From 88bd8adb896bb5d5627d1d80c48cbfbaf49ab7b5 Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Mon, 22 Jan 2024 10:47:52 +0100
Subject: [PATCH] Use filter mode 'and' for stix pattern type + values

When converting to the new filter syntax, an incorrect mode was used for the indicator filter. Now the stix pattern type must match along with the values queried.
---
 custom-opencti.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/custom-opencti.py b/custom-opencti.py
index 23725cd..1d7bc03 100755
--- a/custom-opencti.py
+++ b/custom-opencti.py
@@ -545,14 +545,14 @@ def query_opencti(alert, url, token):
 'obs': {
 "mode": "or",
 "filterGroups": [],
- "filters": [{'key': filter_key, 'values': filter_values}]
+ "filters": [{"key": filter_key, "values": filter_values}]
 },
 'ind': {
- "mode": "or",
+ "mode": "and",
 "filterGroups": [],
 "filters": [
- {'key': 'pattern_type', 'values': ['stix']},
- {'key': 'pattern', 'values': ind_filter},
+ {"key": "pattern_type", "values": ["stix"]},
+ {"mode": "or", "key": "pattern", "values": ind_filter},
 ]
 }
 }}
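Review bot: The new `pattern_type` filter carries no `mode` while its sibling `pattern` filter now sets `"mode": "or"`, so a reader cannot tell from the hunk whether the group-level `"and"` is meant to compose with a per-filter default or whether the omission is accidental; a short comment above the `'ind'` group would settle it, e.g. `# group mode 'and': pattern_type AND pattern must match; the inner 'or' applies across the ind_filter values`. If `ind_filter` can ever be empty, what the server returns for an `"or"` over zero values is not visible here and is worth confirming against the OpenCTI version this filter syntax targets. As a point of style, the outer `'obs'`/`'ind'` keys keep single quotes while the rewritten inner keys switched to double quotes; picking one form for the whole literal would read cleaner. query_opencti begins and ends outside the hunk.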