Closed r0mingo closed 5 years ago
I believe the issue is due to a relationship not existing between the Report and the indicators in the STIX bundle. I've had similar issues. I don't see the Report SDO in the JSON file above. Each of the objects, including the relationships, needs to be added to the object_refs variable of the Report object. An example snippet of what I've used is below. The object_refs is a Python list that contains all the objects (indicators, threat actor, relationships).
```python
from stix2 import Report

# report_refs holds the ids of every indicator, threat actor and
# relationship that should be attached to the report.
report = Report(
    name=report_name,
    description=report_description,
    published=report_created,
    created_by_ref=author,
    object_marking_refs=attribute_marking,
    labels=['threat-report'],
    object_refs=report_refs,
    external_references=report_references,
    custom_properties={
        "x_opencti_report_class": "external"
    }
)
```
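A small check for the situation described in this comment, as an added example rather than code from OpenCTI or from the commenter: it walks a STIX 2 bundle, lists every SDO/SRO whose id is absent from the Report's object_refs (those are the objects an import will not attach to the report), and builds a corrected bundle. The sample bundle and its ids are constructed for the example.

```python
"""Find objects in a STIX 2 bundle that no Report's object_refs mentions.

Added example, not OpenCTI code. The sample bundle below is constructed:
a report, an indicator, a threat actor and the relationship between them,
with the relationship id deliberately left out of object_refs.
"""
import json

# Types that are referenced through created_by_ref / object_marking_refs
# rather than through a Report's object_refs, so they are not flagged.
CONTEXT_TYPES = {"identity", "marking-definition", "report", "bundle"}

IDENTITY_ID = "identity--00000000-0000-4000-8000-000000000002"
INDICATOR_ID = "indicator--00000000-0000-4000-8000-000000000003"
ACTOR_ID = "threat-actor--00000000-0000-4000-8000-000000000004"
RELATIONSHIP_ID = "relationship--00000000-0000-4000-8000-000000000005"
REPORT_ID = "report--00000000-0000-4000-8000-000000000006"


def find_unreferenced(bundle):
    """Return sorted ids of SDOs/SROs that no Report in `bundle` references."""
    objects = bundle.get("objects", [])
    referenced = set()
    for obj in objects:
        if obj.get("type") == "report":
            referenced.update(obj.get("object_refs", []))
    return sorted(
        obj["id"]
        for obj in objects
        if obj.get("type") not in CONTEXT_TYPES and obj["id"] not in referenced
    )


def attach_to_report(bundle, report_id):
    """Return a deep copy of `bundle` whose Report lists every SDO and SRO.

    Existing object_refs keep their order; missing ids are appended.
    """
    fixed = json.loads(json.dumps(bundle))
    wanted = [o["id"] for o in fixed["objects"] if o.get("type") not in CONTEXT_TYPES]
    for obj in fixed["objects"]:
        if obj.get("id") == report_id:
            refs = list(obj.get("object_refs", []))
            obj["object_refs"] = refs + [i for i in wanted if i not in refs]
    return fixed


# Constructed sample bundle (ids above are placeholders, not real data).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "identity", "id": IDENTITY_ID, "name": "Example Org",
         "identity_class": "organization"},
        {"type": "indicator", "id": INDICATOR_ID, "name": "Sample domain",
         "pattern": "[domain-name:value = 'example.invalid']",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z"},
        {"type": "threat-actor", "id": ACTOR_ID, "name": "Example Actor",
         "labels": ["unknown"]},
        {"type": "relationship", "id": RELATIONSHIP_ID,
         "relationship_type": "indicates",
         "source_ref": INDICATOR_ID, "target_ref": ACTOR_ID},
        {"type": "report", "id": REPORT_ID, "name": "Example report",
         "labels": ["threat-report"], "published": "2020-01-01T00:00:00Z",
         "created_by_ref": IDENTITY_ID,
         # The relationship is missing here, so it would not be attached.
         "object_refs": [INDICATOR_ID, ACTOR_ID]},
    ],
}

if __name__ == "__main__":
    print("not referenced by any report:", find_unreferenced(SAMPLE_BUNDLE))
    repaired = attach_to_report(SAMPLE_BUNDLE, REPORT_ID)
    print("after repair:", find_unreferenced(repaired))
```

Running `find_unreferenced` on a bundle before pushing it to OpenCTI is a cheap way to confirm that every indicator and relationship will land in the report rather than floating unattached.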
I didn't know that it needed a relationship between report and indicators, it works now, thank you 👍
@r0mingo: this issue is linked to a Python client issue.
This piece of code, in opencti_stix2.py:
```python
def create_indicator(self, stix_object, update=False):
    if 'x_opencti_observable_type' in stix_object and 'x_opencti_observable_value' in stix_object:
        return self.opencti.create_stix_observable_if_not_exists(
            stix_object['x_opencti_observable_type'],
            stix_object['x_opencti_observable_value'],
            self.convert_markdown(stix_object['description']) if 'description' in stix_object else '',
            stix_object['x_opencti_id'] if 'x_opencti_id' in stix_object else None,
            stix_object['id'] if 'id' in stix_object else None,
            stix_object['created'] if 'created' in stix_object else None,
            stix_object['modified'] if 'modified' in stix_object else None,
        )
    # TODO: Implement extraction of observables from STIX2 patterns
    return None
```
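The TODO in that snippet is the step that turns an indicator's `pattern` into observables. As an added example (not OpenCTI's code and not how the client eventually implemented it), here is a minimal extractor for the common case: equality comparisons joined by AND/OR inside one observation expression. It returns STIX object type and property path with the value; mapping those onto OpenCTI's own observable type names is left to the caller, and MATCHES/LIKE, set membership and temporal qualifiers are deliberately not handled.

```python
"""Extract (type:path, value) pairs from simple STIX 2 indicator patterns.

Added example, not OpenCTI code. Handles patterns such as
    [file:hashes.'SHA-256' = '<hex>' OR file:name = 'a.exe']
Comparisons using != are skipped because they do not name an observable.
"""
import re

# One comparison: <object-type>:<property path> = '<single-quoted value>'.
# The path may contain dots and quoted keys like hashes.'SHA-256'.
COMPARISON_RE = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<path>[A-Za-z0-9_\-.']+)"
    r"\s*(?P<op>=|!=)\s*"
    r"'(?P<value>(?:[^'\\]|\\.)*)'"
)


def _unescape(value):
    """Undo STIX string escaping: \\' -> ' and \\\\ -> \\."""
    return value.replace("\\'", "'").replace("\\\\", "\\")


def extract_observables(pattern):
    """Return a list of (observable_type, value) tuples found in `pattern`.

    observable_type is "<stix type>:<path>" with quotes stripped from the
    path, e.g. "file:hashes.SHA-256" or "ipv4-addr:value". Order follows
    the order of appearance in the pattern.
    """
    results = []
    for m in COMPARISON_RE.finditer(pattern):
        if m.group("op") != "=":
            continue
        path = m.group("path").replace("'", "")
        results.append((f"{m.group('type')}:{path}", _unescape(m.group("value"))))
    return results


if __name__ == "__main__":
    # Constructed sample patterns; the hash value is a placeholder.
    for p in [
        "[domain-name:value = 'example.invalid']",
        "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000' OR file:name = 'a.exe']",
        "[ipv4-addr:value != '10.0.0.1']",
    ]:
        print(p, "->", extract_observables(p))
```

A caller filling in the TODO would loop over the returned pairs, translate each `type:path` into the observable type the platform expects, and create one observable per value alongside the indicator.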
Description
I tried to import the JSON/STIX2 file sample below and I don't see observables in the web GUI. I tried via the web GUI and via the Python client.
Environment
Expected Output
See something in observables.
Actual Output
I see reports, entities etc but not observables.
These are the Docker logs in the terminal: