[Enrichment] Client python crashes when enriching Case #10293

@Lhorus6

Description

When enriching a Case, like Incident Response, the Python client crashes in the _process_message function. Here's the problem flow:

  1. In the _process_message function, the _data_handler function is called on line 274.
  2. Inside the _data_handler function, we call a generate_export function that will process the entity to be enriched, on line 365.
  3. This function will rewrite the entity ID by adding "x-opencti-" at the beginning, on line 1470.
  4. Then, back in the _data_handler function, we will loop to keep only the entities that have e["id"] == opencti_entity["standard_id"], on line 372.
    • However, having added “x-opencti-” to the beginning of the ID, this condition is no longer satisfied.
    • As a result, the list "stix_entity" on line 369 remains empty.
  5. Finally, we try to retrieve the first element of the "stix_entity" list on line 373.

-> As the list is necessarily empty, we get the error:

{ "timestamp": "2025-03-18T00:30:01.171407Z", "level": "ERROR", "name": "internal-opencti-to-fire", "message": "Error in message processing, reporting error to API", "exc_info": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.12/site-packages/pycti/connector/opencti_connector_helper.py\", line 325, in _data_handler\n stix_entity = [\n ^\nIndexError: list index out of range", "taskName": null }

Environment

OCTI 6.5.8

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Try to run an enrichment connector on an Incident Response Case entity

Expected Output

I'd like the python client to be adapted so that we can create and use enrichment connectors on Cases (and on any other entities that might be affected by the same behavior).

Note

Since I didn't know whether this issue should be opened on the “opencti” or “client-python” repo, I opened it on both. I'll let you close one of them if necessary. Here's the issue on the “client-python” repo: OpenCTI-Platform/client-python#861
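
The failure mode described in this issue, reduced to a stand-alone sketch. This is an added example, not code from pycti or from the issue author: the function names, the `rewrite_id` switch and the sample IDs are constructed, and the guarded lookup is one possible defensive pattern, not the project's fix.

```python
# Added illustration; not pycti code. All names and sample IDs are constructed.
PREFIX = "x-opencti-"  # prefix the issue says the export step adds to the ID

CASE = {  # constructed sample entity
    "standard_id": "case-incident--00000000-0000-4000-8000-000000000001",
    "entity_type": "case-incident",
}


def fake_export(opencti_entity, rewrite_id):
    """Stand-in for the export step; optionally rewrites the entity ID."""
    sid = opencti_entity["standard_id"]
    return [
        {"id": "identity--00000000-0000-4000-8000-000000000002"},
        {"id": PREFIX + sid if rewrite_id else sid},
    ]


def fragile_lookup(objects, opencti_entity):
    """Pattern from the issue: strict ID equality, then take index 0."""
    return [e for e in objects if e["id"] == opencti_entity["standard_id"]][0]


def guarded_lookup(objects, opencti_entity):
    """Accept the original or the prefixed ID; fail with a clear error."""
    sid = opencti_entity["standard_id"]
    wanted = {sid, PREFIX + sid}
    match = next((e for e in objects if e["id"] in wanted), None)
    if match is None:
        raise LookupError(f"no exported object matches {sid}")
    return match


if __name__ == "__main__":
    bundle = fake_export(CASE, rewrite_id=True)
    try:
        fragile_lookup(bundle, CASE)
    except IndexError as exc:
        print("fragile lookup:", repr(exc))
    print("guarded lookup:", guarded_lookup(bundle, CASE)["id"])
```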

Labels: bug (use for describing something not working as expected)
