Merge pull request #16 from misje/bug-15/adapt-to-graphql-changes

Bug 15/adapt to graphql changes
misje · Feb 2, 2024 · ec94f0b · ec94f0b
2 parents cffa40b + 592c7f5
commit ec94f0b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -56,9 +56,9 @@ The logic is as follows:
 
 ## Requirements
 
-* An OpenCTI instance (version 5.12 or higher) up and running
-  * Older versions are supported, but you need to revert the changes in #11 in
-	 order to support the older graphql filter syntax.
+* An OpenCTI instance (version 5.12.24 or higher) up and running
+  * Older versions are supported, but you need to revert the changes in #13/#11
+    and/or #15 in order to support the older graphql filter syntax.
 * A read-only OpenCTI API token suitable for querying data (*Access knowledge*
   \+ *Access exploration*(?))
 

diff --git a/custom-opencti.py b/custom-opencti.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# Copyright Andreas Misje 2023, 2022 Aurora Networks Managed Services 
+# Copyright Andreas Misje 2024, 2022 Aurora Networks Managed Services
 # See https://github.com/misje/wazuh-opencti for documentation
 #
 # This program is free software; you can redistribute it
@@ -99,9 +99,16 @@ def empty(value):
 # {'objectLabel': {'edges': [{'node': {'value': 'cryptbot'}}, {'node': {'value': 'exe'}}]}}
 # →
 # {'labels:': ['cryptbot', 'exe']}
+# {'objectLabel': [{'value': 'cryptbot'}, {'value': 'exe'}]}
+# →
+# {'labels:': ['cryptbot', 'exe']}
 def simplify_objectlist(output, listKey, valueKey, newKey):
-    edges = output[listKey]['edges']
-    output[newKey] = [key[valueKey] for edge in edges for _, key in edge.items()]
+    if 'edges' in output[listKey]:
+        edges = output[listKey]['edges']
+        output[newKey] = [key[valueKey] for edge in edges for _, key in edge.items()]
+    else:
+        output[newKey] = [key[valueKey] for key in output[listKey]]
+
     if newKey != listKey:
         # Delete objectLabels (array of objects) now that we have just the names:
         del output[listKey]
@@ -359,11 +366,7 @@ def query_opencti(alert, url, token):
             '''
             fragment Labels on StixCoreObject {
               objectLabel {
-                edges {
-                  node {
-                    value
-                  }
-                }
+                value
               }
             }
 
@@ -412,11 +415,7 @@ def query_opencti(alert, url, token):
               pattern
               ...Labels
               killChainPhases {
-                edges {
-                  node {
-                    kill_chain_name
-                  }
-                }
+                kill_chain_name
               }
             }