pycti.entities.opencti_stix_cyber_observable
Classes
StixCyberObservable – Main StixCyberObservable class for OpenCTI
Module Contents
- class pycti.entities.opencti_stix_cyber_observable.StixCyberObservable(opencti)[source]
Main StixCyberObservable class for OpenCTI
Manages STIX Cyber Observables (SCOs such as IPv4/IPv6 addresses, domain names, URLs, files and their hashes, user accounts) in the OpenCTI platform. An observable records a fact seen in data; the related Indicator object (see promote_to_indicator_v2) is what carries a detection pattern. Note: Deprecated methods are available through StixCyberObservableDeprecatedMixin.
- Parameters:
opencti (OpenCTIApiClient) – the OpenCTIApiClient instance used for every GraphQL call
- properties = Multiline-String[source]
""" id standard_id entity_type parent_types spec_version created_at updated_at objectOrganization { id standard_id name } creators { id name } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified } } } observable_value x_opencti_description x_opencti_score indicators { edges { node { id pattern pattern_type } } } ... on AutonomousSystem { number name rir } ... on Directory { path path_enc ctime mtime atime } ... on DomainName { value } ... on EmailAddr { value display_name } ... on EmailMessage { is_multipart attribute_date content_type message_id subject received_lines body } ... on Artifact { mime_type payload_bin url encryption_algorithm decryption_key hashes { algorithm hash } importFiles { edges { node { id name size metaData { mimetype version } } } } } ... on StixFile { extensions size name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes { algorithm hash } } ... 
on X509Certificate { is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes { algorithm hash } basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings } ... on SSHKey { key_type public_key fingerprint_sha256 fingerprint_md5 key_length expiration_date comment created } ... on AIPrompt { value } ... on IPv4Addr { value } ... on IPv6Addr { value } ... on MacAddr { value } ... on Mutex { name } ... on NetworkTraffic { extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets } ... on Process { extensions is_hidden pid created_time cwd command_line environment_variables } ... on Software { name cpe swid languages vendor version x_opencti_product } ... on Url { value } ... on UserAccount { extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login } ... on WindowsRegistryKey { attribute_key modified_time number_of_subkeys } ... on WindowsRegistryValueType { name data data_type } ... on CryptographicKey { value } ... on CryptocurrencyWallet { value } ... on Hostname { value } ... on Text { value } ... on UserAgent { value } ... on BankAccount { iban bic account_number } ... on PhoneNumber { value } ... on TrackingNumber { value } ... on Credential { value } ... on PaymentCard { card_number expiration_date cvv holder_name } ... on Persona { persona_name persona_type } ... 
on MediaContent { title content media_category url publication_date } ... on IMEI { value } ... on ICCID { value } ... on IMSI { value } """
- properties_with_files = Multiline-String[source]
""" id standard_id entity_type parent_types spec_version created_at updated_at objectOrganization { id standard_id name } creators { id name } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified importFiles { edges { node { id name size metaData { mimetype version } } } } } } } observable_value x_opencti_description x_opencti_score indicators { edges { node { id pattern pattern_type } } } ... on AutonomousSystem { number name rir } ... on Directory { path path_enc ctime mtime atime } ... on DomainName { value } ... on EmailAddr { value display_name } ... on EmailMessage { is_multipart attribute_date content_type message_id subject received_lines body } ... on Artifact { mime_type payload_bin url encryption_algorithm decryption_key hashes { algorithm hash } importFiles { edges { node { id name size metaData { mimetype version } } } } } ... on StixFile { extensions size name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes { algorithm hash } } ... 
on X509Certificate { is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes { algorithm hash } basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings } ... on SSHKey { key_type public_key fingerprint_sha256 fingerprint_md5 key_length expiration_date comment created } ... on AIPrompt { value } ... on IPv4Addr { value } ... on IPv6Addr { value } ... on MacAddr { value } ... on Mutex { name } ... on NetworkTraffic { extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets } ... on Process { extensions is_hidden pid created_time cwd command_line environment_variables } ... on Software { name cpe swid languages vendor version x_opencti_product } ... on Url { value } ... on UserAccount { extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login } ... on WindowsRegistryKey { attribute_key modified_time number_of_subkeys } ... on WindowsRegistryValueType { name data data_type } ... on CryptographicKey { value } ... on CryptocurrencyWallet { value } ... on Hostname { value } ... on Text { value } ... on UserAgent { value } ... on BankAccount { iban bic account_number } ... on PhoneNumber { value } ... on TrackingNumber { value } ... on Credential { value } ... on PaymentCard { card_number expiration_date cvv holder_name } ... on Persona { persona_name persona_type } ... 
on MediaContent { title content media_category url publication_date } ... on IMEI { value } ... on ICCID { value } ... on IMSI { value } importFiles { edges { node { id name size metaData { mimetype version } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } } } } """
- list(**kwargs)[source]
List StixCyberObservable objects.
- Parameters:
types (list) – the array of types
filters (dict) – the filters to apply
search (str) – the search keyword
first (int) – return the first n rows from the after ID (or the beginning if not set)
after (str) – ID of the first row for pagination
orderBy (str) – field to order results by
orderMode (str) – ordering mode (asc/desc)
customAttributes (str) – custom attributes to return
getAll (bool) – whether to retrieve all results
withPagination (bool) – whether to include pagination info
withFiles (bool) – whether to include files
- Returns:
List of StixCyberObservable objects
- Return type:
list
- read(**kwargs)[source]
Read a StixCyberObservable object.
- Parameters:
id (str) – the id of the StixCyberObservable
filters (dict) – the filters to apply if no id provided
customAttributes (str) – custom attributes to return
withFiles (bool) – whether to include files
- Returns:
StixCyberObservable object
- Return type:
dict or None
- add_file(**kwargs)[source]
Upload a file and attach it to this Observable.
- Parameters:
id (str) – the Stix-Cyber-Observable id
file_name (str) – name of the file to upload
data (bytes or str) – the file data
fileMarkings (list) – list of marking definition IDs for the file
version (str) – file version
mime_type (str) – MIME type of the file (default: text/plain)
no_trigger_import (bool) – whether to skip import trigger
embedded (bool) – whether the file is embedded
- Returns:
updated StixCyberObservable object
- Return type:
dict or None
- create(**kwargs)[source]
Create a Stix-Cyber-Observable object.
- Parameters:
observableData (dict) – the data of the observable (STIX2 structure)
simple_observable_id (str) – (optional) simple observable STIX ID
simple_observable_key (str) – (optional) simple observable key (e.g., “IPv4-Addr.value”)
simple_observable_value (str) – (optional) simple observable value
simple_observable_description (str) – (optional) simple observable description
x_opencti_score (int) – (optional) score (0-100)
createdBy (str) – (optional) the author ID
objectMarking (list) – (optional) list of marking definition IDs
objectLabel (list) – (optional) list of label IDs
externalReferences (list) – (optional) list of external reference IDs
objectOrganization (list) – (optional) list of organization IDs
update (bool) – (optional) whether to update if exists (default: False)
resolve_result_indicators (bool) – (optional) resolve result indicators (default: True)
files (list) – (optional) list of File objects to attach
filesMarkings (list) – (optional) list of lists of marking definition IDs for each file
- Returns:
Stix-Cyber-Observable object
- Return type:
dict or None
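The following is an added example, not pycti's own code, showing how a feed of raw indicator strings is turned into create() calls: each line is refanged (feeds usually ship hxxp:// and [.] forms, and an observable stored defanged will never match real telemetry), classified into a STIX 2.1 SCO dict for observableData, and paired with the documented x_opencti_score, createdBy, objectMarking and update arguments. Assumptions: the sample feed is constructed; putting x_opencti_description inside observableData follows OpenCTI's custom-property convention; the OPENCTI_URL and OPENCTI_TOKEN environment variable names and the marking and author IDs are placeholders to replace with values from your platform.

```python
"""Turn raw IOC strings into pycti StixCyberObservable.create() arguments.

Added example, not part of pycti. The feed below is constructed.
"""
import ipaddress
import os
import re
from typing import Any, Dict, List, Optional

# Constructed sample feed: defanged and clean indicators plus a junk line.
SAMPLE_FEED = [
    "192.0.2.44",
    "hxxp://malicious[.]example[.]com/payload.bin",
    "malicious[.]example[.]com",
    "44d88612fea8a8f36de82e1278abb02f",
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "not an indicator",
]

_HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex length -> STIX hash name
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,63}$", re.I)


def refang(value: str) -> str:
    """Undo common defanging so the stored value matches what sensors actually see."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)  # hxxp:// and hxxps://
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[at]", "@")):
        v = v.replace(defanged, clean)
    return v


def to_stix_sco(raw: str) -> Optional[Dict[str, Any]]:
    """Classify one IOC and return a STIX 2.1 SCO dict for observableData, or None."""
    v = refang(raw)
    try:
        ip = ipaddress.ip_address(v)
        return {"type": "ipv4-addr" if ip.version == 4 else "ipv6-addr", "value": v}
    except ValueError:
        pass
    if len(v) in _HASH_ALGOS and re.fullmatch(r"[0-9a-f]+", v, re.I):
        return {"type": "file", "hashes": {_HASH_ALGOS[len(v)]: v.lower()}}
    if re.match(r"^https?://", v, re.I):
        return {"type": "url", "value": v}
    if _DOMAIN_RE.match(v):
        return {"type": "domain-name", "value": v.lower()}
    return None  # unrecognised line: skip rather than ingest garbage


def build_create_kwargs(feed, score, marking_ids, author_id, description) -> List[Dict[str, Any]]:
    """One kwargs dict per recognised IOC, ready for stix_cyber_observable.create(**kw)."""
    out = []
    for raw in feed:
        sco = to_stix_sco(raw)
        if sco is None:
            continue
        # Assumption: x_opencti_description travels inside observableData as an
        # OpenCTI custom property; score, author and markings use the documented kwargs.
        sco["x_opencti_description"] = description
        out.append({
            "observableData": sco,
            "x_opencti_score": score,
            "createdBy": author_id,
            "objectMarking": marking_ids,
            "update": True,  # refresh score/description if the observable already exists
        })
    return out


def push_iocs(client, kwargs_list) -> List[str]:
    """Create each observable through pycti and return the platform IDs."""
    ids = []
    for kw in kwargs_list:
        obs = client.stix_cyber_observable.create(**kw)
        if obs is not None:
            ids.append(obs["id"])
    return ids


if __name__ == "__main__":
    # Placeholder names/IDs: set OPENCTI_URL / OPENCTI_TOKEN and real marking/author IDs.
    url, token = os.environ.get("OPENCTI_URL"), os.environ.get("OPENCTI_TOKEN")
    plan = build_create_kwargs(SAMPLE_FEED, score=75, marking_ids=["<tlp-amber-id>"],
                               author_id="<author-identity-id>", description="constructed feed")
    if url and token:
        from pycti import OpenCTIApiClient
        print(push_iocs(OpenCTIApiClient(url, token), plan))
    else:
        for kw in plan:
            print(kw["observableData"])
```

Run it without credentials to inspect the dicts that would be sent; with OPENCTI_URL and OPENCTI_TOKEN set it creates the observables. Classification order matters: IP parsing runs before the hex-hash check so that an address is never mistaken for a hash, and the hash check runs before the domain check because a bare hash has no dot.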
- upload_artifact(**kwargs)[source]
Upload an artifact.
- Parameters:
file_name (str) – the file name or path
data (bytes) – the file data (optional, reads from file_name if not provided)
mime_type (str) – the MIME type (default: text/plain)
x_opencti_description (str) – description for the artifact
createdBy (str) – the author ID
objectMarking (list) – list of marking definition IDs
objectLabel (list) – list of label IDs
createIndicator (bool) – whether to create an indicator (default: False)
- Returns:
Stix-Observable object
- Return type:
dict or None
- update_field(**kwargs)[source]
Update a Stix-Observable object field.
- Parameters:
id (str) – the Stix-Observable id
input (list) – the edit inputs to apply, one dict per field giving the field key and the new value list, e.g. [{"key": "x_opencti_score", "value": ["80"]}]
- Returns:
The updated Stix-Observable object
- Return type:
dict or None
- promote_to_indicator_v2(**kwargs)[source]
Promote a Stix-Observable to an Indicator: creates an Indicator whose STIX pattern is derived from the observable's value and links the two with a based-on relationship.
- Parameters:
id (str) – the Stix-Observable id
customAttributes (str) – custom attributes to return for the indicator
- Returns:
The newly created indicator
- Return type:
dict or None
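The following is an added example, not pycti's own code, that ties what read() and list() return to update_field() and promote_to_indicator_v2(): it lowers the score of observables that have not been updated for a while and promotes high-score ones that have no Indicator yet, using the indicators edges from the properties selection to avoid creating a duplicate indicator. Assumptions: the sample observables are constructed to mirror the fields in properties; the edit input shape [{"key": ..., "value": [...]}] passed to update_field follows OpenCTI's GraphQL edit-input convention; the thresholds are illustrative.

```python
"""Plan and apply score decay and indicator promotion for observables read from OpenCTI.

Added example, not part of pycti. The observable dicts are constructed to
mirror fields from the `properties` selection (id, observable_value,
x_opencti_score, updated_at, indicators).
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple

# Fixed clock so the example is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample of what read()/list() return, trimmed to the fields used here.
SAMPLE_OBSERVABLES: List[Dict[str, Any]] = [
    {"id": "obs-1", "entity_type": "IPv4-Addr", "observable_value": "192.0.2.44",
     "x_opencti_score": 85, "updated_at": "2024-05-30T10:00:00.000Z",
     "indicators": {"edges": []}},
    {"id": "obs-2", "entity_type": "Domain-Name", "observable_value": "malicious.example.com",
     "x_opencti_score": 90, "updated_at": "2024-05-29T10:00:00.000Z",
     "indicators": {"edges": [{"node": {"id": "ind-1",
                                        "pattern": "[domain-name:value = 'malicious.example.com']",
                                        "pattern_type": "stix"}}]}},
    {"id": "obs-3", "entity_type": "StixFile", "observable_value": "44d88612fea8a8f36de82e1278abb02f",
     "x_opencti_score": 60, "updated_at": "2024-01-01T10:00:00.000Z",
     "indicators": {"edges": []}},
]


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps OpenCTI returns (e.g. 2024-05-30T10:00:00.000Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def plan_triage(observables, now=NOW, promote_at=80, stale_after_days=90, decay=20):
    """Decide what to change without touching the platform.

    Returns {"promote": [observable ids], "updates": [(observable id, edit input)]}.
    """
    plan: Dict[str, List[Any]] = {"promote": [], "updates": []}
    for obs in observables:
        score = obs.get("x_opencti_score") or 0
        has_indicator = bool(obs["indicators"]["edges"])  # already promoted: do not duplicate
        age = now - _parse_ts(obs["updated_at"])
        if age > timedelta(days=stale_after_days):
            score = max(score - decay, 0)
            # Assumption: update_field takes a list of {key, value: [..]} edit inputs.
            edit_input = [{"key": "x_opencti_score", "value": [str(score)]}]
            plan["updates"].append((obs["id"], edit_input))
        if score >= promote_at and not has_indicator:
            plan["promote"].append(obs["id"])
    return plan


def apply_triage(client, plan) -> List[str]:
    """Execute a plan through pycti; returns the IDs of the indicators created."""
    created = []
    for obs_id, edit_input in plan["updates"]:
        client.stix_cyber_observable.update_field(id=obs_id, input=edit_input)
    for obs_id in plan["promote"]:
        indicator = client.stix_cyber_observable.promote_to_indicator_v2(id=obs_id)
        if indicator is not None:
            created.append(indicator["id"])
    return created


if __name__ == "__main__":
    # Dry run on the constructed sample; pass a real OpenCTIApiClient to apply_triage() to act.
    print(plan_triage(SAMPLE_OBSERVABLES))
```

Because the decision logic is separated from the API calls, the plan can be reviewed (or unit-tested, as here) before anything is written back; a decayed score is applied before the promotion check so that a stale observable is not promoted on the strength of its old score.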
- delete(**kwargs)[source]
Delete a Stix-Observable.
- Parameters:
id (str) – the Stix-Observable id
- Returns:
None
- Return type:
None
- update_created_by(**kwargs)[source]
Update the Identity author of a Stix-Cyber-Observable object (created_by).
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
identity_id (str) – the id of the Identity
- Returns:
True on success, False on failure
- Return type:
bool
- add_marking_definition(**kwargs)[source]
Add a Marking-Definition object to Stix-Cyber-Observable object (object_marking_refs).
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
marking_definition_id (str) – the id of the Marking-Definition
- Returns:
True on success, False on failure
- Return type:
bool
- remove_marking_definition(**kwargs)[source]
Remove a Marking-Definition object from Stix-Cyber-Observable object.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
marking_definition_id (str) – the id of the Marking-Definition
- Returns:
True on success, False on failure
- Return type:
bool
- add_label(**kwargs)[source]
Add a Label object to Stix-Cyber-Observable object.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
label_id (str) – the id of the Label
label_name (str) – the name of the Label (will create if not exists)
- Returns:
True on success, False on failure
- Return type:
bool
- remove_label(**kwargs)[source]
Remove a Label object from Stix-Cyber-Observable object.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
label_id (str) – the id of the Label
label_name (str) – the name of the Label (alternative to label_id)
- Returns:
True on success, False on failure
- Return type:
bool
- add_external_reference(**kwargs)[source]
Add an External-Reference object to Stix-Cyber-Observable object.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
external_reference_id (str) – the id of the External-Reference
- Returns:
True on success, False on failure
- Return type:
bool
- remove_external_reference(**kwargs)[source]
Remove an External-Reference object from Stix-Cyber-Observable object.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
external_reference_id (str) – the id of the External-Reference
- Returns:
True on success, False on failure
- Return type:
bool
- push_list_export(entity_id, entity_type, file_name, file_markings, data, list_filters='', mime_type=None)[source]
Push a list export for Stix-Cyber-Observables.
- Parameters:
entity_id (str) – the entity ID
entity_type (str) – the entity type
file_name (str) – the file name
file_markings (list) – list of marking definition IDs for the file
data (bytes) – the file data
list_filters (str) – the list filters (default: “”)
mime_type (str) – the MIME type (optional)
- Returns:
None
- Return type:
None
- ask_for_enrichment(**kwargs) → str[source]
Ask for enrichment of a Stix-Cyber-Observable.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
connector_id (str) – the id of the enrichment connector
- Returns:
The work ID
- Return type:
str
- reports(**kwargs)[source]
Get the reports about a Stix-Cyber-Observable object.
- Parameters:
id (str) – the id of the Stix-Cyber-Observable
- Returns:
List of reports
- Return type:
list or None