
Schema definition named [hashes] is missing mapping for attribute [SHA256] - OpenCTI & Wazuh integration #9460

Open
3 tasks done
igniter07 opened this issue Dec 25, 2024 · 2 comments
Labels
question Further information is requested

Comments

@igniter07

Prerequisites

  • I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
  • I went through old GitHub issues and couldn't find anything relevant
  • I googled the issue and didn't find anything relevant

Description

We have this Python script that is a custom Wazuh integration with OpenCTI. When a new file is created in a monitored location in Wazuh, Wazuh will use this script to query OpenCTI about this file's hash and create a new alert if the file exists (the script also works with IPs and domains, but we are interested now in the file hashes).

The original script repo is this: https://github.com/misje/wazuh-opencti

But we modified the query to look a little bit like this:

```python
api_json_body = {
    'query': '''
        fragment Labels on StixCoreObject {
          objectLabel {
            value
          }
        }

        fragment Object on StixCoreObject {
          id
          type: entity_type
          created_at
          updated_at
          createdBy {
            ... on Identity {
              id
              standard_id
              identity_class
              name
            }
            ... on Organization {
              x_opencti_organization_type
              x_opencti_reliability
            }
            ... on Individual {
              x_opencti_firstname
              x_opencti_lastname
            }
          }
          ...Labels
          externalReferences {
            edges {
              node {
                url
              }
            }
          }
        }

        fragment IndShort on Indicator {
          id
          name
          valid_until
          revoked
          confidence
          x_opencti_score
          x_opencti_detection
          indicator_types
          x_mitre_platforms
          pattern_type
          pattern
          ...Labels
          killChainPhases {
            kill_chain_name
          }
        }

        fragment IndLong on Indicator {
          ...Object
          ...IndShort
        }

        fragment Indicators on StixCyberObservable {
          indicators {
            edges {
              node {
                ...IndShort
              }
            }
          }
        }

        fragment PageInfo on PageInfo {
          startCursor
          endCursor
          hasNextPage
          hasPreviousPage
          globalCount
        }

        fragment NameRelation on StixObjectOrStixRelationshipOrCreator {
          ... on DomainName {
            id
            value
            ...Indicators
          }
          ... on Hostname {
            id
            value
            ...Indicators
          }
        }

        fragment AddrRelation on StixObjectOrStixRelationshipOrCreator {
          ... on IPv4Addr {
            id
            value
            ...Indicators
          }
          ... on IPv6Addr {
            id
            value
            ...Indicators
          }
        }

        query IoCs($obs: FilterGroup, $ind: FilterGroup) {
          indicators(filters: $ind, first: 10) {
            edges {
              node {
                ...IndLong
              }
            }
            pageInfo {
              ...PageInfo
            }
          }
          stixCyberObservables(filters: $obs, first: 10) {
            edges {
              node {
                ...Object
                observable_value
                x_opencti_description
                x_opencti_score
                ...Indicators
                ... on DomainName {
                  value
                  stixCoreRelationships(
                    toTypes: ["IPv4-Addr", "IPv6-Addr", "Domain-Name", "Hostname"]
                  ) {
                    edges {
                      node {
                        type: toType
                        relationship_type
                        related: to {
                          ...AddrRelation
                          ...NameRelation
                        }
                      }
                    }
                  }
                }
                ... on Hostname {
                  value
                  stixCoreRelationships(
                    toTypes: ["IPv4-Addr", "IPv6-Addr", "Domain-Name", "Hostname"]
                  ) {
                    edges {
                      node {
                        type: toType
                        relationship_type
                        related: to {
                          ...AddrRelation
                          ...NameRelation
                        }
                      }
                    }
                  }
                }
                ... on Url {
                  value
                  stixCoreRelationships(
                    toTypes: ["IPv4-Addr", "IPv6-Addr", "Domain-Name", "Hostname"]
                  ) {
                    edges {
                      node {
                        type: toType
                        relationship_type
                        related: to {
                          ...AddrRelation
                          ...NameRelation
                        }
                      }
                    }
                  }
                }
                ... on IPv4Addr {
                  value
                  stixCoreRelationships(fromTypes: ["Domain-Name", "Hostname"]) {
                    edges {
                      node {
                        type: fromType
                        relationship_type
                        related: from {
                          ...NameRelation
                        }
                      }
                    }
                  }
                }
                ... on IPv6Addr {
                  value
                  stixCoreRelationships(fromTypes: ["Domain-Name", "Hostname"]) {
                    edges {
                      node {
                        type: fromType
                        relationship_type
                        related: from {
                          ...NameRelation
                        }
                      }
                    }
                  }
                }
                ... on StixFile {
                  hashes {
                    algorithm
                    hash
                  }
                  stixCoreRelationships(
                    toTypes: ["SHA256", "DomainName", "IPv4-Addr", "IPv6-Addr", "Hostname"]
                  ) {
                    edges {
                      node {
                        type: toType
                        relationship_type
                        related: to {
                          ...AddrRelation
                          ...NameRelation
                          ... on StixFile {
                            hashes {
                              algorithm
                              hash
                            }
                          }
                        }
                      }
                    }
                  }
                  extensions
                  size
                  name
                  x_opencti_additional_names
                }
              }
            }
            pageInfo {
              ...PageInfo
            }
          }
        }
        ''',
    'variables': {
        # filter_key, filter_values and ind_filter are set earlier in the
        # script from the Wazuh alert (file hash, IP address or domain name).
        'obs': {
            "mode": "or",
            "filterGroups": [],
            "filters": [{"key": filter_key, "values": filter_values}]
        },
        'ind': {
            "mode": "and",
            "filterGroups": [],
            "filters": [
                {"key": "pattern_type", "values": ["stix"]},
                {"mode": "or", "key": "pattern", "values": ind_filter},
            ]
        }
    }
}
```

The error after testing this:

```
'errors': [{'message': 'Schema definition named [hashes] is missing mapping for attribute [SHA256]', 'locations': [{'line': 117, 'column': 15}], 'path': ['stixCyberObservables'], 'extensions': {'code': 'FUNCTIONAL_ERROR', 'data': {'http_status': 400, 'genre': 'BUSINESS'}}, 'name': 'FUNCTIONAL_ERROR'}], 'data': {'indicators': {'edges': [], 'pageInfo': {'startCursor': '', 'endCursor': '', 'hasNextPage': False, 'hasPreviousPage': False, 'globalCount': 0}}, 'stixCyberObservables': None}
```

Environment

  1. OS (where OpenCTI server runs): Debian 12
  2. OpenCTI version: OpenCTI v 6.4.0
  3. OpenCTI client: python script
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Install OpenCTI and Wazuh
  2. Use the script https://github.com/misje/wazuh-opencti and change the query like we did
  3. Enable debugging

Additional information

@igniter07 igniter07 added the labels "needs triage" (use to identify issue needing triage from Filigran Product team) and "question" (Further information is requested) on Dec 25, 2024
@romain-filigran
Member

Hi @igniter07. I think the problem comes from this part of your query.
SHA256 is not a valid observable type. You need to use the "stixFile" type if you want to retrieve File relationships.

[Image attachment from the comment, not captured in this page]

@romain-filigran romain-filigran removed the "needs triage" (use to identify issue needing triage from Filigran Product team) label on Dec 26, 2024
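An added example, not part of this thread and not code from the wazuh-opencti project, showing the two things a Wazuh-side integration needs around this failure: how to build the `obs` FilterGroup variable from an incoming hash, and how to recognise a response like the one quoted above (an `errors` array plus `stixCyberObservables: None`) as a failed query rather than as "hash not found", so the schema error cannot silently suppress an alert. The `toTypes` list follows the maintainer's answer (replace "SHA256" with the StixFile observable type, spelled `StixFile` as in the query's own `... on StixFile` branch, with "Domain-Name" spelled as the rest of the query does). Assumptions not confirmed by the thread: the filter key format `hashes.<ALGORITHM>`; the two sample responses are constructed.

```python
import re

# STIX 2.1 hash algorithm names, as OpenCTI returns them in `hashes { algorithm }`.
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "SHA-1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "SHA-256": re.compile(r"^[0-9a-fA-F]{64}$"),
}

# Corrected toTypes for the StixFile branch of the query: "SHA256" is a hash
# algorithm, not an observable type; the file observable type is StixFile
# (following the maintainer's answer in this issue). Other names use the
# hyphenated spelling the query already uses elsewhere.
STIXFILE_TO_TYPES = ["StixFile", "Domain-Name", "IPv4-Addr", "IPv6-Addr", "Hostname"]


class OpenCTIQueryError(Exception):
    """Raised when a GraphQL response carries an `errors` array."""


def classify_hash(value: str) -> str:
    """Return the STIX algorithm name for a hex digest, or raise ValueError."""
    for algorithm, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return algorithm
    raise ValueError(f"not a supported hash digest: {value!r}")


def build_obs_filter(value: str) -> dict:
    """Build the `obs` FilterGroup variable for a file-hash lookup.

    Assumption (hypothetical, not from the thread): OpenCTI accepts the
    filter key "hashes.<ALGORITHM>", e.g. "hashes.SHA-256".
    """
    algorithm = classify_hash(value)
    return {
        "mode": "or",
        "filterGroups": [],
        "filters": [{"key": f"hashes.{algorithm}", "values": [value.lower()]}],
    }


def extract_file_hashes(response: dict) -> list:
    """Return [(algorithm, hash), ...] from stixCyberObservables, raising on errors.

    A failed query returns both an `errors` array and `stixCyberObservables: None`.
    Treating None as an empty result would look like "no match" and drop the
    alert, so errors are surfaced before any data is read.
    """
    errors = response.get("errors") or []
    if errors:
        messages = "; ".join(e.get("message", "<no message>") for e in errors)
        raise OpenCTIQueryError(messages)
    data = response.get("data") or {}
    observables = data.get("stixCyberObservables")
    if observables is None:
        raise OpenCTIQueryError("stixCyberObservables is null without an error entry")
    hashes = []
    for edge in observables.get("edges", []):
        node = edge.get("node", {})
        for h in node.get("hashes") or []:
            hashes.append((h["algorithm"], h["hash"]))
    return hashes


# Constructed sample: the error response from this issue, trimmed to the
# fields the check above uses.
ERROR_RESPONSE = {
    "errors": [{
        "message": "Schema definition named [hashes] is missing mapping for attribute [SHA256]",
        "name": "FUNCTIONAL_ERROR",
    }],
    "data": {"indicators": {"edges": []}, "stixCyberObservables": None},
}

# Constructed sample: what a successful match could look like (the digests
# are those of the empty file, used here only as well-known test values).
MATCH_RESPONSE = {
    "data": {
        "stixCyberObservables": {
            "edges": [{"node": {
                "type": "StixFile",
                "observable_value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "hashes": [
                    {"algorithm": "SHA-256", "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
                    {"algorithm": "MD5", "hash": "d41d8cd98f00b204e9800998ecf8427e"},
                ],
            }}]
        }
    }
}

if __name__ == "__main__":
    print(build_obs_filter("D41D8CD98F00B204E9800998ECF8427E"))
    try:
        extract_file_hashes(ERROR_RESPONSE)
    except OpenCTIQueryError as exc:
        print("query failed, not a miss:", exc)
    print(extract_file_hashes(MATCH_RESPONSE))
```

In the integration, `extract_file_hashes` would sit between the HTTP call and the alert decision: a raised `OpenCTIQueryError` should produce an integration-health alert in Wazuh rather than the silent "no match" that the original response shape would otherwise yield.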
@igniter07
Author

Hello @romain-filigran ,
Thanks for your answer.

I did remove the "SHA256" and the error is still the same.
The problem, from what I understand, is related to mapping the stixFile schema with hashes like SHA256, SHA1, etc.
