[crowdstrike] Fix STIX IDs accumulation, start time and stop time on …

…several relations (OpenCTI-Platform#2779)

external-import/crowdstrike/src/crowdstrike_feeds_connector/actor/builder.py

@@ -11,8 +11,6 @@
     create_regions_and_countries_from_entities,
     create_sectors_from_entities,
     create_targets_relationships,
-    datetime_utc_epoch_start,
-    datetime_utc_now,
     normalize_start_time_and_stop_time,
     remove_html_tags,
     timestamp_to_datetime,
@@ -62,12 +60,7 @@ def __init__(
         self.confidence_level = confidence_level
 
         first_seen = timestamp_to_datetime(self.actor["first_activity_date"])
-        if first_seen is None:
-            first_seen = datetime_utc_epoch_start()
-
         last_seen = timestamp_to_datetime(self.actor["last_activity_date"])
-        if last_seen is None:
-            last_seen = datetime_utc_now()
 
         first_seen, last_seen = normalize_start_time_and_stop_time(
             first_seen, last_seen
@@ -233,8 +226,6 @@ def _create_originates_from_relationships(
             targets,
             self.confidence_level,
             self.object_markings,
-            start_time=self.first_seen,
-            stop_time=self.last_seen,
         )
 
     def build(self) -> Bundle:

external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py

@@ -150,8 +150,6 @@ def __init__(self, config: IndicatorBundleBuilderConfig) -> None:
 
         self.observation_factory = self._get_observation_factory(self.indicator["type"])
 
-        self.first_seen = timestamp_to_datetime(self.indicator["published_date"])
-
     @classmethod
     def _get_observation_factory(cls, indicator_type: str) -> ObservationFactory:
         factory = cls._INDICATOR_TYPE_TO_OBSERVATION_FACTORY.get(indicator_type)
@@ -227,7 +225,6 @@ def _create_uses_relationships(
             targets,
             self.confidence_level,
             self.object_markings,
-            start_time=self.first_seen,
         )
 
     def _create_targeted_sectors(self) -> List[Identity]:
@@ -246,7 +243,6 @@ def _create_targets_relationships(
             targets,
             self.confidence_level,
             self.object_markings,
-            start_time=self.first_seen,
         )
 
     def _create_vulnerability(self, name: str):
@@ -383,6 +379,7 @@ def _create_indicator(
             created_by=self.author,
             name=indicator_value,
             valid_from=indicator_published,
+            created=indicator_published,
             kill_chain_phases=kill_chain_phases,
             labels=labels,
             confidence=self.confidence_level,
@@ -411,7 +408,6 @@ def _create_indicates_relationships(
             targets,
             self.confidence_level,
             self.object_markings,
-            start_time=self.first_seen,
         )
 
     def _create_report(

external-import/crowdstrike/src/crowdstrike_feeds_connector/report/builder.py

@@ -15,8 +15,6 @@
     create_stix2_report_from_report,
     create_targets_relationships,
     create_uses_relationships,
-    datetime_utc_epoch_start,
-    datetime_utc_now,
     normalize_start_time_and_stop_time,
     timestamp_to_datetime,
 )
@@ -66,12 +64,7 @@ def __init__(
 
         # Use report dates for start time and stop time.
         start_time = timestamp_to_datetime(self.report["created_date"])
-        if start_time is None:
-            start_time = datetime_utc_epoch_start()
-
-        stop_time = timestamp_to_datetime(self.report["last_modified_date"])
-        if stop_time is None:
-            stop_time = datetime_utc_now()
+        stop_time = None
 
         start_time, stop_time = normalize_start_time_and_stop_time(
             start_time, stop_time

external-import/crowdstrike/src/crowdstrike_feeds_connector/rule/yara_master_builder.py

@@ -146,7 +146,6 @@ def _create_uses_relationships(
             targets,
             self.confidence_level,
             self.object_markings,
-            start_time=self.first_seen,
         )
 
     def _create_indicators(self) -> List[Indicator]:
@@ -162,6 +161,7 @@ def _create_yara_indicator(self) -> Indicator:
             name=rule.name,
             description=rule.description,
             valid_from=self.first_seen,
+            created=self.first_seen,
             confidence=self.confidence_level,
             object_markings=self.object_markings,
         )
@@ -175,7 +175,6 @@ def _create_indicates_relationships(
             targets,
             self.confidence_level,
             self.object_markings,
-            start_time=self.first_seen,
         )
 
     def _create_reports(self, objects: List[_DomainObject]) -> List[STIXReport]:

external-import/crowdstrike/src/crowdstrike_feeds_services/utils/__init__.py

@@ -270,13 +270,13 @@ def normalize_start_time_and_stop_time(
     STIX 2 Relationship object expects the stop time to be later than the start time
     or the creation of Relationship object fails.
     """
-    if start_time == stop_time:
+    if start_time is not None and stop_time is not None and start_time == stop_time:
         logger.warning("Start time equals stop time, adding 1 second to stop time")
 
         stop_time += timedelta(seconds=1)
         return start_time, stop_time
 
-    if start_time > stop_time:
+    if start_time is not None and stop_time is not None and start_time > stop_time:
         logger.warning("Start time is greater than stop time, swapping times")
 
         start_time, stop_time = stop_time, start_time
@@ -686,8 +686,6 @@ def create_indicates_relationships(
     targets: List[_DomainObject],
     confidence: int,
     object_markings: List[stix2.MarkingDefinition],
-    start_time: Optional[datetime] = None,
-    stop_time: Optional[datetime] = None,
 ) -> List[stix2.Relationship]:
     """Create 'indicates' relationships."""
     return create_relationships(
@@ -697,8 +695,6 @@ def create_indicates_relationships(
         targets,
         confidence,
         object_markings,
-        start_time=start_time,
-        stop_time=stop_time,
     )
 
 
@@ -708,8 +704,6 @@ def create_originates_from_relationships(
     targets: List[_DomainObject],
     confidence: int,
     object_markings: List[stix2.MarkingDefinition],
-    start_time: Optional[datetime] = None,
-    stop_time: Optional[datetime] = None,
 ) -> List[stix2.Relationship]:
     """Create 'originates-from' relationships."""
     return create_relationships(
@@ -719,8 +713,6 @@ def create_originates_from_relationships(
         targets,
         confidence,
         object_markings,
-        start_time=start_time,
-        stop_time=stop_time,
     )
 
 
@@ -730,8 +722,6 @@ def create_based_on_relationships(
     targets: List[_DomainObject],
     confidence: int,
     object_markings: List[stix2.MarkingDefinition],
-    start_time: Optional[datetime] = None,
-    stop_time: Optional[datetime] = None,
 ) -> List[stix2.Relationship]:
     """Create 'based-on' relationships."""
     return create_relationships(
@@ -741,8 +731,6 @@ def create_based_on_relationships(
         targets,
         confidence,
         object_markings,
-        start_time=start_time,
-        stop_time=stop_time,
     )
 
 
@@ -974,6 +962,7 @@ def create_indicator(
     name: Optional[str] = None,
     description: Optional[str] = None,
     valid_from: Optional[datetime] = None,
+    created: Optional[datetime] = None,
     kill_chain_phases: Optional[List[stix2.KillChainPhase]] = None,
     labels: Optional[List[str]] = None,
     confidence: Optional[int] = None,
@@ -1001,6 +990,7 @@ def create_indicator(
         pattern=pattern,
         pattern_type=pattern_type,
         valid_from=valid_from,
+        created=created,
         kill_chain_phases=kill_chain_phases,
         labels=labels,
         confidence=confidence,