_ref": target_ref,
+        }
+    data = canonicalize(data, utf8=False)
+    id = str(uuid.uuid5(uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7"), data))
+    return "relationship--" + id

TA-opencti-add-on/default/app.conf

@@ -7,7 +7,7 @@ build = 1
 
 [launcher]
 author = Filigran
-version = 1.1.4
+version = 1.1.5
 description = Add-on for OpenCTI
 
 [ui]