[Shodan] Save results to note (OpenCTI-Platform#2636)

klaviyo · Sep 23, 2024 · 0842217 · 0842217
1 parent 793f81b
commit 0842217
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 9 deletions.
diff --git a/internal-enrichment/shodan/docker-compose.yml b/internal-enrichment/shodan/docker-compose.yml
@@ -14,4 +14,5 @@ services:
       - SHODAN_MAX_TLP=TLP:AMBER
       - SHODAN_DEFAULT_SCORE=50
       - SHODAN_IMPORT_SEARCH_RESULTS=true
+      - SHODAN_CREATE_NOTE=true # Add results to note rather than description
     restart: always
diff --git a/internal-enrichment/shodan/src/config.yml.sample b/internal-enrichment/shodan/src/config.yml.sample
@@ -15,3 +15,4 @@ shodan:
   max_tlp: 'TLP:AMBER'
   default_score: 50
   import_search_results: true
+  create_note: true
diff --git a/internal-enrichment/shodan/src/shodanImport.py b/internal-enrichment/shodan/src/shodanImport.py
@@ -63,6 +63,12 @@ def __init__(self):
             config,
             default=True,
         )
+        self.create_note = get_config_variable(
+            "SHODAN_CREATE_NOTE",
+            ["shodan", "create_note"],
+            config,
+            default=True,
+        )
 
         # Shodan Identity
         self.shodan_identity = self.helper.api.identity.create(
@@ -338,21 +344,28 @@ def _upsert_stix_observable(self, description, labels, external_reference):
             value=self.stix_entity["value"],
             custom_properties={
                 "x_opencti_external_references": [external_reference],
-                "x_opencti_description": description,
+                **(
+                    {"x_opencti_description": description}
+                    if not self.create_note
+                    else {}
+                ),
                 "x_opencti_score": self.score,
                 "x_opencti_labels": labels,
                 "x_opencti_created_by_ref": self.shodan_identity["standard_id"],
             },
         )
         self.stix_objects.append(stix_observable)
-        """
-        {
-                    "source_name": "Shodan",
-                    "url": f"www.shodan.io/host/{data['ip_str']}",
-                    "description": "ceci est une description",
-                    # "external_id": str(data['ip_str']),
-                }
-        """
+        if self.create_note:
+            now = datetime.now().strftime("%Y-%m-%dT%H:%M:%SZ")
+            stix_note = stix2.Note(
+                type="note",
+                id=Note.generate_id(now, description),
+                abstract="Shodan Results",
+                content=description,
+                created_by_ref=self.shodan_identity["standard_id"],
+                object_refs=self.stix_entity["id"],
+            )
+            self.stix_objects.append(stix_note)
         return stix_observable
 
     def _generate_stix_bundle(