pycti.utils.constants
=====================

.. py:module:: pycti.utils.constants

.. autoapi-nested-parse::

   These are the custom STIX properties and observation types used internally by OpenCTI.


Classes
-------

.. autoapisummary::

   pycti.utils.constants.CaseInsensitiveEnum
   pycti.utils.constants.StixCyberObservableTypes
   pycti.utils.constants.IdentityTypes
   pycti.utils.constants.ThreatActorTypes
   pycti.utils.constants.LocationTypes
   pycti.utils.constants.ContainerTypes
   pycti.utils.constants.StixMetaTypes
   pycti.utils.constants.MultipleRefRelationship
   pycti.utils.constants.CustomObjectCaseIncident
   pycti.utils.constants.CustomObjectCaseRfi
   pycti.utils.constants.CustomObjectTask
   pycti.utils.constants.CustomObjectChannel
   pycti.utils.constants.CustomObservableHostname
   pycti.utils.constants.CustomObservableText
   pycti.utils.constants.CustomObservablePaymentCard
   pycti.utils.constants.CustomObservableBankAccount
   pycti.utils.constants.CustomObservableCredential
   pycti.utils.constants.CustomObservableCryptocurrencyWallet
   pycti.utils.constants.CustomObservablePhoneNumber
   pycti.utils.constants.CustomObservableTrackingNumber
   pycti.utils.constants.CustomObservableUserAgent
   pycti.utils.constants.CustomObservableMediaContent
   pycti.utils.constants.CustomObservablePersona
   pycti.utils.constants.CustomObservableCryptographicKey
   pycti.utils.constants.CustomObservableSshKey
   pycti.utils.constants.CustomObservableAIPrompt
   pycti.utils.constants.CustomObservableIMEI
   pycti.utils.constants.CustomObservableICCID
   pycti.utils.constants.CustomObservableIMSI


Module Contents
---------------

.. py:class:: CaseInsensitiveEnum(*args, **kwds)

   Bases: :py:obj:`enum.Enum`

   Base Enum class with case-insensitive value lookup.

   .. py:method:: has_value(value: str) -> bool
      :classmethod:

      Check if the enum contains the given value (case-insensitive).

      :param value: Value to check
      :type value: str
      :return: True if value exists in enum, False otherwise
      :rtype: bool


.. py:class:: StixCyberObservableTypes(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of STIX Cyber Observable types supported by OpenCTI.

   .. py:attribute:: AUTONOMOUS_SYSTEM
      :value: 'Autonomous-System'

   .. py:attribute:: DIRECTORY
      :value: 'Directory'

   .. py:attribute:: DOMAIN_NAME
      :value: 'Domain-Name'

   .. py:attribute:: EMAIL_ADDR
      :value: 'Email-Addr'

   .. py:attribute:: EMAIL_MESSAGE
      :value: 'Email-Message'

   .. py:attribute:: EMAIL_MIME_PART_TYPE
      :value: 'Email-Mime-Part-Type'

   .. py:attribute:: ARTIFACT
      :value: 'Artifact'

   .. py:attribute:: FILE
      :value: 'File'

   .. py:attribute:: X509_CERTIFICATE
      :value: 'X509-Certificate'

   .. py:attribute:: IPV4_ADDR
      :value: 'IPv4-Addr'

   .. py:attribute:: IPV6_ADDR
      :value: 'IPv6-Addr'

   .. py:attribute:: MAC_ADDR
      :value: 'Mac-Addr'

   .. py:attribute:: MUTEX
      :value: 'Mutex'

   .. py:attribute:: NETWORK_TRAFFIC
      :value: 'Network-Traffic'

   .. py:attribute:: PROCESS
      :value: 'Process'

   .. py:attribute:: SOFTWARE
      :value: 'Software'

   .. py:attribute:: URL
      :value: 'Url'

   .. py:attribute:: USER_ACCOUNT
      :value: 'User-Account'

   .. py:attribute:: WINDOWS_REGISTRY_KEY
      :value: 'Windows-Registry-Key'

   .. py:attribute:: WINDOWS_REGISTRY_VALUE_TYPE
      :value: 'Windows-Registry-Value-Type'

   .. py:attribute:: HOSTNAME
      :value: 'Hostname'

   .. py:attribute:: CRYPTOGRAPHIC_KEY
      :value: 'Cryptographic-Key'

   .. py:attribute:: CRYPTOCURRENCY_WALLET
      :value: 'Cryptocurrency-Wallet'

   .. py:attribute:: TEXT
      :value: 'Text'

   .. py:attribute:: USER_AGENT
      :value: 'User-Agent'

   .. py:attribute:: BANK_ACCOUNT
      :value: 'Bank-Account'

   .. py:attribute:: PHONE_NUMBER
      :value: 'Phone-Number'

   .. py:attribute:: CREDENTIAL
      :value: 'Credential'

   .. py:attribute:: TRACKING_NUMBER
      :value: 'Tracking-Number'

   .. py:attribute:: PAYMENT_CARD
      :value: 'Payment-Card'

   .. py:attribute:: MEDIA_CONTENT
      :value: 'Media-Content'

   .. py:attribute:: SIMPLE_OBSERVABLE
      :value: 'Simple-Observable'

   .. py:attribute:: PERSONA
      :value: 'Persona'

   .. py:attribute:: SSH_KEY
      :value: 'SSH-Key'

   .. py:attribute:: AI_PROMPT
      :value: 'AI-Prompt'

   .. py:attribute:: IMEI
      :value: 'IMEI'

   .. py:attribute:: ICCID
      :value: 'ICCID'

   .. py:attribute:: IMSI
      :value: 'IMSI'


.. py:class:: IdentityTypes(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of Identity types supported by OpenCTI.

   .. py:attribute:: SECTOR
      :value: 'Sector'

   .. py:attribute:: ORGANIZATION
      :value: 'Organization'

   .. py:attribute:: INDIVIDUAL
      :value: 'Individual'

   .. py:attribute:: SYSTEM
      :value: 'System'

   .. py:attribute:: SECURITYPLATFORM
      :value: 'SecurityPlatform'


.. py:class:: ThreatActorTypes(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of Threat Actor types supported by OpenCTI.

   .. py:attribute:: THREAT_ACTOR_GROUP
      :value: 'Threat-Actor-Group'

   .. py:attribute:: THREAT_ACTOR_INDIVIDUAL
      :value: 'Threat-Actor-Individual'


.. py:class:: LocationTypes(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of Location types supported by OpenCTI.

   .. py:attribute:: REGION
      :value: 'Region'

   .. py:attribute:: COUNTRY
      :value: 'Country'

   .. py:attribute:: ADMINISTRATIVE_AREA
      :value: 'Administrative-Area'

   .. py:attribute:: CITY
      :value: 'City'

   .. py:attribute:: POSITION
      :value: 'Position'


.. py:class:: ContainerTypes(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of Container types supported by OpenCTI.

   .. py:attribute:: NOTE
      :value: 'Note'

   .. py:attribute:: OBSERVED_DATA
      :value: 'Observed-Data'

   .. py:attribute:: OPINION
      :value: 'Opinion'

   .. py:attribute:: REPORT
      :value: 'Report'

   .. py:attribute:: GROUPING
      :value: 'Grouping'

   .. py:attribute:: CASE
      :value: 'Case'


.. py:class:: StixMetaTypes(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of STIX Meta Object types supported by OpenCTI.

   .. py:attribute:: MARKING_DEFINITION
      :value: 'Marking-Definition'

   .. py:attribute:: LABEL
      :value: 'Label'

   .. py:attribute:: EXTERNAL_REFERENCE
      :value: 'External-Reference'

   .. py:attribute:: KILL_CHAIN_PHASE
      :value: 'Kill-Chain-Phase'


.. py:class:: MultipleRefRelationship(*args, **kwds)

   Bases: :py:obj:`CaseInsensitiveEnum`

   Enumeration of relationship types that can have multiple references.

   .. py:attribute:: OPERATING_SYSTEM
      :value: 'operating-system'

   .. py:attribute:: SAMPLE
      :value: 'sample'

   .. py:attribute:: CONTAINS
      :value: 'contains'

   .. py:attribute:: RESOLVES_TO
      :value: 'obs_resolves-to'

   .. py:attribute:: BELONGS_TO
      :value: 'obs_belongs-to'

   .. py:attribute:: TO
      :value: 'to'

   .. py:attribute:: CC
      :value: 'cc'

   .. py:attribute:: BCC
      :value: 'bcc'

   .. py:attribute:: ENCAPSULATES
      :value: 'encapsulates'

   .. py:attribute:: OPENED_CONNECTION
      :value: 'opened-connection'

   .. py:attribute:: CHILD
      :value: 'child'

   .. py:attribute:: BODY_MULTIPART
      :value: 'body-multipart'

   .. py:attribute:: VALUES
      :value: 'values'

   .. py:attribute:: SERVICE_DLL
      :value: 'service-dll'

   .. py:attribute:: INSTALLED_SOFTWARE
      :value: 'installed-software'

   .. py:attribute:: RELATION_ANALYSIS_SCO
      :value: 'analysis-sco'


.. py:class:: CustomObjectCaseIncident

   Custom STIX2 Case-Incident object for OpenCTI.

   Represents a case-incident container with associated metadata including
   name, description, severity, priority, and response types.

   :param name: Name of the case incident (required)
   :type name: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param description: Description of the case incident
   :type description: str
   :param severity: Severity level of the incident
   :type severity: str
   :param priority: Priority level of the incident
   :type priority: str
   :param response_types: List of response types
   :type response_types: list
   :param x_opencti_workflow_id: OpenCTI workflow identifier
   :type x_opencti_workflow_id: str
   :param x_opencti_assignee_ids: List of assignee identifiers
   :type x_opencti_assignee_ids: list
   :param external_references: List of external references
   :type external_references: list
   :param object_refs: List of referenced STIX objects
   :type object_refs: list


.. py:class:: CustomObjectCaseRfi

   Custom STIX2 Case-RFI (Request For Information) object for OpenCTI.

   Represents a request for information container with associated metadata
   including name, description, severity, priority, and information types.

   :param name: Name of the RFI case (required)
   :type name: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param description: Description of the RFI case
   :type description: str
   :param severity: Severity level of the RFI
   :type severity: str
   :param priority: Priority level of the RFI
   :type priority: str
   :param information_types: List of information types requested
   :type information_types: list
   :param x_opencti_workflow_id: OpenCTI workflow identifier
   :type x_opencti_workflow_id: str
   :param x_opencti_assignee_ids: List of assignee identifiers
   :type x_opencti_assignee_ids: list
   :param external_references: List of external references
   :type external_references: list
   :param object_refs: List of referenced STIX objects
   :type object_refs: list


.. py:class:: CustomObjectTask

   Custom STIX2 Task object for OpenCTI.

   Represents a task with associated metadata including name, description,
   due date, and assignees.

   :param name: Name of the task (required)
   :type name: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param description: Description of the task
   :type description: str
   :param due_date: Due date timestamp for the task
   :type due_date: datetime
   :param x_opencti_workflow_id: OpenCTI workflow identifier
   :type x_opencti_workflow_id: str
   :param x_opencti_assignee_ids: List of assignee identifiers
   :type x_opencti_assignee_ids: list
   :param object_refs: List of referenced STIX objects
   :type object_refs: list


.. py:class:: CustomObjectChannel

   Custom STIX2 Channel object for OpenCTI.

   Represents a communication channel with associated metadata including
   name, description, aliases, and channel types.

   :param name: Name of the channel (required)
   :type name: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param description: Description of the channel
   :type description: str
   :param aliases: List of alternative names for the channel
   :type aliases: list
   :param channel_types: List of channel types
   :type channel_types: list
   :param x_opencti_workflow_id: OpenCTI workflow identifier
   :type x_opencti_workflow_id: str
   :param x_opencti_assignee_ids: List of assignee identifiers
   :type x_opencti_assignee_ids: list
   :param external_references: List of external references
   :type external_references: list


.. py:class:: CustomObservableHostname

   Custom STIX2 Hostname observable for OpenCTI.

   Represents a hostname cyber observable with its associated value.

   :param value: The hostname value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableText

   Custom STIX2 Text observable for OpenCTI.

   Represents a generic text cyber observable with its associated value.

   :param value: The text value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservablePaymentCard

   Custom STIX2 Payment Card observable for OpenCTI.

   Represents a payment card cyber observable with card details.

   :param value: Display value for the payment card (required)
   :type value: str
   :param card_number: The payment card number (required)
   :type card_number: str
   :param expiration_date: Card expiration date
   :type expiration_date: str
   :param cvv: Card verification value
   :type cvv: str
   :param holder_name: Name of the card holder
   :type holder_name: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableBankAccount

   Custom STIX2 Bank Account observable for OpenCTI.

   Represents a bank account cyber observable with account details.

   :param value: Display value for the bank account (required)
   :type value: str
   :param iban: International Bank Account Number (required)
   :type iban: str
   :param bic: Bank Identifier Code
   :type bic: str
   :param account_number: Bank account number
   :type account_number: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableCredential

   Custom STIX2 Credential observable for OpenCTI.

   Represents a credential cyber observable such as a password or access token.

   :param value: The credential value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableCryptocurrencyWallet

   Custom STIX2 Cryptocurrency Wallet observable for OpenCTI.

   Represents a cryptocurrency wallet address cyber observable.

   :param value: The wallet address value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservablePhoneNumber

   Custom STIX2 Phone Number observable for OpenCTI.

   Represents a phone number cyber observable.

   :param value: The phone number value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableTrackingNumber

   Custom STIX2 Tracking Number observable for OpenCTI.

   Represents a tracking number cyber observable (e.g., package tracking).

   :param value: The tracking number value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableUserAgent

   Custom STIX2 User-Agent observable for OpenCTI.

   Represents a User-Agent string cyber observable from HTTP headers.

   :param value: The User-Agent string value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableMediaContent

   Custom STIX2 Media-Content observable for OpenCTI.

   Represents a media content cyber observable such as articles or posts.

   :param title: Title of the media content
   :type title: str
   :param description: Description of the media content
   :type description: str
   :param content: The actual content body
   :type content: str
   :param media_category: Category of the media
   :type media_category: str
   :param url: URL of the media content (required)
   :type url: str
   :param publication_date: Publication date timestamp
   :type publication_date: datetime
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservablePersona

   Custom STIX2 Persona observable for OpenCTI.

   Represents a persona or online identity cyber observable.

   :param persona_name: Name of the persona (required)
   :type persona_name: str
   :param persona_type: Type of the persona (required)
   :type persona_type: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableCryptographicKey

   Custom STIX2 Cryptographic-Key observable for OpenCTI.

   Represents a cryptographic key cyber observable such as API keys or
   encryption keys.

   :param value: The cryptographic key value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableSshKey

   Custom STIX2 SSH-Key observable for OpenCTI.

   Represents an SSH key cyber observable such as public or private SSH keys.

   :param value: The SSH key value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableAIPrompt

   Custom STIX2 AI Prompt observable for OpenCTI.

   Represents an AI prompt cyber observable used in AI-related threat
   intelligence.

   :param value: The AI prompt value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableIMEI

   IMEI observable.

   Represents an International Mobile Equipment Identity, which is a phone
   serial number.
   Format: 14 digits + 1 check digit, numeric only (can be 16 digits total
   for legacy).

   :param value: The IMEI value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableICCID

   ICCID observable.

   Represents a unique serial number of a SIM card, printed on the SIM itself.
   Format: up to 18-20 digits, numeric only.

   :param value: The ICCID value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list


.. py:class:: CustomObservableIMSI

   IMSI observable.

   Identifies the user as a subscriber in the mobile network.
   Format: usually 15 digits (can be 14-15), numeric only.
   Composed of MCC+MNC+MSIN.

   :param value: The IMSI value (required)
   :type value: str
   :param spec_version: STIX specification version, fixed to "2.1"
   :type spec_version: str
   :param object_marking_refs: List of marking definition references
   :type object_marking_refs: list
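
A pre-ingestion check for the IMEI, ICCID and IMSI formats described above, as an added example that is not part of pycti and does not import it. ``luhn_valid`` and ``check_mobile_id`` are hypothetical helper names; the 15-digit IMEI check digit is verified with the Luhn algorithm, the MNC length (2 or 3 digits after a 3-digit MCC) is supplied by the caller, and all sample values are constructed.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; the last digit of `digits` is the check digit."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_mobile_id(kind: str, raw: str, mnc_len: int = 2) -> dict:
    """Validate an IMEI, ICCID or IMSI candidate (hypothetical helper)."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    value = re.sub(r"[\s-]", "", raw)          # drop separators seen in exports
    if not re.fullmatch(r"[0-9]+", value):     # ASCII digits only
        return {"ok": False, "reason": "not numeric"}
    kind, n = kind.upper(), len(value)         # case-insensitive type name
    if kind == "IMEI":
        if n == 15:
            ok = luhn_valid(value)
            return {"ok": ok, "value": value,
                    "reason": None if ok else "bad check digit"}
        if n == 16:                            # no check rule given for this form
            return {"ok": True, "value": value, "reason": "length only"}
    elif kind == "ICCID":
        if 18 <= n <= 20:
            return {"ok": True, "value": value, "reason": None}
    elif kind == "IMSI":
        if n in (14, 15):
            return {"ok": True, "value": value, "reason": None,
                    "mcc": value[:3], "mnc": value[3:3 + mnc_len],
                    "msin": value[3 + mnc_len:]}
    else:
        return {"ok": False, "reason": "unknown type"}
    return {"ok": False, "reason": "bad length"}


# Constructed sample values, not real devices or subscribers.
SAMPLES = [
    ("IMEI", "49-015420-323751-8"),
    ("imei", "490154203237519"),
    ("IMSI", "310150123456789"),
    ("ICCID", "89" + "0" * 17),
]

if __name__ == "__main__":
    for kind, raw in SAMPLES:
        print(kind, raw, check_mobile_id(kind, raw, mnc_len=3))
```

Rejecting malformed identifiers before they become observables keeps typos and truncated values out of the knowledge base, where they would otherwise produce false correlations.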