pycti.entities.opencti_intrusion_set

class pycti.entities.opencti_intrusion_set.IntrusionSet(opencti)[source]

Main IntrusionSet class for OpenCTI

Manages intrusion sets (APT groups) in the OpenCTI platform.

Parameters:

opencti (OpenCTIApiClient) – instance of OpenCTIApiClient

__init__(opencti)[source]

Initialize the IntrusionSet instance.

Parameters:

opencti (OpenCTIApiClient) – OpenCTI API client instance

create(**kwargs)[source]

Create an Intrusion Set object.

Parameters:

  • stix_id (str) – (optional) the STIX ID

  • name (str) – the name of the Intrusion Set (required)

  • description (str) – description of the intrusion set

  • aliases (list) – list of aliases

  • first_seen (str) – first seen date

  • last_seen (str) – last seen date

  • goals (list) – goals of the intrusion set

  • resource_level (str) – resource level

  • primary_motivation (str) – primary motivation

  • secondary_motivations (list) – secondary motivations

  • createdBy (str) – creator identity ID

  • objectMarking (list) – marking definition IDs

  • objectLabel (list) – label IDs

  • externalReferences (list) – external reference IDs

  • objectOrganization (list) – organization IDs

  • revoked (bool) – whether the intrusion set is revoked

  • confidence (int) – confidence level (0-100)

  • lang (str) – language

  • created (str) – creation date

  • modified (str) – modification date

  • x_opencti_stix_ids (list) – additional STIX IDs

  • x_opencti_workflow_id (str) – workflow ID

  • x_opencti_modified_at (str) – custom modification date

  • update (bool) – whether to update existing intrusion set

  • files (list) – (optional) list of File objects to attach

  • filesMarkings (list) – (optional) list of lists of marking definition IDs for each file

Returns:

Intrusion Set object

Return type:

dict or None

static generate_id(name)[source]

Generate a STIX ID for an Intrusion Set.

Parameters:

name (str) – The name of the intrusion set

Returns:

STIX ID for the intrusion set

Return type:

str

static generate_id_from_data(data)[source]

Generate a STIX ID from intrusion set data.

Parameters:

data (dict) – Dictionary containing ‘name’ key

Returns:

STIX ID for the intrusion set

Return type:

str

import_from_stix2(**kwargs)[source]

Import an Intrusion Set object from a STIX2 object.

Parameters:

  • stixObject (dict) – the STIX2 Intrusion Set object

  • extras (dict) – extra parameters including created_by_id, object_marking_ids, etc.

  • update (bool) – whether to update if the entity already exists

Returns:

Intrusion Set object

Return type:

dict or None

list(**kwargs)[source]

List Intrusion Set objects.

Parameters:

  • filters (dict) – the filters to apply

  • search (str) – the search keyword

  • first (int) – return the first n rows from the after ID (or the beginning if not set)

  • after (str) – ID of the first row for pagination

  • orderBy (str) – field to order results by

  • orderMode (str) – ordering mode (asc/desc)

  • customAttributes (str) – custom attributes to return

  • getAll (bool) – whether to retrieve all results

  • withPagination (bool) – whether to include pagination info

  • withFiles (bool) – whether to include files

Returns:

List of Intrusion Set objects

Return type:

list

read(**kwargs)[source]

Read an Intrusion Set object.

Parameters:

  • id (str) – the id of the Intrusion Set

  • filters (dict) – the filters to apply if no id provided

  • customAttributes (str) – custom attributes to return

  • withFiles (bool) – whether to include files

Returns:

Intrusion Set object

Return type:

dict or None