pycti.entities.opencti_report

class pycti.entities.opencti_report.Report(opencti)

Main Report class for OpenCTI

Manages threat intelligence reports in the OpenCTI platform.

Parameters:

opencti (OpenCTIApiClient) – instance of OpenCTIApiClient

__init__(opencti)

Initialize the Report instance.

Parameters:

opencti (OpenCTIApiClient) – OpenCTI API client instance

add_stix_object_or_stix_relationship(**kwargs)

Add a STIX object or relationship to Report object (object_refs).

Parameters:
  • id (str) – the id of the Report

  • stixObjectOrStixRelationshipId (str) – the id of the STIX object or relationship

Returns:

True if successful, False otherwise

Return type:

bool

contains_stix_object_or_stix_relationship(**kwargs)

Check if a report already contains a STIX object or relationship.

Parameters:
  • id (str) – the id of the Report

  • stixObjectOrStixRelationshipId (str) – the id of the STIX object or relationship

Returns:

True if the report contains the entity, False otherwise

Return type:

bool

create(**kwargs)

Create a Report object.

Parameters:
  • stix_id – (optional) the STIX ID of the Report

  • createdBy – (optional) the author ID

  • objects – (optional) list of STIX object IDs contained in the report

  • objectMarking – (optional) list of marking definition IDs

  • objectAssignee – (optional) list of assignee IDs

  • objectParticipant – (optional) list of participant IDs

  • objectLabel – (optional) list of label IDs

  • externalReferences – (optional) list of external reference IDs

  • revoked – (optional) whether the report is revoked

  • confidence – (optional) confidence level (0-100)

  • lang – (optional) language of the report

  • created – (optional) creation date

  • modified – (optional) modification date

  • name – the name of the Report (required)

  • description – (optional) description of the report

  • content – (optional) content of the report

  • report_types – (optional) list of report types

  • published – the publication date (required)

  • x_opencti_reliability – (optional) reliability level

  • x_opencti_stix_ids – (optional) list of additional STIX IDs

  • objectOrganization – (optional) list of organization IDs

  • x_opencti_workflow_id – (optional) workflow ID

  • x_opencti_modified_at – (optional) custom modification date

  • update (bool) – (optional) whether to update if exists (default: False)

  • files (list) – (optional) list of File objects to attach

  • filesMarkings (list) – (optional) list of lists of marking definition IDs for each file

Returns:

Report object

Return type:

dict or None
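
A pre-flight check for the create() arguments listed above, as an added example that is not part of pycti; it relies only on the parameter names and constraints documented on this page. The function name, the require_marking policy switch, the ISO 8601 assumption for string dates and the sample values are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample inputs; IDs and file entries are placeholders.
GOOD = {
    "name": "Constructed sample report",
    "published": "2024-05-01T00:00:00.000Z",
    "confidence": 80,
    "objectMarking": ["marking-definition--placeholder"],
    "files": ["<file-1>"],
    "filesMarkings": [["marking-definition--placeholder"]],
}
BAD = dict(GOOD, name="", published="yesterday", confidence=150,
           objectMarking=[], files=["<file-1>", "<file-2>"])


def check_report_kwargs(kwargs, require_marking=True):
    """Return a list of problems in kwargs intended for Report.create()."""
    problems = []
    for key in ("name", "published"):  # documented as required
        if not kwargs.get(key):
            problems.append(f"{key} is required")
    conf = kwargs.get("confidence")
    if conf is not None and (isinstance(conf, bool)
                             or not isinstance(conf, (int, float))
                             or not 0 <= conf <= 100):
        problems.append("confidence must be a number from 0 to 100")
    published = kwargs.get("published")
    if isinstance(published, str) and published:
        # Assumption: string dates are ISO 8601, like STIX timestamps.
        try:
            datetime.fromisoformat(published.replace("Z", "+00:00"))
        except ValueError:
            problems.append("published is not an ISO 8601 date")
    files = kwargs.get("files") or []
    file_markings = kwargs.get("filesMarkings")
    if file_markings is not None and len(file_markings) != len(files):
        problems.append("filesMarkings must hold one list per file")
    if require_marking:  # local policy (assumption), not an API requirement
        if not kwargs.get("objectMarking"):
            problems.append("objectMarking is empty")
        if files and (not file_markings or any(not m for m in file_markings)):
            problems.append("an attached file has no marking")
    return problems


if __name__ == "__main__":
    print(check_report_kwargs(GOOD), check_report_kwargs(BAD))
```

Running the check before calling create() keeps a report or attachment from being ingested without a marking definition when local handling policy requires one.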

static generate_fixed_fake_id(name, published=None)

Generate a fixed fake STIX ID for a Report (used for testing).

Parameters:
  • name (str) – The name of the report

  • published (str or datetime.datetime or None) – (optional) The published date of the report

Returns:

STIX ID for the report

Return type:

str

static generate_id(name, published)

Generate a STIX ID for a Report.

Parameters:
  • name (str) – The name of the report

  • published (str or datetime.datetime) – The published date of the report

Returns:

STIX ID for the report

Return type:

str

static generate_id_from_data(data)

Generate a STIX ID from report data.

Parameters:

data (dict) – Dictionary containing ‘name’ and ‘published’ keys

Returns:

STIX ID for the report

Return type:

str

get_by_stix_id_or_name(**kwargs)

Read a Report object by stix_id or name.

Parameters:
  • stix_id (str) – the STIX ID of the Report

  • name (str) – the name of the Report

  • published (str) – the published date of the Report

  • customAttributes (str) – custom attributes to return

Returns:

Report object

Return type:

dict or None

import_from_stix2(**kwargs)

Import a Report object from a STIX2 object.

Parameters:
  • stixObject (dict) – the STIX2 Report object

  • extras (dict) – extra parameters including created_by_id, object_marking_ids, object_ids, etc.

  • update (bool) – whether to update if the entity already exists

Returns:

Report object

Return type:

dict or None

list(**kwargs)

List Report objects.

Parameters:
  • filters (dict) – the filters to apply

  • search (str) – the search keyword

  • first (int) – return the first n rows from the after ID (or the beginning if not set)

  • after (str) – ID of the first row for pagination

  • orderBy (str) – field to order results by

  • orderMode (str) – ordering mode (asc/desc)

  • customAttributes (str) – custom attributes to return

  • getAll (bool) – whether to retrieve all results

  • withPagination (bool) – whether to include pagination info

  • withFiles (bool) – whether to include files

Returns:

List of Report objects

Return type:

list

read(**kwargs)

Read a Report object.

Parameters:
  • id (str) – the id of the Report

  • filters (dict) – the filters to apply if no id provided

  • customAttributes (str) – custom attributes to return

  • withFiles (bool) – whether to include files

Returns:

Report object

Return type:

dict or None

remove_stix_object_or_stix_relationship(**kwargs)

Remove a STIX object or relationship from Report object (object_refs).

Parameters:
  • id (str) – the id of the Report

  • stixObjectOrStixRelationshipId (str) – the id of the STIX object or relationship

Returns:

True if successful, False otherwise

Return type:

bool