pycti.utils.opencti_stix2_utils
===============================

.. py:module:: pycti.utils.opencti_stix2_utils

.. autoapi-nested-parse::

   STIX2 utility functions and mappings for OpenCTI.

   This module provides utility classes and constants for working with STIX2 objects
   in OpenCTI, including type mappings, pattern generation, and object reference counting.


Attributes
----------

.. autoapisummary::

   pycti.utils.opencti_stix2_utils.ALIASES_FIELD
   pycti.utils.opencti_stix2_utils.X_OPENCTI_ALIASES_FIELD
   pycti.utils.opencti_stix2_utils.SUPPORTED_INTERNAL_OBJECTS
   pycti.utils.opencti_stix2_utils.STIX_META_OBJECTS
   pycti.utils.opencti_stix2_utils.STIX_CORE_OBJECTS
   pycti.utils.opencti_stix2_utils.SUPPORTED_STIX_ENTITY_OBJECTS
   pycti.utils.opencti_stix2_utils.STIX_CYBER_OBSERVABLE_MAPPING
   pycti.utils.opencti_stix2_utils.STIX_OBJECTS
   pycti.utils.opencti_stix2_utils.PATTERN_MAPPING
   pycti.utils.opencti_stix2_utils.OBSERVABLES_VALUE_INT


Classes
-------

.. autoapisummary::

   pycti.utils.opencti_stix2_utils.OpenCTIStix2Utils


Functions
---------

.. autoapisummary::

   pycti.utils.opencti_stix2_utils.resolve_aliases_field
   pycti.utils.opencti_stix2_utils.is_stix_object_aliased


Module Contents
---------------

.. py:data:: ALIASES_FIELD
   :value: 'aliases'


.. py:data:: X_OPENCTI_ALIASES_FIELD
   :value: 'x_opencti_aliases'


.. py:data:: SUPPORTED_INTERNAL_OBJECTS
   :value: ['user', 'group', 'capability', 'role', 'settings', 'notification', 'work', 'trash',...


.. py:data:: STIX_META_OBJECTS
   :value: ['label', 'vocabulary', 'kill-chain-phase']


.. py:data:: STIX_CORE_OBJECTS
   :value: ['attack-pattern', 'campaign', 'case-incident', 'x-opencti-case-incident', 'case-rfi',...


.. py:data:: SUPPORTED_STIX_ENTITY_OBJECTS
   :value: ['label', 'vocabulary', 'kill-chain-phase', 'attack-pattern', 'campaign', 'case-incident',...


.. py:data:: STIX_CYBER_OBSERVABLE_MAPPING

.. py:data:: STIX_OBJECTS

.. py:data:: PATTERN_MAPPING

.. py:data:: OBSERVABLES_VALUE_INT
   :value: ['Autonomous-System.number', 'Network-Traffic.dst_port', 'Process.pid']


.. py:class:: OpenCTIStix2Utils

   Utility class for STIX2 operations in OpenCTI.

   Provides helper methods for STIX2 conversions and pattern generation,
   including type mappings, observable pattern creation, and reference counting.


   .. py:method:: stix_observable_opencti_type(observable_type)
      :staticmethod:

      Convert STIX observable type to OpenCTI type.

      :param observable_type: STIX observable type
      :type observable_type: str
      :return: Corresponding OpenCTI type or "Unknown"
      :rtype: str


   .. py:method:: create_stix_pattern(observable_type, observable_value)
      :staticmethod:

      Create a STIX pattern from an observable type and value.

      :param observable_type: Type of the observable
      :type observable_type: str
      :param observable_value: Value of the observable
      :type observable_value: str
      :return: STIX pattern string or None if type not supported
      :rtype: str or None


   .. py:method:: generate_random_stix_id(stix_type)
      :staticmethod:

      Generate random stix id (uuid v1) - DEPRECATED.

      This function is deprecated and should not be used anymore.
      Please use the generate_id function for SDO or proper SCO constructor.

      :param stix_type: the stix type
      :raises ValueError: Always raises an error as this function is deprecated


   .. py:method:: retrieve_class_for_method(opencti_api_client, entity: Dict, type_path: str, method: str) -> Any
      :staticmethod:

      Retrieve the appropriate API class for a given entity type and method.

      :param opencti_api_client: OpenCTI API client instance
      :type opencti_api_client: OpenCTIApiClient
      :param entity: Entity dictionary containing the type
      :type entity: Dict
      :param type_path: Path to the type field in the entity
      :type type_path: str
      :param method: Name of the method to check for
      :type method: str
      :return: The API class that has the specified method, or None
      :rtype: Any


   .. py:method:: retrieveClassForMethod(openCTIApiClient, entity: Dict, type_path: str, method: str) -> Any
      :staticmethod:

      Retrieve the appropriate API class for a given entity type and method.

      .. deprecated:: Use :meth:`retrieve_class_for_method` instead.

      :param openCTIApiClient: OpenCTI API client instance
      :type openCTIApiClient: OpenCTIApiClient
      :param entity: Entity dictionary containing the type
      :type entity: Dict
      :param type_path: Path to the type field in the entity
      :type type_path: str
      :param method: Name of the method to check for
      :type method: str
      :return: The API class that has the specified method, or None
      :rtype: Any


   .. py:method:: compute_object_refs_number(entity: Dict)
      :staticmethod:

      Compute the number of object references in an entity.

      :param entity: Entity dictionary to analyze
      :type entity: Dict
      :return: Total number of references
      :rtype: int


.. py:function:: resolve_aliases_field(stix_type: str) -> str

   Resolve the correct aliases field name for a given STIX type.

   OpenCTI uses two different field names for aliases depending on the entity type:

   - `aliases`: Standard STIX field used by most SDO types (Attack-Pattern, Campaign,
     Infrastructure, Intrusion-Set, Malware, Threat-Actor-Group, Tool, Incident, etc.)
   - `x_opencti_aliases`: OpenCTI extension field used by Course-Of-Action, Vulnerability,
     Grouping, Identity types (Individual, Sector, System, Organization), and Location
     types (Region, Country, Administrative-Area, City, Position)

   This mirrors the logic in opencti-graphql/src/schema/stixDomainObject.ts resolveAliasesField()

   Note: This function is case-insensitive.

   :param stix_type: The STIX object type (e.g., "malware", "vulnerability", "identity")
   :type stix_type: str
   :return: The aliases field name to use ("aliases" or "x_opencti_aliases")
   :rtype: str

   .. rubric:: Example

   >>> resolve_aliases_field("malware")
   'aliases'
   >>> resolve_aliases_field("Vulnerability")
   'x_opencti_aliases'
   >>> resolve_aliases_field("IDENTITY")
   'x_opencti_aliases'


.. py:function:: is_stix_object_aliased(stix_type: str) -> bool

   Check if a STIX object type supports aliases.

   Returns True for entity types that have an aliases field in OpenCTI.

   Note: This function is case-insensitive.

   :param stix_type: The STIX object type (e.g., "malware", "indicator", "identity")
   :type stix_type: str
   :return: True if the type supports aliases, False otherwise
   :rtype: bool

   .. rubric:: Example

   >>> is_stix_object_aliased("malware")
   True
   >>> is_stix_object_aliased("Malware")
   True
   >>> is_stix_object_aliased("indicator")
   False
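
The alias-field rule documented for ``resolve_aliases_field`` and ``is_stix_object_aliased``, as an added example that is not pycti's own code: a stand-alone sketch that moves alias values into the field the docstring names for each type and reports aliases found on a type that carries none. The type sets are copied from the docstring lists (the standard-field list ends in "etc.", so it is a subset), ``location`` as a type name is an assumption, ``alias_field_for`` and ``normalize_aliases`` are hypothetical helper names, and the sample objects are constructed.

```python
# Added example: stand-alone sketch, not pycti's implementation.
ALIASES_FIELD = "aliases"
X_OPENCTI_ALIASES_FIELD = "x_opencti_aliases"
# Types the docstring lists under x_opencti_aliases ("location" itself is assumed).
X_ALIASED_TYPES = {
    "course-of-action", "vulnerability", "grouping", "identity", "individual",
    "sector", "system", "organization", "location", "region", "country",
    "administrative-area", "city", "position",
}
# Types the docstring names under aliases; its list ends in "etc.", so this is a subset.
STD_ALIASED_TYPES = {
    "attack-pattern", "campaign", "infrastructure", "intrusion-set",
    "malware", "threat-actor-group", "tool", "incident",
}

def alias_field_for(stix_type):
    """Hypothetical helper: alias field for a type, or None if not aliased here."""
    normalized = (stix_type or "").lower()  # case-insensitive, as documented
    if normalized in X_ALIASED_TYPES:
        return X_OPENCTI_ALIASES_FIELD
    if normalized in STD_ALIASED_TYPES:
        return ALIASES_FIELD
    return None

def normalize_aliases(obj):
    """Return (copy of obj with aliases in the right field, aliases dropped)."""
    out = dict(obj)
    merged = []
    for field in (ALIASES_FIELD, X_OPENCTI_ALIASES_FIELD):
        for alias in out.pop(field, None) or []:
            if alias not in merged:  # de-duplicate, keep first-seen order
                merged.append(alias)
    target = alias_field_for(obj.get("type"))
    if target is None:
        return out, merged  # type carries no aliases: report them to the caller
    if merged:
        out[target] = merged
    return out, []

# Constructed sample objects (not real intelligence data).
SAMPLES = [
    {"type": "malware", "name": "SampleRAT", "aliases": ["sRAT"],
     "x_opencti_aliases": ["sRAT", "S-RAT"]},
    {"type": "Vulnerability", "name": "EXAMPLE-VULN-1", "aliases": ["ExampleBug"]},
    {"type": "indicator", "name": "sample indicator", "aliases": ["ioc-1"]},
]

if __name__ == "__main__":
    print([normalize_aliases(sample) for sample in SAMPLES])
```

The second return value lets a caller log alias values that were removed instead of losing them silently.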