diff --git a/services/fastapi/generated/os-triage/common_files/convert_n_and_e.py b/services/fastapi/generated/os-triage/common_files/convert_n_and_e.py
new file mode 100644
index 000000000..f1894292c
--- /dev/null
+++ b/services/fastapi/generated/os-triage/common_files/convert_n_and_e.py
@@ -0,0 +1,1473 @@
+
+from stixorm.module.authorise import authorised_mappings, import_type_factory
+from stixorm.module.typedb_lib.factories.auth_factory import get_auth_factory_instance
+import copy
+from posixpath import basename
+import json
+import os
+
+import logging
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
+
+import_type = import_type_factory.get_all_imports()
+
+
+
+
+
+######################################################################################
+#
+# Setup Nodes and Edges Array Stuff for Force Graph Display - including icons
+#
+########################################################################################
+
+
+def convert_relns(obj):
+ nodes = []
+ edges = []
+ nodes, relation_edges, relation_replacement_edges = setup_relationship(obj)
+ edges2 = find_embedded(obj, edges, obj["id"], exclusion_list=["id", "source_ref", "target_ref"])
+ edges = edges + edges2
+ return nodes, edges, relation_edges, relation_replacement_edges
+
+
+def convert_sighting(obj):
+ nodes = []
+ edges = []
+ nodes, edges = setup_sighting(obj, nodes, edges)
+ # #edges2 = find_embedded(obj, edges, obj["id"], exclusion_list=["id", "observed_data_refs", "where_sighted_refs", "sighting_of_ref"])
+ # edges = edges + edges2
+ return nodes, edges
+
+
+def convert_node(obj):
+ nodes = []
+ edges = []
+ nodes, edges = setup_nodes(obj, nodes, edges)
+ edges = find_embedded(obj, edges, obj["id"], exclusion_list=["id", "observed_data_refs", "where_sighted_refs", "sighting_of_ref"])
+ # edges = edges + edges2
+ return nodes, edges
+
+
+def refine_edges(nodes, original_edges):
+ node_ids = [x["id"] for x in nodes]
+ edges = [x for x in original_edges if (x["source"] in node_ids and x["target"] in node_ids)]
+ return edges
+
+
+def generate_legend(nodes):
+ check_icons = []
+ legend = []
+ for node in nodes:
+ if node["icon"] not in check_icons:
+ check_icons.append(node["icon"])
+ layer = {}
+ layer["icon"] = node["icon"]
+ layer["name"] = node["name"]
+ legend.append(layer)
+ return legend
+
+
+# def make_nodes_and_edges(obj_list):
+# nodes_edges = {}
+# nodes = []
+# edges = []
+# for obj in obj_list:
+# if obj["type"] == "relationship":
+# edges = setup_relationship(obj, edges)
+# elif obj["type"] == "sighting":
+# nodes, edges = setup_sighting(obj, nodes, edges)
+# else:
+# nodes, edges = setup_nodes(obj, nodes, edges)
+# legend = []
+# node_ids = []
+# for node in nodes:
+# node_ids.append(node["id"])
+# if node["icon"] not in check_icons:
+# check_icons.append(node["icon"])
+# layer = {}
+# layer["icon"] = node["icon"]
+# layer["name"] = node["name"]
+# legend.append(layer)
+# # remove any edges without nodes
+# edges = [x for x in edges if (x["source"] in node_ids and x["target"] in node_ids)]
+# nodes_edges["nodes"] = nodes
+# nodes_edges["edges"] = edges
+# nodes_edges["legend"] = legend
+# return nodes_edges
+
+
+def setup_relationship(obj):
+ source_role = ""
+ target_role = ""
+ auth_factory = get_auth_factory_instance()
+ auth = auth_factory.get_auth_for_import(import_type)
+ if "icon" in obj:
+ obj_orig = obj['original']
+ else:
+ obj_orig = obj
+ for record in auth["reln"]["standard_relations"]:
+ if record['stix'] == obj["relationship_type"]:
+ source_role = record['source']
+ target_role = record['target']
+ source_type = obj_orig['source_ref'].split('--')[0]
+ target_type = obj_orig['target_ref'].split('--')[0]
+ # setup lists needed for SRO
+ nodes = []
+ relation_replacement_edges = []
+ relation_edges = []
+ # setup edges to connect without SRO object
+ relation_replacement_edge = {}
+ relation_replacement_edge["stix-id"] = obj["id"]
+ relation_replacement_edge["type"] = "relationship"
+ relation_replacement_edge["name"] = obj["relationship_type"]
+ relation_replacement_edge["source"] = obj["source_ref"]
+ relation_replacement_edge["target"] = obj["target_ref"]
+ relation_replacement_edge["id"] = obj["source_ref"] + '-' + obj["target_ref"]
+ relation_replacement_edges.append(relation_replacement_edge)
+ # setup source to SRO
+ relation_edge = {}
+ relation_edge["stix-id"] = obj["id"]
+ relation_edge["type"] = "relationship"
+ relation_edge["name"] = obj["relationship_type"]
+ relation_edge["source"] = obj["source_ref"]
+ relation_edge["target"] = obj["id"]
+ relation_edge["id"] = obj["source_ref"] + '-' + obj["id"]
+ relation_edges.append(relation_edge)
+ # setup SRO to target
+ relation_edge = {}
+ relation_edge["stix-id"] = obj["id"]
+ relation_edge["type"] = "relationship"
+ relation_edge["name"] = obj["relationship_type"]
+ relation_edge["source"] = obj["id"]
+ relation_edge["target"] = obj["target_ref"]
+ relation_edge["id"] = obj["id"] + '-' + obj["target_ref"]
+ relation_edges.append(relation_edge)
+ # sort out node
+ node = {}
+ node["id"] = obj["id"]
+ node["original"] = copy.deepcopy(obj)
+ node["name"] = obj["relationship_type"].title()
+ node['heading'] = obj["relationship_type"].title() + ' - SRO'
+ node['description'] = '
' + source_role.title() + ' -> ' + source_type.title() + '
' + target_role.title() + ' -> ' + target_type.title() + node["type"] = "relationship" + node["icon"] = "relationship" + nodes.append((node)) + return nodes, relation_edges, relation_replacement_edges + + +def setup_sighting(obj, nodes, edges): + # sighting_of_ref + description = '' + edge = {} + edge["stix-id"] = obj["id"] + edge["type"] = "sighting" + edge["name"] = "Sighting of " + obj["sighting_of_ref"].split('--')[0] + description += edge["name"] + '
' + edge["source"] = obj["id"] + edge["target"] = obj["sighting_of_ref"] + edge["id"] = obj["id"] + '-' + obj["sighting_of_ref"] + edges.append(edge) + # list of observed_data_refs + for obs in obj["observed_data_refs"]: + edge = {} + edge["stix-id"] = obj["id"] + edge["type"] = "sighting" + edge["name"] = "Observed Data" + edge["source"] = obj["id"] + edge["target"] = obs + edge["id"] = obj["id"] + '-' + obs + edges.append(edge) + # list of where_sighted_refs + if "where_sighted_refs" in obj: + for where in obj["where_sighted_refs"]: + edge = {} + edge["stix-id"] = obj["id"] + edge["type"] = "sighting" + edge["name"] = "Where Sighted -> " + where.split('--')[0] + description += edge["name"] + edge["source"] = obj["id"] + edge["target"] = where + edge["id"] = obj["id"] + '-' + where + edges.append(edge) + # sort out node + node = {} + node["id"] = obj["id"] + node["type"] = "sighting" + node["original"] = copy.deepcopy(obj) + sighting_type = "generic" + if "extensions" in obj: + for key, value in obj["extensions"].items(): + if key == "extension-definition--0d76d6d9-16ca-43fd-bd41-4f800ba8fc43": + continue + else: + sighting_type = key + node["icon"] = key + else: + node["icon"] = "sighting" + + node["name"] = sighting_type.title() + node['heading'] = sighting_type.title() + node['description'] = description + nodes.append(node) + return nodes, edges + +def setup_nodes(obj, nodes, edges): + obj_id = obj["id"] + node = {} + node["id"] = obj_id + node["type"] = obj["type"] + node["original"] = copy.deepcopy(obj) + node = find_icon(obj, node) + nodes.append(node) + return nodes, edges + + +def find_embedded(obj, edges, obj_id, exclusion_list=[]): + auth = authorised_mappings(import_type) + for key, prop in obj.items(): + if key in exclusion_list: + continue + elif key in auth["reln_name"]["embedded_relations"]: + edges = extract_ids(key, prop, edges, obj_id) + elif isinstance(prop, list): + edges = embedded_list(key, prop, edges, obj_id) + elif isinstance(prop, dict): 
+ edges = find_embedded(prop, edges, obj_id) + else: + continue + return edges + + +def embedded_list(key, prop, edges, obj_id): + logger.debug(f"embedded_list {key} {prop}") + for pro in prop: + if isinstance(pro, dict): + edges = find_embedded(pro, edges, obj_id) + else: + continue + return edges + + +def extract_ids(key, prop, edges, obj_id): + auth = authorised_mappings(import_type) + for ex in auth["reln"]["embedded_relations"]: + if ex["rel"] == key: + label = ex["label"] + source_owner = ex["owner-is-source"] + edge = {"name": label, "type": "embedded"} + if isinstance(prop, list): + for pro in prop: + if pro.split('--')[0] == "relationship": + continue + elif source_owner: + edge["source"] = obj_id + edge["target"] = pro + edge["id"] = obj_id + '-' + pro + edges.append(copy.deepcopy(edge)) + else: + edge["source"] = pro + edge["target"] = obj_id + edge["id"] = pro + '-' + obj_id + edges.append(copy.deepcopy(edge)) + else: + if source_owner: + edge["source"] = obj_id + edge["target"] = prop + edge["id"] = obj_id + '-' + prop + else: + edge["source"] = prop + edge["target"] = obj_id + edge["id"] = prop + '-' + obj_id + edges.append(copy.deepcopy(edge)) + return edges + + +def find_icon(stix_object, node): + auth = authorised_mappings(import_type) + logger.debug(f'stix object type {stix_object["type"]}
') + auth_types = copy.deepcopy(auth["types"]) + if stix_object["type"] in auth_types["sdo"]: + logger.debug(f' going into sdo ---? {stix_object}') + node = sdo_icon(stix_object, node) + elif stix_object["type"] in auth_types["sco"]: + logger.debug(f' going into sco ---> {stix_object}') + node = sco_icon(stix_object, node) + elif stix_object["type"] == 'marking-definition': + node = meta_icon(stix_object, node) + else: + logger.error(f'object type not supported: {stix_object.type}, import type {import_type}') + return node + + +def sdo_icon(stix_object, node): + sdo_type = stix_object["type"] + name = str.title(sdo_type.replace("_", " ")) + heading = name + " - SDO" + icon_type = "" + description = "" + attack_object = False if not stix_object.get("x_mitre_version", False) else True + if attack_object: + attack_type = "" + sub_technique = False if not stix_object.get("x_mitre_is_subtechnique", False) else True + if sdo_type[:7] == "x-mitre": + attack_type = sdo_type[8:] + name = str.title(attack_type.replace("_", " ")) + heading = "ATT&CK Matrix - " + name + if sdo_type == "x-mitre-matrix": + aname = stix_object.get("name", "") + aversion = stix_object.get("x_mitre_version", "") + heading = "ATT&CK Matrix - " + aname + " - v" + aversion + description = '
' + stix_object.get("description", "") + elif sdo_type == "x-mitre-tactic": + aname = stix_object.get("name", "") + T_id = stix_object.get("external_references", [{}])[0].get("external_id", "") + heading = "ATT&CK Tactic - " + aname + " - " + T_id + description = '
' + stix_object.get("description", "") + elif sdo_type == "x-mitre-collection": + aname = stix_object.get("name", "") + aversion = stix_object.get("x_mitre_version", "") + heading = "ATT&CK Collection - " + aname + " - v" + aversion + description = '
' + stix_object.get("description", "") + elif sdo_type == "x-mitre-data-source": + aname = stix_object.get("name", "") + T_id = stix_object.get("external_references", [{}])[0].get("external_id", "") + heading = "ATT&CK Data Source - " + aname + " - " + T_id + description = '
' + stix_object.get("description", "") + elif sdo_type == "x-mitre-data-component": + aname = stix_object.get("name", "") + heading = "ATT&CK Data Source - " + aname + description = '
' + stix_object.get("description", "") + elif sdo_type == "x-mitre-asset": + description = '
' + "ATT&CK Asset" + elif sdo_type == "attack-pattern": + T_id = stix_object.get("external_references", [{}])[0].get("external_id", "") + description = '
' + stix_object.get("description", "") + name = "Technique" + attack_type = "technique" + heading = name + ' - ' + T_id + " - ATT&CK" + if sub_technique: + attack_type = "subtechnique" + name = "Sub-Technique" + heading = name + ' - ' + T_id + " - ATT&CK" + elif sdo_type == "course-of-action": + M_id = stix_object.get("external_references", [{}])[0].get("external_id", "") + description = '
' + stix_object.get("description", "") + attack_type = "mitigation" + name = "Mitigation" + heading = name + ' - ' + M_id + " - ATT&CK" + elif sdo_type == "intrusion-set": + G_id = stix_object.get("external_references", [{}])[0].get("external_id", "") + G_name = stix_object.get("external_references", [{}])[1].get("source_name", "") + description = '
' + stix_object.get("description", "") + attack_type = "group" + name = "Group" + heading = name + ' - ' + G_id + ' - ' + G_name + " - ATT&CK" + elif sdo_type == "malware" or sdo_type == "tool": + S_id = stix_object.get("external_references", [{}])[0].get("external_id", "") + aname = stix_object.get("name", "") + description = '
' + stix_object.get("description", "") + attack_type = "software" + name = "Software" + heading = "ATT&CK Software - " + aname + " - " + S_id + elif sdo_type == "campaign": + attack_type = "campaign" + aname = stix_object.get("name", "") + description = '
' + stix_object.get("description", "") + name = "Campaign" + heading = "ATT&CK Campaign - " + aname + else: + attack_type = "unknown" + name = "Unknown" + heading = name + " - ATT&CK" + + if "attack-" in attack_type: + pass + else: + attack_type = "attack-" + attack_type + icon_type = attack_type + + else: + if sdo_type == "attack-pattern": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + al_list = stix_object.get("aliases", []) + kill_list = stix_object.get("kill_chain_phases", []) + kill_list = stix_object.get("kill_chain_phases", []) + name = "Attack Pattern" + heading = name + " - " + aname + if a_description: + description = "
" + a_description + if al_list: + description += "
Alternative Names -> " + str(al_list) + if kill_list: + description += "
" + str.title(kill_list[0]['kill_chain_name'].replace("_", " ")) + description += " -> " + kill_list[0]['phase_name'].replace("_", " ") + elif sdo_type == "campaign": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + al_list = stix_object.get("aliases", []) + objective = stix_object.get("objective", "") + name = "Campaign" + heading = name + " - " + aname + if a_description: + description = "
" + a_description + if al_list: + description += "
Alternative Names -> " + str(al_list) + if objective: + description += "
Objective -> " + objective + elif sdo_type == "course-of-action": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + name = "Course of Action" + heading = name + " - " + aname + if a_description: + description = "
" + a_description + elif sdo_type == "grouping": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + context = stix_object.get("context", "") + name = "Grouping" + if aname: + heading = name + " - " + aname + if a_description: + description = "
" + a_description + if context: + description += "
OS_Triage -> " + str(context) + elif sdo_type == "identity": + if "extensions" in stix_object: + icon_type = "identity-contact" + aname = stix_object.get("name", "") + S_description = stix_object.get("description", "") + if S_description: + description = "
" + S_description + name = "Individual" + heading = name + " - " + aname + else: + if stix_object.get("identity_class", False): + if stix_object["identity_class"] == "individual": + icon_type = "identity-individual" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + name = "Individual" + heading = name + " - " + aname + elif stix_object["identity_class"] == "organization": + icon_type = "identity-organization" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + name = "Organization" + heading = name + " - " + aname + elif stix_object["identity_class"] == "class": + icon_type = "identity-class" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + name = "Identity Class" + heading = name + " - " + aname + elif stix_object["identity_class"] == "system": + icon_type = "identity-system" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + ext_ref = stix_object.get("external_references", [{}]) + if ext_ref: + S_name = ext_ref[0].get("source_name", "") + S_description = ext_ref[0].get("description", "") + description += '
' + S_name + "
" + S_description + name = "Software System" + heading = name + if aname: + heading = heading + " - " + aname + elif stix_object["identity_class"] == "asset": + icon_type = "identity-asset" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + ext_ref = stix_object.get("external_references", [{}]) + if ext_ref: + S_name = ext_ref[0].get("source_name", "") + S_description = ext_ref[0].get("description", "") + description += '
' + S_name + "
" + S_description + name = "Hardware Asset" + heading = name + if aname: + heading = heading + " - " + aname + elif stix_object["identity_class"] == "group": + icon_type = "identity-group" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + name = "Group" + heading = name + if aname: + heading = heading + " - " + aname + else: + icon_type = "identity-unknown" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + name = "Unknown" + heading = name + if aname: + heading = heading + " - " + aname + else: + icon_type = "identity-unknown" + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + if a_description: + description = '
' + a_description + name = "Unknown" + if aname: + heading = name + " - " + aname + elif sdo_type == "incident": + icon_type = "incident" + aname = str.title(stix_object.get("name", "")) + a_description = stix_object.get("description", "") + name = "Std Incident" + heading = name + if a_description: + description = '
' + a_description + if aname: + heading = name + " - " + aname + if "extensions" in stix_object: + icon_type = "incident-ext" + ext = stix_object["extensions"] + types = ext.get("incident_types", []) + status = ext.get("investigation_status", "") + determin = ext.get("determination", "") + if determin: + description = '
' + "Determination -> " + determin + if status: + description += ", Status -> " + status + if types: + description += "
Incident Types -> " + for t in types: + description += t + ", " + name = "Incident Extension" + heading = name + elif sdo_type == "indicator": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + pattern = stix_object.get("pattern", "") + kill_list = stix_object.get("kill_chain_phases", []) + pattern_type = stix_object.get("pattern_type", "") + types = stix_object.get("indicator_types", []) + name = "Indicator" + heading = name + if aname: + heading += " - " + aname + if a_description: + description += "
" + a_description + description += "
Pattern Type -> " + pattern_type + if types: + description += "Indicator Types -> " + str(types) + description += "
Pattern -> " + pattern + if kill_list: + description += "
" + str.title(kill_list[0]['kill_chain_name'].replace("_", " ")) + elif sdo_type == "infrastructure": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + types = stix_object.get("infrastructure_types", "") + kill_list = stix_object.get("kill_chain_phases", []) + aliases = stix_object.get("aliases", []) + name = "Infrastructure" + heading = name + " - " + aname + if a_description: + description = "
" + a_description + if types: + description += "/Infrastructure Type -> " + types + if aliases: + description += ", Aliases -> " + aliases + if kill_list: + description += "
" + str.title(kill_list[0]['kill_chain_name'].replace("_", " ")) + elif sdo_type == "intrusion-set": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + resource_level = stix_object.get("resource_level", "") + goals = stix_object.get("goals", []) + primary_motivation = stix_object.get("primary_motivation", "") + secondary_motivations = stix_object.get("secondary_motivations", []) + name = "Intrusion Set" + heading = name + " - " + aname + if a_description: + description = "
" + a_description + if a_description: + description = "
" + a_description + if resource_level: + description += "
Intruder Resources -> " + resource_level + if goals: + description += ", Goals -> " + str(goals) + if primary_motivation: + description += "
Primary Motivation -> " + primary_motivation + if secondary_motivations: + description += "
Secondary Motivations ->" + str(secondary_motivations) + elif sdo_type == "location": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + region = stix_object.get("region", "") + country = stix_object.get("country", "") + administrative_area = stix_object.get("administrative_area ", "") + city = stix_object.get("city", "") + street_address = stix_object.get("street_address", "") + postal_code = stix_object.get("postal_code", "") + name = "Location" + heading = name + if aname: + heading += " - " + aname + if a_description: + description = "
" + a_description + if street_address: + description += "
Street Address -> " + street_address + if city: + description += ", City -> " + city + if postal_code: + description += ", Postal Code -> " + postal_code + if administrative_area: + description += ", Administrative Area -> " + administrative_area + if country: + description += ", Country -> " + country + if region: + description += ", Region -> " + region + elif sdo_type == "malware": + icon_type = "malware" + aname = stix_object.get("name", "") + type_list = stix_object.get("malware_types", []) + sample_list = stix_object.get("sample_refs", []) + if type_list: + description = '
' + "Malware Types -> " + for typ in type_list: + description = description + typ + ' ' + if sample_list: + description = '
' + "Sample Refs -> " + for sam in sample_list: + description = description + sam + ', ' + name = "Malware" + heading = name + if aname: + heading += " - " + aname + if stix_object.get("is_family", False): + icon_type = "malware-family" + aname = stix_object.get("name", "") + name = "Malware Family" + heading = name + " - " + aname + elif sdo_type == "malware-analysis": + icon_type = sdo_type + modules = stix_object.get("modules ", []) + analysis_engine_version = stix_object.get("analysis_engine_version", "") + analysis_definition_version = stix_object.get("analysis_definition_version", "") + configuration_version = stix_object.get("configuration_version", "") + result = stix_object.get("result", "") + result_name = stix_object.get("result_name", "") + version = stix_object.get("version", "") + aname = stix_object.get("product", "") + name = "Malware Analysis" + heading = name + if aname: + heading += " - " + aname + if version: + description += "
Version -> " + version + if modules: + description += ", Modules -> " + str(modules) + if result: + description += "
Result is -> " + result + if result_name: + description += ", Malware Name -> " + result_name + if version: + description += "
Version -> " + version + if configuration_version or analysis_engine_version or analysis_definition_version: + description += "
" + if configuration_version: + description += "Config Version -> " + configuration_version + if analysis_engine_version: + description += ", Engine Version -> " + analysis_engine_version + if analysis_definition_version: + description += ", Definition Version -> " + analysis_definition_version + elif sdo_type == "note": + icon_type = sdo_type + abstract = stix_object.get("abstract", "") + content = stix_object.get("content", "") + object_refs = stix_object.get("object_refs", []) + obj_list = "" + for i, obj in enumerate(object_refs): + obj_list += str.title(obj.split('--')[0].replace("_", " ")) + if i < len(object_refs) - 1: + obj_list = obj_list + ", " + name = "Note" + heading = name + if abstract: + description = "
Abstract -> " + abstract + if content: + description += "
Content -> " + content + if object_refs: + description += "
Applies to -> " + str(obj_list) + elif sdo_type == "observed-data": + icon_type = sdo_type + first_observed = stix_object.get("first_observed", None) + last_observed = stix_object.get("last_observed", None) + number_observed = stix_object.get("number_observed ", None) + object_refs = stix_object.get("object_refs", []) + obj_list = "" + for i, obj in enumerate(object_refs): + obj_list += str.title(obj.split('--')[0].replace("_", " ")) + if i < len(object_refs) - 1: + obj_list = obj_list + ", " + name = "Observed Data" + heading = name + if number_observed: + description = "
" + number_observed + if number_observed and obj_list: + description += "x " + if number_observed: + description += "Observations of - " + obj_list + if first_observed: + description += "
First Observed -> " + first_observed + if last_observed: + description += ", Last Observed -> " + last_observed + elif sdo_type == "opinion": + icon_type = sdo_type + opinion = stix_object.get("opinion", "") + authors = stix_object.get("authors", []) + explanation = stix_object.get("explanation", "") + object_refs = stix_object.get("object_refs", []) + obj_list = "" + for i, obj in enumerate(object_refs): + obj_list += str.title(obj.split('--')[0].replace("_", " ")) + if i < len(object_refs) - 1: + obj_list = obj_list + ", " + name = "Opinion" + heading = name + " on - " + obj_list + description = "
" + opinion + if explanation: + description += "
Due to -> " + explanation + if authors: + description += "
Reported by -> " + str(authors) + elif sdo_type == "report": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + published = stix_object.get("published", None) + report_types = stix_object.get("report_types", []) + object_refs = stix_object.get("object_refs", []) + obj_list = "" + for i, obj in enumerate(object_refs): + obj_list += str.title(obj.split('--')[0].replace("_", " ")) + if i < len(object_refs) - 1: + obj_list = obj_list + ", " + name = "Report" + heading = name + " - " + aname + if report_types: + description += "
Report Type -> " + str(report_types) + if a_description: + description += "
" + a_description + if published: + description += "
Published on -> " + published + elif sdo_type == "threat-actor": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + sophistication = stix_object.get("sophistication", "") + resource_level = stix_object.get("resource_level", "") + goals = stix_object.get("goals", []) + primary_motivation = stix_object.get("primary_motivation", "") + secondary_motivations = stix_object.get("secondary_motivations", []) + personal_motivations = stix_object.get("personal_motivations", []) + name = "Threat Actor" + heading = name + " - " + aname + if a_description: + description = "
" + a_description + if resource_level or goals: + description += "/Actor Resources -> " + resource_level + ", Goals -> " + str(goals) + if primary_motivation: + description += "
Primary Motivation -> " + primary_motivation + if secondary_motivations: + description += "
Secondary Motivations ->" + str(secondary_motivations) + if personal_motivations: + description += "
Personal Motivations ->" + str(personal_motivations) + elif sdo_type == "tool": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + kill_list = stix_object.get("kill_chain_phases", []) + tool_version = stix_object.get("tool_version", "") + aliases = stix_object.get("aliases", []) + tool_types = stix_object.get("tool_types", []) + name = "Tool" + heading = name + " - " + aname + " - " + tool_version + if a_description: + description += "
" + a_description + if tool_types: + description += "/Tool Types -> " + tool_types + if aliases: + description += "
Aliases -> " + aliases + if kill_list: + description += "
" + str.title(kill_list[0]['kill_chain_name'].replace("_", " ")) + elif sdo_type == "vulnerability": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + external_references = stix_object.get("external_references", []) + name = "Vulnerability" + heading = name + if aname: + heading += " -> " + aname + if a_description: + description = "
" + a_description + if external_references: + description += "
" + str.title(external_references[0]['kill_chain_name'].replace("_", " ")) + elif sdo_type == "event": + icon_type = sdo_type + aname = stix_object.get("name", "") + a_description = stix_object.get("description", "") + goal = stix_object.get("goal", "") + status = stix_object.get("status", "") + name = "Event" + heading = name + if aname: + heading += " -> " + aname + heading += ", Status -> " + status + if a_description: + description += "
" + a_description + if goal: + description += "
Goal -> " + goal + elif sdo_type == "impact": + if "extensions" in stix_object: + for key, value in stix_object["extensions"].items(): + if key == "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": + continue + else: + icon_type = "impact-" + key + if key == "monetary": + adescription = stix_object.get("description", "") + variety = value.get("variety", "") + currency_actual = value.get("currency_actual", "") + max_amount = value.get("max_amount", 0) + min_amount = value.get("min_amount", 0) + if adescription: + description = '
' + adescription + if variety: + description += "
" + "Variety -> " + variety + "
" + "Currency -> " + if currency_actual: + description += currency_actual + if max_amount: + description += "
" + "Max Amount -> $" + str(max_amount) + if min_amount: + description += "
" + "Min Amount -> $" + str(min_amount) + name = "Monetary Impact" + heading = name + elif key == "availability": + adescription = stix_object.get("description", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + avail = value.get("availability_impact", 0) + description = '
' + adescription + "
" + "Total Impact ->" + str(avail) + "
Impacted Entities -> " + if adescription: + description += '
' + adescription + if avail: + description += "
" + "Variety -> " + str(avail) + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + name = "Availability Impact" + heading = name + elif key == "integrity": + adescription = stix_object.get("description", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + info = value.get("information_type", "") + altrd = value.get("alteration", "") + r_c = value.get("record_count", 0) + r_s = value.get("record_size", 0) + if adescription: + description = '
' + adescription + if variety: + description += "
" + "Variety -> " + variety + "
" + "Currency -> " + if currency_actual: + description += currency_actual + if max_amount: + description += "
" + "Max Amount -> $" + str(max_amount) + if min_amount: + description += "
" + "Min Amount -> $" + str(min_amount) + description = '
' + adescription + "
" + "Info Type -> " + info + "Alteration Type -> " + description += altrd + "
" + "Number of Records -> " + str(r_c) + description += " Size of Records -> " + str(r_s) + description += "
Impacted Entities -> " + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + name = "Integrity Impact" + heading = name + elif key == "confidentiality": + adescription = stix_object.get("description", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + info = value.get("information_type", "") + loss_type = value.get("loss_type", "") + r_c = value.get("record_count", 0) + r_s = value.get("record_size", 0) + description = '
' + adescription + "
" + "Info Type -> " + info + "Loss Type -> " + description += loss_type + "
" + "Number of Records -> " + str(r_c) + description += " Size of Records -> " + str(r_s) + description += "
Impacted Entities -> " + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + name = "Integrity Impact" + heading = name + elif key == "physical": + adescription = stix_object.get("description", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + impact_type = value.get("impact_type", "") + asset_type = value.get("asset_type", "") + description = '
' + adescription + "
Asset Type -> " + asset_type + description += ", Physical Impact -> " + impact_type + description += "
Impacted Entities -> " + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + name = "Physical Impact" + heading = name + elif key == "external": + adescription = stix_object.get("description", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + loss = value.get("impact_type", "") + description = '
' + adescription + "
" + "Actual Loss -> " + loss + description += "
Impacted Entities -> " + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + name = "External Impact" + heading = name + elif key == "traceability": + adescription = stix_object.get("description", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + tracking = value.get("traceability_impact", "") + description = '
' + adescription + "
" + "Ability to Trace -> " + tracking + description += "
Impacted Entities -> " + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + name = "Traceability Impact" + heading = name + else: + icon_type = "impact" + name = icon_type + heading = name + description = heading + elif sdo_type == "sequence": + if stix_object["step_type"] == "start_step" or stix_object["step_type"] == "end_step": + icon_type = "step-terminal" + seq_type = stix_object.get("sequence_type", "") + name = str.title(stix_object["step_type"].replace("_", " ")) + heading = name + ' for ' + str.title(seq_type) + elif stix_object["step_type"] == "single_step": + if "on_completion" in stix_object: + icon_type = "step-single" + seq_type = stix_object.get("sequence_type", "") + name = str.title(stix_object["step_type"].replace("_", " ")) + heading = name + ' for ' + str.title(seq_type) + elif "on_success" in stix_object: + icon_type = "step-xor" + seq_type = stix_object.get("sequence_type", "") + name = str.title(stix_object["step_type"].replace("_", " ")) + heading = name + ' for ' + str.title(seq_type) + else: + icon_type = "step-single" + seq_type = stix_object.get("sequence_type", "") + name = str.title(stix_object["step_type"].replace("_", " ")) + heading = name + ' for ' + str.title(seq_type) + else: + icon_type = "step-parallel" + seq_type = stix_object.get("sequence_type", "") + name = str.title(stix_object["step_type"].replace("_", " ")) + heading = name + ' for ' + str.title(seq_type) + elif sdo_type == "task": + icon_type = sdo_type + aname = stix_object.get("name", "") + outcome = stix_object.get("outcome", "") + impacted_entity_counts = stix_object.get("impacted_entity_counts", []) + a_description = stix_object.get("description", "") + priority = stix_object.get("priority", None) + task_types = stix_object.get("task_types", []) + name = "Task" + heading = name + if aname: + heading += " -> " + aname + if outcome: + description += "
Outcome -> " + outcome + if priority: + description += ", Priority -> " + priority + if task_types: + description += "
Task Types -> " + task_types + if a_description: + description += "
" + a_description + if impacted_entity_counts: + description += "
Impacted Entities -> " + for k, v in impacted_entity_counts.items(): + description += k + " -> " + str(v) + if len(impacted_entity_counts.items()) > 1: + description = description + ", " + else: + icon_type = sdo_type + name = icon_type + heading = name + description = heading + node["icon"] = icon_type + node["name"] = name + node["heading"] = heading + node["description"] = description + return node + + +def sco_icon(stix_object, node): + sco_type = stix_object["type"] + name = "" + heading = "" + icon_type = "" + description = "" + if sco_type == "anecdote": + icon_type = sco_type + value = stix_object.get("value", "") + report_date = stix_object.get("report_date", None) + name = "Anecdote" + heading = name + if report_date: + heading += " -> " + str(report_date) + description += "/Statement -> " + value + elif sco_type == "artifact": + icon_type = sco_type + mime_type = stix_object.get("mime_type", "") + url = stix_object.get("url", "") + hashes = stix_object.get("hashes", {}) + encryption_algorithm = stix_object.get("encryption_algorithm", "") + decryption_key = stix_object.get("priority", None) + name = "Artifact" + heading = name + if mime_type: + heading += " -> " + mime_type + if encryption_algorithm: + description += "
Encryption Algorithm -> " + encryption_algorithm + if decryption_key: + description += ", Decryption Key -> " + decryption_key + if url: + description += ", URL -> " + url + if hashes: + description += "
Hashes -> " + for k, v in hashes.items(): + description += "
- " + k + " -> " + str(v) + elif sco_type == "autonomous-system": + icon_type = sco_type + aname = stix_object.get("name", "") + number = stix_object.get("number", None) + rir = stix_object.get("rir", "") + name = "Autonomous System" + heading = name + if aname: + heading += " -> " + aname + description += "
Number -> " + number + if rir: + description += "
Regional Internet Registry (RIR) -> " + rir + elif sco_type == "directory": + icon_type = sco_type + path = stix_object.get("path", "") + path_enc = stix_object.get("path_enc", "") + ctime = stix_object.get("ctime", None) + mtime = stix_object.get("mtime", None) + atime = stix_object.get("atime", None) + name = "Directory" + heading = name + if path_enc: + heading += " -> " + path_enc + description += "
Path -> " + path + if ctime: + description += "
Created -> " + ctime + if mtime: + description += "
Modified -> " + mtime + if atime: + description += "
Accessed" + atime + elif sco_type == "domain-name": + icon_type = "domain" + value = stix_object.get("value", "") + resolves_to_refs = stix_object.get("resolves_to_refs", []) + name = "Domain Name" + heading = name + if value: + heading += " -> " + value + elif sco_type == "email-addr": + icon_type = sco_type + value = stix_object.get("value", "") + display_name = stix_object.get("display_name", "") + name = "Email Address" + heading = name + if display_name: + heading += " -> " + display_name + description += "
Value -> " + value + elif sco_type == "email-message": + icon_type = "email-message" + content_type = stix_object.get("content_type", "") + received_lines = stix_object.get("received_lines", []) + body = stix_object.get("body", "") + subject = stix_object.get("subject", "") + message_id = stix_object.get("message_id", "") + date = stix_object.get("date", None) + additional_header_fields = stix_object.get("additional_header_fields", {}) + is_multipart = stix_object.get("is_multipart", False) + name = "Email Message" + heading = name + if content_type: + heading += " -> " + content_type + if subject: + description += "
Subject -> " + subject + if date: + description += ", Date -> " + date + if body: + description += "
Body -> " + body + if message_id: + description += "
Message ID -> " + message_id + if received_lines: + description += "
Received Header -> " + for v in received_lines: + description += "
- " + str(v) + if is_multipart: + icon_type = "email-message-mime" + body_multipart = stix_object.get("body_multipart", []) + name = "MIME " + name + heading = name + if content_type: + heading += " -> " + content_type + if body_multipart: + description += "
MIME Parts -> " + for v in body_multipart: + description += "
- " + str(v) + elif sco_type == "file": + icon_type = "file" + aname = stix_object.get("name", "") + hashes = stix_object.get("hashes", {}) + name_enc = stix_object.get("name_enc", "") + ctime = stix_object.get("ctime", None) + mtime = stix_object.get("mtime", None) + atime = stix_object.get("atime", None) + mime_type = stix_object.get("mime_type", "") + name = "File" + heading = name + if aname: + heading += " -> " + aname + if name_enc: + description += "
Priority -> " + name_enc + if mime_type: + description += "MIME Type -> " + mime_type + if ctime: + description += "
Created -> " + ctime + if mtime: + description += "
Modified -> " + mtime + if atime: + description += "
Accessed" + atime + if hashes: + description += "
Hashes -> " + for k, v in hashes.items(): + description += "
- " + k + " -> " + str(v) + if "extensions" in stix_object: + if stix_object["extensions"].get("archive-ext", False): + icon_type = "file-archive" + archive = stix_object.get("archive-ext", {}) + comment = archive.get("comment", "") + name = "Archive " + name + heading = name + if aname: + heading += " -> " + aname + if comment: + description += "
Comment -> " + comment + elif stix_object["extensions"].get("pdf-ext", False): + icon_type = "file-pdf" + pdf = stix_object.get("pdf-ext", {}) + doc_info_dict = pdf.get("document_info_dict", {}) + name = "PDF " + name + heading = name + if aname: + heading += " -> " + aname + if doc_info_dict: + for k, v in doc_info_dict.items(): + description += "
" + k + " -> " + str(v) + elif stix_object["extensions"].get("raster-image-ext", False): + icon_type = "file-img" + img = stix_object.get("raster-image-ext", {}) + exif_tags = img.get("exif_tags", {}) + name = "Image " + name + heading = name + if aname: + heading += " -> " + aname + if exif_tags: + for k, v in exif_tags.items(): + description += "
" + k + " -> " + str(v) + elif stix_object["extensions"].get("windows-pebinary-ext", False): + icon_type = "file-bin" + binary = stix_object.get("windows-pebinary-ext", {}) + pe_type = binary.get("pe_type", "") + number_of_sections = binary.get("number_of_sections", None) + name = "Binary " + name + heading = name + if aname: + heading += " -> " + aname + if pe_type: + description += "
Executable Type -> " + pe_type + if number_of_sections: + description += ", Number of Sections -> " + number_of_sections + elif stix_object["extensions"].get("ntfs-ext", False): + icon_type = "file-ntfs" + ntfs = stix_object.get("ntfs-ext", "") + alt_list = ntfs.get("alternate_data_streams", []) + name = "NTFS " + name + heading = name + if aname: + heading += " -> " + aname + if alt_list: + description += "
Number of Streams -> " + len(alt_list) + elif sco_type == "ipv4-addr": + icon_type = sco_type + value = stix_object.get("value", "") + name = "IPv4 Address" + heading = name + description += "
Value -> " + value + elif sco_type == "ipv6-addr": + icon_type = sco_type + value = stix_object.get("value", "") + name = "IPv6 Address" + heading = name + description += "
Value -> " + value + elif sco_type == "mac-addr": + icon_type = sco_type + value = stix_object.get("value", "") + name = "MAC Address" + heading = name + description += "
Value -> " + value + elif sco_type == "mutex": + icon_type = sco_type + aname = stix_object.get("name", "") + name = "Mutex" + heading = name + description += "
Name -> " + aname + elif sco_type == "network-traffic": + icon_type = "network-traffic" + protocols = stix_object.get("protocols", []) + ipfix = stix_object.get("ipfix", {}) + name = "Network Traffic" + heading = name + if protocols: + description += "
Protocols -> " + protocols + if ipfix: + for k, v in ipfix.items(): + description += "
- " + k + " -> " + str(v) + if "extensions" in stix_object: + if stix_object["extensions"].get("http-request-ext", False): + icon_type = "network-traffic-http" + http = stix_object.get("http-request-ext", "") + request_method = http.get("request_method", "") + request_value = http.get("request_value", "") + request_version = http.get("request_version", "") + request_header = http.get("request_header", {}) + name = "HTTP " + name + heading = name + if request_method: + description += "
HTTP Method -> " + request_method + if request_value: + description += ", Request Value -> " + request_value + if request_version: + description += "
Request Version -> " + request_version + if request_header: + for k, v in request_header.items(): + description += "
- " + k + " -> " + str(v) + elif stix_object["extensions"].get("icmp-ext", False): + icon_type = "network-traffic-icmp" + name = "ICMP " + name + heading = name + elif stix_object["extensions"].get("tcp-ext", False): + icon_type = "network-traffic-tcp" + name = "TCP " + name + heading = name + elif stix_object["extensions"].get("socket-ext", False): + icon_type = "network-traffic-sock" + name = "Socket " + name + heading = name + + elif sco_type == "process": + icon_type = sco_type + pid = stix_object.get("pid", "") + cwd = stix_object.get("cwd", "") + command_line = stix_object.get("command_line", "") + environment_variables = stix_object.get("environment_variables", {}) + name = "Process" + heading = name + if pid: + description += "Process ID -> " + str(pid) + if command_line: + description += ", Command Line -> " + command_line + if cwd: + description += "
CWD -> " + cwd + if environment_variables: + description += "
IEnvironment Variables -> " + for k, v in environment_variables.items(): + description += "
- " + k + " -> " + str(v) + if "extensions" in stix_object: + if stix_object["extensions"].get("windows-process-ext", False): + windows = stix_object.get("windows-process-ext", "") + window_title = windows.get("window_title", "") + integrity_level = windows.get("integrity_level", "") + startup_info = windows.get("startup_info", {}) + name = "Windows " + name + heading = name + if window_title: + description += "
Windows Title -> " + window_title + if integrity_level: + description += "
Task Types -> " + integrity_level + if startup_info: + description += "
Startup Info -> " + for k, v in startup_info.items(): + description += "
" + k + " -> " + str(v) + elif stix_object["extensions"].get("windows-service-ext", False): + service = stix_object.get("windows-service-ext", "") + display_name = service.get("display_name", "") + service_name = service.get("service_name", "") + start_type = service.get("start_type", "") + service_type = service.get("service_type", "") + service_status = service.get("service_status", "") + name = "Windows Service" + heading = name + if display_name: + description += "
Display Name -> " + display_name + if service_name: + description += ", Service Name -> " + service_name + if service_status: + description += "
Service Status -> " + service_status + if service_type: + description += ", Service Type -> " + service_type + if start_type: + description += "
Service Status -> " + start_type + elif sco_type == "software": + icon_type = sco_type + aname = stix_object.get("name", "") + cpe = stix_object.get("cpe", "") + swid = stix_object.get("swid", "") + vendor = stix_object.get("vendor", "") + version = stix_object.get("version", "") + name = "Software" + heading = name + if aname: + heading += " -> " + aname + if cpe: + description += "
CPE -> " + cpe + if swid: + description += "
SWID -> " + swid + if vendor: + description += "
" + vendor + ' - ' + aname + if version: + description += ", Version" + version + elif sco_type == "url": + icon_type = sco_type + value = stix_object.get("value", "") + name = "URL" + heading = name + description += "
Value -> " + value + elif sco_type == "user-account": + icon_type = sco_type + user_id = stix_object.get("user_id", "") + credential = stix_object.get("credential", "") + account_login = stix_object.get("account_login", "") + account_type = stix_object.get("account_type", "") + display_name = stix_object.get("display_name", "") + name = "User Account" + heading = name + if display_name: + description += "
Display Name -> " + display_name + if account_type: + description += "
Account Type -> " + account_type + if user_id: + description += ", User ID -> " + user_id + if account_login: + description += "
Login String ->" + account_login + if credential: + description += ", Credential -> " + credential + if "extensions" in stix_object: + if stix_object["extensions"].get("unix-account-ext", False): + icon_type = "user-account-unix" + name = "Unix " + name + heading = name + elif sco_type == "windows-registry-key": + key = stix_object.get("key", "") + values = stix_object.get("values", []) + name = "Windows Registry Key" + heading = name + if key: + description += "
Registry Key -> " + key + if values: + description += "
Windows Registry Key Values -> " + for i, v in enumerate(values): + description += "
" + name = v.get("name", "") + data = v.get("data", "") + data_type = v.get("data_type", "") + if name: + description += "Value Name -> " + name + if data_type: + description += ", Data Type -> " + data_type + if data: + description += ", Registry Data -> " + data + elif sco_type == "x509-certificate": + issuer = stix_object.get("issuer", "") + subject = stix_object.get("subject", "") + name = "X.509 Certificate" + heading = name + if issuer: + description += "
Issuer -> " + issuer + if subject: + description += "
Subject -> " + subject + else: + pass + node["icon"] = icon_type + node["name"] = name + node["heading"] = heading + node["description"] = description + return node + + + +def meta_icon(stix_object, node): + name = "Marking" + heading = "Marking" + icon_type = "marking" + description = "" + type = stix_object.get("definition_type", "") + if type == "tlp": + definition = stix_object.get("definition", {}) + colour = definition.get("tlp", "") + heading = heading + " -> " + str.title(colour) + '!' + else: + definition = stix_object.get("definition", {}) + statement = definition.get("statement", "") + heading = heading + " -> Statement" + description = '
' + statement
+ node["icon"] = icon_type
+ node["name"] = name
+ node["heading"] = heading
+ node["description"] = description
+ return node
+
diff --git a/services/fastapi/generated/os-triage/context_mem/context_map.json b/services/fastapi/generated/os-triage/context_mem/context_map.json
new file mode 100644
index 000000000..8303f411b
--- /dev/null
+++ b/services/fastapi/generated/os-triage/context_mem/context_map.json
@@ -0,0 +1 @@
+{"current_incident": "incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a", "current_company": "identity--86f326c5-0e44-4c3d-9170-da08a77bbcda", "company_list": ["identity--86f326c5-0e44-4c3d-9170-da08a77bbcda"], "incident_list": ["incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a"]}
\ No newline at end of file
diff --git a/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/assets.json b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/assets.json
new file mode 100644
index 000000000..665395486
--- /dev/null
+++ b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/assets.json
@@ -0,0 +1 @@
+[{"id": "identity--9cfa0d8d-5033-476e-b32f-49845fb2033c", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--9cfa0d8d-5033-476e-b32f-49845fb2033c", "created": "2024-09-01T06:49:33.807Z", "modified": "2024-09-01T06:49:33.807Z", "name": "HP Laptop 1", "description": "Usr 1's Laptop", "roles": ["laptop"], "identity_class": "asset", "sectors": ["technology"], "external_references": [{"source_name": "HP Ultima 10", "description": "16GB RAM, 1TB SD, Microsoft Windows 11 Professional", "url": "https://mail.echange.microsoft.com", "external_id": "Asset--629456a"}]}, "icon": "identity-asset", "name": "Hardware Asset", "heading": "Hardware Asset - HP Laptop 1", "description": "
Usr 1's Laptop
HP Ultima 10
16GB RAM, 1TB SD, Microsoft Windows 11 Professional"}, {"id": "identity--ff6ee573-da6c-4da9-ba35-70e83fa7fbe5", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--ff6ee573-da6c-4da9-ba35-70e83fa7fbe5", "created": "2024-09-01T06:49:33.829Z", "modified": "2024-09-01T06:49:33.829Z", "name": "HP Laptop 2", "description": "Usr 2's Laptop", "roles": ["laptop"], "identity_class": "asset", "sectors": ["technology"], "external_references": [{"source_name": "HP Ultima 10", "description": "16GB RAM, 1TB SD, Microsoft Windows 11 Professional", "url": "https://mail.echange.microsoft.com", "external_id": "Asset--629457ca"}]}, "icon": "identity-asset", "name": "Hardware Asset", "heading": "Hardware Asset - HP Laptop 2", "description": "
Usr 2's Laptop
HP Ultima 10
16GB RAM, 1TB SD, Microsoft Windows 11 Professional"}, {"id": "identity--5fa9263b-107b-47d7-a6ab-398c39409e8d", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--5fa9263b-107b-47d7-a6ab-398c39409e8d", "created": "2024-09-01T06:49:33.849Z", "modified": "2024-09-01T06:49:33.849Z", "name": "Apple MacBook Pro", "description": "Usr 3's Laptop", "roles": ["laptop"], "identity_class": "asset", "sectors": ["technology"], "external_references": [{"source_name": "Apple MaxBook Pro", "description": "32GB RAM, 1TB SD, Microsoft Windows 11 Professional", "url": "https://our-assets.com", "external_id": "Asset--629457bb"}]}, "icon": "identity-asset", "name": "Hardware Asset", "heading": "Hardware Asset - Apple MacBook Pro", "description": "
Usr 3's Laptop
Apple MaxBook Pro
32GB RAM, 1TB SD, Microsoft Windows 11 Professional"}, {"id": "identity--e8fa639c-27ee-41ef-980b-ea4c1dba71e8", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--e8fa639c-27ee-41ef-980b-ea4c1dba71e8", "created": "2024-09-01T06:49:33.870Z", "modified": "2024-09-01T06:49:33.870Z", "name": "Dell Inspiron Pro", "description": "Usr 4's Laptop", "roles": ["laptop"], "identity_class": "asset", "sectors": ["technology"], "external_references": [{"source_name": "Dell Inspiron Pro", "description": "32GB RAM, 1TB SD, Microsoft Windows 11 Professional", "url": "https://our-assets.com", "external_id": "Asset--62945788"}]}, "icon": "identity-asset", "name": "Hardware Asset", "heading": "Hardware Asset - Dell Inspiron Pro", "description": "
Usr 4's Laptop
Dell Inspiron Pro
32GB RAM, 1TB SD, Microsoft Windows 11 Professional"}, {"id": "identity--350a77f2-c01d-4db4-9397-e87836bffea1", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--350a77f2-c01d-4db4-9397-e87836bffea1", "created": "2024-09-01T06:49:33.892Z", "modified": "2024-09-01T06:49:33.892Z", "name": "ZScaler Pro", "description": "Usr 5's Laptop", "roles": ["laptop"], "identity_class": "asset", "sectors": ["technology"], "external_references": [{"source_name": "ZScaler Pro", "description": "32GB RAM, 1TB SD, Microsoft Windows 11 Professional", "url": "https://our-assets.com", "external_id": "Asset--62945788"}]}, "icon": "identity-asset", "name": "Hardware Asset", "heading": "Hardware Asset - ZScaler Pro", "description": "
Usr 5's Laptop
ZScaler Pro
32GB RAM, 1TB SD, Microsoft Windows 11 Professional"}]
\ No newline at end of file
diff --git a/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/company.json b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/company.json
new file mode 100644
index 000000000..79fb5f867
--- /dev/null
+++ b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/company.json
@@ -0,0 +1 @@
+[{"id": "identity--86f326c5-0e44-4c3d-9170-da08a77bbcda", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--86f326c5-0e44-4c3d-9170-da08a77bbcda", "created": "2024-09-01T06:49:33.268Z", "modified": "2024-09-01T06:49:33.268Z", "name": "Example Company", "description": "An Example Organisation", "identity_class": "organization", "sectors": ["technology"]}, "icon": "identity-organization", "name": "Organization", "heading": "Organization - Example Company", "description": "
An Example Organisation"}]
\ No newline at end of file
diff --git a/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/edges.json b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/edges.json
new file mode 100644
index 000000000..3ab42ca85
--- /dev/null
+++ b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/edges.json
@@ -0,0 +1 @@ +[{"name": "belongs-to", "type": "embedded", "source": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "target": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "id": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b-user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}, {"name": "email address", "type": "embedded", "source": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "target": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe-email-addr--4722424c-7012-56b0-84d5-01d076fc547b"}, {"name": "user account", "type": "embedded", "source": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "target": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe-user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}, {"name": "belongs-to", "type": "embedded", "source": "email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b", "target": "user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3", "id": "email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b-user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3"}, {"name": "email address", "type": "embedded", "source": "identity--a1c58996-e3e6-43c1-a3ae-91da077a49fe", "target": "email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b", "id": "identity--a1c58996-e3e6-43c1-a3ae-91da077a49fe-email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b"}, {"name": "user account", "type": "embedded", "source": "identity--a1c58996-e3e6-43c1-a3ae-91da077a49fe", "target": "user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3", "id": "identity--a1c58996-e3e6-43c1-a3ae-91da077a49fe-user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3"}, {"name": "belongs-to", "type": "embedded", "source": "email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5", "target": "user-account--113460bd-67f7-5611-bbbb-158d5c45255e", "id": "email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5-user-account--113460bd-67f7-5611-bbbb-158d5c45255e"}, {"name": "email address", "type": 
"embedded", "source": "identity--e6782443-50ad-483d-8490-ba6d2e7a0344", "target": "email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5", "id": "identity--e6782443-50ad-483d-8490-ba6d2e7a0344-email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5"}, {"name": "user account", "type": "embedded", "source": "identity--e6782443-50ad-483d-8490-ba6d2e7a0344", "target": "user-account--113460bd-67f7-5611-bbbb-158d5c45255e", "id": "identity--e6782443-50ad-483d-8490-ba6d2e7a0344-user-account--113460bd-67f7-5611-bbbb-158d5c45255e"}, {"name": "belongs-to", "type": "embedded", "source": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "target": "user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4", "id": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5-user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4"}, {"name": "email address", "type": "embedded", "source": "identity--6c37e812-0738-461d-aa5b-cd7cee0f3f12", "target": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "id": "identity--6c37e812-0738-461d-aa5b-cd7cee0f3f12-email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}, {"name": "user account", "type": "embedded", "source": "identity--6c37e812-0738-461d-aa5b-cd7cee0f3f12", "target": "user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4", "id": "identity--6c37e812-0738-461d-aa5b-cd7cee0f3f12-user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4"}, {"name": "belongs-to", "type": "embedded", "source": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "target": "user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832", "id": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e-user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832"}, {"name": "email address", "type": "embedded", "source": "identity--8b9349c3-0abf-43f0-9084-c58a4e538e2e", "target": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "id": "identity--8b9349c3-0abf-43f0-9084-c58a4e538e2e-email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e"}, {"name": "user account", "type": "embedded", "source": 
"identity--8b9349c3-0abf-43f0-9084-c58a4e538e2e", "target": "user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832", "id": "identity--8b9349c3-0abf-43f0-9084-c58a4e538e2e-user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/systems.json b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/systems.json new file mode 100644 index 000000000..f2eeb47fb --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/systems.json @@ -0,0 +1 @@ +[{"id": "identity--9978194c-6376-4e30-aed3-643fcb6000ec", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--9978194c-6376-4e30-aed3-643fcb6000ec", "created": "2024-09-01T06:49:33.776Z", "modified": "2024-09-01T06:49:33.776Z", "name": "Microsoft Exchange", "description": "My Local Exchange Server", "roles": ["server"], "identity_class": "system", "sectors": ["technology"], "external_references": [{"source_name": "Exchange Server", "description": "our email server", "url": "https://mail.echange.microsoft.com", "external_id": "admin"}]}, "icon": "identity-system", "name": "Software System", "heading": "Software System - Microsoft Exchange", "description": "
My Local Exchange Server
Exchange Server
our email server"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/users.json b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/users.json new file mode 100644 index 000000000..3a6e2004a --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/identity--86f326c5-0e44-4c3d-9170-da08a77bbcda/users.json @@ -0,0 +1 @@ +[{"id": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "type": "user-account", "original": {"type": "user-account", "spec_version": "2.1", "id": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "user_id": "79563902", "account_login": "nsmith", "account_type": "sales,", "display_name": "Naive Smith"}, "icon": "user-account", "name": "User Account", "heading": "User Account", "description": "
Display Name -> Naive Smith
Account Type -> sales,, User ID -> 79563902
Login String ->nsmith"}, {"id": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "type": "email-addr", "original": {"type": "email-addr", "spec_version": "2.1", "id": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "value": "naive@example.com", "display_name": "Naive Smith", "belongs_to_ref": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}, "icon": "email-addr", "name": "Email Address", "heading": "Email Address -> Naive Smith", "description": "
Value -> naive@example.com"}, {"id": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "created": "2024-09-01T06:49:33.339Z", "modified": "2024-09-01T06:49:33.339Z", "name": "Naive Smith", "description": "A Naive Individual", "roles": ["user", "sales"], "identity_class": "individual", "sectors": ["technology"], "extensions": {"extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": {"extension_type": "property-extension", "contact_numbers": [{"contact_number_type": "work-phone", "contact_number": "0499-999-109"}], "email_addresses": [{"digital_contact_type": "work", "email_address_ref": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b"}], "first_name": "Naive", "last_name": "Smith", "middle_name": "Weakling", "prefix": "Mr", "social_media_accounts": [{"digital_contact_type": "work", "user_account_ref": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}], "team": "Sales"}}}, "icon": "identity-contact", "name": "Individual", "heading": "Individual - Naive Smith", "description": "
A Naive Individual"}, {"id": "user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3", "type": "user-account", "original": {"type": "user-account", "spec_version": "2.1", "id": "user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3", "user_id": "79563143", "account_login": "sbilly", "account_type": "sales,", "display_name": "Strange Billy"}, "icon": "user-account", "name": "User Account", "heading": "User Account", "description": "
Display Name -> Strange Billy
Account Type -> sales,, User ID -> 79563143
Login String ->sbilly"}, {"id": "email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b", "type": "email-addr", "original": {"type": "email-addr", "spec_version": "2.1", "id": "email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b", "value": "sbilly@example.com", "display_name": "Strange Billy", "belongs_to_ref": "user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3"}, "icon": "email-addr", "name": "Email Address", "heading": "Email Address -> Strange Billy", "description": "
Value -> sbilly@example.com"}, {"id": "identity--a1c58996-e3e6-43c1-a3ae-91da077a49fe", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--a1c58996-e3e6-43c1-a3ae-91da077a49fe", "created": "2024-09-01T06:49:33.436Z", "modified": "2024-09-01T06:49:33.436Z", "name": "Strange", "description": "A Strange Individual", "roles": ["user", "sales"], "identity_class": "individual", "sectors": ["technology"], "extensions": {"extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": {"extension_type": "property-extension", "contact_numbers": [{"contact_number_type": "work-phone", "contact_number": "0422-222-122"}], "email_addresses": [{"digital_contact_type": "work", "email_address_ref": "email-addr--b0708db8-71e9-50f9-950c-610fccd2c30b"}], "first_name": "Strange", "last_name": "Billy", "middle_name": "One", "prefix": "Mr", "social_media_accounts": [{"digital_contact_type": "work", "user_account_ref": "user-account--5c0dcb9b-5784-5aaf-b393-d990a4d68dd3"}], "team": "Sales"}}}, "icon": "identity-contact", "name": "Individual", "heading": "Individual - Strange", "description": "
A Strange Individual"}, {"id": "user-account--113460bd-67f7-5611-bbbb-158d5c45255e", "type": "user-account", "original": {"type": "user-account", "spec_version": "2.1", "id": "user-account--113460bd-67f7-5611-bbbb-158d5c45255e", "user_id": "79563902", "account_login": "wwhilly", "account_type": "sales,", "display_name": "Whooping Whilly"}, "icon": "user-account", "name": "User Account", "heading": "User Account", "description": "
Display Name -> Whooping Whilly
Account Type -> sales,, User ID -> 79563902
Login String ->wwhilly"}, {"id": "email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5", "type": "email-addr", "original": {"type": "email-addr", "spec_version": "2.1", "id": "email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5", "value": "wwhilly@example.com", "display_name": "Whooping Willy", "belongs_to_ref": "user-account--113460bd-67f7-5611-bbbb-158d5c45255e"}, "icon": "email-addr", "name": "Email Address", "heading": "Email Address -> Whooping Willy", "description": "
Value -> wwhilly@example.com"}, {"id": "identity--e6782443-50ad-483d-8490-ba6d2e7a0344", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--e6782443-50ad-483d-8490-ba6d2e7a0344", "created": "2024-09-01T06:49:33.527Z", "modified": "2024-09-01T06:49:33.527Z", "name": "Whooping", "description": "A Whooping Individual", "roles": ["user", "sales"], "identity_class": "individual", "sectors": ["technology"], "extensions": {"extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": {"extension_type": "property-extension", "contact_numbers": [{"contact_number_type": "work-phone", "contact_number": "0455-555-155"}], "email_addresses": [{"digital_contact_type": "work", "email_address_ref": "email-addr--72fa6570-cce5-5be5-916d-452de0e1adb5"}], "first_name": "Whooping", "last_name": "Whilly", "middle_name": "Wee", "prefix": "Mr", "social_media_accounts": [{"digital_contact_type": "work", "user_account_ref": "user-account--113460bd-67f7-5611-bbbb-158d5c45255e"}], "team": "Sales"}}}, "icon": "identity-contact", "name": "Individual", "heading": "Individual - Whooping", "description": "
A Whooping Individual"}, {"id": "user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4", "type": "user-account", "original": {"type": "user-account", "spec_version": "2.1", "id": "user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4", "user_id": "79563902", "account_login": "sguy", "account_type": "sales,", "display_name": "strange guy"}, "icon": "user-account", "name": "User Account", "heading": "User Account", "description": "
Display Name -> strange guy
Account Type -> sales,, User ID -> 79563902
Login String ->sguy"}, {"id": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "type": "email-addr", "original": {"type": "email-addr", "spec_version": "2.1", "id": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "value": "strange@mycompany.com", "display_name": "Strange Guy", "belongs_to_ref": "user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4"}, "icon": "email-addr", "name": "Email Address", "heading": "Email Address -> Strange Guy", "description": "
Value -> strange@mycompany.com"}, {"id": "identity--6c37e812-0738-461d-aa5b-cd7cee0f3f12", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--6c37e812-0738-461d-aa5b-cd7cee0f3f12", "created": "2024-09-01T06:49:33.623Z", "modified": "2024-09-01T06:49:33.623Z", "name": "Strange", "description": "A Strange Individual", "roles": ["user", "sales"], "identity_class": "individual", "sectors": ["technology"], "extensions": {"extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": {"extension_type": "property-extension", "contact_numbers": [{"contact_number_type": "work-phone", "contact_number": "0455-555-155"}], "email_addresses": [{"digital_contact_type": "work", "email_address_ref": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}], "first_name": "Strange", "last_name": "Guy", "middle_name": "Wee", "prefix": "Mr", "social_media_accounts": [{"digital_contact_type": "work", "user_account_ref": "user-account--2b87df75-b95c-5808-bcc7-f6d23471b9b4"}], "team": "Sales"}}}, "icon": "identity-contact", "name": "Individual", "heading": "Individual - Strange", "description": "
A Strange Individual"}, {"id": "user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832", "type": "user-account", "original": {"type": "user-account", "spec_version": "2.1", "id": "user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832", "user_id": "79563902", "account_login": "dguy", "account_type": "sales,", "display_name": "dumbo guy"}, "icon": "user-account", "name": "User Account", "heading": "User Account", "description": "
Display Name -> dumbo guy
Account Type -> sales,, User ID -> 79563902
Login String ->dguy"}, {"id": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "type": "email-addr", "original": {"type": "email-addr", "spec_version": "2.1", "id": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "value": "dumbo@mycompany.com", "display_name": "Strange Guy", "belongs_to_ref": "user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832"}, "icon": "email-addr", "name": "Email Address", "heading": "Email Address -> Strange Guy", "description": "
Value -> dumbo@mycompany.com"}, {"id": "identity--8b9349c3-0abf-43f0-9084-c58a4e538e2e", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--8b9349c3-0abf-43f0-9084-c58a4e538e2e", "created": "2024-09-01T06:49:33.706Z", "modified": "2024-09-01T06:49:33.706Z", "name": "Dumbo", "description": "A Dumb Individual", "roles": ["user", "sales"], "identity_class": "individual", "sectors": ["technology"], "extensions": {"extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": {"extension_type": "property-extension", "contact_numbers": [{"contact_number_type": "work-phone", "contact_number": "0455-555-155"}], "email_addresses": [{"digital_contact_type": "work", "email_address_ref": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e"}], "first_name": "Dumbo", "last_name": "Guy", "middle_name": "Waxed", "prefix": "Mr", "social_media_accounts": [{"digital_contact_type": "work", "user_account_ref": "user-account--9a5926a5-b2e9-56c0-82fd-3c858bf14832"}], "team": "Sales"}}}, "icon": "identity-contact", "name": "Individual", "heading": "Individual - Dumbo", "description": "
A Dumb Individual"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/event_refs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/event_refs.json new file mode 100644 index 000000000..334201206 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/event_refs.json @@ -0,0 +1 @@ +[{"id": "event--7b9ad6fd-965d-4b7d-93e6-c85890a188b8", "type": "event", "original": {"type": "event", "spec_version": "2.1", "id": "event--7b9ad6fd-965d-4b7d-93e6-c85890a188b8", "created": "2024-09-01T06:55:27.895Z", "modified": "2024-09-01T06:55:27.895Z", "description": "Suspicious email reported by user", "end_time": "2024-09-01T06:55:27.895Z", "event_types": ["dissemination-phishing-emails"], "name": "Potential Phishing Email", "start_time": "2024-09-01T06:55:27.895Z", "extensions": {"extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e": {"extension_type": "new-sdo"}}}, "icon": "event", "name": "Event", "heading": "Event -> Potential Phishing Email, Status -> ", "description": "
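Review bot: `users.json` and the other files this commit adds under `services/fastapi/generated/os-triage/context_mem/` read as run-time output rather than source, and they hold identity records (names, logins, work phone numbers, e-mail addresses), so it is worth confirming they are meant to be versioned. If the directory is written at run time, an ignore rule for it would keep records from a later, real run out of the history. If it is a deliberate fixture, the two addresses at `mycompany.com` should use a reserved domain, e.g. `"value": "strange@example.com"`, as the first three accounts already do. The sample data also gives four different accounts the same `"user_id": "79563902"` and stores `"account_type": "sales,"` with a trailing comma, which surfaces in the rendered description as `sales,,`.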
Suspicious email reported by user"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/impact_refs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/impact_refs.json new file mode 100644 index 000000000..474f63f22 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/impact_refs.json @@ -0,0 +1 @@ +[{"id": "impact--083ee9e8-0699-490c-9f8c-7393de607d39", "type": "impact", "original": {"type": "impact", "spec_version": "2.1", "id": "impact--083ee9e8-0699-490c-9f8c-7393de607d39", "created": "2024-09-01T07:12:12.865Z", "modified": "2024-09-01T07:12:12.865Z", "impact_category": "availability", "criticality": 99, "description": "Laptop is stuffed", "end_time": "2024-09-01T07:12:12.865Z", "impacted_entity_counts": {"computers-mobile": 1}, "impacted_refs": ["identity--9cfa0d8d-5033-476e-b32f-49845fb2033c"], "recoverability": "regular", "start_time": "2024-09-01T07:12:12.865Z", "extensions": {"availability": {"availability_impact": 99}, "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {"extension_type": "new-sdo"}}}, "icon": "impact-availability", "name": "Availability Impact", "heading": "Availability Impact", "description": "
Laptop is stuffed
Total Impact ->99
Impacted Entities ->
Laptop is stuffed
Variety -> 99computers-mobile -> 1"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident.json new file mode 100644 index 000000000..9a54a57d4 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident.json @@ -0,0 +1 @@ +[{"id": "incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a", "type": "incident", "original": {"type": "incident", "spec_version": "2.1", "id": "incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a", "created": "2024-09-01T06:52:23.246Z", "modified": "2024-09-01T06:52:23.246Z", "name": "potential phishing", "extensions": {"extension-definition--ef765651-680c-498d-9894-99799f2fa126": {"extension_type": "property-extension", "investigation_status": "new", "incident_types": ["dissemination-phishing-emails"]}}}, "icon": "incident-ext", "name": "Incident Extension", "heading": "Incident Extension", "description": ""}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident_edges.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident_edges.json new file mode 100644 index 000000000..de85187ed --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident_edges.json 
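Review bot: The stored `description` in `impact_refs.json` looks like the output of a formatter that drops a separator and repeats a field: it ends in `Variety -> 99computers-mobile -> 1`, where the value 99 runs straight into the entity key, and `Laptop is stuffed` appears twice. The code that builds this string is not part of this hunk, so this is inferred from the data alone. Since an analyst reads this text during triage, the file should be regenerated once the builder emits a delimiter between the two parts, for example `Variety -> 99, computers-mobile -> 1`.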
@@ -0,0 +1 @@ +[{"name": "belongs-to", "type": "embedded", "source": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "target": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "id": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b-user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}, {"name": "email address", "type": "embedded", "source": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "target": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe-email-addr--4722424c-7012-56b0-84d5-01d076fc547b"}, {"name": "user account", "type": "embedded", "source": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "target": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe-user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}, {"name": "email address", "type": "embedded", "source": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "target": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3", "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645-email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3"}, {"name": "user account", "type": "embedded", "source": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "target": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3", "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645-user-account--83658594-537d-5c32-b9f0-137354bd9bc3"}, {"name": "from", "type": "embedded", "source": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", "target": "email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212", "id": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d-email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212"}, {"name": "to", "type": "embedded", "source": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", "target": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "id": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d-email-addr--4722424c-7012-56b0-84d5-01d076fc547b"}, {"name": "refers-to", "type": "embedded", "source": 
"observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", "target": "email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212", "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7-email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", "target": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7-user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", "target": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7-email-addr--4722424c-7012-56b0-84d5-01d076fc547b"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", "target": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7-url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", "target": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7-email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d"}, {"stix-id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", "type": "sighting", "name": "Sighting of indicator", "source": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", "target": "indicator--d04624e7-9b45-4ce9-a0bc-95bfdceac1e8", "id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2-indicator--d04624e7-9b45-4ce9-a0bc-95bfdceac1e8"}, {"stix-id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", "type": "sighting", "name": "Observed Data", "source": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", "target": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", "id": 
"sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2-observed-data--495cf864-807e-49cb-bed3-13b60a9925c7"}, {"stix-id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", "type": "sighting", "name": "Where Sighted -> identity", "source": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", "target": "identity--ab48e338-adef-4407-8902-682d789a0bfe", "id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2-identity--ab48e338-adef-4407-8902-682d789a0bfe"}, {"name": "sequenced object", "type": "embedded", "source": "sequence--ff976873-5120-42a7-b76f-980272459cbf", "target": "event--7b9ad6fd-965d-4b7d-93e6-c85890a188b8", "id": "sequence--ff976873-5120-42a7-b76f-980272459cbf-event--7b9ad6fd-965d-4b7d-93e6-c85890a188b8"}, {"name": "on completion", "type": "embedded", "source": "sequence--419f0ac4-2836-46f0-9985-820f7a4b7abc", "target": "sequence--ff976873-5120-42a7-b76f-980272459cbf", "id": "sequence--419f0ac4-2836-46f0-9985-820f7a4b7abc-sequence--ff976873-5120-42a7-b76f-980272459cbf"}, {"name": "sequenced object", "type": "embedded", "source": "sequence--efebf290-59f0-4608-8433-48692fac6a21", "target": "task--fec3de6d-bfc4-4ef3-9f4b-c21aa2d57e7a", "id": "sequence--efebf290-59f0-4608-8433-48692fac6a21-task--fec3de6d-bfc4-4ef3-9f4b-c21aa2d57e7a"}, {"name": "on completion", "type": "embedded", "source": "sequence--7c224b7c-2964-4722-9939-a637dac8d856", "target": "sequence--efebf290-59f0-4608-8433-48692fac6a21", "id": "sequence--7c224b7c-2964-4722-9939-a637dac8d856-sequence--efebf290-59f0-4608-8433-48692fac6a21"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04", "target": "anecdote--e1298bc0-818e-5cdb-9154-eac37c8e260f", "id": "observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04-anecdote--e1298bc0-818e-5cdb-9154-eac37c8e260f"}, {"stix-id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", "type": "sighting", "name": "Sighting of identity", "source": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", "target": 
"identity--ab48e338-adef-4407-8902-682d789a0bfe", "id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3-identity--ab48e338-adef-4407-8902-682d789a0bfe"}, {"stix-id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", "type": "sighting", "name": "Observed Data", "source": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", "target": "observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04", "id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3-observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04"}, {"stix-id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", "type": "sighting", "name": "Where Sighted -> identity", "source": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", "target": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3-identity--482d64aa-9e57-410a-b4c1-97362f0f0645"}, {"name": "impacted things", "type": "embedded", "source": "impact--083ee9e8-0699-490c-9f8c-7393de607d39", "target": "identity--9cfa0d8d-5033-476e-b32f-49845fb2033c", "id": "impact--083ee9e8-0699-490c-9f8c-7393de607d39-identity--9cfa0d8d-5033-476e-b32f-49845fb2033c"}, {"name": "sequenced object", "type": "embedded", "source": "sequence--01671e64-3a18-44e9-a9fc-5d91dc844aba", "target": "task--9bdcff08-a056-4e38-a785-4de36fbb6838", "id": "sequence--01671e64-3a18-44e9-a9fc-5d91dc844aba-task--9bdcff08-a056-4e38-a785-4de36fbb6838"}, {"name": "image-of", "type": "embedded", "source": "file--e7c7ddeb-d693-53e7-bcd8-f40951888120", "target": "process--561c2e4f-edaa-4fb2-813a-48535f495b4e", "id": "file--e7c7ddeb-d693-53e7-bcd8-f40951888120-process--561c2e4f-edaa-4fb2-813a-48535f495b4e"}, {"name": "belongs-to", "type": "embedded", "source": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target": "user-account--47df6d33-0005-5b45-9875-e7a609b12e9b", "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8-user-account--47df6d33-0005-5b45-9875-e7a609b12e9b"}, {"name": "belongs-to", "type": "embedded", "source": 
"email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "target": "user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109", "id": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5-user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109"}, {"name": "belongs-to", "type": "embedded", "source": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "target": "user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff", "id": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e-user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff"}, {"name": "from", "type": "embedded", "source": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", "target": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "id": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23-email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}, {"name": "to", "type": "embedded", "source": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", "target": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "id": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23-email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "user-account--47df6d33-0005-5b45-9875-e7a609b12e9b", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-user-account--47df6d33-0005-5b45-9875-e7a609b12e9b"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": 
"email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e"}, {"name": "refers-to", "type": "embedded", "source": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "target": "user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff", "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc-user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff"}, {"stix-id": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444", "type": "sighting", "name": "Sighting of indicator", "source": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444", "target": "indicator--fea6918c-6fd8-4f33-ac2c-9a68c61e568f", "id": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444-indicator--fea6918c-6fd8-4f33-ac2c-9a68c61e568f"}, {"stix-id": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444", "type": "sighting", "name": "Observed Data", "source": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444", "target": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", "id": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444-observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc"}] \ No newline at end 
of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident_relations.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident_relations.json new file mode 100644 index 000000000..08b9728a6 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/incident_relations.json @@ -0,0 +1 @@ +[{"id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "original": {"type": "relationship", "spec_version": "2.1", "id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "created": "2024-09-01T06:52:23.542Z", "modified": "2024-09-01T06:52:23.542Z", "relationship_type": "derived-from", "source_ref": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", "target_ref": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}, "name": "Derived-From", "heading": "Derived-From - SRO", "description": "
Result -> Email-Message
Raw-Material -> Url", "type": "relationship", "icon": "relationship"}, {"id": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "original": {"type": "relationship", "spec_version": "2.1", "id": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "created": "2024-09-10T07:12:18.688016Z", "modified": "2024-09-10T07:12:18.688016Z", "relationship_type": "duplicate-of", "source_ref": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target_ref": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}, "name": "Duplicate-Of", "heading": "Duplicate-Of - SRO", "description": "
Original -> Email-Addr
Duplicate -> Email-Addr", "type": "relationship", "icon": "relationship"}, {"id": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "original": {"type": "relationship", "spec_version": "2.1", "id": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "created": "2024-09-10T07:12:18.697034Z", "modified": "2024-09-10T07:12:18.697034Z", "relationship_type": "duplicate-of", "source_ref": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target_ref": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e"}, "name": "Duplicate-Of", "heading": "Duplicate-Of - SRO", "description": "
Original -> Email-Addr
Duplicate -> Email-Addr", "type": "relationship", "icon": "relationship"}, {"id": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "original": {"type": "relationship", "spec_version": "2.1", "id": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "created": "2024-09-10T07:12:18.728878Z", "modified": "2024-09-10T07:12:18.728878Z", "relationship_type": "derived-from", "source_ref": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", "target_ref": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}, "name": "Derived-From", "heading": "Derived-From - SRO", "description": "
Result -> Email-Message
Raw-Material -> Url", "type": "relationship", "icon": "relationship"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/other_object_refs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/other_object_refs.json new file mode 100644 index 000000000..903901b8f --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/other_object_refs.json @@ -0,0 +1,363 @@ +[ + { + "id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", + "type": "sighting", + "original": { + "type": "sighting", + "spec_version": "2.1", + "id": "sighting--375e14ce-ea38-4aaa-8f8d-0ea4e56abda2", + "created": "2024-09-01T06:55:18.998Z", + "modified": "2024-09-01T06:55:18.998Z", + "count": 1, + "sighting_of_ref": "indicator--d04624e7-9b45-4ce9-a0bc-95bfdceac1e8", + "observed_data_refs": [ + "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7" + ], + "where_sighted_refs": [ + "identity--ab48e338-adef-4407-8902-682d789a0bfe" + ], + "extensions": { + "sighting-alert": { + "name": "user-report", + "log": "I have found a suspicious email", + "system_id": "XYZ-1234", + "source": "user submission" + }, + "extension-definition--0d76d6d9-16ca-43fd-bd41-4f800ba8fc43": { + "extension_type": "property-extension" + } + } + }, + "icon": "sighting-alert", + "name": "Sighting-Alert", + "heading": "Sighting-Alert", + "description": "Sighting of indicator
Where Sighted -> identity" + }, + { + "id": "email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212", + "type": "email-addr", + "original": { + "type": "email-addr", + "spec_version": "2.1", + "id": "email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212", + "value": "evil@northkorea.nk", + "display_name": "Bad Man" + }, + "icon": "email-addr", + "name": "Email Address", + "heading": "Email Address -> Bad Man", + "description": "
Value -> evil@northkorea.nk" + }, + { + "id": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", + "type": "user-account", + "original": { + "type": "user-account", + "spec_version": "2.1", + "id": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", + "user_id": "79563902", + "account_login": "nsmith", + "account_type": "sales,", + "display_name": "Naive Smith" + }, + "icon": "user-account", + "name": "User Account", + "heading": "User Account", + "description": "
Display Name -> Naive Smith
Account Type -> sales,, User ID -> 79563902
Login String ->nsmith" + }, + { + "id": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", + "type": "email-addr", + "original": { + "type": "email-addr", + "spec_version": "2.1", + "id": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", + "value": "naive@example.com", + "display_name": "Naive Smith", + "belongs_to_ref": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b" + }, + "icon": "email-addr", + "name": "Email Address", + "heading": "Email Address -> Naive Smith", + "description": "
Value -> naive@example.com" + }, + { + "id": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", + "type": "url", + "original": { + "type": "url", + "spec_version": "2.1", + "id": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", + "value": "https://www.northkorea.nk/we/are/mad/" + }, + "icon": "url", + "name": "URL", + "heading": "URL", + "description": "
Value -> https://www.northkorea.nk/we/are/mad/" + }, + { + "id": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", + "type": "email-message", + "original": { + "type": "email-message", + "spec_version": "2.1", + "id": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", + "is_multipart": false, + "date": "2020-10-19T01:01:01Z", + "from_ref": "email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212", + "to_refs": [ + "email-addr--4722424c-7012-56b0-84d5-01d076fc547b" + ], + "subject": "we are coming for you", + "body": "some bad stuff written here" + }, + "icon": "email-message", + "name": "Email Message", + "heading": "Email Message", + "description": "
Subject -> we are coming for you, Date -> 2020-10-19T01:01:01Z
Body -> some bad stuff written here" + }, + { + "id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", + "original": { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", + "created": "2024-09-01T06:52:23.542Z", + "modified": "2024-09-01T06:52:23.542Z", + "relationship_type": "derived-from", + "source_ref": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", + "target_ref": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7" + }, + "name": "Derived-From", + "heading": "Derived-From - SRO", + "description": "
Result -> Email-Message
Raw-Material -> Url", + "type": "relationship", + "icon": "relationship" + }, + { + "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", + "type": "observed-data", + "original": { + "type": "observed-data", + "spec_version": "2.1", + "id": "observed-data--495cf864-807e-49cb-bed3-13b60a9925c7", + "created": "2024-09-01T06:52:23.573Z", + "modified": "2024-09-01T06:52:23.573Z", + "first_observed": "2020-10-19T01:01:01Z", + "last_observed": "2020-10-19T01:01:01Z", + "number_observed": 1, + "object_refs": [ + "email-addr--eb38d07e-6ba8-56c1-b107-d4db4aacf212", + "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b", + "email-addr--4722424c-7012-56b0-84d5-01d076fc547b", + "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", + "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", + "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6" + ] + }, + "icon": "observed-data", + "name": "Observed Data", + "heading": "Observed Data", + "description": "
First Observed -> 2020-10-19T01:01:01Z, Last Observed -> 2020-10-19T01:01:01Z" + }, + { + "id": "indicator--d04624e7-9b45-4ce9-a0bc-95bfdceac1e8", + "type": "indicator", + "original": { + "type": "indicator", + "spec_version": "2.1", + "id": "indicator--d04624e7-9b45-4ce9-a0bc-95bfdceac1e8", + "created": "2024-09-01T06:52:23.621Z", + "modified": "2024-09-01T06:52:23.621Z", + "name": "Potential Phishing Email", + "description": "Suspicious email reported by user", + "indicator_types": [ + "unknown" + ], + "pattern": "[email-addr:value = 'evil@northkorea.nk' AND email:subject = 'we are coming for you']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2024-09-01T06:52:23.621Z" + }, + "icon": "indicator", + "name": "Indicator", + "heading": "Indicator - Potential Phishing Email", + "description": "
Suspicious email reported by user
Pattern Type -> stixIndicator Types -> ['unknown']
Pattern -> [email-addr:value = 'evil@northkorea.nk' AND email:subject = 'we are coming for you']" + }, + { + "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe", + "type": "identity", + "original": { + "type": "identity", + "spec_version": "2.1", + "id": "identity--ab48e338-adef-4407-8902-682d789a0bfe", + "created": "2024-09-01T06:49:33.339Z", + "modified": "2024-09-01T06:49:33.339Z", + "name": "Naive Smith", + "description": "A Naive Individual", + "roles": [ + "user", + "sales" + ], + "identity_class": "individual", + "sectors": [ + "technology" + ], + "extensions": { + "extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": { + "extension_type": "property-extension", + "contact_numbers": [ + { + "contact_number_type": "work-phone", + "contact_number": "0499-999-109" + } + ], + "email_addresses": [ + { + "digital_contact_type": "work", + "email_address_ref": "email-addr--4722424c-7012-56b0-84d5-01d076fc547b" + } + ], + "first_name": "Naive", + "last_name": "Smith", + "middle_name": "Weakling", + "prefix": "Mr", + "social_media_accounts": [ + { + "digital_contact_type": "work", + "user_account_ref": "user-account--597ad4d4-35ba-585d-8f6d-134a75032f9b" + } + ], + "team": "Sales" + } + } + }, + "icon": "identity-contact", + "name": "Individual", + "heading": "Individual - Naive Smith", + "description": "
A Naive Individual" + }, + { + "id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", + "type": "sighting", + "original": { + "type": "sighting", + "spec_version": "2.1", + "id": "sighting--db8909a7-7235-4ea0-bc81-d2f4c6e62dc3", + "created": "2024-09-01T07:12:12.677Z", + "modified": "2024-09-01T07:12:12.677Z", + "count": 1, + "sighting_of_ref": "identity--ab48e338-adef-4407-8902-682d789a0bfe", + "observed_data_refs": [ + "observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04" + ], + "where_sighted_refs": [ + "identity--482d64aa-9e57-410a-b4c1-97362f0f0645" + ], + "extensions": { + "sighting-anecdote": { + "person_name": "user-report", + "person_context": "employee", + "report_submission": "interview" + }, + "extension-definition--0d76d6d9-16ca-43fd-bd41-4f800ba8fc43": { + "extension_type": "property-extension" + } + } + }, + "icon": "sighting-anecdote", + "name": "Sighting-Anecdote", + "heading": "Sighting-Anecdote", + "description": "Sighting of identity
Where Sighted -> identity" + }, + { + "id": "anecdote--e1298bc0-818e-5cdb-9154-eac37c8e260f", + "type": "anecdote", + "original": { + "type": "anecdote", + "spec_version": "2.1", + "id": "anecdote--e1298bc0-818e-5cdb-9154-eac37c8e260f", + "value": "I clicked on the link, and my laptop screen went weird", + "report_date": "2024-09-01T07:12:12.597567Z", + "provided_by_ref": "identity--ab48e338-adef-4407-8902-682d789a0bfe" + }, + "icon": "anecdote", + "name": "Anecdote", + "heading": "Anecdote -> 2024-09-01T07:12:12.597567Z", + "description": "/Statement -> I clicked on the link, and my laptop screen went weird" + }, + { + "id": "observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04", + "type": "observed-data", + "original": { + "type": "observed-data", + "spec_version": "2.1", + "id": "observed-data--a97b6b5b-e460-4e6e-ac7a-de5883329e04", + "created": "2024-09-01T07:12:12.629Z", + "modified": "2024-09-01T07:12:12.629Z", + "first_observed": "2020-10-19T01:01:01Z", + "last_observed": "2020-10-19T01:01:01Z", + "number_observed": 1, + "object_refs": [ + "anecdote--e1298bc0-818e-5cdb-9154-eac37c8e260f" + ] + }, + "icon": "observed-data", + "name": "Observed Data", + "heading": "Observed Data", + "description": "
First Observed -> 2020-10-19T01:01:01Z, Last Observed -> 2020-10-19T01:01:01Z" + }, + { + "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", + "type": "identity", + "original": { + "type": "identity", + "spec_version": "2.1", + "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", + "created": "2024-09-01T06:49:33.195Z", + "modified": "2024-09-01T06:49:33.195Z", + "name": "Trusty Jones", + "description": "A Trusty Individual", + "roles": [ + "soc", + "support" + ], + "identity_class": "individual", + "sectors": [ + "technology" + ], + "extensions": { + "extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": { + "extension_type": "property-extension", + "contact_numbers": [ + { + "contact_number_type": "work-phone", + "contact_number": "0418-208-368" + } + ], + "email_addresses": [ + { + "digital_contact_type": "work", + "email_address_ref": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3" + } + ], + "first_name": "Me", + "last_name": "Jones", + "middle_name": "Percival", + "prefix": "Dr", + "social_media_accounts": [ + { + "digital_contact_type": "work", + "user_account_ref": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3" + } + ], + "team": "All_Stars" + } + } + }, + "icon": "identity-contact", + "name": "Individual", + "heading": "Individual - Trusty Jones", + "description": "
A Trusty Individual" + } +] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/relation_edges.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/relation_edges.json new file mode 100644 index 000000000..cc07999f8 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/relation_edges.json 
@@ -0,0 +1 @@ +[{"stix-id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "type": "relationship", "name": "derived-from", "source": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", "target": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "id": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d-relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6"}, {"stix-id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "type": "relationship", "name": "derived-from", "source": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "target": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", "id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6-url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}, {"stix-id": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "type": "relationship", "name": "duplicate-of", "source": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8-relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7"}, {"stix-id": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "type": "relationship", "name": "duplicate-of", "source": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "target": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "id": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7-email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}, {"stix-id": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "type": "relationship", "name": "duplicate-of", "source": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8-relationship--e99b913a-d853-41e4-9bb5-89ead940f534"}, {"stix-id": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "type": "relationship", "name": "duplicate-of", "source": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "target": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", 
"id": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534-email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e"}, {"stix-id": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "type": "relationship", "name": "derived-from", "source": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", "target": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "id": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23-relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c"}, {"stix-id": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "type": "relationship", "name": "derived-from", "source": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "target": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", "id": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c-url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/relation_replacement_edges.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/relation_replacement_edges.json new file mode 100644 index 000000000..2020df2d5 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/relation_replacement_edges.json 
@@ -0,0 +1 @@ +[{"stix-id": "relationship--19a3bc45-9953-4650-bb90-9de1e7169dc6", "type": "relationship", "name": "derived-from", "source": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d", "target": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", "id": "email-message--6090e3d4-1fa8-5b36-9d2d-4a66d824995d-url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}, {"stix-id": "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", "type": "relationship", "name": "duplicate-of", "source": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8-email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5"}, {"stix-id": "relationship--e99b913a-d853-41e4-9bb5-89ead940f534", "type": "relationship", "name": "duplicate-of", "source": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", "target": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8-email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e"}, {"stix-id": "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", "type": "relationship", "name": "derived-from", "source": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", "target": "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", "id": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23-url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/sequence_refs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/sequence_refs.json new file mode 100644 index 000000000..5452fd84d --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/sequence_refs.json 
@@ -0,0 +1 @@ +[{"id": "sequence--ff976873-5120-42a7-b76f-980272459cbf", "type": "sequence", "original": {"type": "sequence", "spec_version": "2.1", "id": "sequence--ff976873-5120-42a7-b76f-980272459cbf", "created": "2024-09-01T06:55:30.580Z", "modified": "2024-09-01T06:55:30.580Z", "sequenced_object": "event--7b9ad6fd-965d-4b7d-93e6-c85890a188b8", "sequence_type": "event", "step_type": "single_step", "extensions": {"extension-definition--be0c7c79-1961-43db-afde-637066a87a64": {"extension_type": "new-sdo"}}}, "icon": "step-single", "name": "Single Step", "heading": "Single Step for Event", "description": ""}, {"id": "sequence--efebf290-59f0-4608-8433-48692fac6a21", "type": "sequence", "original": {"type": "sequence", "spec_version": "2.1", "id": "sequence--efebf290-59f0-4608-8433-48692fac6a21", "created": "2024-09-01T06:55:38.10Z", "modified": "2024-09-01T06:55:38.10Z", "sequenced_object": "task--fec3de6d-bfc4-4ef3-9f4b-c21aa2d57e7a", "sequence_type": "task", "step_type": "single_step", "extensions": {"extension-definition--be0c7c79-1961-43db-afde-637066a87a64": {"extension_type": "new-sdo"}}}, "icon": "step-single", "name": "Single Step", "heading": "Single Step for Task", "description": ""}, {"id": "sequence--01671e64-3a18-44e9-a9fc-5d91dc844aba", "type": "sequence", "original": {"type": "sequence", "spec_version": "2.1", "id": "sequence--01671e64-3a18-44e9-a9fc-5d91dc844aba", "created": "2024-09-01T07:12:12.989Z", "modified": "2024-09-01T07:12:12.989Z", "sequenced_object": "task--9bdcff08-a056-4e38-a785-4de36fbb6838", "sequence_type": "task", "step_type": "single_step", "extensions": {"extension-definition--be0c7c79-1961-43db-afde-637066a87a64": {"extension_type": "new-sdo"}}}, "icon": "step-single", "name": "Single Step", "heading": "Single Step for Task", "description": ""}] \ No newline at end of file 
diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/sequence_start_refs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/sequence_start_refs.json new file mode 100644 index 000000000..5181616ff --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/sequence_start_refs.json @@ -0,0 +1 @@ +[{"id": "sequence--419f0ac4-2836-46f0-9985-820f7a4b7abc", "type": "sequence", "original": {"type": "sequence", "spec_version": "2.1", "id": "sequence--419f0ac4-2836-46f0-9985-820f7a4b7abc", "created": "2024-09-01T06:55:32.781Z", "modified": "2024-09-01T06:55:32.781Z", "sequence_type": "event", "step_type": "start_step", "on_completion": "sequence--ff976873-5120-42a7-b76f-980272459cbf", "extensions": {"extension-definition--be0c7c79-1961-43db-afde-637066a87a64": {"extension_type": "new-sdo"}}}, "icon": "step-terminal", "name": "Start Step", "heading": "Start Step for Event", "description": ""}, {"id": "sequence--7c224b7c-2964-4722-9939-a637dac8d856", "type": "sequence", "original": {"type": "sequence", "spec_version": "2.1", "id": "sequence--7c224b7c-2964-4722-9939-a637dac8d856", "created": "2024-09-01T06:55:40.266Z", "modified": "2024-09-01T06:55:40.266Z", "sequence_type": "task", "step_type": "start_step", "on_completion": "sequence--efebf290-59f0-4608-8433-48692fac6a21", "extensions": {"extension-definition--be0c7c79-1961-43db-afde-637066a87a64": {"extension_type": "new-sdo"}}}, "icon": "step-terminal", "name": "Start Step", "heading": "Start Step for Task", "description": ""}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/task_refs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/task_refs.json new file mode 100644 index 000000000..a3d66f5e7 --- /dev/null 
+++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/task_refs.json @@ -0,0 +1 @@ +[{"id": "task--fec3de6d-bfc4-4ef3-9f4b-c21aa2d57e7a", "type": "task", "original": {"type": "task", "spec_version": "2.1", "id": "task--fec3de6d-bfc4-4ef3-9f4b-c21aa2d57e7a", "created": "2024-09-01T06:55:35.241Z", "modified": "2024-09-01T06:55:35.241Z", "description": "Suspicious email reported by user", "end_time": "2024-09-01T06:55:35.241Z", "name": "Potential Phishing Email", "start_time": "2024-09-01T06:55:35.241Z", "extensions": {"extension-definition--2074a052-8be4-4932-849e-f5e7798e0030": {"extension_type": "new-sdo"}}}, "icon": "task", "name": "Task", "heading": "Task -> Potential Phishing Email", "description": "
Suspicious email reported by user"}, {"id": "task--9bdcff08-a056-4e38-a785-4de36fbb6838", "type": "task", "original": {"type": "task", "spec_version": "2.1", "id": "task--9bdcff08-a056-4e38-a785-4de36fbb6838", "created": "2024-09-01T07:12:12.941Z", "modified": "2024-09-01T07:12:12.941Z", "description": "Find out who else got the email", "end_time": "2024-09-01T07:12:12.941Z", "name": "Query Exchange Server", "start_time": "2024-09-01T07:12:12.941Z", "extensions": {"extension-definition--2074a052-8be4-4932-849e-f5e7798e0030": {"extension_type": "new-sdo"}}}, "icon": "task", "name": "Task", "heading": "Task -> Query Exchange Server", "description": "
Find out who else got the email"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/unattached_objs.json b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/unattached_objs.json new file mode 100644 index 000000000..13a81cc92 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/unattached_objs.json @@ -0,0 +1,264 @@ +[ + { + "id": "software--3974613c-1980-5209-8f08-17920a04da04", + "type": "software", + "original": { + "type": "software", + "spec_version": "2.1", + "id": "software--3974613c-1980-5209-8f08-17920a04da04", + "name": "evil.exe" + }, + "icon": "software", + "name": "Software", + "heading": "Software -> evil.exe", + "description": "" + }, + { + "id": "file--e7c7ddeb-d693-53e7-bcd8-f40951888120", + "type": "file", + "original": { + "type": "file", + "spec_version": "2.1", + "id": "file--e7c7ddeb-d693-53e7-bcd8-f40951888120", + "hashes": { + "SHA-256": "fe90a7e910cb3a4739bed9180e807e93fa70c90f25a8915476f5e4bfbac681db" + }, + "name": "evil.exe" + }, + "icon": "file", + "name": "File", + "heading": "File -> evil.exe", + "description": "
Hashes ->
- SHA-256 -> fe90a7e910cb3a4739bed9180e807e93fa70c90f25a8915476f5e4bfbac681db" + }, + { + "id": "process--561c2e4f-edaa-4fb2-813a-48535f495b4e", + "type": "process", + "original": { + "type": "process", + "spec_version": "2.1", + "id": "process--561c2e4f-edaa-4fb2-813a-48535f495b4e", + "pid": 1221, + "created_time": "2023-01-20T14:11:25.55Z", + "command_line": "./gedit-bin --destroy-alll", + "image_ref": "file--e7c7ddeb-d693-53e7-bcd8-f40951888120" + }, + "icon": "process", + "name": "Process", + "heading": "Process", + "description": "Process ID -> 1221, Command Line -> ./gedit-bin --destroy-alll" + }, + { + "id": "user-account--47df6d33-0005-5b45-9875-e7a609b12e9b", + "type": "user-account", + "original": { + "type": "user-account", + "spec_version": "2.1", + "id": "user-account--47df6d33-0005-5b45-9875-e7a609b12e9b", + "account_login": "sthor", + "account_type": "unix", + "display_name": "silly thor" + }, + "icon": "user-account", + "name": "User Account", + "heading": "User Account", + "description": "
Display Name -> silly thor
Account Type -> unix
Login String ->sthor" + }, + { + "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", + "type": "email-addr", + "original": { + "type": "email-addr", + "spec_version": "2.1", + "id": "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", + "value": "silly@mycompany.com", + "belongs_to_ref": "user-account--47df6d33-0005-5b45-9875-e7a609b12e9b" + }, + "icon": "email-addr", + "name": "Email Address", + "heading": "Email Address", + "description": "
Value -> silly@mycompany.com" + }, + { + "id": "user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109", + "type": "user-account", + "original": { + "type": "user-account", + "spec_version": "2.1", + "id": "user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109", + "account_login": "sguy", + "account_type": "unix", + "display_name": "strange guy" + }, + "icon": "user-account", + "name": "User Account", + "heading": "User Account", + "description": "
Display Name -> strange guy
Account Type -> unix
Login String ->sguy" + }, + { + "id": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", + "type": "email-addr", + "original": { + "type": "email-addr", + "spec_version": "2.1", + "id": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", + "value": "strange@mycompany.com", + "belongs_to_ref": "user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109" + }, + "icon": "email-addr", + "name": "Email Address", + "heading": "Email Address", + "description": "
Value -> strange@mycompany.com" + }, + { + "id": "user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff", + "type": "user-account", + "original": { + "type": "user-account", + "spec_version": "2.1", + "id": "user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff", + "account_login": "dguy", + "account_type": "unix", + "display_name": "dumbo guy" + }, + "icon": "user-account", + "name": "User Account", + "heading": "User Account", + "description": "
Display Name -> dumbo guy
Account Type -> unix
Login String ->dguy" + }, + { + "id": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", + "type": "email-addr", + "original": { + "type": "email-addr", + "spec_version": "2.1", + "id": "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", + "value": "dumbo@mycompany.com", + "belongs_to_ref": "user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff" + }, + "icon": "email-addr", + "name": "Email Address", + "heading": "Email Address", + "description": "
Value -> dumbo@mycompany.com" + }, + { + "id": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", + "type": "email-message", + "original": { + "type": "email-message", + "spec_version": "2.1", + "id": "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", + "is_multipart": false, + "date": "2020-10-19T01:01:01Z", + "from_ref": "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", + "to_refs": [ + "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8" + ], + "subject": "we are coming for you" + }, + "icon": "email-message", + "name": "Email Message", + "heading": "Email Message", + "description": "
Subject -> we are coming for you, Date -> 2020-10-19T01:01:01Z" + }, + { + "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", + "type": "observed-data", + "original": { + "type": "observed-data", + "spec_version": "2.1", + "id": "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc", + "created": "2024-09-10T07:12:18.732958Z", + "modified": "2024-09-10T07:12:18.732958Z", + "first_observed": "2020-10-19T01:01:01Z", + "last_observed": "2020-10-19T01:01:01Z", + "number_observed": 1, + "object_refs": [ + "email-addr--a7155ffe-8ea7-563a-a54c-e94e23ec50c8", + "user-account--47df6d33-0005-5b45-9875-e7a609b12e9b", + "url--3279c7de-8f91-5c1a-99d9-d6546c6c41f7", + "relationship--45423e23-b53e-4c31-9c0d-aefd2663d16c", + "email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23", + "email-addr--b8048a91-def8-5ef7-8cd3-a7b3db9278e5", + "user-account--74f5352e-ea3f-526c-8430-1cbb9ccd3109", + "email-addr--30d9a416-203b-55c8-b796-8eb65ab5275e", + "user-account--5aaaa4e2-0974-5ab4-9069-41a16197f0ff", + "relationship--0371e7c0-b837-4464-b571-056b6b1e0ae7", + "relationship--e99b913a-d853-41e4-9bb5-89ead940f534" + ] + }, + "icon": "observed-data", + "name": "Observed Data", + "heading": "Observed Data", + "description": "
First Observed -> 2020-10-19T01:01:01Z, Last Observed -> 2020-10-19T01:01:01Z" + }, + { + "id": "identity--7eed84d7-28db-425a-8808-7935e7560ca9", + "type": "identity", + "original": { + "type": "identity", + "spec_version": "2.1", + "id": "identity--7eed84d7-28db-425a-8808-7935e7560ca9", + "created": "2024-09-10T07:12:18.745951Z", + "modified": "2024-09-10T07:12:18.745951Z", + "name": "Microsoft Exchange", + "description": "Microsoft Exchange Server", + "identity_class": "system" + }, + "icon": "identity-system", + "name": "Software System", + "heading": "Software System - Microsoft Exchange", + "description": "
Microsoft Exchange Server

" + }, + { + "id": "indicator--fea6918c-6fd8-4f33-ac2c-9a68c61e568f", + "type": "indicator", + "original": { + "type": "indicator", + "spec_version": "2.1", + "id": "indicator--fea6918c-6fd8-4f33-ac2c-9a68c61e568f", + "created": "2024-09-10T07:12:18.75496Z", + "modified": "2024-09-10T07:12:18.75496Z", + "name": "Suspicious Email", + "indicator_types": [ + "unknown" + ], + "pattern": "[email-addr:value = 'silly@mycompany.com' AND email:subject = 'we are coming for you']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2024-09-10T07:12:18.75496Z" + }, + "icon": "indicator", + "name": "Indicator", + "heading": "Indicator - Suspicious Email", + "description": "
Pattern Type -> stixIndicator Types -> ['unknown']
Pattern -> [email-addr:value = 'silly@mycompany.com' AND email:subject = 'we are coming for you']" + }, + { + "id": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444", + "type": "sighting", + "original": { + "type": "sighting", + "spec_version": "2.1", + "id": "sighting--95e54efd-3b3a-4ed2-9645-9ef11b550444", + "created": "2024-09-10T07:12:18.771654Z", + "modified": "2024-09-10T07:12:18.771654Z", + "sighting_of_ref": "indicator--fea6918c-6fd8-4f33-ac2c-9a68c61e568f", + "observed_data_refs": [ + "observed-data--58b23029-49bc-474a-9e66-f0d30dd5f6cc" + ], + "extensions": { + "extension-definition--0d76d6d9-16ca-43fd-bd41-4f800ba8fc43": { + "extension_type": "property-extension" + }, + "sighting-context": { + "name": "Exchange", + "description": "query from:silly@mycompany.com, subject:we are coming for you", + "value": "[silly@mycompany.com, strange@mycompany.com, dumbo@mycompany.com]" + } + } + }, + "icon": "sighting-context", + "name": "Sighting-Context", + "heading": "Sighting-Context", + "description": "Sighting of indicator
" + } +] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/usr/cache_me.json b/services/fastapi/generated/os-triage/context_mem/usr/cache_me.json new file mode 100644 index 000000000..6cfd649cf --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/usr/cache_me.json @@ -0,0 +1 @@ +[{"id": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3", "type": "user-account", "original": {"type": "user-account", "spec_version": "2.1", "id": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3", "user_id": "79563902", "account_login": "tjones", "account_type": "soc,", "display_name": "Trusty Jones"}, "icon": "user-account", "name": "User Account", "heading": "User Account", "description": "
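Review bot: The indicator `indicator--fea6918c-6fd8-4f33-ac2c-9a68c61e568f` in unattached_objs.json uses the pattern `[email-addr:value = 'silly@mycompany.com' AND email:subject = 'we are coming for you']`, but `email` is not a STIX 2.1 object type. The `subject` property belongs to `email-message`, so the second comparison should read `email-message:subject = 'we are coming for you'`; as written it cannot match the `email-message--a9579bb2-e221-5df3-92bd-d452bd9b6d23` object in the same file. Because the file sits under `generated/`, the fix presumably belongs in whatever builds the indicator, which is not visible in this hunk. The pattern also keys on `silly@mycompany.com`, which that message lists under `to_refs` while `from_ref` resolves to `strange@mycompany.com`, so it is worth confirming which address the indicator and the `query from:silly@mycompany.com` sighting text are meant to target.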
Display Name -> Trusty Jones
Account Type -> soc,, User ID -> 79563902
Login String ->tjones"}, {"id": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3", "type": "email-addr", "original": {"type": "email-addr", "spec_version": "2.1", "id": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3", "value": "trusty@example.com", "display_name": "Trusty Jones", "belongs_to_ref": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3"}, "icon": "email-addr", "name": "Email Address", "heading": "Email Address -> Trusty Jones", "description": "
Value -> trusty@example.com"}, {"id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "type": "identity", "original": {"type": "identity", "spec_version": "2.1", "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "created": "2024-09-01T06:49:33.195Z", "modified": "2024-09-01T06:49:33.195Z", "name": "Trusty Jones", "description": "A Trusty Individual", "roles": ["soc", "support"], "identity_class": "individual", "sectors": ["technology"], "extensions": {"extension-definition--66e2492a-bbd3-4be6-88f5-cc91a017a498": {"extension_type": "property-extension", "contact_numbers": [{"contact_number_type": "work-phone", "contact_number": "0418-208-368"}], "email_addresses": [{"digital_contact_type": "work", "email_address_ref": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3"}], "first_name": "Me", "last_name": "Jones", "middle_name": "Percival", "prefix": "Dr", "social_media_accounts": [{"digital_contact_type": "work", "user_account_ref": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3"}], "team": "All_Stars"}}}, "icon": "identity-contact", "name": "Individual", "heading": "Individual - Trusty Jones", "description": "
A Trusty Individual"}] \ No newline at end of file diff --git a/services/fastapi/generated/os-triage/context_mem/usr/edges.json b/services/fastapi/generated/os-triage/context_mem/usr/edges.json new file mode 100644 index 000000000..69c7e3bb7 --- /dev/null +++ b/services/fastapi/generated/os-triage/context_mem/usr/edges.json @@ -0,0 +1 @@ +[{"name": "belongs-to", "type": "embedded", "source": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3", "target": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3", "id": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3-user-account--83658594-537d-5c32-b9f0-137354bd9bc3"}, {"name": "email address", "type": "embedded", "source": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "target": "email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3", "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645-email-addr--c99b87bd-f0a8-50ca-9f84-68072efc61e3"}, {"name": "user account", "type": "embedded", "source": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645", "target": "user-account--83658594-537d-5c32-b9f0-137354bd9bc3", "id": "identity--482d64aa-9e57-410a-b4c1-97362f0f0645-user-account--83658594-537d-5c32-b9f0-137354bd9bc3"}] \ No newline at end of file
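Review bot: `context_mem/usr/cache_me.json` looks like per-user runtime state (an identity with `contact_number`, `user_id` and a work email address) checked in next to the per-incident `context_mem/incident--0c3984f2-03b0-4a6e-8568-b0f678aee83a/` files. If these are synthetic fixtures, a fixtures location or a short note saying so would make that explicit. If the service writes them at run time, the directory probably belongs in `.gitignore` so that real analyst or incident data cannot be committed by accident. Separately, `"account_type": "soc,"` has a stray comma inside the value, which surfaces in the rendered description as `Account Type -> soc,,`.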