pycti.utils.constants

These are the custom STIX properties and observation types used internally by OpenCTI.

class pycti.utils.constants.CaseInsensitiveEnum(new_class_name, /, names, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Base Enum class with case-insensitive value lookup.

classmethod has_value(value)[source]

Check if the enum contains the given value (case-insensitive).

Parameters:

value (str) – Value to check

Returns:

True if value exists in enum, False otherwise

Return type:

bool

class pycti.utils.constants.ContainerTypes(*values)[source]

Enumeration of Container types supported by OpenCTI.

class pycti.utils.constants.CustomObjectCaseIncident[source]

Custom STIX2 Case-Incident object for OpenCTI.

Represents a case-incident container with associated metadata including name, description, severity, priority, and response types.

Parameters:

  • name (str) – Name of the case incident (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • description (str) – Description of the case incident

  • severity (str) – Severity level of the incident

  • priority (str) – Priority level of the incident

  • response_types (list) – List of response types

  • x_opencti_workflow_id (str) – OpenCTI workflow identifier

  • x_opencti_assignee_ids (list) – List of assignee identifiers

  • external_references (list) – List of external references

  • object_refs (list) – List of referenced STIX objects

class pycti.utils.constants.CustomObjectCaseRfi[source]

Custom STIX2 Case-RFI (Request For Information) object for OpenCTI.

Represents a request for information container with associated metadata including name, description, severity, priority, and information types.

Parameters:

  • name (str) – Name of the RFI case (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • description (str) – Description of the RFI case

  • severity (str) – Severity level of the RFI

  • priority (str) – Priority level of the RFI

  • information_types (list) – List of information types requested

  • x_opencti_workflow_id (str) – OpenCTI workflow identifier

  • x_opencti_assignee_ids (list) – List of assignee identifiers

  • external_references (list) – List of external references

  • object_refs (list) – List of referenced STIX objects

class pycti.utils.constants.CustomObjectChannel[source]

Custom STIX2 Channel object for OpenCTI.

Represents a communication channel with associated metadata including name, description, aliases, and channel types.

Parameters:

  • name (str) – Name of the channel (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • description (str) – Description of the channel

  • aliases (list) – List of alternative names for the channel

  • channel_types (list) – List of channel types

  • x_opencti_workflow_id (str) – OpenCTI workflow identifier

  • x_opencti_assignee_ids (list) – List of assignee identifiers

  • external_references (list) – List of external references

class pycti.utils.constants.CustomObjectTask[source]

Custom STIX2 Task object for OpenCTI.

Represents a task with associated metadata including name, description, due date, and assignees.

Parameters:

  • name (str) – Name of the task (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • description (str) – Description of the task

  • due_date (datetime) – Due date timestamp for the task

  • x_opencti_workflow_id (str) – OpenCTI workflow identifier

  • x_opencti_assignee_ids (list) – List of assignee identifiers

  • object_refs (list) – List of referenced STIX objects

class pycti.utils.constants.CustomObservableAIPrompt[source]

Custom STIX2 AI Prompt observable for OpenCTI.

Represents an AI prompt cyber observable used in AI-related threat intelligence.

Parameters:

  • value (str) – The AI prompt value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableBankAccount[source]

Custom STIX2 Bank Account observable for OpenCTI.

Represents a bank account cyber observable with account details.

Parameters:

  • value (str) – Display value for the bank account (required)

  • iban (str) – International Bank Account Number (required)

  • bic (str) – Bank Identifier Code

  • account_number (str) – Bank account number

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableCredential[source]

Custom STIX2 Credential observable for OpenCTI.

Represents a credential cyber observable such as a password or access token.

Parameters:

  • value (str) – The credential value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableCryptocurrencyWallet[source]

Custom STIX2 Cryptocurrency Wallet observable for OpenCTI.

Represents a cryptocurrency wallet address cyber observable.

Parameters:

  • value (str) – The wallet address value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableCryptographicKey[source]

Custom STIX2 Cryptographic-Key observable for OpenCTI.

Represents a cryptographic key cyber observable such as API keys or encryption keys.

Parameters:

  • value (str) – The cryptographic key value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableHostname[source]

Custom STIX2 Hostname observable for OpenCTI.

Represents a hostname cyber observable with its associated value.

Parameters:

  • value (str) – The hostname value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableICCID[source]

ICCID observable.

Represents an unique serial number of a SIM card, printed on the SIM itself.

Format: up to 18-20 digits, numeric only.

Parameters:

  • value (str) – The ICCID value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableIMEI[source]

IMEI observable.

Represents an International Mobile Equipment Identity which is a phone serial number.

Format: 14 digits + 1 check digit, numeric only, (can be 16 for legacy digits total).

Parameters:

  • value (str) – The IMEI value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableIMSI[source]

IMSI observable.

Identifies the user as a subscriber in the mobile network.

Format: usually 15 digits (can be 14-15), numeric only Composed of MCC+MNC+MSIN

Parameters:

  • value (str) – The IMSI value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableMediaContent[source]

Custom STIX2 Media-Content observable for OpenCTI.

Represents a media content cyber observable such as articles or posts.

Parameters:

  • title (str) – Title of the media content

  • description (str) – Description of the media content

  • content (str) – The actual content body

  • media_category (str) – Category of the media

  • url (str) – URL of the media content (required)

  • publication_date (datetime) – Publication date timestamp

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservablePaymentCard[source]

Custom STIX2 Payment Card observable for OpenCTI.

Represents a payment card cyber observable with card details.

Parameters:

  • value (str) – Display value for the payment card (required)

  • card_number (str) – The payment card number (required)

  • expiration_date (str) – Card expiration date

  • cvv (str) – Card verification value

  • holder_name (str) – Name of the card holder

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservablePersona[source]

Custom STIX2 Persona observable for OpenCTI.

Represents a persona or online identity cyber observable.

Parameters:

  • persona_name (str) – Name of the persona (required)

  • persona_type (str) – Type of the persona (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservablePhoneNumber[source]

Custom STIX2 Phone Number observable for OpenCTI.

Represents a phone number cyber observable.

Parameters:

  • value (str) – The phone number value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableSshKey[source]

Custom STIX2 SSH-Key observable for OpenCTI.

Represents an SSH key cyber observable such as public or private SSH keys.

Parameters:

  • value (str) – The SSH key value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableText[source]

Custom STIX2 Text observable for OpenCTI.

Represents a generic text cyber observable with its associated value.

Parameters:

  • value (str) – The text value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableTrackingNumber[source]

Custom STIX2 Tracking Number observable for OpenCTI.

Represents a tracking number cyber observable (e.g., package tracking).

Parameters:

  • value (str) – The tracking number value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.CustomObservableUserAgent[source]

Custom STIX2 User-Agent observable for OpenCTI.

Represents a User-Agent string cyber observable from HTTP headers.

Parameters:

  • value (str) – The User-Agent string value (required)

  • spec_version (str) – STIX specification version, fixed to “2.1”

  • object_marking_refs (list) – List of marking definition references

class pycti.utils.constants.IdentityTypes(*values)[source]

Enumeration of Identity types supported by OpenCTI.

class pycti.utils.constants.LocationTypes(*values)[source]

Enumeration of Location types supported by OpenCTI.

class pycti.utils.constants.MultipleRefRelationship(*values)[source]

Enumeration of relationship types that can have multiple references.

class pycti.utils.constants.StixCyberObservableTypes(*values)[source]

Enumeration of STIX Cyber Observable types supported by OpenCTI.

class pycti.utils.constants.StixMetaTypes(*values)[source]

Enumeration of STIX Meta Object types supported by OpenCTI.

class pycti.utils.constants.ThreatActorTypes(*values)[source]

Enumeration of Threat Actor types supported by OpenCTI.