OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

[Platform] Allow searching on defanged indicators #3142

Open MaxwellDPS opened 1 year ago

MaxwellDPS commented 1 year ago

Use case

With the UI search and Bulk search, it would be useful to search against example.com as well as example[.]com, as we may receive large amounts of defanged IOCs we would like to search for.

Current Workaround

Removing the brackets

Proposed Solution

Clean search input for common methods of defanging

Sample (likely overly simple) approach

def refang_indicator(self, indicator: str) -> str:
    """
    Makes those IOCs more spicy 🔥

    :indicator: The defanged indicator to refang
    Example `malwarz[.]co` -> `malwarz.co`
    """

    # Strip every square bracket and parenthesis from the input
    return indicator \
        .replace(']', '') \
        .replace('[', '') \
        .replace('(', '') \
        .replace(')', '')

Additional Information

N/A

If the feature request is approved, would you be willing to submit a PR?

Yep!

Thanks Y'all!

xorhex commented 7 months ago

Mimicking some or all the defang behavior seen here https://pypi.org/project/defang/ would be awesome!
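
An added example, not part of the issue thread or OpenCTI's code: a refang helper for search input that rewrites only recognised defang markers, shown next to the bracket-stripping approach from the issue for comparison. The rule set, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Each rule targets a defang marker itself rather than every bracket, so
# brackets that belong to the value (IPv6 literals in URLs) are left alone.
_RULES = [
    # hxxp:// , hXXps[://]  ->  http:// , https[://]
    (re.compile(r"\bhxxp(s?)(?=\[?:)", re.IGNORECASE), r"http\1"),
    # [://] and [:]  ->  :// and :
    (re.compile(r"\[(://|:)\]"), r"\1"),
    # [.] (.) {.} [dot] (dot)  ->  .
    (re.compile(r"[\[({]\s*(?:\.|dot)\s*[\])}]", re.IGNORECASE), "."),
    # [@] [at] (at)  ->  @
    (re.compile(r"[\[({]\s*(?:@|at)\s*[\])}]", re.IGNORECASE), "@"),
]


def naive_strip(indicator: str) -> str:
    """The approach sketched in the issue: drop all brackets and parentheses."""
    return indicator.translate(str.maketrans("", "", "[]()"))


def refang(indicator: str) -> str:
    """Rewrite known defang markers back to their original characters."""
    value = indicator.strip()
    for pattern, replacement in _RULES:
        value = pattern.sub(replacement, value)
    return value


def search_terms(raw: str) -> list[str]:
    """Bulk-search helper: one indicator per line, refanged, de-duplicated."""
    terms = (refang(line) for line in raw.splitlines())
    return list(dict.fromkeys(t for t in terms if t))


if __name__ == "__main__":
    # Constructed sample input (documentation domains and address ranges).
    samples = [
        "example[.]com",
        "hxxps[://]example[.]com/path",
        "evil[dot]example(.)com",
        "user[at]example[.]com",
        "hxxp://[2001:db8::1]/a",  # IPv6 literal: brackets must survive
    ]
    for s in samples:
        print(f"{s!r:34} refang={refang(s)!r:32} naive={naive_strip(s)!r}")
```

The last two samples show where stripping every bracket changes the indicator itself: `[dot]` becomes the literal text `dot`, and the IPv6 host loses the brackets that make the URL parseable.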