
OpenCTI API MITRE attack patterns workaround error

Open fish-not-phish opened this issue 1 year ago • 1 comments

Environment

OS: Ubuntu 22.04.3 LTS
OpenCTI version: 5.12.9
OpenCTI client: Python API pycti==5.12.20

Question

I have tried a variety of different options via the OpenCTI API to capture Intrusion Sets and Malware MITRE attack patterns and nothing appears to be working. Has anyone found a way to extract this information programmatically?

I have even tried using the examples provided to pull a STIX2 report of an Intrusion Set and it just errors out. I seem to be receiving this error for a few different Python functions.

Reproducible Steps

Steps to create the smallest reproducible scenario:

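import json

from pycti import OpenCTIApiClient

# Connect to the OpenCTI instance (URL and API token are placeholders)
opencti_api_client = OpenCTIApiClient("https://my-opencti.instance", "my-secret-key")

# Export the Intrusion Set as a full STIX2 bundle
bundle = opencti_api_client.stix2.export_entity(
    "Intrusion-Set", "intrusion-set--f743ab1d-b2f2-58f8-975f-0993511d0b9a", "full"
)
json_bundle = json.dumps(bundle, indent=4)

# Write the bundle to disk
with open("intrusion-set.json", "w") as f:
    f.write(json_bundle)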

Expected Output

I expect to get the STIX report for that Intrusion Set. However, I get an error about an unknown argument.

Actual Output

Traceback (most recent call last):
  File "/home/mitre/mitre-web/openctipy.py", line 21, in <module>
    bundle = opencti_api_client.stix2.export_entity(
  File "/home/mitre/mitre-web/env/lib/python3.10/site-packages/pycti/utils/opencti_stix2.py", line 2098, in export_entity
    stix_objects = self.prepare_export(
  File "/home/mitre/mitre-web/env/lib/python3.10/site-packages/pycti/utils/opencti_stix2.py", line 1720, in prepare_export
    stix_nested_ref_relationships = self.opencti.stix_nested_ref_relationship.list(
  File "/home/mitre/mitre-web/env/lib/python3.10/site-packages/pycti/entities/opencti_stix_nested_ref_relationship.py", line 131, in list
    result = self.opencti.query(
  File "/home/mitre/mitre-web/env/lib/python3.10/site-packages/pycti/api/opencti_api_client.py", line 344, in query
    raise ValueError(
ValueError: {'name': 'Unknown argument "fromOrToId" on field "Query.stixNestedRefRelationships". Did you mean "fromId"?', 'message': 'Unknown argument "fromOrToId" on field "Query.stixNestedRefRelationships". Did you mean "fromId"?'}

Additional information

As I said, I'm just looking for a way to get back the MITRE attack patterns for malware families and intrusion sets. I'm just trying anything I can as a workaround as I couldn't find a direct solution.

fish-not-phish avatar Jan 24 '24 02:01 fish-not-phish

You need to update OpenCTI or downgrade the python client. Quickly checking the commits, this was added (well, renamed from something else) in 5.12.19 or 5.12.20.

jvalente-salemstate avatar Jan 30 '24 23:01 jvalente-salemstate
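
A check for the client/platform version skew described in the reply above, as an added example that is not part of the original thread or of pycti. The helper names (`parse_version`, `version_skew`, `diagnose`) are hypothetical, and both version strings are assumed to be supplied by the caller, as in the Environment section of the issue.

```python
import re

# Shape of the GraphQL validation error shown in the traceback above.
UNKNOWN_ARG = re.compile(r'Unknown argument "([^"]+)" on field "([^"]+)"')


def parse_version(text):
    """'5.12.20' -> (5, 12, 20); uses leading digits, stops at a part with none."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def version_skew(client_version, platform_version):
    """Compare numerically: as plain strings '5.12.20' sorts before '5.12.9'."""
    client, platform = parse_version(client_version), parse_version(platform_version)
    if client == platform:
        return "match"
    return "client-newer" if client > platform else "client-older"


def diagnose(error, client_version, platform_version):
    """Return a dict describing the schema mismatch, or None for other errors."""
    detail = error.args[0] if error.args else ""
    message = detail.get("message", "") if isinstance(detail, dict) else str(detail)
    found = UNKNOWN_ARG.search(message)
    if found is None:
        return None
    return {
        "argument": found.group(1),
        "field": found.group(2),
        "skew": version_skew(client_version, platform_version),
    }


if __name__ == "__main__":
    # Error text and versions copied from this issue; diagnose() is a hypothetical helper.
    text = ('Unknown argument "fromOrToId" on field '
            '"Query.stixNestedRefRelationships". Did you mean "fromId"?')
    print(diagnose(ValueError({"name": text, "message": text}), "5.12.20", "5.12.9"))
```

A result of `client-newer` corresponds to the situation in this issue, where the reply's advice is to update OpenCTI or downgrade the Python client.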

Closing, the problem seems resolved.

romain-filigran avatar Oct 16 '24 07:10 romain-filigran