pycti.entities.opencti_indicator
================================

.. py:module:: pycti.entities.opencti_indicator


Classes
-------

.. autoapisummary::

   pycti.entities.opencti_indicator.Indicator


Module Contents
---------------

.. py:class:: Indicator(opencti)

   Main Indicator class for OpenCTI.

   Manages threat indicators and detection patterns in the OpenCTI platform.

   :param opencti: instance of :py:class:`~pycti.api.opencti_api_client.OpenCTIApiClient`
   :type opencti: OpenCTIApiClient

   Initialize the Indicator instance.

   :param opencti: OpenCTI API client instance
   :type opencti: OpenCTIApiClient


   .. py:attribute:: opencti


   .. py:attribute:: properties
      :value: Multiline-String

      .. code-block:: python

         """
             id standard_id entity_type parent_types spec_version created_at updated_at
             creators { id name }
             createdBy {
                 ... on Identity {
                     id standard_id entity_type parent_types spec_version identity_class
                     name description roles contact_information x_opencti_aliases
                     created modified
                     objectLabel { id value color }
                 }
                 ... on Organization { x_opencti_organization_type x_opencti_reliability }
                 ... on Individual { x_opencti_firstname x_opencti_lastname }
             }
             objectOrganization { id standard_id name }
             objectMarking {
                 id standard_id entity_type definition_type definition
                 created modified x_opencti_order x_opencti_color
             }
             objectLabel { id value color }
             externalReferences {
                 edges {
                     node {
                         id standard_id entity_type source_name description url hash
                         external_id created modified
                     }
                 }
             }
             revoked confidence created modified
             pattern_type pattern_version pattern name description indicator_types
             valid_from valid_until
             x_opencti_score x_opencti_detection x_opencti_main_observable_type
             x_opencti_observable_values {
                 type value
                 hashes { algorithm hash }
             }
             x_mitre_platforms
             observables {
                 edges {
                     node { id entity_type observable_value }
                 }
             }
             killChainPhases {
                 id standard_id entity_type kill_chain_name phase_name
                 x_opencti_order created modified
             }
         """
   .. py:attribute:: properties_with_files
      :value: Multiline-String

      .. code-block:: python

         """
             id standard_id entity_type parent_types spec_version created_at updated_at
             creators { id name }
             createdBy {
                 ... on Identity {
                     id standard_id entity_type parent_types spec_version identity_class
                     name description roles contact_information x_opencti_aliases
                     created modified
                     objectLabel { id value color }
                 }
                 ... on Organization { x_opencti_organization_type x_opencti_reliability }
                 ... on Individual { x_opencti_firstname x_opencti_lastname }
             }
             objectOrganization { id standard_id name }
             objectMarking {
                 id standard_id entity_type definition_type definition
                 created modified x_opencti_order x_opencti_color
             }
             objectLabel { id value color }
             externalReferences {
                 edges {
                     node {
                         id standard_id entity_type source_name description url hash
                         external_id created modified
                         importFiles {
                             edges {
                                 node {
                                     id name size
                                     metaData { mimetype version }
                                 }
                             }
                         }
                     }
                 }
             }
             revoked confidence created modified
             pattern_type pattern_version pattern name description indicator_types
             valid_from valid_until
             x_opencti_score x_opencti_detection x_opencti_main_observable_type
             x_opencti_observable_values {
                 type value
                 hashes { algorithm hash }
             }
             x_mitre_platforms
             observables {
                 edges {
                     node { id entity_type observable_value }
                 }
             }
             killChainPhases {
                 id standard_id entity_type kill_chain_name phase_name
                 x_opencti_order created modified
             }
             importFiles {
                 edges {
                     node {
                         id name size
                         metaData { mimetype version }
                         objectMarking {
                             id standard_id entity_type definition_type definition
                             created modified x_opencti_order x_opencti_color
                         }
                     }
                 }
             }
         """
   .. py:method:: generate_id(pattern)
      :staticmethod:

      Generate a deterministic STIX ID for an Indicator from its pattern.

      :param pattern: The STIX pattern
      :type pattern: str
      :return: STIX ID for the indicator
      :rtype: str


   .. py:method:: generate_id_from_data(data)
      :staticmethod:

      Generate a STIX ID from indicator data.

      :param data: Dictionary containing a ``pattern`` key
      :type data: dict
      :return: STIX ID for the indicator
      :rtype: str


   .. py:method:: list(**kwargs)

      List Indicator objects.

      :param filters: (optional) the filters to apply
      :type filters: dict
      :param search: (optional) a search keyword to apply to the listing
      :type search: str
      :param first: (optional) return the first n rows after the ``after`` ID, or from the beginning if not set
      :type first: int
      :param after: (optional) OpenCTI object ID of the first row, for pagination
      :type after: str
      :param orderBy: (optional) the field to order the response on
      :type orderBy: str
      :param orderMode: (optional) either ``"asc"`` or ``"desc"``
      :type orderMode: str
      :param customAttributes: (optional) list of attribute keys to return
      :type customAttributes: str
      :param getAll: (optional) switch to return all entries (be careful using this without any other filters)
      :type getAll: bool
      :param withPagination: (optional) switch to use pagination
      :type withPagination: bool
      :param withFiles: (optional) include files in the response
      :type withFiles: bool
      :param toStix: (optional) return the result in STIX format
      :type toStix: bool
      :return: List of Indicators
      :rtype: list


   .. py:method:: read(**kwargs)

      Read an Indicator object.

      Read can be used either with a known OpenCTI entity ``id`` or with a valid filter that
      searches for and returns a single Indicator entity, or ``None`` if nothing matches.

      Note: either ``id`` or ``filters`` is required.

      :param id: the id of the Indicator
      :type id: str
      :param filters: the filters to apply if no id is provided
      :type filters: dict
      :param customAttributes: custom attributes to return
      :type customAttributes: str
      :param withFiles: whether to include files
      :type withFiles: bool
      :return: Indicator object
      :rtype: dict or None


   .. py:method:: create(**kwargs)

      Create an Indicator object.

      :param stix_id: (optional) the STIX ID
      :type stix_id: str
      :param createdBy: (optional) the author ID
      :type createdBy: str
      :param objectMarking: (optional) list of marking definition IDs
      :type objectMarking: list
      :param objectLabel: (optional) list of label IDs
      :type objectLabel: list
      :param externalReferences: (optional) list of external reference IDs
      :type externalReferences: list
      :param revoked: (optional) whether the indicator is revoked
      :type revoked: bool
      :param confidence: (optional) confidence level (0-100)
      :type confidence: int
      :param lang: (optional) language
      :type lang: str
      :param created: (optional) creation date
      :type created: str
      :param modified: (optional) modification date
      :type modified: str
      :param pattern_type: the pattern type (required)
      :type pattern_type: str
      :param pattern_version: (optional) the pattern version
      :type pattern_version: str
      :param pattern: the indicator pattern (required)
      :type pattern: str
      :param name: the name of the Indicator (defaults to the pattern)
      :type name: str
      :param description: (optional) description
      :type description: str
      :param indicator_types: (optional) list of indicator types
      :type indicator_types: list
      :param valid_from: (optional) valid-from date
      :type valid_from: str
      :param valid_until: (optional) valid-until date
      :type valid_until: str
      :param x_opencti_score: (optional) score (default: 50)
      :type x_opencti_score: int
      :param x_opencti_detection: (optional) detection flag (default: False)
      :type x_opencti_detection: bool
      :param x_opencti_main_observable_type: the main observable type (required)
      :type x_opencti_main_observable_type: str
      :param x_mitre_platforms: (optional) list of MITRE platforms
      :type x_mitre_platforms: list
      :param killChainPhases: (optional) list of kill chain phase IDs
      :type killChainPhases: list
      :param x_opencti_stix_ids: (optional) list of additional STIX IDs
      :type x_opencti_stix_ids: list
      :param x_opencti_create_observables: (optional) create observables from the pattern (default: False)
      :type x_opencti_create_observables: bool
      :param objectOrganization: (optional) list of organization IDs
      :type objectOrganization: list
      :param x_opencti_workflow_id: (optional) workflow ID
      :type x_opencti_workflow_id: str
      :param x_opencti_modified_at: (optional) custom modification date
      :type x_opencti_modified_at: str
      :param update: (optional) whether to update the indicator if it already exists (default: False)
      :type update: bool
      :param files: (optional) list of File objects to attach
      :type files: list
      :param filesMarkings: (optional) list of lists of marking definition IDs, one list per file
      :type filesMarkings: list
      :return: Indicator object
      :rtype: dict or None


   .. py:method:: update_field(**kwargs)

      Update a field of an Indicator object.

      :param id: the Indicator id
      :type id: str
      :param input: the input of the field
      :type input: list
      :return: Updated Indicator object
      :rtype: dict or None


   .. py:method:: add_stix_cyber_observable(**kwargs)

      Add a Stix-Cyber-Observable object to an Indicator object (``based-on`` relationship).

      :param id: the id of the Indicator
      :type id: str
      :param indicator: Indicator object
      :type indicator: dict
      :param stix_cyber_observable_id: the id of the Stix-Cyber-Observable
      :type stix_cyber_observable_id: str
      :return: True if there has been no import error
      :rtype: bool


   .. py:method:: import_from_stix2(**kwargs)

      Import an Indicator object from a STIX2 object.

      :param stixObject: the STIX Indicator object
      :type stixObject: dict
      :param extras: extra dict
      :type extras: dict
      :param update: set the update flag on import
      :type update: bool
      :return: Indicator object
      :rtype: dict or None
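As an added example tying together ``generate_id`` and the ``create`` parameters above (this is not pycti's own code): a stand-in for the deterministic ID derivation, plus a helper that enforces the documented constraints (required fields, ``confidence`` and ``x_opencti_score`` in 0-100, a validity window that ends after it starts) before calling ``client.indicator.create(**payload)``. The namespace UUID, the canonicalization and the TEST-NET sample pattern are assumptions made for the illustration.

```python
import json
import uuid
from datetime import datetime

# STIX 2.1 namespace for deterministic IDs; assumed here (not shown on this
# page) to be the namespace pycti's Indicator.generate_id() derives from.
STIX_ID_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def generate_indicator_id(pattern: str) -> str:
    """Stand-in for Indicator.generate_id(): UUIDv5 over the canonical JSON
    of {"pattern": <trimmed pattern>}, so re-importing the same pattern
    maps to the same ID instead of creating a duplicate indicator."""
    canonical = json.dumps({"pattern": pattern.strip()}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return "indicator--" + str(uuid.uuid5(STIX_ID_NAMESPACE, canonical))

def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_indicator_input(pattern, main_observable_type, pattern_type="stix",
                          confidence=50, score=50, detection=False,
                          valid_from=None, valid_until=None, update=False):
    """Assemble and validate the keyword arguments for Indicator.create():
    required fields, confidence/score in 0-100, and a sane validity window."""
    if not pattern.strip() or not pattern_type or not main_observable_type:
        raise ValueError("pattern, pattern_type and "
                         "x_opencti_main_observable_type are required")
    for label, value in (("confidence", confidence), ("x_opencti_score", score)):
        if not 0 <= value <= 100:
            raise ValueError(f"{label} must be within 0-100, got {value}")
    if valid_from and valid_until and _parse_ts(valid_until) <= _parse_ts(valid_from):
        raise ValueError("valid_until must be later than valid_from")
    payload = {
        "stix_id": generate_indicator_id(pattern),
        "pattern_type": pattern_type,
        "pattern": pattern.strip(),
        "x_opencti_main_observable_type": main_observable_type,
        "confidence": confidence,
        "x_opencti_score": score,
        "x_opencti_detection": detection,
        "update": update,  # documented default False; True updates an existing indicator
    }
    if valid_from:
        payload["valid_from"] = valid_from
    if valid_until:
        payload["valid_until"] = valid_until
    return payload
```

Pass the returned dictionary as ``client.indicator.create(**payload)``; because ``stix_id`` is derived from the pattern, a second run with the same pattern targets the same indicator rather than a duplicate.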