
Stix-Sighting-Relationship (StixSightingRelationship) missing Bundle approach function

Open ParamConstructor opened this issue 8 months ago • 0 comments

Problem to Solve

When building a connector, there doesn't seem to be a STIX bundle object approach for a Stix-Sighting-Relationship directly between an Observable (example: ASN) and a Location (example: City)?

The OpenCTI UI will allow you to create this relationship directly.


But, when building a connector, you would use StixSightingRelationship (which appears to be a custom PyCTI way to link these object types, since generally STIX wants them linked to an SDO directly).

The non-bundle approach seems to be:

    from pycti import StixSightingRelationship

    # Creates the sighting through the API immediately (no bundle); both the
    # ASN observable and the Location must already exist in the platform.
    location_relationship = StixSightingRelationship(opencti_client).create(
        fromId=asn_entity.id,
        toId=location.id,
        count=1,
    )

But this requires that the Entity and Location already exist in the platform, since it fires it off immediately.

A call using the STIX2 Sighting object when passing in an ASN Observable errors out with:

"Invalid value for Sighting 'sighting_of_ref': The type-specifying prefix 'autonomous-system' for this property is not one of the valid types for this property: SDO."

    import stix2

    # Fails: sighting_of_ref must be an SDO, but asn_entity is an observable
    # (autonomous-system), which produces the error quoted above.
    sighting = stix2.Sighting(
        sighting_of_ref=asn_entity.id,
        observed_data_refs=[asn_entity.id],
        where_sighted_refs=[location.id],  # Link to the Location
        count=1,
        summary=True,
        object_marking_refs=[self.tlp_marking],
        created_by_ref=self.author["id"],
        custom_properties={
            "x_opencti_labels": self.tags_as_labels,
        },
    )

To do this, it seems that using the standard STIX2 objects you have to create a bundle of objects: Observed Data --> Observable (ASN record), then a Sighting linking the Observed Data to the Location (i.e. replace the asn_entity.id above with the observed_data.id).

However, this is displayed/represented differently in the platform, and now your Observable doesn't show at the top level in the Sighting tab (on the ASN Observable) that it was linked to the Location. It shows up under a sighting of an "Observed Data" versus the Observable directly:


There seems to be a function missing (maybe CustomStixSightingRelationship()) to make a StixBundle object that represents a Stix-Sighting-Relationship (Observable-->Location) when processing in a Connector using the "send bundles to RabbitMQ" approach?

Current Workaround

Non-bundle approach from above. However, the new connector design approach requested that you use Bundles and send them to RabbitMQ. Additionally, when using the STIX2 bundles approach, this is represented differently than what you can do directly within the OpenCTI UI. The non-bundle approach from above requires the Location and the Observable to already exist in the platform and fires the request off immediately, versus sending to a RabbitMQ queue.

Proposed Solution

Add a bundle approach for StixSightingRelationships (Observable-->Location)

Additional Information

N/A

ParamConstructor avatar Jun 24 '25 19:06 ParamConstructor