pycti.utils.constants

These are the custom STIX properties and observation types used internally by OpenCTI.

Classes

`CaseInsensitiveEnum`	Base Enum class with case-insensitive value lookup.
`StixCyberObservableTypes`	Enumeration of STIX Cyber Observable types supported by OpenCTI.
`IdentityTypes`	Enumeration of Identity types supported by OpenCTI.
`ThreatActorTypes`	Enumeration of Threat Actor types supported by OpenCTI.
`LocationTypes`	Enumeration of Location types supported by OpenCTI.
`ContainerTypes`	Enumeration of Container types supported by OpenCTI.
`StixMetaTypes`	Enumeration of STIX Meta Object types supported by OpenCTI.
`MultipleRefRelationship`	Enumeration of relationship types that can have multiple references.
`CustomObjectCaseIncident`	Custom STIX2 Case-Incident object for OpenCTI.
`CustomObjectCaseRfi`	Custom STIX2 Case-RFI (Request For Information) object for OpenCTI.
`CustomObjectTask`	Custom STIX2 Task object for OpenCTI.
`CustomObjectChannel`	Custom STIX2 Channel object for OpenCTI.
`CustomObservableHostname`	Custom STIX2 Hostname observable for OpenCTI.
`CustomObservableText`	Custom STIX2 Text observable for OpenCTI.
`CustomObservablePaymentCard`	Custom STIX2 Payment Card observable for OpenCTI.
`CustomObservableBankAccount`	Custom STIX2 Bank Account observable for OpenCTI.
`CustomObservableCredential`	Custom STIX2 Credential observable for OpenCTI.
`CustomObservableCryptocurrencyWallet`	Custom STIX2 Cryptocurrency Wallet observable for OpenCTI.
`CustomObservablePhoneNumber`	Custom STIX2 Phone Number observable for OpenCTI.
`CustomObservableTrackingNumber`	Custom STIX2 Tracking Number observable for OpenCTI.
`CustomObservableUserAgent`	Custom STIX2 User-Agent observable for OpenCTI.
`CustomObservableMediaContent`	Custom STIX2 Media-Content observable for OpenCTI.
`CustomObservablePersona`	Custom STIX2 Persona observable for OpenCTI.
`CustomObservableCryptographicKey`	Custom STIX2 Cryptographic-Key observable for OpenCTI.
`CustomObservableSshKey`	Custom STIX2 SSH-Key observable for OpenCTI.
`CustomObservableAIPrompt`	Custom STIX2 AI Prompt observable for OpenCTI.
`CustomObservableIMEI`	IMEI observable.
`CustomObservableICCID`	ICCID observable.
`CustomObservableIMSI`	IMSI observable.

Module Contents

class pycti.utils.constants.CaseInsensitiveEnum(*args, **kwds)[source]

Bases: enum.Enum

Base Enum class with case-insensitive value lookup.

classmethod has_value(value: str) → bool[source]

Check if the enum contains the given value (case-insensitive).

Parameters:: value (str) – Value to check
Returns:: True if value exists in enum, False otherwise
Return type:: bool

class pycti.utils.constants.StixCyberObservableTypes(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of STIX Cyber Observable types supported by OpenCTI.

AUTONOMOUS_SYSTEM = 'Autonomous-System'[source]

DIRECTORY = 'Directory'[source]

DOMAIN_NAME = 'Domain-Name'[source]

EMAIL_ADDR = 'Email-Addr'[source]

EMAIL_MESSAGE = 'Email-Message'[source]

EMAIL_MIME_PART_TYPE = 'Email-Mime-Part-Type'[source]

ARTIFACT = 'Artifact'[source]

FILE = 'File'[source]

X509_CERTIFICATE = 'X509-Certificate'[source]

IPV4_ADDR = 'IPv4-Addr'[source]

IPV6_ADDR = 'IPv6-Addr'[source]

MAC_ADDR = 'Mac-Addr'[source]

MUTEX = 'Mutex'[source]

NETWORK_TRAFFIC = 'Network-Traffic'[source]

PROCESS = 'Process'[source]

SOFTWARE = 'Software'[source]

URL = 'Url'[source]

USER_ACCOUNT = 'User-Account'[source]

WINDOWS_REGISTRY_KEY = 'Windows-Registry-Key'[source]

WINDOWS_REGISTRY_VALUE_TYPE = 'Windows-Registry-Value-Type'[source]

HOSTNAME = 'Hostname'[source]

CRYPTOGRAPHIC_KEY = 'Cryptographic-Key'[source]

CRYPTOCURRENCY_WALLET = 'Cryptocurrency-Wallet'[source]

TEXT = 'Text'[source]

USER_AGENT = 'User-Agent'[source]

BANK_ACCOUNT = 'Bank-Account'[source]

PHONE_NUMBER = 'Phone-Number'[source]

CREDENTIAL = 'Credential'[source]

TRACKING_NUMBER = 'Tracking-Number'[source]

PAYMENT_CARD = 'Payment-Card'[source]

MEDIA_CONTENT = 'Media-Content'[source]

SIMPLE_OBSERVABLE = 'Simple-Observable'[source]

PERSONA = 'Persona'[source]

SSH_KEY = 'SSH-Key'[source]

AI_PROMPT = 'AI-Prompt'[source]

IMEI = 'IMEI'[source]

ICCID = 'ICCID'[source]

IMSI = 'IMSI'[source]

class pycti.utils.constants.IdentityTypes(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of Identity types supported by OpenCTI.

SECTOR = 'Sector'[source]

ORGANIZATION = 'Organization'[source]

INDIVIDUAL = 'Individual'[source]

SYSTEM = 'System'[source]

SECURITYPLATFORM = 'SecurityPlatform'[source]

class pycti.utils.constants.ThreatActorTypes(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of Threat Actor types supported by OpenCTI.

THREAT_ACTOR_GROUP = 'Threat-Actor-Group'[source]

THREAT_ACTOR_INDIVIDUAL = 'Threat-Actor-Individual'[source]

class pycti.utils.constants.LocationTypes(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of Location types supported by OpenCTI.

REGION = 'Region'[source]

COUNTRY = 'Country'[source]

ADMINISTRATIVE_AREA = 'Administrative-Area'[source]

CITY = 'City'[source]

POSITION = 'Position'[source]

class pycti.utils.constants.ContainerTypes(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of Container types supported by OpenCTI.

NOTE = 'Note'[source]

OBSERVED_DATA = 'Observed-Data'[source]

OPINION = 'Opinion'[source]

REPORT = 'Report'[source]

GROUPING = 'Grouping'[source]

CASE = 'Case'[source]

class pycti.utils.constants.StixMetaTypes(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of STIX Meta Object types supported by OpenCTI.

MARKING_DEFINITION = 'Marking-Definition'[source]

LABEL = 'Label'[source]

EXTERNAL_REFERENCE = 'External-Reference'[source]

KILL_CHAIN_PHASE = 'Kill-Chain-Phase'[source]

class pycti.utils.constants.MultipleRefRelationship(*args, **kwds)[source]

Bases: CaseInsensitiveEnum

Enumeration of relationship types that can have multiple references.

OPERATING_SYSTEM = 'operating-system'[source]

SAMPLE = 'sample'[source]

CONTAINS = 'contains'[source]

RESOLVES_TO = 'obs_resolves-to'[source]

BELONGS_TO = 'obs_belongs-to'[source]

TO = 'to'[source]

CC = 'cc'[source]

BCC = 'bcc'[source]

ENCAPSULATES = 'encapsulates'[source]

OPENED_CONNECTION = 'opened-connection'[source]

CHILD = 'child'[source]

BODY_MULTIPART = 'body-multipart'[source]

VALUES = 'values'[source]

SERVICE_DLL = 'service-dll'[source]

INSTALLED_SOFTWARE = 'installed-software'[source]

RELATION_ANALYSIS_SCO = 'analysis-sco'[source]

class pycti.utils.constants.CustomObjectCaseIncident[source]

Custom STIX2 Case-Incident object for OpenCTI.

Represents a case-incident container with associated metadata including name, description, severity, priority, and response types.

Parameters:

name (str) – Name of the case incident (required)
spec_version (str) – STIX specification version, fixed to “2.1”
description (str) – Description of the case incident
severity (str) – Severity level of the incident
priority (str) – Priority level of the incident
response_types (list) – List of response types
x_opencti_workflow_id (str) – OpenCTI workflow identifier
x_opencti_assignee_ids (list) – List of assignee identifiers
external_references (list) – List of external references
object_refs (list) – List of referenced STIX objects

class pycti.utils.constants.CustomObjectCaseRfi[source]

Custom STIX2 Case-RFI (Request For Information) object for OpenCTI.

Represents a request for information container with associated metadata including name, description, severity, priority, and information types.

Parameters:

name (str) – Name of the RFI case (required)
spec_version (str) – STIX specification version, fixed to “2.1”
description (str) – Description of the RFI case
severity (str) – Severity level of the RFI
priority (str) – Priority level of the RFI
information_types (list) – List of information types requested
x_opencti_workflow_id (str) – OpenCTI workflow identifier
x_opencti_assignee_ids (list) – List of assignee identifiers
external_references (list) – List of external references
object_refs (list) – List of referenced STIX objects

class pycti.utils.constants.CustomObjectTask[source]

Custom STIX2 Task object for OpenCTI.

Represents a task with associated metadata including name, description, due date, and assignees.

Parameters:

name (str) – Name of the task (required)
spec_version (str) – STIX specification version, fixed to “2.1”
description (str) – Description of the task
due_date (datetime) – Due date timestamp for the task
x_opencti_workflow_id (str) – OpenCTI workflow identifier
x_opencti_assignee_ids (list) – List of assignee identifiers
object_refs (list) – List of referenced STIX objects

class pycti.utils.constants.CustomObjectChannel[source]

Custom STIX2 Channel object for OpenCTI.

Represents a communication channel with associated metadata including name, description, aliases, and channel types.

Parameters:

name (str) – Name of the channel (required)
spec_version (str) – STIX specification version, fixed to “2.1”
description (str) – Description of the channel
aliases (list) – List of alternative names for the channel
channel_types (list) – List of channel types
x_opencti_workflow_id (str) – OpenCTI workflow identifier
x_opencti_assignee_ids (list) – List of assignee identifiers
external_references (list) – List of external references

class pycti.utils.constants.CustomObservableHostname[source]

Custom STIX2 Hostname observable for OpenCTI.

Represents a hostname cyber observable with its associated value.

Parameters:

value (str) – The hostname value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableText[source]

Custom STIX2 Text observable for OpenCTI.

Represents a generic text cyber observable with its associated value.

Parameters:

value (str) – The text value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservablePaymentCard[source]

Custom STIX2 Payment Card observable for OpenCTI.

Represents a payment card cyber observable with card details.

Parameters:

value (str) – Display value for the payment card (required)
card_number (str) – The payment card number (required)
expiration_date (str) – Card expiration date
cvv (str) – Card verification value
holder_name (str) – Name of the card holder
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableBankAccount[source]

Custom STIX2 Bank Account observable for OpenCTI.

Represents a bank account cyber observable with account details.

Parameters:

value (str) – Display value for the bank account (required)
iban (str) – International Bank Account Number (required)
bic (str) – Bank Identifier Code
account_number (str) – Bank account number
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableCredential[source]

Custom STIX2 Credential observable for OpenCTI.

Represents a credential cyber observable such as a password or access token.

Parameters:

value (str) – The credential value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableCryptocurrencyWallet[source]

Custom STIX2 Cryptocurrency Wallet observable for OpenCTI.

Represents a cryptocurrency wallet address cyber observable.

Parameters:

value (str) – The wallet address value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservablePhoneNumber[source]

Custom STIX2 Phone Number observable for OpenCTI.

Represents a phone number cyber observable.

Parameters:

value (str) – The phone number value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableTrackingNumber[source]

Custom STIX2 Tracking Number observable for OpenCTI.

Represents a tracking number cyber observable (e.g., package tracking).

Parameters:

value (str) – The tracking number value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableUserAgent[source]

Custom STIX2 User-Agent observable for OpenCTI.

Represents a User-Agent string cyber observable from HTTP headers.

Parameters:

value (str) – The User-Agent string value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableMediaContent[source]

Custom STIX2 Media-Content observable for OpenCTI.

Represents a media content cyber observable such as articles or posts.

Parameters:

title (str) – Title of the media content
description (str) – Description of the media content
content (str) – The actual content body
media_category (str) – Category of the media
url (str) – URL of the media content (required)
publication_date (datetime) – Publication date timestamp
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservablePersona[source]

Custom STIX2 Persona observable for OpenCTI.

Represents a persona or online identity cyber observable.

Parameters:

persona_name (str) – Name of the persona (required)
persona_type (str) – Type of the persona (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableCryptographicKey[source]

Custom STIX2 Cryptographic-Key observable for OpenCTI.

Represents a cryptographic key cyber observable such as API keys or encryption keys.

Parameters:

value (str) – The cryptographic key value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableSshKey[source]

Custom STIX2 SSH-Key observable for OpenCTI.

Represents an SSH key cyber observable such as public or private SSH keys.

Parameters:

value (str) – The SSH key value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableAIPrompt[source]

Custom STIX2 AI Prompt observable for OpenCTI.

Represents an AI prompt cyber observable used in AI-related threat intelligence.

Parameters:

value (str) – The AI prompt value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableIMEI[source]

IMEI observable.

Represents an International Mobile Equipment Identity which is a phone serial number.

Format: 14 digits + 1 check digit, numeric only, (can be 16 for legacy digits total).

Parameters:

value (str) – The IMEI value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableICCID[source]

ICCID observable.

Represents an unique serial number of a SIM card, printed on the SIM itself.

Format: up to 18-20 digits, numeric only.

Parameters:

value (str) – The ICCID value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableIMSI[source]

IMSI observable.

Identifies the user as a subscriber in the mobile network.

Format: usually 15 digits (can be 14-15), numeric only Composed of MCC+MNC+MSIN

Parameters:

value (str) – The IMSI value (required)
spec_version (str) – STIX specification version, fixed to “2.1”
object_marking_refs (list) – List of marking definition references