From 8438700b7e93568eee1788a7c3e095fb2ede4f22 Mon Sep 17 00:00:00 2001 From: Jeremy Cloarec Date: Wed, 4 Jun 2025 18:10:05 +0200 Subject: [PATCH 1/4] [client] handle delete operation depending on type --- pycti/utils/opencti_stix2.py | 14 +++++++-- pycti/utils/opencti_stix2_utils.py | 48 ++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 2 deletions(-) diff --git a/pycti/utils/opencti_stix2.py b/pycti/utils/opencti_stix2.py index d46333420..dbdfc341f 100644 --- a/pycti/utils/opencti_stix2.py +++ b/pycti/utils/opencti_stix2.py @@ -31,6 +31,8 @@ OBSERVABLES_VALUE_INT, STIX_CYBER_OBSERVABLE_MAPPING, STIX_OBJECTS, + STIX_META_OBJECTS, + STIX_CORE_OBJECTS, ) datefinder.ValueError = ValueError, OverflowError @@ -2542,9 +2544,17 @@ def organization_unshare(self, item): def element_operation_delete(self, item, operation): # If data is stix, just use the generic stix function for deletion - if item["type"] in STIX_OBJECTS: - force_delete = operation == "delete_force" + force_delete = operation == "delete_force" + if item["type"] == "relationship": + self.opencti.stix_core_relationship.delete(id=item["id"]) + elif item["type"] == "sighting": + self.opencti.stix_sighting_relationship.delete(id=item["id"]) + elif item["type"] in STIX_META_OBJECTS: self.opencti.stix.delete(id=item["id"], force_delete=force_delete) + elif item["type"] in list(STIX_CYBER_OBSERVABLE_MAPPING.keys()): + self.opencti.stix_cyber_observable.delete(id=item["id"]) + elif item["type"] in STIX_CORE_OBJECTS: + self.opencti.stix_core_object.delete(id=item["id"]) else: # Element is not knowledge we need to use the right api stix_helper = self.get_internal_helper().get(item["type"]) diff --git a/pycti/utils/opencti_stix2_utils.py b/pycti/utils/opencti_stix2_utils.py index 32e56e346..4798cfdd6 100644 --- a/pycti/utils/opencti_stix2_utils.py +++ b/pycti/utils/opencti_stix2_utils.py @@ -17,6 +17,54 @@ "publicdashboard", ] +STIX_META_OBJECTS = [ + "label", + "vocabulary", + "kill-chain-phase", +] + +STIX_CORE_OBJECTS = [ + "attack-pattern", + "campaign", + "case-incident", + "x-opencti-case-incident", + "case-rfi", + "x-opencti-case-rfi", + "case-rft", + "x-opencti-case-rft", + "channel", + "course-of-action", + "data-component", + "x-mitre-data-component", + "data-source", + "x-mitre-data-source", + "event", + "external-reference", + "feedback", + "x-opencti-feedback", + "grouping", + "identity", + "incident", + "indicator", + "infrastructure", + "intrusion-set", + "language", + "location", + "malware", + "malware-analysis", + "marking-definition", + "narrative", + "note", + "observed-data", + "opinion", + "report", + "task", + "x-opencti-task", + "threat-actor", + "tool", + "vulnerability", +] + SUPPORTED_STIX_ENTITY_OBJECTS = [ "attack-pattern", "campaign", From 86a5d61a2af5339af183efff73c7d9d574402585 Mon Sep 17 00:00:00 2001 From: Jeremy Cloarec Date: Wed, 4 Jun 2025 18:11:49 +0200 Subject: [PATCH 2/4] [client] fix --- pycti/utils/opencti_stix2.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pycti/utils/opencti_stix2.py b/pycti/utils/opencti_stix2.py index dbdfc341f..9b9768ec7 100644 --- a/pycti/utils/opencti_stix2.py +++ b/pycti/utils/opencti_stix2.py @@ -2562,7 +2562,7 @@ def element_operation_delete(self, item, operation): stix_helper.delete(id=item["id"]) else: raise ValueError( - "Delete operation or no stix helper", {"type": item["type"]} + "Delete operation or not found stix helper", {"type": item["type"]} ) def apply_opencti_operation(self, item, operation): From 9d5e3901ac237549960cc2af22d5dfbeff597f6e Mon Sep 17 00:00:00 2001 From: Jeremy Cloarec Date: Wed, 4 Jun 2025 18:14:21 +0200 Subject: [PATCH 3/4] [client] fix --- pycti/utils/opencti_stix2.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pycti/utils/opencti_stix2.py b/pycti/utils/opencti_stix2.py index 9b9768ec7..7ae903dfe 100644 --- a/pycti/utils/opencti_stix2.py +++ b/pycti/utils/opencti_stix2.py @@ -29,10 +29,9 @@ from pycti.utils.opencti_stix2_update import OpenCTIStix2Update from pycti.utils.opencti_stix2_utils import ( OBSERVABLES_VALUE_INT, + STIX_CORE_OBJECTS, STIX_CYBER_OBSERVABLE_MAPPING, - STIX_OBJECTS, STIX_META_OBJECTS, - STIX_CORE_OBJECTS, ) datefinder.ValueError = ValueError, OverflowError From 05231790dd22f39bc8e5d1899235069a3edeb41a Mon Sep 17 00:00:00 2001 From: Jeremy Cloarec Date: Thu, 5 Jun 2025 17:54:28 +0200 Subject: [PATCH 4/4] [client] refactor SUPPORTED_STIX_ENTITY_OBJECTS --- pycti/utils/opencti_stix2_utils.py | 45 +----------------------------- 1 file changed, 1 insertion(+), 44 deletions(-) diff --git a/pycti/utils/opencti_stix2_utils.py b/pycti/utils/opencti_stix2_utils.py index 4798cfdd6..c45a5ea08 100644 --- a/pycti/utils/opencti_stix2_utils.py +++ b/pycti/utils/opencti_stix2_utils.py @@ -65,50 +65,7 @@ "vulnerability", ] -SUPPORTED_STIX_ENTITY_OBJECTS = [ - "attack-pattern", - "campaign", - "case-incident", - "x-opencti-case-incident", - "case-rfi", - "x-opencti-case-rfi", - "case-rft", - "x-opencti-case-rft", - "channel", - "course-of-action", - "data-component", - "x-mitre-data-component", - "data-source", - "x-mitre-data-source", - "event", - "external-reference", - "feedback", - "x-opencti-feedback", - "grouping", - "identity", - "incident", - "indicator", - "infrastructure", - "intrusion-set", - "kill-chain-phase", - "label", - "language", - "location", - "malware", - "malware-analysis", - "marking-definition", - "narrative", - "note", - "observed-data", - "opinion", - "report", - "task", - "x-opencti-task", - "threat-actor", - "tool", - "vocabulary", - "vulnerability", -] +SUPPORTED_STIX_ENTITY_OBJECTS = STIX_META_OBJECTS + STIX_CORE_OBJECTS STIX_CYBER_OBSERVABLE_MAPPING = { "autonomous-system": "Autonomous-System",