pycti.entities.opencti_indicator
Classes
Indicator – Main Indicator class for OpenCTI
Module Contents
- class pycti.entities.opencti_indicator.Indicator(opencti)
Main Indicator class for OpenCTI
Manages threat indicators and detection patterns in the OpenCTI platform.
- Parameters:
opencti (OpenCTIApiClient) – instance of OpenCTIApiClient
Initialize the Indicator instance.
- Parameters:
opencti (OpenCTIApiClient) – OpenCTI API client instance
- properties = Multiline-String
""" id standard_id entity_type parent_types spec_version created_at updated_at creators { id name } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectOrganization { id standard_id name } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified } } } revoked confidence created modified pattern_type pattern_version pattern name description indicator_types valid_from valid_until x_opencti_score x_opencti_detection x_opencti_main_observable_type x_opencti_observable_values { type value hashes { algorithm hash } } x_mitre_platforms observables { edges { node { id entity_type observable_value } } } killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } """
- properties_with_files = Multiline-String
""" id standard_id entity_type parent_types spec_version created_at updated_at creators { id name } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectOrganization { id standard_id name } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified importFiles { edges { node { id name size metaData { mimetype version } } } } } } } revoked confidence created modified pattern_type pattern_version pattern name description indicator_types valid_from valid_until x_opencti_score x_opencti_detection x_opencti_main_observable_type x_opencti_observable_values { type value hashes { algorithm hash } } x_mitre_platforms observables { edges { node { id entity_type observable_value } } } killChainPhases { id standard_id entity_type kill_chain_name phase_name x_opencti_order created modified } importFiles { edges { node { id name size metaData { mimetype version } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } } } } """
- static generate_id(pattern)
Generate a STIX ID for an Indicator.
- Parameters:
pattern (str) – The STIX pattern
- Returns:
STIX ID for the indicator
- Return type:
str
- static generate_id_from_data(data)
Generate a STIX ID from indicator data.
- Parameters:
data (dict) – Dictionary containing ‘pattern’ key
- Returns:
STIX ID for the indicator
- Return type:
str
- list(**kwargs)
List Indicator objects.
- Parameters:
filters (dict) – (optional) the filters to apply
search (str) – (optional) a search keyword to apply for the listing
first (int) – (optional) return the first n rows from the after ID or the beginning if not set
after (str) – (optional) OpenCTI object ID of the first row for pagination
orderBy (str) – (optional) the field to order the response on
orderMode (str) – (optional) either “asc” or “desc”
customAttributes (str) – (optional) the attribute keys to return
getAll (bool) – (optional) switch to return all entries (be careful to use this without any other filters)
withPagination (bool) – (optional) switch to use pagination
withFiles (bool) – (optional) include files in response
toStix (bool) – (optional) get in STIX format
- Returns:
List of Indicators
- Return type:
list
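As an added example (not pycti's own code) of walking Indicator.list() with first/after cursors instead of getAll=True, collecting indicators flagged for detection. It assumes that withPagination=True returns {"entities": [...], "pagination": {"endCursor": ..., "hasNextPage": ...}} and that filters use the OpenCTI filter-group format; FakeListApi and SAMPLE_ROWS are constructed stand-ins so it runs offline.

```python
# Added example (not pycti's code): cursor-paginate Indicator.list() instead of
# getAll=True, selecting active detection indicators. FakeListApi is a stand-in.

def detection_filters():
    """Filter group for detection-flagged, non-revoked indicators (format assumed)."""
    return {
        "mode": "and",
        "filterGroups": [],
        "filters": [
            {"key": "x_opencti_detection", "values": [True]},
            {"key": "revoked", "values": [False]},
        ],
    }

def iter_indicators(api, page_size=100, filters=None):
    """Yield indicators page by page, following endCursor until hasNextPage is false."""
    after = None
    while True:
        page = api.list(
            filters=filters,
            first=page_size,
            after=after,
            withPagination=True,
            customAttributes="id pattern pattern_type valid_until",
        )
        yield from page["entities"]
        if not page["pagination"]["hasNextPage"]:
            break
        after = page["pagination"]["endCursor"]

def collect_patterns(api, page_size=2):
    """Return every matching STIX pattern, e.g. to feed a detection engine."""
    return [e["pattern"] for e in iter_indicators(api, page_size, detection_filters())]

class FakeListApi:
    """Constructed stand-in: serves rows in slices keyed by a numeric cursor."""
    def __init__(self, rows):
        self.rows, self.calls = rows, 0
    def list(self, **kwargs):
        self.calls += 1
        start = int(kwargs["after"]) if kwargs.get("after") else 0
        chunk = self.rows[start:start + kwargs["first"]]
        end = start + len(chunk)
        return {"entities": chunk, "pagination": {"endCursor": str(end),
                                                  "hasNextPage": end < len(self.rows)}}

# Constructed sample rows using the TEST-NET-3 documentation range.
SAMPLE_ROWS = [{"id": f"ind-{i}", "pattern": f"[ipv4-addr:value = '203.0.113.{i}']"}
               for i in range(5)]
```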
- read(**kwargs)
Read an Indicator object.
Read can be used either with a known OpenCTI entity id or with a valid filter that searches for and returns a single Indicator entity, or None.
Note: either id or filters is required.
- Parameters:
id (str) – the id of the Indicator
filters (dict) – the filters to apply if no id provided
customAttributes (str) – custom attributes to return
withFiles (bool) – whether to include files
- Returns:
Indicator object
- Return type:
dict or None
- create(**kwargs)
Create an Indicator object.
- Parameters:
stix_id (str) – (optional) the STIX ID
createdBy (str) – (optional) the author ID
objectMarking (list) – (optional) list of marking definition IDs
objectLabel (list) – (optional) list of label IDs
externalReferences (list) – (optional) list of external reference IDs
revoked (bool) – (optional) whether the indicator is revoked
confidence (int) – (optional) confidence level (0-100)
lang (str) – (optional) language
created (str) – (optional) creation date
modified (str) – (optional) modification date
pattern_type (str) – the pattern type (required)
pattern_version (str) – (optional) the pattern version
pattern (str) – the indicator pattern (required)
name (str) – the name of the Indicator (defaults to pattern)
description (str) – (optional) description
indicator_types (list) – (optional) list of indicator types
valid_from (str) – (optional) valid from date
valid_until (str) – (optional) valid until date
x_opencti_score (int) – (optional) score (default: 50)
x_opencti_detection (bool) – (optional) detection flag (default: False)
x_opencti_main_observable_type (str) – the main observable type (required)
x_mitre_platforms (list) – (optional) list of MITRE platforms
killChainPhases (list) – (optional) list of kill chain phase IDs
x_opencti_stix_ids (list) – (optional) list of additional STIX IDs
x_opencti_create_observables (bool) – (optional) create observables (default: False)
objectOrganization (list) – (optional) list of organization IDs
x_opencti_workflow_id (str) – (optional) workflow ID
x_opencti_modified_at (str) – (optional) custom modification date
update (bool) – (optional) whether to update if exists (default: False)
files (list) – (optional) list of File objects to attach
filesMarkings (list) – (optional) list of lists of marking definition IDs for each file
- Returns:
Indicator object
- Return type:
dict or None
- update_field(**kwargs)
Update an Indicator object field.
- Parameters:
id (str) – the Indicator id
input (list) – the input of the field
- Returns:
Updated indicator object
- Return type:
dict or None
- add_stix_cyber_observable(**kwargs)
Add a Stix-Cyber-Observable object to an Indicator object (based-on relationship).
- Parameters:
id (str) – the id of the Indicator
indicator (dict) – Indicator object
stix_cyber_observable_id (str) – the id of the Stix-Observable
- Returns:
True if there has been no import error
- Return type:
bool
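As an added example (not pycti's own code) covering both create() and add_stix_cyber_observable() above: it assembles a validated create() call for a SHA-256 file indicator with the three required parameters, a bounded x_opencti_score and update=True for idempotent feeds, then links the based-on observable. FakeCreateApi is a constructed stand-in exposing only those two methods so the example runs offline.

```python
# Added example (not pycti's code); FakeCreateApi is a constructed stand-in.
from datetime import datetime, timedelta, timezone

def build_indicator_kwargs(sha256, score=80, days_valid=90, detection=True):
    """Return create() kwargs for a STIX-pattern indicator on a SHA-256 hash."""
    digest = sha256.strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-character SHA-256 hex digest")
    if not 0 <= score <= 100:
        raise ValueError("x_opencti_score must be between 0 and 100")
    now = datetime.now(timezone.utc)
    return {
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{digest}']",
        "x_opencti_main_observable_type": "StixFile",
        "name": f"SHA-256 {digest[:12]}",
        "x_opencti_score": score,
        "x_opencti_detection": detection,
        "valid_from": now.isoformat(timespec="seconds"),
        "valid_until": (now + timedelta(days=days_valid)).isoformat(timespec="seconds"),
        "update": True,  # upsert: re-running a feed refreshes instead of failing
    }

def check_required(kwargs):
    """Fail early on the three parameters create() documents as required."""
    required = ("pattern_type", "pattern", "x_opencti_main_observable_type")
    missing = [k for k in required if not kwargs.get(k)]
    if missing:
        raise ValueError(f"Indicator.create() requires {missing}")
    return True

def push_indicator(api, sha256, observable_id=None, **overrides):
    """Create (or update) the indicator, then link its based-on observable."""
    kwargs = build_indicator_kwargs(sha256, **overrides)
    check_required(kwargs)
    indicator = api.create(**kwargs)
    if indicator and observable_id:
        api.add_stix_cyber_observable(id=indicator["id"], stix_cyber_observable_id=observable_id)
    return indicator

class FakeCreateApi:
    """Constructed stand-in recording calls; not the OpenCTI client."""
    def __init__(self):
        self.created, self.linked = [], []
    def create(self, **kwargs):
        self.created.append(kwargs)
        return {"id": f"fake-indicator-{len(self.created)}", **kwargs}
    def add_stix_cyber_observable(self, **kwargs):
        self.linked.append(kwargs)
        return True
```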