mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-10-23 08:12:16 +00:00
Merge pull request #16 from protocolpaladin/main
Update custom-opencti.py
This commit is contained in:
taylor_socfortress
GitHub
@@ -44,7 +44,7 @@ opencti_base_url = "http://your_opencti_instance/graphql"
|
||||
# OpenCTI Server API AUTH KEY
|
||||
opencti_api_auth_key = "Bearer your_opencti_token"
|
||||
# API - HTTP Headers
|
||||
opencti_apicall_headers = {"Content-Type":"application/json", "Authorization":f"{opencti_api_auth_key}", "Accept":"*/*"}
|
||||
opencti_apicall_headers = {"Content-Type":"application/json", "Authorization":f"Bearer {opencti_api_auth_key}", "Accept":"*/*"}
|
||||
## Extract Sysmon for Windows/Sysmon for Linux and Sysmon Event ID
|
||||
event_source = alert["rule"]["groups"][0]
|
||||
event_type = alert["rule"]["groups"][2]
|
||||
@@ -111,7 +111,7 @@ if event_source == 'windows':
|
||||
sys.exit()
|
||||
else:
|
||||
sys.exit()
|
||||
api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n algorithm\n hash\n} \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n algorithm\n hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509V3ExtensionsType {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on XOpenCTICryptographicKey {\nvalue\n}\n... on XOpenCTICryptocurrencyWallet {\nvalue\n}\n... on XOpenCTIHostname {\nvalue\n}\n... on XOpenCTIText {\nvalue\n}\n... on XOpenCTIUserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
|
||||
api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n algorithm\n hash\n} \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n algorithm\n hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509Certificate {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on CryptographicKey {\nvalue\n}\n... on CryptocurrencyWallet {\nvalue\n}\n... on Hostname {\nvalue\n}\n... on Text {\nvalue\n}\n... on UserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
|
||||
try:
|
||||
opencti_api_response = requests.post(opencti_base_url, headers=opencti_apicall_headers,json=api_json_body)
|
||||
except ConnectionError:
|
||||
@@ -137,7 +137,7 @@ elif event_source == 'linux':
|
||||
dst_ip = alert["data"]["eventdata"]["DestinationIp"]
|
||||
if ipaddress.ip_address(dst_ip).is_global:
|
||||
wazuh_event_param = dst_ip
|
||||
api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n algorithm\n hash\n} \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n algorithm\n hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509V3ExtensionsType {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on XOpenCTICryptographicKey {\nvalue\n}\n... on XOpenCTICryptocurrencyWallet {\nvalue\n}\n... on XOpenCTIHostname {\nvalue\n}\n... on XOpenCTIText {\nvalue\n}\n... on XOpenCTIUserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
|
||||
api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n algorithm\n hash\n} \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n algorithm\n hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509Certificate {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on CryptographicKey {\nvalue\n}\n... on CryptocurrencyWallet {\nvalue\n}\n... on Hostname {\nvalue\n}\n... on Text {\nvalue\n}\n... on UserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
|
||||
try:
|
||||
opencti_api_response = requests.post(opencti_base_url, headers=opencti_apicall_headers,json=api_json_body)
|
||||
except ConnectionError:
|
||||
@@ -169,7 +169,7 @@ elif event_source == 'ossec' and event_type == "syscheck_entry_added":
|
||||
opencti_key_valyue_type="hashes_SHA256"
|
||||
except IndexError:
|
||||
sys.exit()
|
||||
api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n algorithm\n hash\n} \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n algorithm\n hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509V3ExtensionsType {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on XOpenCTICryptographicKey {\nvalue\n}\n... on XOpenCTICryptocurrencyWallet {\nvalue\n}\n... on XOpenCTIHostname {\nvalue\n}\n... on XOpenCTIText {\nvalue\n}\n... on XOpenCTIUserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
|
||||
api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n algorithm\n hash\n} \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n algorithm\n hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509Certificate {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on CryptographicKey {\nvalue\n}\n... on CryptocurrencyWallet {\nvalue\n}\n... on Hostname {\nvalue\n}\n... on Text {\nvalue\n}\n... on UserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
|
||||
try:
|
||||
opencti_api_response = requests.post(opencti_base_url, headers=opencti_apicall_headers,json=api_json_body)
|
||||
except ConnectionError:
|
||||
|
||||
Reference in New Issue
Block a user