Custom properties available ?

[guitarzero]

Hi all,

I am working in the field of malware analysis and I'd like to use Yeti as my primary database storing all gathered information and computed KPIs for a given malware.

As far as i know, it is possible using STIX2 to add custom content. Is it also possible in Yeti (i would like to store my computed KPIs in Yeti) ? If no, is it planned ?

Thank you for any comments

Stéphane

[udgover]

Hi Stéphane,

Is it possible to get more details about what would ressemble your custom content just to be sure we correctly understand what you would like to implement.

If my guess is correct, currently, it is possible to create what we call private schemas in Yeti. This means you can easily extend the current model without having to create a PR to be included in this repository. For example, I'm already doing this to support a new entity type describing our honeypot findings. In order to include it both from core and UI, you need to follow this process:

Create a new entity (or observable or indicator) under yeti/core/schemas/<schema_type>/private/. Based on honeypot-finding I was mentioning, this looks like this:

cat yeti/core/schemas/entities/private/honeypot_finding.py

import datetime
from typing import ClassVar, Literal

from pydantic import Field

from core.helpers import now
from core.schemas import entity


class HoneypotFinding(entity.Entity):
    _type_filter: ClassVar[str] = "honeypot-finding"
    type: Literal["honeypot-finding"] = "honeypot-finding"
    aliases: list[str] = []
    first_seen: datetime.datetime = Field(default_factory=now)
    last_seen: datetime.datetime = Field(default_factory=now)

Defining this new entity will let you create a new honeypot-finding from a python shell or via an API call.

Then I guess you will need to use this entity from the UI. In order to support this new entity from the UI, you have to clone yeti-feeds-frontend and define the following in privateDefinitions:

cat yeti-feeds-frontend/src/definitions/private/privateEntityDefinitions.js

export const PRIVATE_ENTITY_TYPES = [
    {
        name: "Honeypot",
        type: "honeypot-finding",
        fields: [
          {
            field: "created",
            type: "date",
            label: "Created",
            displayList: true,
            editable: false,
            sortable: true,
            width: "200px"
          },
          { field: "first_seen", type: "date", label: "First seen", displayList: true, editable: true, sortable: true, width: "200px" },
          { field: "last_seen", type: "date", label: "Last seen", displayList: true, editable: true, sortable: true, width: "200px" },
          {
            field: "name",
            type: "text",
            label: "Name",
            displayList: true,
            editable: true,
            sortable: true,
            maxWidth: "500px"
          },
          { field: "tags", type: "list", label: "Tags", displayList: true, editable: false },
          // { field: "total_links", type: "text", label: "Total links", displayList: true, editable: false, sortable: true },
          { field: "aliases", type: "list", label: "Aliases", displayList: true },
          { field: "description", type: "longtext", label: "Description", displayList: false, editable: true },
        ],
        filterAliases: ["aliases"],
        icon: "mdi-beehive-outline",
    }
]

Once you have defined both in core and UI, everything is automagically loaded and you can use your new custom content. We still have to document this feature. This feature also works with observables and indicators. You can follow the same process by updating
yeti/core/schemas/observables/private/ or yeti/core/schemas/indicators/private/ respectively in the yeti core. For UI, you can update yeti-feeds-frontend/src/definitions/private/privateObservableDefinitions.js or yeti-feeds-frontend/src/definitions/private/privateIndicatorDefinitions.js respectively.

If using docker deployment, you can then just rely on docker volume to easily provide access to your private definitions or you can rebuild your own image by ADDing your files at the right place.

Happy to help you to create your custom content.

[guitarzero]

Very, very, very interesting. Thank you so much.

I will give it a try after having gained more knowledge on Yeti. The possibility of having such custom content is a must-have for me

Thank you again, I really appreciate

[udgover]

You're welcome! Glad it helped :)