pycti.utils.opencti_stix2_splitter

Attributes

`OPENCTI_EXTENSION`
`supported_types`

Classes

OpenCTIStix2Splitter

STIX2 bundle splitter for OpenCTI.

Functions

is_id_supported(key)

Check if a STIX ID type is supported for processing.

Module Contents

pycti.utils.opencti_stix2_splitter.OPENCTI_EXTENSION = 'extension-definition--ea279b3e-5c71-4632-ac08-831c66a786ba'[source]

pycti.utils.opencti_stix2_splitter.supported_types[source]

pycti.utils.opencti_stix2_splitter.is_id_supported(key)[source]

Check if a STIX ID type is supported for processing.

Parameters:: key (str) – STIX ID or identifier to check
Returns:: True if the ID type is supported, False otherwise
Return type:: bool

class pycti.utils.opencti_stix2_splitter.OpenCTIStix2Splitter[source]

STIX2 bundle splitter for OpenCTI.

Splits large STIX2 bundles into smaller chunks for processing, handling dependencies between objects and deduplicating references.

Initialize the STIX2 bundle splitter.

Sets up internal caches for tracking processed elements, references, and incompatible items.

cache_index[source]

cache_refs[source]

elements = [][source]

incompatible_items = [][source]

get_internal_ids_in_extension(item)[source]

Get internal IDs from OpenCTI extensions in a STIX object.

Parameters:: item (dict) – the STIX object to extract IDs from
Returns:: list of internal IDs found in extensions
Return type:: list

enlist_element(item_id, raw_data, cleanup_inconsistent_bundle, parent_acc)[source]

Enlist an element and its dependencies for processing.

Parameters:

item_id (str) – the ID of the item to enlist
raw_data (dict) – the raw data dictionary of all items
cleanup_inconsistent_bundle (bool) – whether to cleanup inconsistent references
parent_acc (list) – accumulator of parent IDs to prevent circular references

Returns:

number of dependencies enlisted

Return type:

int

split_bundle_with_expectations(bundle, use_json=True, event_version=None, cleanup_inconsistent_bundle=False) → Tuple[int, list, list][source]

Split a valid STIX2 bundle into a list of bundles.

Parameters:

bundle (str or dict) – the STIX2 bundle to split
use_json (bool) – whether the bundle is JSON string (True) or dict (False)
event_version (str or None) – (optional) event version to include in bundles
cleanup_inconsistent_bundle (bool) – whether to cleanup inconsistent references

Returns:

tuple of (number of expectations, incompatible items, list of bundles)

Return type:

Tuple[int, list, list]

split_bundle(bundle, use_json=True, event_version=None) → list[source]

Split a valid STIX2 bundle into a list of bundles.

Deprecated since version Use: split_bundle_with_expectations() instead.

Parameters:

bundle (str or dict) – the STIX2 bundle to split
use_json (bool) – whether the bundle is JSON string (True) or dict (False)
event_version (str or None) – (optional) event version to include in bundles

Returns:

list of STIX2 bundles

Return type:

list

static stix2_create_bundle(bundle_id, bundle_seq, items, use_json, event_version=None)[source]

Create a STIX2 bundle with items.

Parameters:

bundle_id (str) – the bundle ID
bundle_seq (int) – the bundle sequence number
items (list) – valid STIX2 items
use_json (bool) – whether to return JSON string (True) or dict (False)
event_version (str or None) – (optional) event version to include

Returns:

STIX2 bundle as JSON string or dict

Return type:

str or dict