# Test for Fetch or Optional

## 1. Aim

## Needs TypeDB v2.24 

To generate complex variations of objects to see if they can be solved by Fetch, or require Optional capabilities:

1. **File SCO:** Create variations on File, including:
    1. Basic File, 
    2. Basic File with Granular Markings, 
    3. Basic File with Embedded References, 
    4. Basic File with Hashes
    5. Basic File with Extension
    6. Basic File with Extension, where Extension has Embedded Reference
    7. Basic File with Extension, where Extension has Hashes
    8. Basic File with Extension, where Extension has embedded dict
    9. Basic File with Extension, where Extension has sub-object
    10. Basic File with Extension, where Extension has list of sub-objects
    11. Basic File with Extension, where Extension has list of sub-objects that contain hashes
 
## 2. Imports

In [142]:
import sys
!{sys.executable} -m pip install stixorm
from stixorm.module.typedb import TypeDBSink, TypeDBSource
from stixorm.module.authorise import import_type_factory
from stixorm.module.definitions.stix21 import (
    WindowsPEBinaryExt, PDFExt, Bundle, File, RasterImageExt,
    WindowsPEOptionalHeaderType, WindowsPESection, ArchiveExt,
    AlternateDataStream, NTFSExt, Directory
)
from stixorm.module.authorise import import_type_factory
from stixorm.module.typedb_lib.instructions import ResultStatus, Result
import_type = import_type_factory.get_all_imports()
import logging
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)




[notice] A new release of pip available: 22.3.1 -> 23.3.1
[notice] To update, run: python.exe -m pip install --upgrade pip


## 3. Setup Variables Need for File Setup


In [143]:
hash_dict1 = {
        "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
        "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
    }

# Granular Marking details
red_id = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
name_selector = [ "name" ]
name_gran_mark = [ { "marking_ref": red_id, "selectors": name_selector}]
names = []
middle = []

## 4. Setup File Objects

### A. Basic File Object

In [144]:
# Setup Object
file_A = File(name="foo_A.dll", size=25546)

#Setup Documentation
print(file_A.serialize(pretty=True))
names.append("A. Basic File Object")
midd_temp = '\n        has $b;'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--bbf20f10-3d0b-5d1c-913e-e302e06749c5",
    "size": 25546,
    "name": "foo_A.dll"
}


### B. Basic File with Granular Markings

In [145]:
# Setup Object
file_B = File(name="foo_B.dll", size=25546, granular_markings=name_gran_mark)

#Setup Documentation
print(file_B.serialize(pretty=True))
names.append("B. Basic File with Granular Markings")
midd_temp = '\n        has name $name,\n        has $b;\n      $mark isa marking-definition,\n        has stix-id $mark_id;\n      $gran (marking:$mark, object:$file, marked:$name) isa granular-marking;'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--ea07da26-5db2-5cc9-9c83-f7fb53547253",
    "size": 25546,
    "name": "foo_B.dll",
    "granular_markings": [
        {
            "marking_ref": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
            "selectors": [
                "name"
            ]
        }
    ]
}


### C. Basic File with Embedded References,

In [146]:
# Setup Object
enclosing_dir = Directory(path="C:\\Windows\\System32")
file_C = File(name="foo_C.dll", size=25546, parent_directory_ref=enclosing_dir)

#Setup Documentation
print(file_C.serialize(pretty=True))
names.append("C. Basic File with Embedded References,")
midd_temp = '\n        has $b;\n      $sub isa stix-core-object\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--a1e4a735-583e-5490-8c3b-ce8f2048fb59",
    "size": 25546,
    "name": "foo_C.dll",
    "parent_directory_ref": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622"
}


### D. Basic File with Hashes

In [147]:
# Setup Object
file_D = File(name="foo_D.dll", size=25546, hashes=hash_dict1)

#Setup Documentation
print(file_D.serialize(pretty=True))
names.append("D. Basic File with Hashes")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--e2269959-626d-5c26-974e-8961db0e2ab7",
    "hashes": {
        "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
        "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
    },
    "size": 25546,
    "name": "foo_D.dll"
}


### E. Basic File with Extension

In [148]:
# Setup Object
pdf_ext = PDFExt(version="1.7", pdfid0="DFCE52BD827ECF765649852119D", pdfid1="57A1E0F9ED2AE523E313C")
file_E = File(name="foo_E.dll", size=25546, extensions={"pdf-ext":pdf_ext})

#Setup Documentation
print(file_E.serialize(pretty=True))
names.append("E. Basic File with Extension")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--8c2a130b-327d-51cf-a637-3ff9a969893f",
    "size": 25546,
    "name": "foo_E.dll",
    "extensions": {
        "pdf-ext": {
            "version": "1.7",
            "pdfid0": "DFCE52BD827ECF765649852119D",
            "pdfid1": "57A1E0F9ED2AE523E313C"
        }
    }
}


### F. Basic File with Extension, where Extension has Embedded Reference

In [149]:
# Setup Object
cont_refs = [file_A.id, file_B.id, file_C.id]
archive_ext = ArchiveExt(contains_refs=cont_refs,comment="Zip Archive")
file_F = File(name="foo_F.dll", size=25546, mime_type="application/zip", extensions={"archive-ext":archive_ext})

#Setup Documentation
print(file_F.serialize(pretty=True))
names.append("F. Basic File with Extension, where Extension has Embedded Reference¶")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;\n      $core isa stix-cyber-observable-object,\n        has stix-id $stix_id;\n      $emb2 (owner:$sub, pointed-to:$core) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--ffbdf8ea-92df-56f2-95ae-54801d106620",
    "size": 25546,
    "name": "foo_F.dll",
    "mime_type": "application/zip",
    "extensions": {
        "archive-ext": {
            "contains_refs": [
                "file--bbf20f10-3d0b-5d1c-913e-e302e06749c5",
                "file--ea07da26-5db2-5cc9-9c83-f7fb53547253",
                "file--a1e4a735-583e-5490-8c3b-ce8f2048fb59"
            ],
            "comment": "Zip Archive"
        }
    }
}


### G. Basic File with Extension, where Extension has Hashes

In [150]:
# Setup Object
win_bin_ext1 = WindowsPEBinaryExt(pe_type="exe", machine_hex="014c", pointer_to_symbol_table_hex="74726144", file_header_hashes=hash_dict1)
file_G = File(name="foo_G.dll", size=25546, extensions={"windows-pebinary-ext":win_bin_ext1})

#Setup Documentation
print(file_G.serialize(pretty=True))
names.append("G. Basic File with Extension, where Extension has Hashes")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $ext (owner:$file, pointed-to:$sub) isa embedded;\n      $hash isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$hash) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--7e7a3aa4-6c53-5dc8-927e-9256e3740d99",
    "size": 25546,
    "name": "foo_G.dll",
    "extensions": {
        "windows-pebinary-ext": {
            "pe_type": "exe",
            "machine_hex": "014c",
            "pointer_to_symbol_table_hex": "74726144",
            "file_header_hashes": {
                "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
                "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
            }
        }
    }
}


### H. Basic File with Extension, where Extension has embedded dict

In [151]:
# Setup Object
exif_tags=  {
        "Make": "Nikon",
        "Model": "D7000"
}
raster_ext = RasterImageExt(image_height=3264, image_width=4928, exif_tags=exif_tags)
file_H = File(name="foo_H.dll", size=25546, extensions={"raster-image-ext":raster_ext})

#Setup Documentation
print(file_H.serialize(pretty=True))
names.append("H. Basic File with Extension, where Extension has embedded dict")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $ext (owner:$file, pointed-to:$sub) isa embedded;\n      $dict_key isa stix-attribute-string,\n       has $dict_value;\n      $emb2 (owner:$sub, pointed-to:$dict_key) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--f4e96608-8a92-5d6d-b15a-7099816882e7",
    "size": 25546,
    "name": "foo_H.dll",
    "extensions": {
        "raster-image-ext": {
            "image_height": 3264,
            "image_width": 4928,
            "exif_tags": {
                "Make": "Nikon",
                "Model": "D7000"
            }
        }
    }
}


### I. Basic File with Extension, where Extension has sub-object

In [152]:
# Setup Object
win_header = WindowsPEOptionalHeaderType(magic_hex="010b", size_of_code=512, address_of_entry_point=4096, base_of_data=8192, loader_flags_hex="abdbffde", subsystem_hex="03")
win_bin_ext2 = WindowsPEBinaryExt(pe_type="exe", machine_hex="014c", pointer_to_symbol_table_hex="74726144", size_of_optional_header=224, optional_header=win_header)
file_I = File(name="foo_I.dll", size=25546, extensions={"windows-pebinary-ext":win_bin_ext2})

#Setup Documentation
print(file_I.serialize(pretty=True))
names.append("I. Basic File with Extension, where Extension has sub-object")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $ext (owner:$file, pointed-to:$sub) isa embedded;\n      $sub isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--85ffbf0b-3ba1-55f6-bb35-311c6a26d879",
    "size": 25546,
    "name": "foo_I.dll",
    "extensions": {
        "windows-pebinary-ext": {
            "pe_type": "exe",
            "machine_hex": "014c",
            "pointer_to_symbol_table_hex": "74726144",
            "size_of_optional_header": 224,
            "optional_header": {
                "magic_hex": "010b",
                "size_of_code": 512,
                "address_of_entry_point": 4096,
                "base_of_data": 8192,
                "subsystem_hex": "03",
                "loader_flags_hex": "abdbffde"
            }
        }
    }
}


### J. Basic File with Extension, where Extension has list of sub-objects

In [153]:
# Setup Object
section1 = WindowsPESection(name="CODE", entropy=0.061089)
section2 = WindowsPESection(name="DATA", entropy=7.980693) 
win_bin_ext3 = WindowsPEBinaryExt(pe_type="exe", machine_hex="014c", pointer_to_symbol_table_hex="74726144", number_of_sections=2, sections=[section1, section2])
file_J = File(name="foo_J.dll", size=25546, extensions={"windows-pebinary-ext":win_bin_ext3})

#Setup Documentation
print(file_J.serialize(pretty=True))
names.append("J. Basic File with Extension, where Extension has list of sub-objects")
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $ext (owner:$file, pointed-to:$sub) isa embedded;\n      $sub isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--d6ee02fa-f8b0-5c12-b220-3b65479d464b",
    "size": 25546,
    "name": "foo_J.dll",
    "extensions": {
        "windows-pebinary-ext": {
            "pe_type": "exe",
            "machine_hex": "014c",
            "number_of_sections": 2,
            "pointer_to_symbol_table_hex": "74726144",
            "sections": [
                {
                    "name": "CODE",
                    "entropy": 0.061089
                },
                {
                    "name": "DATA",
                    "entropy": 7.980693
                }
            ]
        }
    }
}


### K. Basic File with Extension, where Extension has list of sub-objects that contain hashes

In [154]:

#Setup Object
hash_dict2 = {
    "SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"
  }
alt_data_stream1 = AlternateDataStream(name="first.stream", size=25536, hashes=hash_dict1)
#alt_data_stream2 = AlternateDataStream(name="second.stream", size=25536, hashes=hash_dict2)
ntfs_ext = NTFSExt(sid="1234567", alternate_data_streams=[alt_data_stream1])
file_K = File(name="foo_K.dll", size=25546, extensions={"ntfs-ext":ntfs_ext})

#Setup Documentation
print(file_K.serialize(pretty=True))
names.append("K. Basic File with Extension, where Extension has list of sub-objects that contain hashes")
midd_temp = '\n        has $b;\n      $ext_sub isa stix-sub-object,\n        has $c;\n      $ext (owner:$file, pointed-to:$ext_sub) isa embedded;\n      $alt isa stix-sub-object,\n       has $d;\n      $emb2 (owner:$ext_sub, pointed-to:$alt) isa embedded;\n    $hash isa stix-sub-object,\n        has $e;\n      $emb3(owner:$alt, pointed-to:$hash) isa embedded;\n'
middle.append(midd_temp)

{
    "type": "file",
    "spec_version": "2.1",
    "id": "file--39f167a3-09a9-524c-9dac-3b1b2a02609b",
    "size": 25546,
    "name": "foo_K.dll",
    "extensions": {
        "ntfs-ext": {
            "sid": "1234567",
            "alternate_data_streams": [
                {
                    "name": "first.stream",
                    "hashes": {
                        "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4",
                        "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76"
                    },
                    "size": 25536
                }
            ]
        }
    }
}


## 5. Add Objects to TypeDB

In [155]:
# Set Objects into Bundle
bundle = Bundle(file_A, file_B, file_C, file_D, enclosing_dir, file_E, file_F, file_G, file_H, file_I, file_J, file_K)

# Setup Connection for TypeDB
connection = {
    "uri": "localhost",
    "port": "1729",
    "database": "stix",
    "user": None,
    "password": None
}

# Initialise TypeDB
reinitilise = True
typedb = TypeDBSink(connection=connection, clear=reinitilise, import_type=import_type)

# add the bundle to TypeDB
results_raw = typedb.add(bundle)
result_list = [res.model_dump_json() for res in results_raw]
length = len(result_list)
for i, result in enumerate(result_list):
    print(f"--------- importing {i+1} from {length} ----------------")
    print(result)

--------- importing 1 from 12 ----------------
{"id":"file--bbf20f10-3d0b-5d1c-913e-e302e06749c5","status":"success","error":null,"message":null}
--------- importing 2 from 12 ----------------
{"id":"file--ea07da26-5db2-5cc9-9c83-f7fb53547253","status":"success","error":null,"message":null}
--------- importing 3 from 12 ----------------
{"id":"file--a1e4a735-583e-5490-8c3b-ce8f2048fb59","status":"success","error":null,"message":null}
--------- importing 4 from 12 ----------------
{"id":"file--e2269959-626d-5c26-974e-8961db0e2ab7","status":"success","error":null,"message":null}
--------- importing 5 from 12 ----------------
{"id":"directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622","status":"success","error":null,"message":null}
--------- importing 6 from 12 ----------------
{"id":"file--8c2a130b-327d-51cf-a637-3ff9a969893f","status":"success","error":null,"message":null}
--------- importing 7 from 12 ----------------
{"id":"file--ffbdf8ea-92df-56f2-95ae-54801d106620","status":"success","e

# 6. Create Studio Query Variations Using Class Hierarchy

# 6.1 Create Common Begining and End

In [156]:
begining = 'match\n      $file isa a file, \n        has stix-id "'
suffix = '", '
end = '      get;'
import json
middle = []
# A
midd_temp = '\n        has $b;'
middle.append(midd_temp)
# B
midd_temp = '\n        has name $name,\n        has $b;\n      $mark isa marking-definition,\n        has stix-id $mark_id;\n      $gran (marking:$mark, object:$file, marked:$name) isa granular-marking;'
middle.append(midd_temp)
# C
midd_temp = '\n        has $b;\n      $core isa stix-core-object,\n        has stix-id $stix_id2;\n      $emb (owner:$file, pointed-to:$core) isa embedded;\n'
middle.append(midd_temp)
# D
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)
# E
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;\n'
middle.append(midd_temp)
#F
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;'
midd_temp += '\n      $core isa stix-core-object,\n        has stix-id $stix_id2;\n      $emb2 (owner:$sub, pointed-to:$core) isa embedded;\n'
middle.append(midd_temp)
# G
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;'
midd_temp += '\n      $hash isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$hash) isa embedded;\n'
middle.append(midd_temp)
#H
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;'
midd_temp += '\n      $dict_key isa stix-attribute-string,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$dict_key) isa embedded;\n'
middle.append(midd_temp)
# I
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;'
midd_temp += '\n      $sub2 isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$sub2) isa embedded;\n'
middle.append(midd_temp)
# J
midd_temp = '\n        has $b;\n      $sub isa stix-sub-object,\n        has $c;\n      $emb (owner:$file, pointed-to:$sub) isa embedded;'
midd_temp += '\n      $sub2 isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$sub2) isa embedded;\n'
middle.append(midd_temp)
# K
midd_temp = '\n        has $b;\n      $ext_sub isa stix-sub-object,\n        has $c;\n      $ext (owner:$file, pointed-to:$ext_sub) isa embedded;'
midd_temp += '\n      $alt isa stix-sub-object,\n        has $d;\n      $emb2 (owner:$sub, pointed-to:$alt) isa embedded;'
midd_temp += '\n      $hash isa stix-sub-object,\n        has $d;\n      $emb3 (owner:$alt, pointed-to:$hash) isa embedded;\n'
middle.append(midd_temp)

print("#######################################################################################")
print("                      Use These Queries in TypeDB Studio")
print("#######################################################################################")

for i, mid in enumerate(middle):
    match = begining + json.loads(result_list[i])["id"] +suffix + mid + end
    print("----------------------------------------------------------------------------------")
    print(f"                        {names[i]}    {i+1} in len(middle)")
    print("----------------------------------------------------------------------------------")
    print(f"&&&&&&&&&&&&&&&&&&&&&&&&& Studio Match Statement &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&")
    print(match)
    print(" ")

#######################################################################################
                      Use These Queries in TypeDB Studio
#######################################################################################
----------------------------------------------------------------------------------
                        A. Basic File Object    1 in len(middle)
----------------------------------------------------------------------------------
&&&&&&&&&&&&&&&&&&&&&&&&& Studio Match Statement &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
match
      $file isa a file, 
        has stix-id "file--bbf20f10-3d0b-5d1c-913e-e302e06749c5", 
        has $b;      get;
 
----------------------------------------------------------------------------------
                        B. Basic File with Granular Markings    2 in len(middle)
----------------------------------------------------------------------------------
&&&&&&&&&&&&&&&&&&&&&&&&& Studio Match Statement &&&&&&&&&&&&&&&&&&&&&&&&&&&&&