From 0842217918000bd2c2f881939030dbb570e006e1 Mon Sep 17 00:00:00 2001
From: annoyingapt <55898651+annoyingapt@users.noreply.github.com>
Date: Mon, 23 Sep 2024 18:40:18 +1200
Subject: [PATCH] [Shodan] Save results to note (#2636)
---
 internal-enrichment/shodan/docker-compose.yml | 1 +
 .../shodan/src/config.yml.sample | 1 +
 .../shodan/src/shodanImport.py | 31 +++++++++++++------
 3 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/internal-enrichment/shodan/docker-compose.yml b/internal-enrichment/shodan/docker-compose.yml
index 12ae93a372..3f3b90dd49 100644
--- a/internal-enrichment/shodan/docker-compose.yml
+++ b/internal-enrichment/shodan/docker-compose.yml
@@ -14,4 +14,5 @@ services:
 - SHODAN_MAX_TLP=TLP:AMBER
 - SHODAN_DEFAULT_SCORE=50
 - SHODAN_IMPORT_SEARCH_RESULTS=true
+ - SHODAN_CREATE_NOTE=true # Add results to note rather than description
 restart: always
diff --git a/internal-enrichment/shodan/src/config.yml.sample b/internal-enrichment/shodan/src/config.yml.sample
index 6848e9497c..7a7f7eac26 100644
--- a/internal-enrichment/shodan/src/config.yml.sample
+++ b/internal-enrichment/shodan/src/config.yml.sample
@@ -15,3 +15,4 @@ shodan:
 max_tlp: 'TLP:AMBER'
 default_score: 50
 import_search_results: true
+ create_note: true
diff --git a/internal-enrichment/shodan/src/shodanImport.py b/internal-enrichment/shodan/src/shodanImport.py
index 216b0e2b9b..d9848edcbd 100644
--- a/internal-enrichment/shodan/src/shodanImport.py
+++ b/internal-enrichment/shodan/src/shodanImport.py
@@ -63,6 +63,12 @@ def __init__(self):
 config,
 default=True,
 )
+ self.create_note = get_config_variable(
+ "SHODAN_CREATE_NOTE",
+ ["shodan", "create_note"],
+ config,
+ default=True,
+ )
 # Shodan Identity
 self.shodan_identity = self.helper.api.identity.create(
@@ -338,21 +344,28 @@ def _upsert_stix_observable(self, description, labels, external_reference):
 value=self.stix_entity["value"],
 custom_properties={
 "x_opencti_external_references": [external_reference],
- "x_opencti_description": description,
+ **(
+ {"x_opencti_description": description}
+ if not self.create_note
+ else {}
+ ),
 "x_opencti_score": self.score,
 "x_opencti_labels": labels,
 "x_opencti_created_by_ref": self.shodan_identity["standard_id"],
 },
 )
 self.stix_objects.append(stix_observable)
- """
- {
- "source_name": "Shodan",
- "url": f"www.shodan.io/host/{data['ip_str']}",
- "description": "ceci est une description",
- # "external_id": str(data['ip_str']),
- }
- """
+ if self.create_note:
+ now = datetime.now().strftime("%Y-%m-%dT%H:%M:%SZ")
+ stix_note = stix2.Note(
+ type="note",
+ id=Note.generate_id(now, description),
+ abstract="Shodan Results",
+ content=description,
+ created_by_ref=self.shodan_identity["standard_id"],
+ object_refs=self.stix_entity["id"],
+ )
+ self.stix_objects.append(stix_note)
 return stix_observable
 
 def _generate_stix_bundle(
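Review bot: The note id on the new `id=Note.generate_id(now, description)` line is keyed on the current wall-clock time, so every enrichment run of the same observable mints a distinct Note with identical content instead of upserting, and `now` comes from naive `datetime.now()` yet is formatted with a literal `Z`, which labels local time as UTC. A real UTC stamp would be `now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")` (needs `timezone` imported at the top of the file, outside this hunk), and the id should be derived from something that does not change per run, e.g. `id=Note.generate_id(None, description)` if the pycti helper tolerates a missing created value, to be confirmed against the installed version. The note also carries no `object_marking_refs`, and `object_refs` is passed a bare string where STIX expects a list: `object_refs=[self.stix_entity["id"]]` is the idiomatic form, and if the observable is marked elsewhere (the connector has a `max_tlp` setting) the same Shodan content now sits in an unmarked object, which is worth confirming. The enclosing `_upsert_stix_observable` starts before this hunk, so whether `datetime`, `stix2` and `Note` are imported cannot be seen here.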