Merge pull request #8 from misje/dev

Fix two minor issues
misje · Sep 28, 2023 · 362d32a · 362d32a
2 parents 6cf6006 + 597944f
commit 362d32a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -39,7 +39,8 @@ The logic is as follows:
   *indicator_pattern_match* is created. A maximum of three alerts are created
   (configurable by modifying the *max_ind_alerts* variable, and a maximum of 10
   indicators are returned by the query. Indicators are sorted by !revoked,
-  detection, score, confidence and valid\_until.
+  detection, score, confidence and valid\_until. If the indicator only matches
+  partially, the event type will be *indicator_partial_pattern_match*.
 - For every observable that matches (either by *value* or *hashes_SHA256*,
   depending on type of observable), an alert is created if the
   observable has an indicator related to it. Only one indicator is included,
@@ -174,6 +175,14 @@ in your setup):
       <options>no_full_log</options>
       <group>opencti,opencti_alert,</group>
    </rule>
+
+   <rule id="100215" level="10">
+      <if_sid>100210</if_sid>
+      <field name="opencti.event_type">indicator_partial_pattern_match</field>
+      <description>OpenCTI: IoC possibly found in threat intel: $(opencti.indicator.name)</description>
+      <options>no_full_log</options>
+      <group>opencti,opencti_alert,</group>
+   </rule>
 </group>
 ```
 

diff --git a/custom-opencti.py b/custom-opencti.py
@@ -122,7 +122,9 @@ def unmap_ipv6(addr):
         # Extract only A/AAAA records (and discard the empty strings):
         results = list(filter(len, dns_results_regex.findall(results)))
         # Convert IPv4-mapped IPv6 to IPv4:
-        return list(map(lambda x: unmap_ipv6(ipaddress.ip_address(x)).exploded, results))
+        results = list(map(lambda x: unmap_ipv6(ipaddress.ip_address(x)).exploded, results))
+        # Keep only global addresses:
+        return list(filter(lambda x: ipaddress.ip_address(x).is_global, results))
     except ValueError:
         return []
 
@@ -586,7 +588,7 @@ def query_opencti(alert, url, token):
             'indicator_link': indicator_link(indicator),
             'query_key': filter_key,
             'query_values': ';'.join(ind_filter),
-            'event_type': 'indicator_pattern_match',
+            'event_type': 'indicator_pattern_match' if indicator['pattern'] == ind_filter else 'indicator_partial_pattern_match',
             }}
         add_context(alert, new_alert)
         new_alerts.append(remove_empties(new_alert))