
Schema definition named [hashes] is missing mapping for attribute [SHA256] - OpenCTI & Wazuh integration #28

Open
igniter07 opened this issue Jan 2, 2025 · 1 comment

Comments

@igniter07

I have opened this issue in the OpenCTI GitHub repo, but I also want your feedback if you have any solution:

The issue link: OpenCTI-Platform/opencti#9460

Issue description:

Prerequisites

  • I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
  • I went through old GitHub issues and couldn't find anything relevant
  • I googled the issue and didn't find anything relevant

Description

We have this Python script that is a custom Wazuh integration with OpenCTI. When a new file is created in a monitored location in Wazuh, Wazuh will use this script to query OpenCTI about this file hash and create a new alert if the file exists (the script also works with IPs and domains, but we are interested now in the file hashes).

The original script repo is this: https://github.com/misje/wazuh-opencti

But we modified the query to look a little bit like this:

```python
api_json_body = {'query':
'''
fragment Labels on StixCoreObject {
  objectLabel {
    value
  }
}

fragment Object on StixCoreObject {
  id
  type: entity_type
  created_at
  updated_at
  createdBy {
    ... on Identity {
      id
      standard_id
      identity_class
      name
    }
    ... on Organization {
      x_opencti_organization_type
      x_opencti_reliability
    }
    ... on Individual {
      x_opencti_firstname
      x_opencti_lastname
    }
  }
  ...Labels
  externalReferences {
    edges {
      node {
        url
      }
    }
  }
}

fragment IndShort on Indicator {
  id
  name
  valid_until
  revoked
  confidence
  x_opencti_score
  x_opencti_detection
  indicator_types
  x_mitre_platforms
  pattern_type
  pattern
  ...Labels
  killChainPhases {
    kill_chain_name
  }
}

fragment IndLong on Indicator {
  ...Object
  ...IndShort
}

fragment Indicators on StixCyberObservable {
  indicators {
    edges {
      node {
        ...IndShort
      }
    }
  }
}

fragment PageInfo on PageInfo {
  startCursor
  endCursor
  hasNextPage
  hasPreviousPage
  globalCount
}

fragment NameRelation on StixObjectOrStixRelationshipOrCreator {
  ... on DomainName {
    id
    value
    ...Indicators
  }
  ... on Hostname {
    id
    value
    ...Indicators
  }
}

fragment AddrRelation on StixObjectOrStixRelationshipOrCreator {
  ... on IPv4Addr {
    id
    value
    ...Indicators
  }
  ... on IPv6Addr {
    id
    value
    ...Indicators
  }
}

query IoCs($obs: FilterGroup, $ind: FilterGroup) {
  indicators(filters: $ind, first: 10) {
    edges {
      node {
        ...IndLong
      }
    }
    pageInfo {
      ...PageInfo
    }
  }
  stixCyberObservables(filters: $obs, first: 10) {
    edges {
      node {
        ...Object
        observable_value
        x_opencti_description
        x_opencti_score
        ...Indicators
        ... on DomainName {
          value
          stixCoreRelationships(
            toTypes: ["IPv4-Addr", "IPv6-Addr", "Domain-Name", "Hostname"]
          ) {
            edges {
              node {
                type: toType
                relationship_type
                related: to {
                  ...AddrRelation
                  ...NameRelation
                }
              }
            }
          }
        }
        ... on Hostname {
          value
          stixCoreRelationships(
            toTypes: ["IPv4-Addr", "IPv6-Addr", "Domain-Name", "Hostname"]
          ) {
            edges {
              node {
                type: toType
                relationship_type
                related: to {
                  ...AddrRelation
                  ...NameRelation
                }
              }
            }
          }
        }
        ... on Url {
          value
          stixCoreRelationships(
            toTypes: ["IPv4-Addr", "IPv6-Addr", "Domain-Name", "Hostname"]
          ) {
            edges {
              node {
                type: toType
                relationship_type
                related: to {
                  ...AddrRelation
                  ...NameRelation
                }
              }
            }
          }
        }
        ... on IPv4Addr {
          value
          stixCoreRelationships(fromTypes: ["Domain-Name", "Hostname"]) {
            edges {
              node {
                type: fromType
                relationship_type
                related: from {
                  ...NameRelation
                }
              }
            }
          }
        }
        ... on IPv6Addr {
          value
          stixCoreRelationships(fromTypes: ["Domain-Name", "Hostname"]) {
            edges {
              node {
                type: fromType
                relationship_type
                related: from {
                  ...NameRelation
                }
              }
            }
          }
        }
        ... on StixFile {
          hashes {
            algorithm
            hash
          }
          stixCoreRelationships(
            toTypes: ["SHA256", "DomainName", "IPv4-Addr", "IPv6-Addr", "Hostname"]
          ) {
            edges {
              node {
                type: toType
                relationship_type
                related: to {
                  ...AddrRelation
                  ...NameRelation
                  ... on StixFile {
                    hashes {
                      algorithm
                      hash
                    }
                  }
                }
              }
            }
          }
          extensions
          size
          name
          x_opencti_additional_names
        }
      }
    }
    pageInfo {
      ...PageInfo
    }
  }
}
''', 'variables': {
    'obs': {
        "mode": "or",
        "filterGroups": [],
        "filters": [{"key": filter_key, "values": filter_values}]
    },
    'ind': {
        "mode": "and",
        "filterGroups": [],
        "filters": [
            {"key": "pattern_type", "values": ["stix"]},
            {"mode": "or", "key": "pattern", "values": ind_filter},
        ]
    }
}}
```

The error after testing this:

```
'errors': [{'message': 'Schema definition named [hashes] is missing mapping for attribute [SHA256]',
            'locations': [{'line': 117, 'column': 15}],
            'path': ['stixCyberObservables'],
            'extensions': {'code': 'FUNCTIONAL_ERROR', 'data': {'http_status': 400, 'genre': 'BUSINESS'}},
            'name': 'FUNCTIONAL_ERROR'}],
'data': {'indicators': {'edges': [],
                        'pageInfo': {'startCursor': '', 'endCursor': '', 'hasNextPage': False,
                                     'hasPreviousPage': False, 'globalCount': 0}},
         'stixCyberObservables': None}
```

Environment

  1. OS (where OpenCTI server runs): Debian 12
  2. OpenCTI version: OpenCTI v 6.4.0
  3. OpenCTI client: python script
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Install OpenCTI and Wazuh
  2. Use the script https://github.com/misje/wazuh-opencti and change the query like we did
  3. Enable debugging

Additional information

@igniter07
Author

Is it also possible to test with your script whether a Linux endpoint detects a new file, makes the request to OpenCTI, and the response is properly handled?
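Two parts of the integration above are easy to get wrong and are worth seeing in working code: how the `filter_key` / `filter_values` / `ind_filter` variables that the query body references are derived from a Wazuh alert, and how the GraphQL response is interpreted. The response quoted in the issue is instructive on the second point: OpenCTI returned an `errors` array next to partial `data`, with `stixCyberObservables` set to `None`, so an integration that only inspects `data` would read a failed lookup as "no match" and raise no alert. The following is an added example written for this page; it is not code from the wazuh-opencti project or from the issue author. The Wazuh alert layout (`syscheck.sha256_after`, `data.srcip`) and the OpenCTI filter keys `hashes.SHA-256` and `value` are assumptions; the STIX pattern syntax is standard. The sample alert is constructed (its hash is the SHA-256 of an empty file) and the error response is the one quoted in the issue.

```python
import ipaddress
import re

# Constructed sample: a trimmed Wazuh syscheck alert for a file that was just
# created on a monitored path. Field names follow Wazuh's syscheck alert layout
# (an assumption); the hash is the SHA-256 of an empty file, the path is made up.
SAMPLE_FILE_ALERT = {
    "rule": {"id": "554", "description": "File added to the system."},
    "agent": {"id": "001", "name": "web-01"},
    "syscheck": {
        "path": "/tmp/dropped.bin",
        "event": "added",
        "sha256_after": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    },
}

# The error body quoted in the issue, as a Python literal. Note that it arrives
# next to data: 'indicators' is populated while 'stixCyberObservables' is None.
ISSUE_ERROR_RESPONSE = {
    'errors': [{'message': 'Schema definition named [hashes] is missing mapping for attribute [SHA256]',
                'locations': [{'line': 117, 'column': 15}],
                'path': ['stixCyberObservables'],
                'extensions': {'code': 'FUNCTIONAL_ERROR', 'data': {'http_status': 400, 'genre': 'BUSINESS'}},
                'name': 'FUNCTIONAL_ERROR'}],
    'data': {'indicators': {'edges': [], 'pageInfo': {'startCursor': '', 'endCursor': '',
                                                      'hasNextPage': False, 'hasPreviousPage': False,
                                                      'globalCount': 0}},
             'stixCyberObservables': None},
}

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def build_variables(alert):
    """Map a Wazuh alert to the 'variables' object of the IoCs query.

    Returns None when the alert carries nothing worth looking up, or when the
    candidate value fails validation: a malformed hash or address must never be
    interpolated into a STIX pattern string. The filter keys are assumptions
    about the OpenCTI filter schema.
    """
    sha256 = alert.get("syscheck", {}).get("sha256_after")
    if sha256 is not None:
        if not SHA256_RE.fullmatch(sha256):
            return None
        sha256 = sha256.lower()
        filter_key = "hashes.SHA-256"                        # assumed OpenCTI filter key
        filter_values = [sha256]
        ind_filter = [f"[file:hashes.'SHA-256' = '{sha256}']"]
    else:
        srcip = alert.get("data", {}).get("srcip")
        if srcip is None:
            return None
        try:
            ip = ipaddress.ip_address(srcip)                 # rejects anything that is not an IP
        except ValueError:
            return None
        kind = "ipv4-addr" if ip.version == 4 else "ipv6-addr"
        filter_key = "value"                                 # assumed OpenCTI filter key
        filter_values = [str(ip)]
        ind_filter = [f"[{kind}:value = '{ip}']"]
    return {
        "obs": {"mode": "or", "filterGroups": [],
                "filters": [{"key": filter_key, "values": filter_values}]},
        "ind": {"mode": "and", "filterGroups": [],
                "filters": [{"key": "pattern_type", "values": ["stix"]},
                            {"mode": "or", "key": "pattern", "values": ind_filter}]},
    }


def classify_response(resp):
    """Classify an OpenCTI GraphQL response body.

    GraphQL reports failures inside the body (often with HTTP 200) and may
    return partial data next to them, exactly as the issue shows. Errors are
    checked first so a failed lookup is surfaced instead of being read as
    "clean". Returns ("error", messages), ("match", counts) or ("clean", None).
    """
    errors = resp.get("errors") or []
    if errors:
        return ("error", [e.get("message", "<no message>") for e in errors])
    data = resp.get("data") or {}
    ind = (data.get("indicators") or {}).get("edges") or []
    obs = (data.get("stixCyberObservables") or {}).get("edges") or []
    if ind or obs:
        return ("match", {"indicators": len(ind), "observables": len(obs)})
    return ("clean", None)


if __name__ == "__main__":
    import json
    print(json.dumps(build_variables(SAMPLE_FILE_ALERT), indent=2))
    print(classify_response(ISSUE_ERROR_RESPONSE))
```

In a Wazuh integration, the `"error"` outcome should be written back as its own alert (or at least logged at error level) rather than dropped, so that a schema mismatch like the one in this issue is visible in the SIEM instead of silently disabling hash lookups.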
