#14 update doc for OpenCTI and parse URL in case of errors with trail…

…ing slash (/)
stanfrbd · Jan 15, 2025 · b3536c8 · b3536c8
1 parent e92cc00
commit b3536c8
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ without having to deploy a **complex** solution.
 * **Abuse Contact Lookup**: Accurately find abuse contacts for IPs, URLs, and domains.
 * **Export Options**: Export results to CSV and **autofiltered well formatted** Excel files.
 * **MDE Integration**: Check if observables are flagged on your Microsoft Defender for Endpoint (MDE) tenant.
+* **OpenCTI Integration**: Get stats (number of incidents, indicators) from OpenCTI and the latest Indicator if available.
 * **Proxy Support**: Use a proxy if required.
 * **Data Storage**: Store results in a SQLite database.
 * **Analysis History**: Maintain a history of analyses with easy retrieval and search functionality.
@@ -80,7 +81,7 @@ cp secrets-sample.json secrets.json
     "mde_client_secret": "client_secret_here",
     "shodan": "token_here",
     "opencti_api_key": "token_here",
-    "opencti_url": "https://your.opencti-without-slash-at-end.io"
+    "opencti_url": "https://demo.opencti.io"
 }
 ```
 
@@ -227,6 +228,7 @@ curl "http://localhost:5000/api/results/e88de647-b153-4904-91e5-8f5c79174854"
 * [ThreatFox](https://threatfox.abuse.ch/api/)
 * [URLscan](https://urlscan.io/)
 * [Ioc.One](https://ioc.one/)
+* [OpenCTI](https://www.opencti.io/)
 
 > [!NOTE]
 > Any questions? Check the [wiki](https://github.com/stanfrbd/cyberbro/wiki) or raise an [issue](https://github.com/stanfrbd/cyberbro/issues/new)

diff --git a/engines/opencti.py b/engines/opencti.py
@@ -1,4 +1,5 @@
 import requests
+from urllib.parse import urljoin
 
 # Disable SSL warnings in case of proxies like Zscaler which break SSL...
 requests.packages.urllib3.disable_warnings()
@@ -18,6 +19,10 @@ def query_opencti(observable, API_KEY, OPENCTI_URL, PROXIES):
       ValueError: If the response cannot be parsed as JSON.
     """
     try:
+      # Ensure the URL is properly formatted without trailing slashes
+      OPENCTI_URL = urljoin(OPENCTI_URL, '/')
+      OPENCTI_URL = OPENCTI_URL.rstrip('/')
+
       # URL for the OpenCTI API
       url = f"{OPENCTI_URL}/graphql"
 

diff --git a/secrets-sample.json b/secrets-sample.json
@@ -9,5 +9,5 @@
     "mde_client_secret": "client_secret_here",
     "shodan": "token_here",
     "opencti_api_key": "token_here",
-    "opencti_url": "https://your.opencti-without-slash-at-end.io"
+    "opencti_url": "https://demo.opencti.io"
 }