pycti.entities.opencti_stix_cyber_observable
============================================

.. py:module:: pycti.entities.opencti_stix_cyber_observable


Classes
-------

.. autoapisummary::

   pycti.entities.opencti_stix_cyber_observable.StixCyberObservable


Module Contents
---------------

.. py:class:: StixCyberObservable(opencti)

   Bases: :py:obj:`pycti.entities.stix_cyber_observable.opencti_stix_cyber_observable_deprecated.StixCyberObservableDeprecatedMixin`

   Main StixCyberObservable class for OpenCTI.

   Manages STIX cyber observables (indicators of compromise) in the OpenCTI platform.

   Note: Deprecated methods are available through StixCyberObservableDeprecatedMixin.

   :param opencti: instance of :py:class:`~pycti.api.opencti_api_client.OpenCTIApiClient`
   :type opencti: OpenCTIApiClient

   Initialize the StixCyberObservable instance.

   :param opencti: OpenCTI API client instance
   :type opencti: OpenCTIApiClient


   .. py:attribute:: opencti


   .. py:attribute:: properties
      :value: Multiline-String

      .. code-block:: python

         """
             id
             standard_id
             entity_type
             parent_types
             spec_version
             created_at
             updated_at
             objectOrganization { id standard_id name }
             creators { id name }
             createdBy {
                 ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } }
                 ... on Organization { x_opencti_organization_type x_opencti_reliability }
                 ... on Individual { x_opencti_firstname x_opencti_lastname }
             }
             objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color }
             objectLabel { id value color }
             externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified } } }
             observable_value
             x_opencti_description
             x_opencti_score
             indicators { edges { node { id pattern pattern_type } } }
             ... on AutonomousSystem { number name rir }
             ... on Directory { path path_enc ctime mtime atime }
             ... on DomainName { value }
             ... on EmailAddr { value display_name }
             ... on EmailMessage { is_multipart attribute_date content_type message_id subject received_lines body }
             ... on Artifact { mime_type payload_bin url encryption_algorithm decryption_key hashes { algorithm hash } importFiles { edges { node { id name size metaData { mimetype version } } } } }
             ... on StixFile { extensions size name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes { algorithm hash } }
             ... on X509Certificate { is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes { algorithm hash } basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings }
             ... on SSHKey { key_type public_key fingerprint_sha256 fingerprint_md5 key_length expiration_date comment created }
             ... on AIPrompt { value }
             ... on IPv4Addr { value }
             ... on IPv6Addr { value }
             ... on MacAddr { value }
             ... on Mutex { name }
             ... on NetworkTraffic { extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets }
             ... on Process { extensions is_hidden pid created_time cwd command_line environment_variables }
             ... on Software { name cpe swid languages vendor version x_opencti_product }
             ... on Url { value }
             ... on UserAccount { extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login }
             ... on WindowsRegistryKey { attribute_key modified_time number_of_subkeys }
             ... on WindowsRegistryValueType { name data data_type }
             ... on CryptographicKey { value }
             ... on CryptocurrencyWallet { value }
             ... on Hostname { value }
             ... on Text { value }
             ... on UserAgent { value }
             ... on BankAccount { iban bic account_number }
             ... on PhoneNumber { value }
             ... on TrackingNumber { value }
             ... on Credential { value }
             ... on PaymentCard { card_number expiration_date cvv holder_name }
             ... on Persona { persona_name persona_type }
             ... on MediaContent { title content media_category url publication_date }
             ... on IMEI { value }
             ... on ICCID { value }
             ... on IMSI { value }
         """
   .. py:attribute:: properties_with_files
      :value: Multiline-String

      .. code-block:: python

         """
             id
             standard_id
             entity_type
             parent_types
             spec_version
             created_at
             updated_at
             objectOrganization { id standard_id name }
             creators { id name }
             createdBy {
                 ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } }
                 ... on Organization { x_opencti_organization_type x_opencti_reliability }
                 ... on Individual { x_opencti_firstname x_opencti_lastname }
             }
             objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color }
             objectLabel { id value color }
             externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified importFiles { edges { node { id name size metaData { mimetype version } } } } } } }
             observable_value
             x_opencti_description
             x_opencti_score
             indicators { edges { node { id pattern pattern_type } } }
             ... on AutonomousSystem { number name rir }
             ... on Directory { path path_enc ctime mtime atime }
             ... on DomainName { value }
             ... on EmailAddr { value display_name }
             ... on EmailMessage { is_multipart attribute_date content_type message_id subject received_lines body }
             ... on Artifact { mime_type payload_bin url encryption_algorithm decryption_key hashes { algorithm hash } importFiles { edges { node { id name size metaData { mimetype version } } } } }
             ... on StixFile { extensions size name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes { algorithm hash } }
             ... on X509Certificate { is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes { algorithm hash } basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings }
             ... on SSHKey { key_type public_key fingerprint_sha256 fingerprint_md5 key_length expiration_date comment created }
             ... on AIPrompt { value }
             ... on IPv4Addr { value }
             ... on IPv6Addr { value }
             ... on MacAddr { value }
             ... on Mutex { name }
             ... on NetworkTraffic { extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets }
             ... on Process { extensions is_hidden pid created_time cwd command_line environment_variables }
             ... on Software { name cpe swid languages vendor version x_opencti_product }
             ... on Url { value }
             ... on UserAccount { extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login }
             ... on WindowsRegistryKey { attribute_key modified_time number_of_subkeys }
             ... on WindowsRegistryValueType { name data data_type }
             ... on CryptographicKey { value }
             ... on CryptocurrencyWallet { value }
             ... on Hostname { value }
             ... on Text { value }
             ... on UserAgent { value }
             ... on BankAccount { iban bic account_number }
             ... on PhoneNumber { value }
             ... on TrackingNumber { value }
             ... on Credential { value }
             ... on PaymentCard { card_number expiration_date cvv holder_name }
             ... on Persona { persona_name persona_type }
             ... on MediaContent { title content media_category url publication_date }
             ... on IMEI { value }
             ... on ICCID { value }
             ... on IMSI { value }
             importFiles { edges { node { id name size metaData { mimetype version } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } } } }
         """
   .. py:method:: list(**kwargs)

      List StixCyberObservable objects.

      :param types: the array of types
      :type types: list
      :param filters: the filters to apply
      :type filters: dict
      :param search: the search keyword
      :type search: str
      :param first: return the first n rows from the after ID (or the beginning if not set)
      :type first: int
      :param after: ID of the first row for pagination
      :type after: str
      :param orderBy: field to order results by
      :type orderBy: str
      :param orderMode: ordering mode (asc/desc)
      :type orderMode: str
      :param customAttributes: custom attributes to return
      :type customAttributes: str
      :param getAll: whether to retrieve all results
      :type getAll: bool
      :param withPagination: whether to include pagination info
      :type withPagination: bool
      :param withFiles: whether to include files
      :type withFiles: bool
      :return: List of StixCyberObservable objects
      :rtype: list


   .. py:method:: read(**kwargs)

      Read a StixCyberObservable object.

      :param id: the id of the StixCyberObservable
      :type id: str
      :param filters: the filters to apply if no id is provided
      :type filters: dict
      :param customAttributes: custom attributes to return
      :type customAttributes: str
      :param withFiles: whether to include files
      :type withFiles: bool
      :return: StixCyberObservable object
      :rtype: dict or None


   .. py:method:: add_file(**kwargs)

      Upload a file to this Observable.

      :param id: the Stix-Cyber-Observable id
      :type id: str
      :param file_name: name of the file to upload
      :type file_name: str
      :param data: the file data
      :type data: bytes or str
      :param fileMarkings: list of marking definition IDs for the file
      :type fileMarkings: list
      :param version: file version
      :type version: str
      :param mime_type: MIME type of the file (default: text/plain)
      :type mime_type: str
      :param no_trigger_import: whether to skip the import trigger
      :type no_trigger_import: bool
      :param embedded: whether the file is embedded
      :type embedded: bool
      :return: updated StixCyberObservable object
      :rtype: dict or None


   .. py:method:: create(**kwargs)

      Create a Stix-Cyber-Observable object.

      :param observableData: the data of the observable (STIX2 structure)
      :type observableData: dict
      :param simple_observable_id: (optional) simple observable STIX ID
      :type simple_observable_id: str
      :param simple_observable_key: (optional) simple observable key (e.g., "IPv4-Addr.value")
      :type simple_observable_key: str
      :param simple_observable_value: (optional) simple observable value
      :type simple_observable_value: str
      :param simple_observable_description: (optional) simple observable description
      :type simple_observable_description: str
      :param x_opencti_score: (optional) score (0-100)
      :type x_opencti_score: int
      :param createdBy: (optional) the author ID
      :type createdBy: str
      :param objectMarking: (optional) list of marking definition IDs
      :type objectMarking: list
      :param objectLabel: (optional) list of label IDs
      :type objectLabel: list
      :param externalReferences: (optional) list of external reference IDs
      :type externalReferences: list
      :param objectOrganization: (optional) list of organization IDs
      :type objectOrganization: list
      :param update: (optional) whether to update if the observable already exists (default: False)
      :type update: bool
      :param resolve_result_indicators: (optional) resolve result indicators (default: True)
      :type resolve_result_indicators: bool
      :param files: (optional) list of File objects to attach
      :type files: list
      :param filesMarkings: (optional) list of lists of marking definition IDs, one list per file
      :type filesMarkings: list
      :return: Stix-Cyber-Observable object
      :rtype: dict or None


   .. py:method:: upload_artifact(**kwargs)

      Upload an artifact.

      :param file_name: the file name or path
      :type file_name: str
      :param data: the file data (optional, read from file_name if not provided)
      :type data: bytes
      :param mime_type: the MIME type (default: text/plain)
      :type mime_type: str
      :param x_opencti_description: description for the artifact
      :type x_opencti_description: str
      :param createdBy: the author ID
      :type createdBy: str
      :param objectMarking: list of marking definition IDs
      :type objectMarking: list
      :param objectLabel: list of label IDs
      :type objectLabel: list
      :param createIndicator: whether to create an indicator (default: False)
      :type createIndicator: bool
      :return: Stix-Observable object
      :rtype: dict or None


   .. py:method:: update_field(**kwargs)

      Update a Stix-Observable object field.

      :param id: the Stix-Observable id
      :type id: str
      :param input: the input of the field to update
      :type input: list
      :return: The updated Stix-Observable object
      :rtype: dict or None


   .. py:method:: promote_to_indicator_v2(**kwargs)

      Promote a Stix-Observable to an Indicator.

      :param id: the Stix-Observable id
      :type id: str
      :param customAttributes: custom attributes to return for the indicator
      :type customAttributes: str
      :return: The newly created indicator
      :rtype: dict or None


   .. py:method:: delete(**kwargs)

      Delete a Stix-Observable.

      :param id: the Stix-Observable id
      :type id: str
      :return: None
      :rtype: None


   .. py:method:: update_created_by(**kwargs)

      Update the Identity author of a Stix-Cyber-Observable object (created_by).

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param identity_id: the id of the Identity
      :type identity_id: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: add_marking_definition(**kwargs)

      Add a Marking-Definition object to a Stix-Cyber-Observable object (object_marking_refs).

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param marking_definition_id: the id of the Marking-Definition
      :type marking_definition_id: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: remove_marking_definition(**kwargs)

      Remove a Marking-Definition object from a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param marking_definition_id: the id of the Marking-Definition
      :type marking_definition_id: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: add_label(**kwargs)

      Add a Label object to a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param label_id: the id of the Label
      :type label_id: str
      :param label_name: the name of the Label (created if it does not exist)
      :type label_name: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: remove_label(**kwargs)

      Remove a Label object from a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param label_id: the id of the Label
      :type label_id: str
      :param label_name: the name of the Label (alternative to label_id)
      :type label_name: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: add_external_reference(**kwargs)

      Add an External-Reference object to a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param external_reference_id: the id of the External-Reference
      :type external_reference_id: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: remove_external_reference(**kwargs)

      Remove an External-Reference object from a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param external_reference_id: the id of the External-Reference
      :type external_reference_id: str
      :return: True on success, False on failure
      :rtype: bool


   .. py:method:: push_list_export(entity_id, entity_type, file_name, file_markings, data, list_filters='', mime_type=None)

      Push a list export for Stix-Cyber-Observables.

      :param entity_id: the entity ID
      :type entity_id: str
      :param entity_type: the entity type
      :type entity_type: str
      :param file_name: the file name
      :type file_name: str
      :param file_markings: list of marking definition IDs for the file
      :type file_markings: list
      :param data: the file data
      :type data: bytes
      :param list_filters: the list filters (default: "")
      :type list_filters: str
      :param mime_type: the MIME type (optional)
      :type mime_type: str
      :return: None
      :rtype: None


   .. py:method:: ask_for_enrichment(**kwargs) -> str

      Ask for enrichment of a Stix-Cyber-Observable.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :param connector_id: the id of the enrichment connector
      :type connector_id: str
      :return: The work ID
      :rtype: str


   .. py:method:: reports(**kwargs)

      Get the reports about a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :return: List of reports
      :rtype: list or None


   .. py:method:: notes(**kwargs)

      Get the notes about a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :return: List of notes
      :rtype: list or None


   .. py:method:: observed_data(**kwargs)

      Get the observed data of a Stix-Cyber-Observable object.

      :param id: the id of the Stix-Cyber-Observable
      :type id: str
      :return: List of observed data
      :rtype: list or None
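The ``properties`` selection above is one GraphQL selection with a shared prefix and one ``... on <Type> { ... }`` inline fragment per observable type; when only a few types matter, a narrower selection can be passed as ``customAttributes`` to ``list()`` or ``read()`` to keep responses small. The following is an added example, not pycti's own code: it assumes ``customAttributes`` accepts such a selection string, and ``SAMPLE_PROPERTIES`` is a constructed, shortened copy of the page's selection with the same shape.

```python
import re

# Constructed, shortened copy of the page's `properties` selection: same shape
# (shared fields, a nested createdBy fragment, one `... on <Type>` per observable type).
SAMPLE_PROPERTIES = """
    id standard_id entity_type observable_value x_opencti_score
    createdBy { ... on Identity { id name } }
    objectMarking { id definition }
    indicators { edges { node { id pattern pattern_type } } }
    ... on DomainName { value }
    ... on StixFile { size name hashes { algorithm hash } }
    ... on IPv4Addr { value }
    ... on UserAccount { extensions user_id account_login is_privileged }
"""

_FRAGMENT_START = re.compile(r"\.\.\.\s+on\s+(\w+)\s*\{")

def _matching_brace(text, open_idx):
    """Index of the '}' closing the '{' at open_idx (nesting-aware)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in selection")

def split_selection(selection):
    """Split into (shared_fields, {observable_type: fragment_body}).
    Only top-level `... on Type { }` fragments count as observable types; one
    nested in a field such as createdBy stays with the shared fields."""
    shared, fragments, pos = [], {}, 0
    for match in _FRAGMENT_START.finditer(selection):
        prefix = selection[:match.start()]
        if prefix.count("{") != prefix.count("}"):
            continue  # nested fragment: not a top-level observable type
        shared.append(selection[pos:match.start()])
        end = _matching_brace(selection, match.end() - 1)
        fragments[match.group(1)] = " ".join(selection[match.end():end].split())
        pos = end + 1
    shared.append(selection[pos:])
    return " ".join(" ".join(shared).split()), fragments

def narrow_selection(selection, keep_types):
    """Rebuild the selection with only the fragments for keep_types."""
    shared, fragments = split_selection(selection)
    unknown = set(keep_types) - set(fragments)
    if unknown:
        raise KeyError(f"no fragment for observable type(s): {sorted(unknown)}")
    kept = [f"... on {t} {{ {fragments[t]} }}" for t in keep_types]
    return " ".join([shared] + kept)
```

Running ``split_selection`` on the full ``properties`` string from this page yields one entry per observable type, so ``narrow_selection(StixCyberObservable.properties, ["StixFile", "IPv4Addr"])`` gives a selection limited to file and IPv4 fields.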