pycti.entities.opencti_stix_core_object
Classes
StixCoreObject | Main StixCoreObject class for OpenCTI
Module Contents
- class pycti.entities.opencti_stix_core_object.StixCoreObject(opencti)[source]
Main StixCoreObject class for OpenCTI
Base class for managing STIX core objects in the OpenCTI platform.
- Parameters:
opencti (OpenCTIApiClient) – instance of OpenCTIApiClient
Initialize the StixCoreObject instance.
- Parameters:
opencti (OpenCTIApiClient) – OpenCTI API client instance
- properties = Multiline-String[source]
""" id standard_id entity_type parent_types spec_version created_at updated_at objectOrganization { id standard_id name } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified } } } ... on StixDomainObject { revoked confidence created modified } ... on AttackPattern { name description aliases x_mitre_platforms x_mitre_permissions_required x_mitre_detection x_mitre_id killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } } ... on Campaign { name description aliases first_seen last_seen objective } ... on Note { attribute_abstract content authors note_types likelihood } ... on ObservedData { first_observed last_observed number_observed } ... on Opinion { explanation authors opinion } ... on Report { name description report_types published } ... on Grouping { name description context objects { edges { node { ... on BasicObject { id entity_type standard_id } ... on BasicRelationship { id entity_type standard_id } } } } } ... on CourseOfAction { name description x_opencti_aliases } ... on DataComponent { name description dataSource { id standard_id entity_type parent_types spec_version created_at updated_at revoked confidence created modified name description x_mitre_platforms collection_layers } } ... on DataSource { name description x_mitre_platforms collection_layers } ... 
on Individual { name description contact_information x_opencti_aliases x_opencti_firstname x_opencti_lastname } ... on Organization { name description contact_information x_opencti_aliases x_opencti_organization_type x_opencti_reliability } ... on Sector { name description contact_information x_opencti_aliases } ... on System { name description contact_information x_opencti_aliases } ... on Indicator { pattern_type pattern_version pattern name description indicator_types valid_from valid_until x_opencti_score x_opencti_detection x_opencti_main_observable_type } ... on Infrastructure { name description aliases infrastructure_types first_seen last_seen } ... on IntrusionSet { name description aliases first_seen last_seen goals resource_level primary_motivation secondary_motivations } ... on City { name description latitude longitude precision x_opencti_aliases } ... on Country { name description latitude longitude precision x_opencti_aliases } ... on Region { name description latitude longitude precision x_opencti_aliases } ... on Position { name description latitude longitude precision x_opencti_aliases street_address postal_code } ... on Malware { name description aliases malware_types is_family first_seen last_seen architecture_execution_envs implementation_languages capabilities killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } } ... on MalwareAnalysis { product version configuration_version modules analysis_engine_version analysis_definition_version submitted analysis_started analysis_ended result_name result } ... on ThreatActor { name description aliases threat_actor_types first_seen last_seen roles goals sophistication resource_level primary_motivation secondary_motivations personal_motivations } ... on Tool { name description aliases tool_types tool_version killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } } ... 
on Vulnerability { name description x_opencti_aliases x_opencti_cvss_vector_string x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector x_opencti_cvss_attack_complexity x_opencti_cvss_privileges_required x_opencti_cvss_user_interaction x_opencti_cvss_scope x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact x_opencti_cvss_exploit_code_maturity x_opencti_cvss_remediation_level x_opencti_cvss_report_confidence x_opencti_cvss_temporal_score x_opencti_cvss_v2_vector_string x_opencti_cvss_v2_base_score x_opencti_cvss_v2_access_vector x_opencti_cvss_v2_access_complexity x_opencti_cvss_v2_authentication x_opencti_cvss_v2_confidentiality_impact x_opencti_cvss_v2_integrity_impact x_opencti_cvss_v2_availability_impact x_opencti_cvss_v2_exploitability x_opencti_cvss_v2_remediation_level x_opencti_cvss_v2_report_confidence x_opencti_cvss_v2_temporal_score x_opencti_cvss_v4_vector_string x_opencti_cvss_v4_base_score x_opencti_cvss_v4_base_severity x_opencti_cvss_v4_attack_vector x_opencti_cvss_v4_attack_complexity x_opencti_cvss_v4_attack_requirements x_opencti_cvss_v4_privileges_required x_opencti_cvss_v4_user_interaction x_opencti_cvss_v4_confidentiality_impact_v x_opencti_cvss_v4_confidentiality_impact_s x_opencti_cvss_v4_integrity_impact_v x_opencti_cvss_v4_integrity_impact_s x_opencti_cvss_v4_availability_impact_v x_opencti_cvss_v4_availability_impact_s x_opencti_cvss_v4_exploit_maturity x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile x_opencti_score } ... on Incident { name description aliases first_seen last_seen objective } ... on Event { name description } ... on Channel { name description aliases channel_types } ... on Narrative { name description aliases narrative_types } ... on Case { name description objects { edges { node { ... on BasicObject { id entity_type standard_id } ... on BasicRelationship { id entity_type standard_id } } } } } ... 
on Feedback { name description objects { edges { node { ... on BasicObject { id entity_type standard_id } ... on BasicRelationship { id entity_type standard_id } } } } } ... on StixCyberObservable { observable_value indicators { edges { node { id pattern pattern_type } } } } ... on AutonomousSystem { number name_alt: name rir } ... on Directory { path path_enc ctime mtime atime } ... on DomainName { value } ... on EmailAddr { value display_name } ... on EmailMessage { is_multipart attribute_date content_type message_id subject received_lines body } ... on Artifact { mime_type payload_bin url encryption_algorithm decryption_key hashes { algorithm hash } importFiles { edges { node { id name size } } } } ... on StixFile { extensions size name_alt: name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes { algorithm hash } } ... on X509Certificate { is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes { algorithm hash } basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings } ... on IPv4Addr { value } ... on IPv6Addr { value } ... on MacAddr { value } ... on Mutex { name_alt: name } ... on NetworkTraffic { extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets } ... on Process { extensions is_hidden pid created_time cwd command_line environment_variables } ... on Software { name_alt: name cpe swid languages vendor version } ... on Url { value } ... 
on UserAccount { extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login } ... on WindowsRegistryKey { attribute_key modified_time number_of_subkeys } ... on WindowsRegistryValueType { name_alt: name data data_type } ... on CryptographicKey { value } ... on CryptocurrencyWallet { value } ... on Hostname { value } ... on Text { value } ... on UserAgent { value } ... on BankAccount { iban bic account_number } ... on PhoneNumber { value } ... on TrackingNumber { value } ... on Credential { value } ... on PaymentCard { card_number expiration_date cvv holder_name } ... on Persona { persona_name persona_type } ... on MediaContent { title content_alt: content media_category url publication_date } """
- properties_with_files = Multiline-String[source]
""" id standard_id entity_type parent_types spec_version created_at updated_at objectOrganization { id standard_id name } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified importFiles { edges { node { id name size metaData { mimetype version } } } } } } } ... on StixDomainObject { revoked confidence created modified } importFiles { edges { node { id name size metaData { mimetype version } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } } } } ... on AttackPattern { name description aliases x_mitre_platforms x_mitre_permissions_required x_mitre_detection x_mitre_id killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } } ... on Campaign { name description aliases first_seen last_seen objective } ... on Note { attribute_abstract content authors note_types likelihood } ... on ObservedData { first_observed last_observed number_observed } ... on Opinion { explanation authors opinion } ... on Report { name description report_types published } ... on Grouping { name description context objects { edges { node { ... on BasicObject { id entity_type standard_id } ... on BasicRelationship { id entity_type standard_id } } } } } ... on CourseOfAction { name description x_opencti_aliases } ... 
on DataComponent { name description dataSource { id standard_id entity_type parent_types spec_version created_at updated_at revoked confidence created modified name description x_mitre_platforms collection_layers } } ... on DataSource { name description x_mitre_platforms collection_layers } ... on Individual { name description contact_information x_opencti_aliases x_opencti_firstname x_opencti_lastname } ... on Organization { name description contact_information x_opencti_aliases x_opencti_organization_type x_opencti_reliability } ... on Sector { name description contact_information x_opencti_aliases } ... on System { name description contact_information x_opencti_aliases } ... on Indicator { pattern_type pattern_version pattern name description indicator_types valid_from valid_until x_opencti_score x_opencti_detection x_opencti_main_observable_type } ... on Infrastructure { name description aliases infrastructure_types first_seen last_seen } ... on IntrusionSet { name description aliases first_seen last_seen goals resource_level primary_motivation secondary_motivations } ... on City { name description latitude longitude precision x_opencti_aliases } ... on Country { name description latitude longitude precision x_opencti_aliases } ... on Region { name description latitude longitude precision x_opencti_aliases } ... on Position { name description latitude longitude precision x_opencti_aliases street_address postal_code } ... on Malware { name description aliases malware_types is_family first_seen last_seen architecture_execution_envs implementation_languages capabilities killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } } ... on MalwareAnalysis { product version configuration_version modules analysis_engine_version analysis_definition_version submitted analysis_started analysis_ended result_name result } ... 
on ThreatActor { name description aliases threat_actor_types first_seen last_seen roles goals sophistication resource_level primary_motivation secondary_motivations personal_motivations } ... on Tool { name description aliases tool_types tool_version killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } } ... on Vulnerability { name description x_opencti_aliases x_opencti_cvss_vector_string x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector x_opencti_cvss_attack_complexity x_opencti_cvss_privileges_required x_opencti_cvss_user_interaction x_opencti_cvss_scope x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact x_opencti_cvss_exploit_code_maturity x_opencti_cvss_remediation_level x_opencti_cvss_report_confidence x_opencti_cvss_temporal_score x_opencti_cvss_v2_vector_string x_opencti_cvss_v2_base_score x_opencti_cvss_v2_access_vector x_opencti_cvss_v2_access_complexity x_opencti_cvss_v2_authentication x_opencti_cvss_v2_confidentiality_impact x_opencti_cvss_v2_integrity_impact x_opencti_cvss_v2_availability_impact x_opencti_cvss_v2_exploitability x_opencti_cvss_v2_remediation_level x_opencti_cvss_v2_report_confidence x_opencti_cvss_v2_temporal_score x_opencti_cvss_v4_vector_string x_opencti_cvss_v4_base_score x_opencti_cvss_v4_base_severity x_opencti_cvss_v4_attack_vector x_opencti_cvss_v4_attack_complexity x_opencti_cvss_v4_attack_requirements x_opencti_cvss_v4_privileges_required x_opencti_cvss_v4_user_interaction x_opencti_cvss_v4_confidentiality_impact_v x_opencti_cvss_v4_confidentiality_impact_s x_opencti_cvss_v4_integrity_impact_v x_opencti_cvss_v4_integrity_impact_s x_opencti_cvss_v4_availability_impact_v x_opencti_cvss_v4_availability_impact_s x_opencti_cvss_v4_exploit_maturity x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile x_opencti_score } ... 
on Incident { name description aliases first_seen last_seen objective } ... on Event { name description } ... on Channel { name description aliases channel_types } ... on Narrative { name description aliases narrative_types } ... on Case { name description objects { edges { node { ... on BasicObject { id entity_type standard_id } ... on BasicRelationship { id entity_type standard_id } } } } } ... on Feedback { name description objects { edges { node { ... on BasicObject { id entity_type standard_id } ... on BasicRelationship { id entity_type standard_id } } } } } ... on StixCyberObservable { observable_value indicators { edges { node { id pattern pattern_type } } } } ... on AutonomousSystem { number name_alt: name rir } ... on Directory { path path_enc ctime mtime atime } ... on DomainName { value } ... on EmailAddr { value display_name } ... on EmailMessage { is_multipart attribute_date content_type message_id subject received_lines body } ... on Artifact { mime_type payload_bin url encryption_algorithm decryption_key hashes { algorithm hash } importFiles { edges { node { id name size } } } } ... on StixFile { extensions size name_alt: name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes { algorithm hash } } ... on X509Certificate { is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes { algorithm hash } basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings } ... on IPv4Addr { value } ... on IPv6Addr { value } ... on MacAddr { value } ... on Mutex { name_alt: name } ... 
on NetworkTraffic { extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets } ... on Process { extensions is_hidden pid created_time cwd command_line environment_variables } ... on Software { name_alt: name cpe swid languages vendor version } ... on Url { value } ... on UserAccount { extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login } ... on WindowsRegistryKey { attribute_key modified_time number_of_subkeys } ... on WindowsRegistryValueType { name_alt: name data data_type } ... on CryptographicKey { value } ... on CryptocurrencyWallet { value } ... on Hostname { value } ... on Text { value } ... on UserAgent { value } ... on BankAccount { iban bic account_number } ... on PhoneNumber { value } ... on TrackingNumber { value } ... on Credential { value } ... on PaymentCard { card_number expiration_date cvv holder_name } ... on Persona { persona_name persona_type } ... on MediaContent { title content_alt: content media_category url publication_date } """
- list(**kwargs)[source]
List Stix-Core-Object objects.
- Parameters:
types (list) – the list of types
filters (dict) – the filters to apply
search (str) – the search keyword
first (int) – return the first n rows from the after ID (or the beginning if not set)
after (str) – ID of the first row for pagination
orderBy (str) – field to order results by
orderMode (str) – ordering mode (asc/desc)
customAttributes (str) – custom attributes to return
getAll (bool) – whether to retrieve all results
withPagination (bool) – whether to include pagination info
withFiles (bool) – whether to include files
- Returns:
List of Stix-Core-Object objects
- Return type:
list
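An added example (not part of pycti or of this page) of walking list() page by page with the documented first, after, customAttributes and withPagination parameters, instead of loading everything with getAll. It assumes, which this page does not state, that with withPagination=True the call returns a dict with "entities" and "pagination" keys, the latter carrying "hasNextPage" and "endCursor"; FakeStixCoreObject and SAMPLE_ROWS are constructed stand-ins so the code runs without a server.

```python
# Minimal selection set, using field names from the `properties` string above,
# so each page carries only what the caller needs.
MINIMAL_ATTRIBUTES = "id standard_id entity_type"


def iter_stix_core_objects(api, types, page_size=2, max_pages=1000):
    """Yield objects page by page from anything exposing list(**kwargs).

    ASSUMPTION (not stated on this page): the paginated return value is
    {"entities": [...], "pagination": {"hasNextPage": bool, "endCursor": str}}.
    """
    after = None
    for _ in range(max_pages):
        page = api.list(
            types=types,
            first=page_size,
            after=after,
            customAttributes=MINIMAL_ATTRIBUTES,
            withPagination=True,
        )
        yield from page["entities"]
        info = page["pagination"]
        if not info.get("hasNextPage"):
            return
        # Fail loudly rather than loop forever if the cursor does not advance.
        if info.get("endCursor") in (None, after):
            raise RuntimeError("pagination cursor did not advance")
        after = info["endCursor"]
    raise RuntimeError("max_pages reached before the last page")


class FakeStixCoreObject:
    """Constructed in-memory stand-in for StixCoreObject (hypothetical)."""

    def __init__(self, rows):
        self.rows = rows
        self.calls = 0

    def list(self, **kwargs):
        self.calls += 1
        wanted = kwargs.get("types") or []
        rows = [r for r in self.rows if not wanted or r["entity_type"] in wanted]
        start = int(kwargs.get("after") or 0)  # the fake's cursor is an offset
        end = start + kwargs.get("first", 100)
        fields = kwargs["customAttributes"].split()
        entities = [{f: r[f] for f in fields} for r in rows[start:end]]
        return {
            "entities": entities,
            "pagination": {"hasNextPage": end < len(rows), "endCursor": str(end)},
        }


# Constructed sample data; ids are placeholders, not real OpenCTI identifiers.
SAMPLE_ROWS = [
    {"id": f"internal-{i}", "standard_id": f"placeholder--{i}",
     "entity_type": t, "name": f"constructed {i}"}
    for i, t in enumerate(["Malware", "Indicator", "Malware", "Malware", "Report"])
]


def collect_ids(types, page_size=2):
    """Return (ids, number of list() calls) for the constructed sample data."""
    fake = FakeStixCoreObject(SAMPLE_ROWS)
    ids = [o["id"] for o in iter_stix_core_objects(fake, types, page_size)]
    return ids, fake.calls
```

Against a live platform, pass the client's StixCoreObject instance as `api`; the cursor format there is whatever the server returns and is treated as opaque by the loop.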
- read(**kwargs)[source]
Read a Stix-Core-Object object.
- Parameters:
id (str) – the id of the Stix-Core-Object
types (list) – list of Stix Core Entity types
filters (dict) – the filters to apply if no id provided
customAttributes (str) – custom attributes to return
withFiles (bool) – whether to include files
- Returns:
Stix-Core-Object object
- Return type:
dict or None
- list_files(**kwargs)[source]
List files of a Stix-Core-Object.
- Parameters:
id (str) – the id of the Stix-Core-Object
- Returns:
List of files associated with the object
- Return type:
list
- push_list_export(entity_id, entity_type, file_name, file_markings, data, list_filters='', mime_type=None)[source]
Push a list export file for Stix-Core-Objects.
- Parameters:
entity_id (str or None) – the id of the entity (optional)
entity_type (str) – the type of the entity
file_name (str) – the name of the file to export
file_markings (list) – list of marking definition ids to apply
data (str) – the data content to export
list_filters (str) – filters to apply on the list (default: '')
mime_type (str or None) – the MIME type of the file (optional)
- push_analysis(entity_id, file_name, data, content_source, content_type, analysis_type)[source]
Push an analysis file for a Stix-Core-Object.
- Parameters:
entity_id (str) – the id of the Stix-Core-Object
file_name (str) – the name of the analysis file
data (str) – the analysis data content
content_source (str) – the source of the content
content_type (str) – the type of analysis content
analysis_type (str) – the type of analysis
- reports(**kwargs)[source]
Get the reports about a Stix-Core-Object object.
- Parameters:
id (str) – the id of the Stix-Core-Object
- Returns:
List of reports
- Return type:
list or None
- rule_apply(**kwargs)[source]
Apply rule to Stix-Core-Object object.
- Parameters:
element_id (str) – the Stix-Core-Object id
rule_id (str) – the rule to apply
- rule_apply_async(**kwargs)[source]
Apply rule to Stix-Core-Object object.
- Parameters:
element_id (str) – the Stix-Core-Object id
rule_id (str) – the rule to apply
- rule_clear(**kwargs)[source]
Apply rule clear to Stix-Core-Object object.
- Parameters:
element_id (str) – the Stix-Core-Object id
rule_id (str) – the rule to clear
- rules_rescan(**kwargs)[source]
Apply rules rescan to Stix-Core-Object object.
- Parameters:
element_id (str) – the Stix-Core-Object id
- rule_rescan_async(**kwargs)[source]
Apply rules rescan to Stix-Core-Object object.
- Parameters:
element_id (str) – the Stix-Core-Object id
- clear_access_restriction(**kwargs)[source]
Request that the access restriction on a Stix-Core-Object be cleared.
- Parameters:
element_id (str) – the Stix-Core-Object id
- ask_enrichment(**kwargs)[source]
Ask enrichment with a single connector.
- Parameters:
element_id (str) – the Stix-Core-Object id
connector_id (str) – the connector id
- ask_enrichments(**kwargs)[source]
Ask enrichment with multiple connectors.
- Parameters:
element_id (str) – the Stix-Core-Object id
connector_ids (list) – list of connector ids
Share element to multiple organizations.
- Parameters:
entity_id (str) – the Stix-Core-Object id
organization_ids (list) – list of organization ids to share with
sharing_direct_container (bool) – whether to share direct containers
Unshare element from multiple organizations.
- Parameters:
entity_id (str) – the Stix-Core-Object id
organization_ids (list) – list of organization ids to unshare from
sharing_direct_container (bool) – whether to unshare direct containers