pycti.utils.opencti_stix2_utils

STIX2 utility functions and mappings for OpenCTI.

This module provides utility classes and constants for working with STIX2 objects in OpenCTI, including type mappings, pattern generation, and object reference counting.

Attributes

`ALIASES_FIELD`
`X_OPENCTI_ALIASES_FIELD`
`SUPPORTED_INTERNAL_OBJECTS`
`STIX_META_OBJECTS`
`STIX_CORE_OBJECTS`
`SUPPORTED_STIX_ENTITY_OBJECTS`
`STIX_CYBER_OBSERVABLE_MAPPING`
`STIX_OBJECTS`
`PATTERN_MAPPING`
`OBSERVABLES_VALUE_INT`

Classes

OpenCTIStix2Utils

Utility class for STIX2 operations in OpenCTI.

Functions

`resolve_aliases_field`(→ str)	Resolve the correct aliases field name for a given STIX type.
`is_stix_object_aliased`(→ bool)	Check if a STIX object type supports aliases.

Module Contents

pycti.utils.opencti_stix2_utils.ALIASES_FIELD = 'aliases'[source]

pycti.utils.opencti_stix2_utils.X_OPENCTI_ALIASES_FIELD = 'x_opencti_aliases'[source]

pycti.utils.opencti_stix2_utils.SUPPORTED_INTERNAL_OBJECTS = ['user', 'group', 'capability', 'role', 'settings', 'notification', 'work', 'trash',...[source]

pycti.utils.opencti_stix2_utils.STIX_META_OBJECTS = ['label', 'vocabulary', 'kill-chain-phase'][source]

pycti.utils.opencti_stix2_utils.STIX_CORE_OBJECTS = ['attack-pattern', 'campaign', 'case-incident', 'x-opencti-case-incident', 'case-rfi',...[source]

pycti.utils.opencti_stix2_utils.SUPPORTED_STIX_ENTITY_OBJECTS = ['label', 'vocabulary', 'kill-chain-phase', 'attack-pattern', 'campaign', 'case-incident',...[source]

pycti.utils.opencti_stix2_utils.STIX_CYBER_OBSERVABLE_MAPPING[source]

pycti.utils.opencti_stix2_utils.STIX_OBJECTS[source]

pycti.utils.opencti_stix2_utils.PATTERN_MAPPING[source]

pycti.utils.opencti_stix2_utils.OBSERVABLES_VALUE_INT = ['Autonomous-System.number', 'Network-Traffic.dst_port', 'Process.pid'][source]

class pycti.utils.opencti_stix2_utils.OpenCTIStix2Utils[source]

Utility class for STIX2 operations in OpenCTI.

Provides helper methods for STIX2 conversions and pattern generation, including type mappings, observable pattern creation, and reference counting.

static stix_observable_opencti_type(observable_type)[source]

Convert STIX observable type to OpenCTI type.

Parameters:: observable_type (str) – STIX observable type
Returns:: Corresponding OpenCTI type or “Unknown”
Return type:: str

static create_stix_pattern(observable_type, observable_value)[source]

Create a STIX pattern from an observable type and value.

Parameters:

observable_type (str) – Type of the observable
observable_value (str) – Value of the observable

Returns:

STIX pattern string or None if type not supported

Return type:

str or None

static generate_random_stix_id(stix_type)[source]

Generate random stix id (uuid v1) - DEPRECATED.

This function is deprecated and should not be used anymore. Please use the generate_id function for SDO or proper SCO constructor.

Parameters:: stix_type – the stix type
Raises:: ValueError – Always raises an error as this function is deprecated

static retrieve_class_for_method(opencti_api_client, entity: Dict, type_path: str, method: str) → Any[source]

Retrieve the appropriate API class for a given entity type and method.

Parameters:

opencti_api_client (OpenCTIApiClient) – OpenCTI API client instance
entity (Dict) – Entity dictionary containing the type
type_path (str) – Path to the type field in the entity
method (str) – Name of the method to check for

Returns:

The API class that has the specified method, or None

Return type:

Any

static retrieveClassForMethod(openCTIApiClient, entity: Dict, type_path: str, method: str) → Any[source]

Retrieve the appropriate API class for a given entity type and method.

Deprecated since version Use: retrieve_class_for_method() instead.

Parameters:

openCTIApiClient (OpenCTIApiClient) – OpenCTI API client instance
entity (Dict) – Entity dictionary containing the type
type_path (str) – Path to the type field in the entity
method (str) – Name of the method to check for

Returns:

The API class that has the specified method, or None

Return type:

Any

static compute_object_refs_number(entity: Dict)[source]

Compute the number of object references in an entity.

Parameters:: entity (Dict) – Entity dictionary to analyze
Returns:: Total number of references
Return type:: int

pycti.utils.opencti_stix2_utils.resolve_aliases_field(stix_type: str) → str[source]

Resolve the correct aliases field name for a given STIX type.

OpenCTI uses two different field names for aliases depending on the entity type: - aliases: Standard STIX field used by most SDO types (Attack-Pattern, Campaign,

Infrastructure, Intrusion-Set, Malware, Threat-Actor-Group, Tool, Incident, etc.)

x_opencti_aliases: OpenCTI extension field used by Course-Of-Action, Vulnerability, Grouping, Identity types (Individual, Sector, System, Organization), and Location types (Region, Country, Administrative-Area, City, Position)

This mirrors the logic in opencti-graphql/src/schema/stixDomainObject.ts resolveAliasesField()

Note: This function is case-insensitive.

Parameters:: stix_type (str) – The STIX object type (e.g., “malware”, “vulnerability”, “identity”)
Returns:: The aliases field name to use (“aliases” or “x_opencti_aliases”)
Return type:: str

Example

>>> resolve_aliases_field("malware")
'aliases'
>>> resolve_aliases_field("Vulnerability")
'x_opencti_aliases'
>>> resolve_aliases_field("IDENTITY")
'x_opencti_aliases'

pycti.utils.opencti_stix2_utils.is_stix_object_aliased(stix_type: str) → bool[source]

Check if a STIX object type supports aliases.

Returns True for entity types that have an aliases field in OpenCTI.

Note: This function is case-insensitive.

Parameters:: stix_type (str) – The STIX object type (e.g., “malware”, “indicator”, “identity”)
Returns:: True if the type supports aliases, False otherwise
Return type:: bool

Example

>>> is_stix_object_aliased("malware")
True
>>> is_stix_object_aliased("Malware")
True
>>> is_stix_object_aliased("indicator")
False