pycti.entities.opencti_observed_data
Classes
Main ObservedData class for OpenCTI |
Module Contents
- class pycti.entities.opencti_observed_data.ObservedData(opencti)[source]
Main ObservedData class for OpenCTI
Manages observed data and raw intelligence in the OpenCTI platform.
- Parameters:
opencti (OpenCTIApiClient) – instance of
OpenCTIApiClient
Initialize the ObservedData instance.
- Parameters:
opencti (OpenCTIApiClient) – OpenCTI API client instance
- properties = Multiline-String[source]
Show Value
""" id standard_id entity_type parent_types spec_version created_at updated_at status { id template { id name color } } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectOrganization { id standard_id name } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified } } } revoked confidence created modified first_observed last_observed number_observed objects(all: true) { edges { node { ... on BasicObject { id entity_type parent_types } ... on BasicRelationship { id entity_type parent_types } ... on StixObject { standard_id spec_version created_at updated_at } ... on AttackPattern { name } ... on Campaign { name } ... on CourseOfAction { name } ... on Individual { name } ... on Organization { name } ... on Sector { name } ... on System { name } ... on Indicator { name } ... on Infrastructure { name } ... on IntrusionSet { name } ... on Position { name } ... on City { name } ... on Country { name } ... on Region { name } ... on Malware { name } ... on ThreatActor { name } ... on Tool { name } ... on Vulnerability { name } ... on Incident { name } ... on Event { name } ... on Channel { name } ... on Narrative { name } ... on Language { name } ... on DataComponent { name } ... on DataSource { name } ... on Case { name } ... on StixCyberObservable { observable_value } ... on StixCoreRelationship { standard_id spec_version created_at updated_at } ... on StixSightingRelationship { standard_id spec_version created_at updated_at } } } } """
- properties_with_files = Multiline-String[source]
Show Value
""" id standard_id entity_type parent_types spec_version created_at updated_at status { id template { id name color } } createdBy { ... on Identity { id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel { id value color } } ... on Organization { x_opencti_organization_type x_opencti_reliability } ... on Individual { x_opencti_firstname x_opencti_lastname } } objectOrganization { id standard_id name } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } objectLabel { id value color } externalReferences { edges { node { id standard_id entity_type source_name description url hash external_id created modified importFiles { edges { node { id name size metaData { mimetype version } } } } } } } revoked confidence created modified first_observed last_observed number_observed objects(all: true) { edges { node { ... on BasicObject { id entity_type parent_types } ... on BasicRelationship { id entity_type parent_types } ... on StixObject { standard_id spec_version created_at updated_at } ... on AttackPattern { name } ... on Campaign { name } ... on CourseOfAction { name } ... on Individual { name } ... on Organization { name } ... on Sector { name } ... on System { name } ... on Indicator { name } ... on Infrastructure { name } ... on IntrusionSet { name } ... on Position { name } ... on City { name } ... on Country { name } ... on Region { name } ... on Malware { name } ... on ThreatActor { name } ... on Tool { name } ... on Vulnerability { name } ... on Incident { name } ... on Event { name } ... on Channel { name } ... on Narrative { name } ... on Language { name } ... on DataComponent { name } ... on DataSource { name } ... on Case { name } ... on StixCyberObservable { observable_value } ... on StixCoreRelationship { standard_id spec_version created_at updated_at } ... on StixSightingRelationship { standard_id spec_version created_at updated_at } } } } importFiles { edges { node { id name size metaData { mimetype version } objectMarking { id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color } } } } """
- static generate_id(object_ids)[source]
Generate a STIX ID for an Observed Data object.
- Parameters:
object_ids (list) – list of object IDs contained in the observed data
- Returns:
STIX ID for the Observed Data
- Return type:
str
- static generate_id_from_data(data)[source]
Generate a STIX ID from Observed Data data.
- Parameters:
data (dict) – Dictionary containing an ‘object_refs’ key
- Returns:
STIX ID for the Observed Data
- Return type:
str
- list(**kwargs)[source]
List ObservedData objects.
- Parameters:
filters (dict) – the filters to apply
search (str) – the search keyword
first (int) – return the first n rows from the after ID (or the beginning if not set)
after (str) – ID of the first row for pagination
- Returns:
List of ObservedData objects
- Return type:
list
- read(**kwargs)[source]
Read an ObservedData object.
- Parameters:
id (str) – the id of the ObservedData
filters (dict) – the filters to apply if no id provided
- Returns:
ObservedData object
- Return type:
dict or None
- contains_stix_object_or_stix_relationship(**kwargs)[source]
Check if an observedData already contains a STIX entity.
- Parameters:
id (str) – the id of the ObservedData
stixObjectOrStixRelationshipId (str) – the id of the STIX entity
- Returns:
True if contained, False otherwise
- Return type:
bool or None
- create(**kwargs)[source]
Create an ObservedData object.
- Parameters:
stix_id (str) – the STIX ID (optional)
createdBy (str) – the author ID (optional)
objects (list) – list of STIX object IDs (required)
objectMarking (list) – list of marking definition IDs (optional)
objectLabel (list) – list of label IDs (optional)
externalReferences (list) – list of external reference IDs (optional)
revoked (bool) – whether the observed data is revoked (optional)
confidence (int) – confidence level 0-100 (optional)
lang (str) – language (optional)
created (str) – creation date (optional)
modified (str) – modification date (optional)
first_observed (str) – the first observed datetime (required)
last_observed (str) – the last observed datetime (required)
number_observed (int) – number of times observed (optional)
x_opencti_stix_ids (list) – list of additional STIX IDs (optional)
objectOrganization (list) – list of organization IDs (optional)
x_opencti_workflow_id (str) – workflow ID (optional)
x_opencti_modified_at (str) – custom modification date (optional)
update (bool) – whether to update if exists (default: False)
files (list) – (optional) list of File objects to attach
filesMarkings (list) – (optional) list of lists of marking definition IDs for each file
- Returns:
ObservedData object
- Return type:
dict or None
- add_stix_object_or_stix_relationship(**kwargs)[source]
Add a Stix-Core-Object or stix_relationship to ObservedData object (object).
- Parameters:
id (str) – the id of the ObservedData
stixObjectOrStixRelationshipId (str) – the id of the Stix-Core-Object or stix_relationship
- Returns:
True if successful, False otherwise
- Return type:
bool
- remove_stix_object_or_stix_relationship(**kwargs)[source]
Remove a Stix-Core-Object or stix_relationship from Observed-Data object.
- Parameters:
id (str) – the id of the Observed-Data
stixObjectOrStixRelationshipId (str) – the id of the Stix-Core-Object or stix_relationship
- Returns:
True if successful, False otherwise
- Return type:
bool
- import_from_stix2(**kwargs)[source]
Import an ObservedData object from a STIX2 object.
- Parameters:
stixObject (dict) – the Stix-Object ObservedData
extras (dict) – additional parameters like created_by_id, object_marking_ids
update (bool) – whether to update existing object
- Returns:
ObservedData object
- Return type:
dict or None