From 01856270aa43678e3918f10a52299856485d4044 Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Thu, 1 Feb 2024 22:29:07 +0100
Subject: [PATCH 1/5] Update year in copyright notice

---
 custom-opencti.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/custom-opencti.py b/custom-opencti.py
index 1d7bc03..e925457 100755
--- a/custom-opencti.py
+++ b/custom-opencti.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
-# Copyright Andreas Misje 2023, 2022 Aurora Networks Managed Services
+# Copyright Andreas Misje 2024, 2022 Aurora Networks Managed Services
 # See https://github.com/misje/wazuh-opencti for documentation
 #
 # This program is free software; you can redistribute it

From e54f5a7cc02397bb1b2d76d19460b81c07926162 Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Thu, 1 Feb 2024 22:29:22 +0100
Subject: [PATCH 2/5] Require new OpenCTI version

5.12.24 is now the minimum version for this integration due to graphql API changes.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 59b3bfc..1eea5b3 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ The logic is as follows:
 
 ## Requirements
 
-* An OpenCTI instance (version 5.12 or higher) up and running
+* An OpenCTI instance (version 5.12.24 or higher) up and running
   * Older versions are supported, but you need to revert the changes in #11 in
     order to support the older graphql filter syntax.
 * A read-only OpenCTI API token suitable for querying data (*Access knowledge*

From 0d7cd7389a9545744bd4b8b37b46531cc47ae360 Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Thu, 1 Feb 2024 22:30:21 +0100
Subject: [PATCH 3/5] Extend simplify function to support lists without edges::node

Allow the simplify_objectlist function to still be used to simplify nested object lists, but without the edges + node structure. See the updated function comment for examples and details.
---
 custom-opencti.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/custom-opencti.py b/custom-opencti.py
index e925457..7b603b4 100755
--- a/custom-opencti.py
+++ b/custom-opencti.py
@@ -99,9 +99,16 @@ def empty(value):
 # {'objectLabel': {'edges': [{'node': {'value': 'cryptbot'}}, {'node': {'value': 'exe'}}]}}
 # →
 # {'labels:': ['cryptbot', 'exe']}
+# {'objectLabel': [{'value': 'cryptbot'}, {'value': 'exe'}]}
+# →
+# {'labels:': ['cryptbot', 'exe']}
 def simplify_objectlist(output, listKey, valueKey, newKey):
-    edges = output[listKey]['edges']
-    output[newKey] = [key[valueKey] for edge in edges for _, key in edge.items()]
+    if 'edges' in output[listKey]:
+        edges = output[listKey]['edges']
+        output[newKey] = [key[valueKey] for edge in edges for _, key in edge.items()]
+    else:
+        output[newKey] = [key[valueKey] for key in output[listKey]]
+
     if newKey != listKey:
         # Delete objectLabels (array of objects) now that we have just the names:
         del output[listKey]

From 02a334914764f653806e9fe3ce370d48af803b3f Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Thu, 1 Feb 2024 22:31:44 +0100
Subject: [PATCH 4/5] Adapt grapqhl for new objectLabel and killChainPhases syntax
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

objectLabel, killChainPhases and objectMarking are no longer of the form edges { node { … } }. See https://github.com/OpenCTI-Platform/client-python/commit/16c8fe1429fe7b5baeb586146aabb774368bb174 for details.
---
 custom-opencti.py | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/custom-opencti.py b/custom-opencti.py
index 7b603b4..fb1f629 100755
--- a/custom-opencti.py
+++ b/custom-opencti.py
@@ -366,11 +366,7 @@ def query_opencti(alert, url, token):
     '''
     fragment Labels on StixCoreObject {
         objectLabel {
-            edges {
-                node {
-                    value
-                }
-            }
+            value
         }
     }
 
@@ -419,11 +415,7 @@ def query_opencti(alert, url, token):
                 pattern
                 ...Labels
                 killChainPhases {
-                    edges {
-                        node {
-                            kill_chain_name
-                        }
-                    }
+                    kill_chain_name
                 }
             }
 
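Review bot: `if 'edges' in output[listKey]:` dispatches on the value's shape with a membership test, which is a key lookup for the old dict form but an element search for the new list form, and it raises TypeError if the API returns null for the field — a case the else branch then never gets to handle. Because `output` is built directly from a remote OpenCTI response, the dispatch should be on type: `if isinstance(output[listKey], dict) and 'edges' in output[listKey]:`, and if a missing list is meant to yield no values rather than a crash, `output[newKey] = [key[valueKey] for key in (output[listKey] or [])]` in the else branch. The added example comment also copies the stray colon from the existing one; since the function writes `output[newKey]`, the example presumably should read `{'labels': ['cryptbot', 'exe']}`. simplify_objectlist may continue past the end of the hunk.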
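Review bot: The commit message says objectMarking also lost its edges/node wrapper, yet the two hunks rewrite only the Labels fragment (-366) and killChainPhases (-419); if the query string in `query_opencti` (which begins and ends outside both hunks) still selects `objectMarking { edges { node { … } } }`, that selection would now fail against 5.12.24 while the patch reads as complete. Worth confirming against the full query, or noting in the message that objectMarking is not selected. Since the query is now tied to a minimum server version, a comment on the fragment would spare the next maintainer a failed request, e.g. `# Requires OpenCTI >= 5.12.24: objectLabel/killChainPhases are flat lists (no edges/node)`. Any response-side code that still indexes `['edges']` for these keys needs to go through the generalised simplify_objectlist as well.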
From 592c7f559bef576db9e713aadd31e9cfdf595a4a Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Thu, 1 Feb 2024 22:40:06 +0100
Subject: [PATCH 5/5] Specify when OpenCTI version requirements changed

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1eea5b3..0d9866e 100644
--- a/README.md
+++ b/README.md
@@ -57,8 +57,8 @@ The logic is as follows:
 ## Requirements
 
 * An OpenCTI instance (version 5.12.24 or higher) up and running
-  * Older versions are supported, but you need to revert the changes in #11 in
-    order to support the older graphql filter syntax.
+  * Older versions are supported, but you need to revert the changes in #13/#11
+    and/or #15 in order to support the older graphql filter syntax.
 * A read-only OpenCTI API token suitable for querying data (*Access knowledge*
   \+ *Access exploration*(?))