[Bug] Cortex Analyzer OpenCTI #919

Open
V1D1AN opened this issue Dec 21, 2020 · 9 comments

@V1D1AN

V1D1AN commented Dec 21, 2020

Describe the bug
I have an error with OpenCTI v4 and the cortex analyzer.

The version of pycti is 4.0.3

I have the error :

Traceback (most recent call last):
  File "/opt/Cortex-Analyzers/analyzers/OpenCTI/opencti.py", line 119, in <module>
    OpenCTIAnalyzer().run()
  File "/opt/Cortex-Analyzers/analyzers/OpenCTI/opencti.py", line 74, in run
    observable = opencti["api_client"].stix_observable.read(
AttributeError: 'OpenCTIApiClient' object has no attribute 'stix_observable'

Work environment

  • Client OS: W10
  • Server OS: CentOS 7 with docker
  • Cortex version: 3.0.1-1
  • Cortex Analyzer/Responder name: OpenCTI
  • Cortex Analyzer/Responder version: V1
@dadokkio
Contributor

Since the new release of OpenCTI the syntax has changed a bit.
I tried to fix it by changing from:

observable = opencti["api_client"].stix_observable.read(
    filters=[{"key": "observable_value", "values": [data]}]
)
[..]
reports = opencti["api_client"].report.list(
    filters=[{"key": "observablesContains", "values": [observable["id"]],}]
)

to:

observable = opencti["api_client"].stix_cyber_observable.read(
    filters=[{"key": "observable_value", "values": [data]}]
)
[..]
reports = opencti["api_client"].report.list(
    filters=[{"key": "objectContains", "values": [observable["id"]],}]
)

but the first query is not returning any result.
Probably @amr-cossi can give me some hint?

@V1D1AN
Author

V1D1AN commented Dec 21, 2020

Yes, I agree with you, I don't have any results.

@amr-cossi
Contributor

Hi,
The field "observable_value" can't be used for searches across all types of observables in v4 and it will be removed from filters in the API to avoid further confusion.

I have modified the analyzer to bring compatibility with v4 and took the occasion to change the logic a bit. There are now 2 flavors, one to search exactly for an observable and another one to do a full-text search of an observable (e.g. get URLs when you search for a domain name).

As with the first version, I have provided TheHive templates which haven't been tested. If someone wants to have a look at them on a TheHive test instance before the merge it would be nice.
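The two flavors described above, as an added example rather than the analyzer's own code: the v4 `stix_cyber_observable` attribute and the `objectContains` report filter key are taken from this thread, the `search=` keyword on `list()` is an assumption, and pycti is replaced by an in-memory stub so the snippet runs offline. A lookup that finds nothing returns a clean miss instead of indexing `None` (the failure that follows an empty first query).

```python
class StubObservables:
    def __init__(self, rows):
        self.rows = rows  # constructed sample observables

    def read(self, filters):
        # exact flavor: match the single filter value
        wanted = filters[0]["values"][0]
        return next((r for r in self.rows if r["observable_value"] == wanted), None)

    def list(self, search):
        # full-text flavor: substring match, so a domain also returns URLs containing it
        return [r for r in self.rows if search in r["observable_value"]]


class StubReports:
    def __init__(self, rows):
        self.rows = rows

    def list(self, filters):
        assert filters[0]["key"] == "objectContains"  # v4 key, replaces observablesContains
        ids = set(filters[0]["values"])
        return [r for r in self.rows if ids & set(r["object_ids"])]


class StubClient:
    """Stand-in for pycti's OpenCTIApiClient (only the two attributes used here)."""
    def __init__(self, observables, reports):
        self.stix_cyber_observable = StubObservables(observables)
        self.report = StubReports(reports)


def lookup(client, data, flavor):
    """Return a result dict; a miss yields found=False instead of indexing None."""
    if flavor == "exact":
        obs = client.stix_cyber_observable.read(
            filters=[{"key": "observable_value", "values": [data]}])
        observables = [obs] if obs else []
    else:  # "fulltext"; the search= keyword is assumed, not confirmed by the thread
        observables = client.stix_cyber_observable.list(search=data)
    if not observables:
        return {"found": False, "observables": [], "reports": []}
    reports = client.report.list(
        filters=[{"key": "objectContains", "values": [o["id"] for o in observables]}])
    return {"found": True, "observables": observables, "reports": reports}


# constructed sample data: one domain, one URL under it, one report citing the URL
CLIENT = StubClient(
    [{"id": "obs-1", "observable_value": "example.com"},
     {"id": "obs-2", "observable_value": "http://example.com/login"}],
    [{"id": "rep-1", "name": "Campaign X", "object_ids": ["obs-2"]}],
)
```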

@dadokkio
Contributor

Thanks for the fix. I've just finished testing and everything works fine.
Some notes:

  • the Cortex docker image has six 1.12.0, and installing requirements didn't update six, so the analyzer doesn't work. Probably adding six > 1.13 as a requirement could help.
  • you can use this update to add logo and subscription info as described here
  • I was not able to test the new analyzer with v3 yet, but since you didn't remove the JSON and template I imagine that still works, right?

@amr-cossi
Contributor

  • I have added a requirement for six. I do have an updated version of six on my test platform which must have been set up by another analyzer.
  • I have added a logo and the info regarding subscriptions. It is not entirely clear what values are correct as OpenCTI is not a centralized service but is deployed by users.
  • I confirm that this new version doesn't work with OpenCTI v3. As this version will not be supported further, I didn't put in a new parameter to say whether each OpenCTI instance queried is in v3 or v4 and adapt the code to be able to query both. But I have changed the flavors' versions (and names) and left the 1_0 TheHive template for users who don't want to upgrade the analyzer just yet. It may be more coherent to either remove the template or keep the v1 JSON flavor. What do you think?

@dadokkio
Contributor

dadokkio commented Jan 21, 2021

At the moment we install v4 pycti and execute v3 code.. so, even to just keep supporting v3, we should have pinned pycti to an older release.
So I believe that whoever is still using v3 hasn't been updating libs for a while 😄

Probably the easiest solution is to just move all to v4. Keeping the old templates and old JSON could be misleading.

The only problem I can imagine is if someone is using OpenCTI v3 and dockerized analyzer images, because in this case the analyzer image will be updated automagically.

@dadokkio
Contributor

Going to merge into develop, last question. There is an old open issue regarding proxy support #814 and @garanews did a commit trying to fix it. Can we now take the proxy from config and use it as an api constructor parameter?

@amr-cossi
Contributor

Nice catch.
I have copied what was done in the MISP analyzer to add the proxies set up from the parent analyzer config.

@amr-cossi
Contributor

Thank you @dadokkio !
