pycti.entities.opencti_observed_data
====================================

.. py:module:: pycti.entities.opencti_observed_data

Classes
-------

.. autoapisummary::

   pycti.entities.opencti_observed_data.ObservedData

Module Contents
---------------

.. py:class:: ObservedData(opencti)

   Main ObservedData class for OpenCTI

   Manages observed data and raw intelligence in the OpenCTI platform.

   :param opencti: instance of :py:class:`~pycti.api.opencti_api_client.OpenCTIApiClient`
   :type opencti: OpenCTIApiClient

   Initialize the ObservedData instance.

   :param opencti: OpenCTI API client instance
   :type opencti: OpenCTIApiClient

   .. py:attribute:: opencti

   .. py:attribute:: properties
      :value: Multiline-String

      .. code-block:: python

         """
             id
             standard_id
             entity_type
             parent_types
             spec_version
             created_at
             updated_at
             status {
                 id
                 template {
                     id
                     name
                     color
                 }
             }
             createdBy {
                 ... on Identity {
                     id
                     standard_id
                     entity_type
                     parent_types
                     spec_version
                     identity_class
                     name
                     description
                     roles
                     contact_information
                     x_opencti_aliases
                     created
                     modified
                     objectLabel {
                         id
                         value
                         color
                     }
                 }
                 ... on Organization {
                     x_opencti_organization_type
                     x_opencti_reliability
                 }
                 ... on Individual {
                     x_opencti_firstname
                     x_opencti_lastname
                 }
             }
             objectOrganization {
                 id
                 standard_id
                 name
             }
             objectMarking {
                 id
                 standard_id
                 entity_type
                 definition_type
                 definition
                 created
                 modified
                 x_opencti_order
                 x_opencti_color
             }
             objectLabel {
                 id
                 value
                 color
             }
             externalReferences {
                 edges {
                     node {
                         id
                         standard_id
                         entity_type
                         source_name
                         description
                         url
                         hash
                         external_id
                         created
                         modified
                     }
                 }
             }
             revoked
             confidence
             created
             modified
             first_observed
             last_observed
             number_observed
             objects(all: true) {
                 edges {
                     node {
                         ... on BasicObject {
                             id
                             entity_type
                             parent_types
                         }
                         ... on BasicRelationship {
                             id
                             entity_type
                             parent_types
                         }
                         ... on StixObject {
                             standard_id
                             spec_version
                             created_at
                             updated_at
                         }
                         ... on AttackPattern { name }
                         ... on Campaign { name }
                         ... on CourseOfAction { name }
                         ... on Individual { name }
                         ... on Organization { name }
                         ... on Sector { name }
                         ... on System { name }
                         ... on Indicator { name }
                         ... on Infrastructure { name }
                         ... on IntrusionSet { name }
                         ... on Position { name }
                         ... on City { name }
                         ... on Country { name }
                         ... on Region { name }
                         ... on Malware { name }
                         ... on ThreatActor { name }
                         ... on Tool { name }
                         ... on Vulnerability { name }
                         ... on Incident { name }
                         ... on Event { name }
                         ... on Channel { name }
                         ... on Narrative { name }
                         ... on Language { name }
                         ... on DataComponent { name }
                         ... on DataSource { name }
                         ... on Case { name }
                         ... on StixCyberObservable { observable_value }
                         ... on StixCoreRelationship {
                             standard_id
                             spec_version
                             created_at
                             updated_at
                         }
                         ... on StixSightingRelationship {
                             standard_id
                             spec_version
                             created_at
                             updated_at
                         }
                     }
                 }
             }
         """

   .. py:attribute:: properties_with_files
      :value: Multiline-String

      .. code-block:: python

         """
             id
             standard_id
             entity_type
             parent_types
             spec_version
             created_at
             updated_at
             status {
                 id
                 template {
                     id
                     name
                     color
                 }
             }
             createdBy {
                 ... on Identity {
                     id
                     standard_id
                     entity_type
                     parent_types
                     spec_version
                     identity_class
                     name
                     description
                     roles
                     contact_information
                     x_opencti_aliases
                     created
                     modified
                     objectLabel {
                         id
                         value
                         color
                     }
                 }
                 ... on Organization {
                     x_opencti_organization_type
                     x_opencti_reliability
                 }
                 ... on Individual {
                     x_opencti_firstname
                     x_opencti_lastname
                 }
             }
             objectOrganization {
                 id
                 standard_id
                 name
             }
             objectMarking {
                 id
                 standard_id
                 entity_type
                 definition_type
                 definition
                 created
                 modified
                 x_opencti_order
                 x_opencti_color
             }
             objectLabel {
                 id
                 value
                 color
             }
             externalReferences {
                 edges {
                     node {
                         id
                         standard_id
                         entity_type
                         source_name
                         description
                         url
                         hash
                         external_id
                         created
                         modified
                         importFiles {
                             edges {
                                 node {
                                     id
                                     name
                                     size
                                     metaData {
                                         mimetype
                                         version
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
             revoked
             confidence
             created
             modified
             first_observed
             last_observed
             number_observed
             objects(all: true) {
                 edges {
                     node {
                         ... on BasicObject {
                             id
                             entity_type
                             parent_types
                         }
                         ... on BasicRelationship {
                             id
                             entity_type
                             parent_types
                         }
                         ... on StixObject {
                             standard_id
                             spec_version
                             created_at
                             updated_at
                         }
                         ... on AttackPattern { name }
                         ... on Campaign { name }
                         ... on CourseOfAction { name }
                         ... on Individual { name }
                         ... on Organization { name }
                         ... on Sector { name }
                         ... on System { name }
                         ... on Indicator { name }
                         ... on Infrastructure { name }
                         ... on IntrusionSet { name }
                         ... on Position { name }
                         ... on City { name }
                         ... on Country { name }
                         ... on Region { name }
                         ... on Malware { name }
                         ... on ThreatActor { name }
                         ... on Tool { name }
                         ... on Vulnerability { name }
                         ... on Incident { name }
                         ... on Event { name }
                         ... on Channel { name }
                         ... on Narrative { name }
                         ... on Language { name }
                         ... on DataComponent { name }
                         ... on DataSource { name }
                         ... on Case { name }
                         ... on StixCyberObservable { observable_value }
                         ... on StixCoreRelationship {
                             standard_id
                             spec_version
                             created_at
                             updated_at
                         }
                         ... on StixSightingRelationship {
                             standard_id
                             spec_version
                             created_at
                             updated_at
                         }
                     }
                 }
             }
             importFiles {
                 edges {
                     node {
                         id
                         name
                         size
                         metaData {
                             mimetype
                             version
                         }
                         objectMarking {
                             id
                             standard_id
                             entity_type
                             definition_type
                             definition
                             created
                             modified
                             x_opencti_order
                             x_opencti_color
                         }
                     }
                 }
             }
         """

   .. py:method:: generate_id(object_ids)
      :staticmethod:

      Generate a STIX ID for an Observed Data object.

      :param object_ids: list of object IDs contained in the observed data
      :type object_ids: list
      :return: STIX ID for the Observed Data
      :rtype: str

   .. py:method:: generate_id_from_data(data)
      :staticmethod:

      Generate a STIX ID from Observed Data data.

      :param data: Dictionary containing an 'object_refs' key
      :type data: dict
      :return: STIX ID for the Observed Data
      :rtype: str

   .. py:method:: list(**kwargs)

      List ObservedData objects.

      :param filters: the filters to apply
      :type filters: dict
      :param search: the search keyword
      :type search: str
      :param first: return the first n rows from the after ID (or the beginning if not set)
      :type first: int
      :param after: ID of the first row for pagination
      :type after: str
      :return: List of ObservedData objects
      :rtype: list

   .. py:method:: read(**kwargs)

      Read an ObservedData object.

      :param id: the id of the ObservedData
      :type id: str
      :param filters: the filters to apply if no id provided
      :type filters: dict
      :return: ObservedData object
      :rtype: dict or None

   .. py:method:: contains_stix_object_or_stix_relationship(**kwargs)

      Check if an observedData already contains a STIX entity.

      :param id: the id of the ObservedData
      :type id: str
      :param stixObjectOrStixRelationshipId: the id of the STIX entity
      :type stixObjectOrStixRelationshipId: str
      :return: True if contained, False otherwise
      :rtype: bool or None

   .. py:method:: create(**kwargs)

      Create an ObservedData object.

      :param stix_id: the STIX ID (optional)
      :type stix_id: str
      :param createdBy: the author ID (optional)
      :type createdBy: str
      :param objects: list of STIX object IDs (required)
      :type objects: list
      :param objectMarking: list of marking definition IDs (optional)
      :type objectMarking: list
      :param objectLabel: list of label IDs (optional)
      :type objectLabel: list
      :param externalReferences: list of external reference IDs (optional)
      :type externalReferences: list
      :param revoked: whether the observed data is revoked (optional)
      :type revoked: bool
      :param confidence: confidence level 0-100 (optional)
      :type confidence: int
      :param lang: language (optional)
      :type lang: str
      :param created: creation date (optional)
      :type created: str
      :param modified: modification date (optional)
      :type modified: str
      :param first_observed: the first observed datetime (required)
      :type first_observed: str
      :param last_observed: the last observed datetime (required)
      :type last_observed: str
      :param number_observed: number of times observed (optional)
      :type number_observed: int
      :param x_opencti_stix_ids: list of additional STIX IDs (optional)
      :type x_opencti_stix_ids: list
      :param objectOrganization: list of organization IDs (optional)
      :type objectOrganization: list
      :param x_opencti_workflow_id: workflow ID (optional)
      :type x_opencti_workflow_id: str
      :param x_opencti_modified_at: custom modification date (optional)
      :type x_opencti_modified_at: str
      :param update: whether to update if exists (default: False)
      :type update: bool
      :param files: (optional) list of File objects to attach
      :type files: list
      :param filesMarkings: (optional) list of lists of marking definition IDs for each file
      :type filesMarkings: list
      :return: ObservedData object
      :rtype: dict or None

   .. py:method:: add_stix_object_or_stix_relationship(**kwargs)

      Add a Stix-Core-Object or stix_relationship to ObservedData object (object).

      :param id: the id of the ObservedData
      :type id: str
      :param stixObjectOrStixRelationshipId: the id of the Stix-Core-Object or stix_relationship
      :type stixObjectOrStixRelationshipId: str
      :return: True if successful, False otherwise
      :rtype: bool

   .. py:method:: remove_stix_object_or_stix_relationship(**kwargs)

      Remove a Stix-Core-Object or stix_relationship from Observed-Data object.

      :param id: the id of the Observed-Data
      :type id: str
      :param stixObjectOrStixRelationshipId: the id of the Stix-Core-Object or stix_relationship
      :type stixObjectOrStixRelationshipId: str
      :return: True if successful, False otherwise
      :rtype: bool

   .. py:method:: import_from_stix2(**kwargs)

      Import an ObservedData object from a STIX2 object.

      :param stixObject: the Stix-Object ObservedData
      :type stixObject: dict
      :param extras: additional parameters like created_by_id, object_marking_ids
      :type extras: dict
      :param update: whether to update existing object
      :type update: bool
      :return: ObservedData object
      :rtype: dict or None
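
A pre-flight check for the arguments documented for ``create()`` above, as an added example that is not part of pycti. ``check_observed_data_kwargs`` and ``require_file_markings`` are hypothetical names; the timestamp ordering and ``number_observed`` range rules come from STIX 2.1, and requiring a marking on every attached file is an assumed local policy.

```python
from datetime import datetime

MAX_NUMBER_OBSERVED = 999_999_999  # STIX 2.1 upper bound for number_observed


def _ts(value):
    # STIX timestamps end in "Z"; fromisoformat() on older Pythons needs an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_observed_data_kwargs(kwargs, require_file_markings=True):
    """Return the problems found in kwargs intended for ObservedData.create()."""
    problems = []
    for key in ("objects", "first_observed", "last_observed"):
        if not kwargs.get(key):
            problems.append(f"{key} is required")
    if kwargs.get("first_observed") and kwargs.get("last_observed"):
        try:
            if _ts(kwargs["last_observed"]) < _ts(kwargs["first_observed"]):
                problems.append("last_observed is earlier than first_observed")
        except (AttributeError, TypeError, ValueError):
            problems.append("first_observed/last_observed must be ISO 8601 strings")
    confidence = kwargs.get("confidence")
    if confidence is not None and not (isinstance(confidence, int) and 0 <= confidence <= 100):
        problems.append("confidence must be an integer from 0 to 100")
    count = kwargs.get("number_observed")
    if count is not None and not (isinstance(count, int) and 1 <= count <= MAX_NUMBER_OBSERVED):
        problems.append("number_observed must be an integer from 1 to 999999999")
    files = kwargs.get("files") or []
    markings = kwargs.get("filesMarkings")
    if markings is not None and len(markings) != len(files):
        problems.append("filesMarkings must hold one list per entry in files")
    elif files and require_file_markings and (not markings or not all(markings)):
        # Local policy (assumption): no attachment is uploaded without a marking.
        problems.append("every attached file needs at least one marking ID")
    return problems


# Constructed sample arguments; all IDs are placeholders, not real platform IDs.
GOOD = {
    "objects": ["ipv4-addr--placeholder-1"],
    "first_observed": "2024-05-01T10:00:00.000Z",
    "last_observed": "2024-05-01T10:05:00.000Z",
    "number_observed": 3,
    "confidence": 80,
    "files": ["file-object-placeholder"],
    "filesMarkings": [["marking-definition--placeholder"]],
}
BAD = dict(GOOD, last_observed="2024-04-30T23:00:00.000Z", confidence=150,
           filesMarkings=[])
```

Call it on the keyword arguments before passing them to ``create()`` and refuse to send when the returned list is non-empty.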