pycti 5.12.21__py3-none-any.whl → 5.12.23__py3-none-any.whl


Potentially problematic release.



Files changed (50) hide show
  1. pycti/__init__.py +1 -1
  2. pycti/connector/opencti_connector_helper.py +13 -11
  3. pycti/entities/opencti_attack_pattern.py +76 -58
  4. pycti/entities/opencti_campaign.py +49 -41
  5. pycti/entities/opencti_case_incident.py +62 -48
  6. pycti/entities/opencti_case_rfi.py +45 -35
  7. pycti/entities/opencti_case_rft.py +45 -35
  8. pycti/entities/opencti_channel.py +45 -35
  9. pycti/entities/opencti_course_of_action.py +43 -35
  10. pycti/entities/opencti_data_component.py +43 -35
  11. pycti/entities/opencti_data_source.py +48 -38
  12. pycti/entities/opencti_event.py +44 -38
  13. pycti/entities/opencti_external_reference.py +5 -3
  14. pycti/entities/opencti_feedback.py +40 -32
  15. pycti/entities/opencti_grouping.py +43 -35
  16. pycti/entities/opencti_identity.py +91 -73
  17. pycti/entities/opencti_incident.py +59 -47
  18. pycti/entities/opencti_indicator.py +110 -84
  19. pycti/entities/opencti_infrastructure.py +56 -44
  20. pycti/entities/opencti_intrusion_set.py +61 -47
  21. pycti/entities/opencti_language.py +30 -24
  22. pycti/entities/opencti_location.py +41 -35
  23. pycti/entities/opencti_malware.py +83 -63
  24. pycti/entities/opencti_malware_analysis.py +87 -63
  25. pycti/entities/opencti_marking_definition.py +24 -18
  26. pycti/entities/opencti_narrative.py +45 -35
  27. pycti/entities/opencti_note.py +51 -39
  28. pycti/entities/opencti_observed_data.py +70 -48
  29. pycti/entities/opencti_opinion.py +40 -32
  30. pycti/entities/opencti_report.py +74 -47
  31. pycti/entities/opencti_stix_core_object.py +10 -10
  32. pycti/entities/opencti_stix_core_relationship.py +55 -41
  33. pycti/entities/opencti_stix_cyber_observable.py +442 -318
  34. pycti/entities/opencti_stix_domain_object.py +15 -13
  35. pycti/entities/opencti_stix_object_or_stix_relationship.py +5 -5
  36. pycti/entities/opencti_task.py +44 -36
  37. pycti/entities/opencti_threat_actor_group.py +76 -56
  38. pycti/entities/opencti_threat_actor_individual.py +76 -56
  39. pycti/entities/opencti_tool.py +53 -41
  40. pycti/entities/opencti_vulnerability.py +151 -109
  41. pycti/utils/constants.py +1 -0
  42. pycti/utils/opencti_stix2.py +177 -139
  43. pycti/utils/opencti_stix2_update.py +20 -12
  44. pycti/utils/opencti_stix2_utils.py +5 -3
  45. {pycti-5.12.21.dist-info → pycti-5.12.23.dist-info}/METADATA +2 -2
  46. pycti-5.12.23.dist-info/RECORD +68 -0
  47. pycti-5.12.21.dist-info/RECORD +0 -68
  48. {pycti-5.12.21.dist-info → pycti-5.12.23.dist-info}/LICENSE +0 -0
  49. {pycti-5.12.21.dist-info → pycti-5.12.23.dist-info}/WHEEL +0 -0
  50. {pycti-5.12.21.dist-info → pycti-5.12.23.dist-info}/top_level.txt +0 -0
@@ -807,9 +807,11 @@ class StixCyberObservable:
807
807
  {
808
808
  "id": id,
809
809
  "file": (self.file(final_file_name, data, mime_type)),
810
- "noTriggerImport": no_trigger_import
811
- if isinstance(no_trigger_import, bool)
812
- else no_trigger_import == "True",
810
+ "noTriggerImport": (
811
+ no_trigger_import
812
+ if isinstance(no_trigger_import, bool)
813
+ else no_trigger_import == "True"
814
+ ),
813
815
  },
814
816
  )
815
817
  else:
@@ -1048,26 +1050,28 @@ class StixCyberObservable:
1048
1050
  if type == "Autonomous-System":
1049
1051
  input_variables["AutonomousSystem"] = {
1050
1052
  "number": observable_data["number"],
1051
- "name": observable_data["name"]
1052
- if "name" in observable_data
1053
- else None,
1053
+ "name": (
1054
+ observable_data["name"] if "name" in observable_data else None
1055
+ ),
1054
1056
  "rir": observable_data["rir"] if "rir" in observable_data else None,
1055
1057
  }
1056
1058
  elif type == "Directory":
1057
1059
  input_variables["Directory"] = {
1058
1060
  "path": observable_data["path"],
1059
- "path_enc": observable_data["path_enc"]
1060
- if "path_enc" in observable_data
1061
- else None,
1062
- "ctime": observable_data["ctime"]
1063
- if "ctime" in observable_data
1064
- else None,
1065
- "mtime": observable_data["mtime"]
1066
- if "mtime" in observable_data
1067
- else None,
1068
- "atime": observable_data["atime"]
1069
- if "atime" in observable_data
1070
- else None,
1061
+ "path_enc": (
1062
+ observable_data["path_enc"]
1063
+ if "path_enc" in observable_data
1064
+ else None
1065
+ ),
1066
+ "ctime": (
1067
+ observable_data["ctime"] if "ctime" in observable_data else None
1068
+ ),
1069
+ "mtime": (
1070
+ observable_data["mtime"] if "mtime" in observable_data else None
1071
+ ),
1072
+ "atime": (
1073
+ observable_data["atime"] if "atime" in observable_data else None
1074
+ ),
1071
1075
  }
1072
1076
  elif type == "Domain-Name":
1073
1077
  input_variables["DomainName"] = {"value": observable_data["value"]}
@@ -1076,42 +1080,56 @@ class StixCyberObservable:
1076
1080
  elif type == "Email-Addr":
1077
1081
  input_variables["EmailAddr"] = {
1078
1082
  "value": observable_data["value"],
1079
- "display_name": observable_data["display_name"]
1080
- if "display_name" in observable_data
1081
- else None,
1083
+ "display_name": (
1084
+ observable_data["display_name"]
1085
+ if "display_name" in observable_data
1086
+ else None
1087
+ ),
1082
1088
  }
1083
1089
  elif type == "Email-Message":
1084
1090
  input_variables["EmailMessage"] = {
1085
- "is_multipart": observable_data["is_multipart"]
1086
- if "is_multipart" in observable_data
1087
- else None,
1088
- "attribute_date": observable_data["date"]
1089
- if "date" in observable_data
1090
- else None,
1091
- "message_id": observable_data["message_id"]
1092
- if "message_id" in observable_data
1093
- else None,
1094
- "subject": observable_data["subject"]
1095
- if "subject" in observable_data
1096
- else None,
1097
- "received_lines": observable_data["received_lines"]
1098
- if "received_lines" in observable_data
1099
- else None,
1100
- "body": observable_data["body"]
1101
- if "body" in observable_data
1102
- else None,
1091
+ "is_multipart": (
1092
+ observable_data["is_multipart"]
1093
+ if "is_multipart" in observable_data
1094
+ else None
1095
+ ),
1096
+ "attribute_date": (
1097
+ observable_data["date"] if "date" in observable_data else None
1098
+ ),
1099
+ "message_id": (
1100
+ observable_data["message_id"]
1101
+ if "message_id" in observable_data
1102
+ else None
1103
+ ),
1104
+ "subject": (
1105
+ observable_data["subject"]
1106
+ if "subject" in observable_data
1107
+ else None
1108
+ ),
1109
+ "received_lines": (
1110
+ observable_data["received_lines"]
1111
+ if "received_lines" in observable_data
1112
+ else None
1113
+ ),
1114
+ "body": (
1115
+ observable_data["body"] if "body" in observable_data else None
1116
+ ),
1103
1117
  }
1104
1118
  elif type == "Email-Mime-Part-Type":
1105
1119
  input_variables["EmailMimePartType"] = {
1106
- "body": observable_data["body"]
1107
- if "body" in observable_data
1108
- else None,
1109
- "content_type": observable_data["content_type"]
1110
- if "content_type" in observable_data
1111
- else None,
1112
- "content_disposition": observable_data["content_disposition"]
1113
- if "content_disposition" in observable_data
1114
- else None,
1120
+ "body": (
1121
+ observable_data["body"] if "body" in observable_data else None
1122
+ ),
1123
+ "content_type": (
1124
+ observable_data["content_type"]
1125
+ if "content_type" in observable_data
1126
+ else None
1127
+ ),
1128
+ "content_disposition": (
1129
+ observable_data["content_disposition"]
1130
+ if "content_disposition" in observable_data
1131
+ else None
1132
+ ),
1115
1133
  }
1116
1134
  elif type == "Artifact":
1117
1135
  if (
@@ -1121,28 +1139,34 @@ class StixCyberObservable:
1121
1139
  )
1122
1140
  is not None
1123
1141
  ):
1124
- observable_data[
1125
- "x_opencti_additional_names"
1126
- ] = self.opencti.get_attribute_in_extension(
1127
- "additional_names", observable_data
1142
+ observable_data["x_opencti_additional_names"] = (
1143
+ self.opencti.get_attribute_in_extension(
1144
+ "additional_names", observable_data
1145
+ )
1128
1146
  )
1129
1147
  input_variables["Artifact"] = {
1130
1148
  "hashes": hashes if len(hashes) > 0 else None,
1131
- "mime_type": observable_data["mime_type"]
1132
- if "mime_type" in observable_data
1133
- else None,
1149
+ "mime_type": (
1150
+ observable_data["mime_type"]
1151
+ if "mime_type" in observable_data
1152
+ else None
1153
+ ),
1134
1154
  "url": observable_data["url"] if "url" in observable_data else None,
1135
- "encryption_algorithm": observable_data["encryption_algorithm"]
1136
- if "encryption_algorithm" in observable_data
1137
- else None,
1138
- "decryption_key": observable_data["decryption_key"]
1139
- if "decryption_key" in observable_data
1140
- else None,
1141
- "x_opencti_additional_names": observable_data[
1142
- "x_opencti_additional_names"
1143
- ]
1144
- if "x_opencti_additional_names" in observable_data
1145
- else None,
1155
+ "encryption_algorithm": (
1156
+ observable_data["encryption_algorithm"]
1157
+ if "encryption_algorithm" in observable_data
1158
+ else None
1159
+ ),
1160
+ "decryption_key": (
1161
+ observable_data["decryption_key"]
1162
+ if "decryption_key" in observable_data
1163
+ else None
1164
+ ),
1165
+ "x_opencti_additional_names": (
1166
+ observable_data["x_opencti_additional_names"]
1167
+ if "x_opencti_additional_names" in observable_data
1168
+ else None
1169
+ ),
1146
1170
  }
1147
1171
  elif type == "StixFile":
1148
1172
  if (
@@ -1152,340 +1176,440 @@ class StixCyberObservable:
1152
1176
  )
1153
1177
  is not None
1154
1178
  ):
1155
- observable_data[
1156
- "x_opencti_additional_names"
1157
- ] = self.opencti.get_attribute_in_extension(
1158
- "additional_names", observable_data
1179
+ observable_data["x_opencti_additional_names"] = (
1180
+ self.opencti.get_attribute_in_extension(
1181
+ "additional_names", observable_data
1182
+ )
1159
1183
  )
1160
1184
  input_variables["StixFile"] = {
1161
1185
  "hashes": hashes if len(hashes) > 0 else None,
1162
- "size": observable_data["size"]
1163
- if "size" in observable_data
1164
- else None,
1165
- "name": observable_data["name"]
1166
- if "name" in observable_data
1167
- else None,
1168
- "name_enc": observable_data["name_enc"]
1169
- if "name_enc" in observable_data
1170
- else None,
1171
- "magic_number_hex": observable_data["magic_number_hex"]
1172
- if "magic_number_hex" in observable_data
1173
- else None,
1174
- "mime_type": observable_data["mime_type"]
1175
- if "mime_type" in observable_data
1176
- else None,
1177
- "mtime": observable_data["mtime"]
1178
- if "mtime" in observable_data
1179
- else None,
1180
- "ctime": observable_data["ctime"]
1181
- if "ctime" in observable_data
1182
- else None,
1183
- "atime": observable_data["atime"]
1184
- if "atime" in observable_data
1185
- else None,
1186
- "x_opencti_additional_names": observable_data[
1187
- "x_opencti_additional_names"
1188
- ]
1189
- if "x_opencti_additional_names" in observable_data
1190
- else None,
1186
+ "size": (
1187
+ observable_data["size"] if "size" in observable_data else None
1188
+ ),
1189
+ "name": (
1190
+ observable_data["name"] if "name" in observable_data else None
1191
+ ),
1192
+ "name_enc": (
1193
+ observable_data["name_enc"]
1194
+ if "name_enc" in observable_data
1195
+ else None
1196
+ ),
1197
+ "magic_number_hex": (
1198
+ observable_data["magic_number_hex"]
1199
+ if "magic_number_hex" in observable_data
1200
+ else None
1201
+ ),
1202
+ "mime_type": (
1203
+ observable_data["mime_type"]
1204
+ if "mime_type" in observable_data
1205
+ else None
1206
+ ),
1207
+ "mtime": (
1208
+ observable_data["mtime"] if "mtime" in observable_data else None
1209
+ ),
1210
+ "ctime": (
1211
+ observable_data["ctime"] if "ctime" in observable_data else None
1212
+ ),
1213
+ "atime": (
1214
+ observable_data["atime"] if "atime" in observable_data else None
1215
+ ),
1216
+ "x_opencti_additional_names": (
1217
+ observable_data["x_opencti_additional_names"]
1218
+ if "x_opencti_additional_names" in observable_data
1219
+ else None
1220
+ ),
1191
1221
  }
1192
1222
  elif type == "X509-Certificate":
1193
1223
  input_variables["X509Certificate"] = {
1194
1224
  "hashes": hashes if len(hashes) > 0 else None,
1195
- "is_self_signed": observable_data["is_self_signed"]
1196
- if "is_self_signed" in observable_data
1197
- else False,
1198
- "version": observable_data["version"]
1199
- if "version" in observable_data
1200
- else None,
1201
- "serial_number": observable_data["serial_number"]
1202
- if "serial_number" in observable_data
1203
- else None,
1204
- "signature_algorithm": observable_data["signature_algorithm"]
1205
- if "signature_algorithm" in observable_data
1206
- else None,
1207
- "issuer": observable_data["issuer"]
1208
- if "issuer" in observable_data
1209
- else None,
1210
- "validity_not_before": observable_data["validity_not_before"]
1211
- if "validity_not_before" in observable_data
1212
- else None,
1213
- "validity_not_after": observable_data["validity_not_after"]
1214
- if "validity_not_after" in observable_data
1215
- else None,
1216
- "subject": observable_data["subject"]
1217
- if "subject" in observable_data
1218
- else None,
1219
- "subject_public_key_algorithm": observable_data[
1220
- "subject_public_key_algorithm"
1221
- ]
1222
- if "subject_public_key_algorithm" in observable_data
1223
- else None,
1224
- "subject_public_key_modulus": observable_data[
1225
- "subject_public_key_modulus"
1226
- ]
1227
- if "subject_public_key_modulus" in observable_data
1228
- else None,
1229
- "subject_public_key_exponent": observable_data[
1230
- "subject_public_key_exponent"
1231
- ]
1232
- if "subject_public_key_exponent" in observable_data
1233
- else None,
1225
+ "is_self_signed": (
1226
+ observable_data["is_self_signed"]
1227
+ if "is_self_signed" in observable_data
1228
+ else False
1229
+ ),
1230
+ "version": (
1231
+ observable_data["version"]
1232
+ if "version" in observable_data
1233
+ else None
1234
+ ),
1235
+ "serial_number": (
1236
+ observable_data["serial_number"]
1237
+ if "serial_number" in observable_data
1238
+ else None
1239
+ ),
1240
+ "signature_algorithm": (
1241
+ observable_data["signature_algorithm"]
1242
+ if "signature_algorithm" in observable_data
1243
+ else None
1244
+ ),
1245
+ "issuer": (
1246
+ observable_data["issuer"]
1247
+ if "issuer" in observable_data
1248
+ else None
1249
+ ),
1250
+ "validity_not_before": (
1251
+ observable_data["validity_not_before"]
1252
+ if "validity_not_before" in observable_data
1253
+ else None
1254
+ ),
1255
+ "validity_not_after": (
1256
+ observable_data["validity_not_after"]
1257
+ if "validity_not_after" in observable_data
1258
+ else None
1259
+ ),
1260
+ "subject": (
1261
+ observable_data["subject"]
1262
+ if "subject" in observable_data
1263
+ else None
1264
+ ),
1265
+ "subject_public_key_algorithm": (
1266
+ observable_data["subject_public_key_algorithm"]
1267
+ if "subject_public_key_algorithm" in observable_data
1268
+ else None
1269
+ ),
1270
+ "subject_public_key_modulus": (
1271
+ observable_data["subject_public_key_modulus"]
1272
+ if "subject_public_key_modulus" in observable_data
1273
+ else None
1274
+ ),
1275
+ "subject_public_key_exponent": (
1276
+ observable_data["subject_public_key_exponent"]
1277
+ if "subject_public_key_exponent" in observable_data
1278
+ else None
1279
+ ),
1234
1280
  }
1235
1281
  elif type == "IPv4-Addr":
1236
1282
  input_variables["IPv4Addr"] = {
1237
- "value": observable_data["value"]
1238
- if "value" in observable_data
1239
- else None,
1283
+ "value": (
1284
+ observable_data["value"] if "value" in observable_data else None
1285
+ ),
1240
1286
  }
1241
1287
  elif type == "IPv6-Addr":
1242
1288
  input_variables["IPv6Addr"] = {
1243
- "value": observable_data["value"]
1244
- if "value" in observable_data
1245
- else None,
1289
+ "value": (
1290
+ observable_data["value"] if "value" in observable_data else None
1291
+ ),
1246
1292
  }
1247
1293
  elif type == "Mac-Addr":
1248
1294
  input_variables["MacAddr"] = {
1249
- "value": observable_data["value"]
1250
- if "value" in observable_data
1251
- else None,
1295
+ "value": (
1296
+ observable_data["value"] if "value" in observable_data else None
1297
+ ),
1252
1298
  }
1253
1299
  elif type == "Mutex":
1254
1300
  input_variables["Mutex"] = {
1255
- "name": observable_data["name"]
1256
- if "name" in observable_data
1257
- else None,
1301
+ "name": (
1302
+ observable_data["name"] if "name" in observable_data else None
1303
+ ),
1258
1304
  }
1259
1305
  elif type == "Network-Traffic":
1260
1306
  input_variables["NetworkTraffic"] = {
1261
- "start": observable_data["start"]
1262
- if "start" in observable_data
1263
- else None,
1307
+ "start": (
1308
+ observable_data["start"] if "start" in observable_data else None
1309
+ ),
1264
1310
  "end": observable_data["end"] if "end" in observable_data else None,
1265
- "is_active": observable_data["is_active"]
1266
- if "is_active" in observable_data
1267
- else None,
1268
- "src_port": observable_data["src_port"]
1269
- if "src_port" in observable_data
1270
- else None,
1271
- "dst_port": observable_data["dst_port"]
1272
- if "dst_port" in observable_data
1273
- else None,
1274
- "protocols": observable_data["protocols"]
1275
- if "protocols" in observable_data
1276
- else None,
1277
- "src_byte_count": observable_data["src_byte_count"]
1278
- if "src_byte_count" in observable_data
1279
- else None,
1280
- "dst_byte_count": observable_data["dst_byte_count"]
1281
- if "dst_byte_count" in observable_data
1282
- else None,
1283
- "src_packets": observable_data["src_packets"]
1284
- if "src_packets" in observable_data
1285
- else None,
1286
- "dst_packets": observable_data["dst_packets"]
1287
- if "dst_packets" in observable_data
1288
- else None,
1311
+ "is_active": (
1312
+ observable_data["is_active"]
1313
+ if "is_active" in observable_data
1314
+ else None
1315
+ ),
1316
+ "src_port": (
1317
+ observable_data["src_port"]
1318
+ if "src_port" in observable_data
1319
+ else None
1320
+ ),
1321
+ "dst_port": (
1322
+ observable_data["dst_port"]
1323
+ if "dst_port" in observable_data
1324
+ else None
1325
+ ),
1326
+ "protocols": (
1327
+ observable_data["protocols"]
1328
+ if "protocols" in observable_data
1329
+ else None
1330
+ ),
1331
+ "src_byte_count": (
1332
+ observable_data["src_byte_count"]
1333
+ if "src_byte_count" in observable_data
1334
+ else None
1335
+ ),
1336
+ "dst_byte_count": (
1337
+ observable_data["dst_byte_count"]
1338
+ if "dst_byte_count" in observable_data
1339
+ else None
1340
+ ),
1341
+ "src_packets": (
1342
+ observable_data["src_packets"]
1343
+ if "src_packets" in observable_data
1344
+ else None
1345
+ ),
1346
+ "dst_packets": (
1347
+ observable_data["dst_packets"]
1348
+ if "dst_packets" in observable_data
1349
+ else None
1350
+ ),
1289
1351
  }
1290
1352
  elif type == "Process":
1291
1353
  input_variables["Process"] = {
1292
- "is_hidden": observable_data["is_hidden"]
1293
- if "is_hidden" in observable_data
1294
- else None,
1354
+ "is_hidden": (
1355
+ observable_data["is_hidden"]
1356
+ if "is_hidden" in observable_data
1357
+ else None
1358
+ ),
1295
1359
  "pid": observable_data["pid"] if "pid" in observable_data else None,
1296
- "created_time": observable_data["created_time"]
1297
- if "created_time" in observable_data
1298
- else None,
1360
+ "created_time": (
1361
+ observable_data["created_time"]
1362
+ if "created_time" in observable_data
1363
+ else None
1364
+ ),
1299
1365
  "cwd": observable_data["cwd"] if "cwd" in observable_data else None,
1300
- "command_line": observable_data["command_line"]
1301
- if "command_line" in observable_data
1302
- else None,
1303
- "environment_variables": observable_data["environment_variables"]
1304
- if "environment_variables" in observable_data
1305
- else None,
1366
+ "command_line": (
1367
+ observable_data["command_line"]
1368
+ if "command_line" in observable_data
1369
+ else None
1370
+ ),
1371
+ "environment_variables": (
1372
+ observable_data["environment_variables"]
1373
+ if "environment_variables" in observable_data
1374
+ else None
1375
+ ),
1306
1376
  }
1307
1377
  elif type == "Software":
1308
1378
  input_variables["Software"] = {
1309
- "name": observable_data["name"]
1310
- if "name" in observable_data
1311
- else None,
1379
+ "name": (
1380
+ observable_data["name"] if "name" in observable_data else None
1381
+ ),
1312
1382
  "cpe": observable_data["cpe"] if "cpe" in observable_data else None,
1313
- "swid": observable_data["swid"]
1314
- if "swid" in observable_data
1315
- else None,
1316
- "languages": observable_data["languages"]
1317
- if "languages" in observable_data
1318
- else None,
1319
- "vendor": observable_data["vendor"]
1320
- if "vendor" in observable_data
1321
- else None,
1322
- "version": observable_data["version"]
1323
- if "version" in observable_data
1324
- else None,
1383
+ "swid": (
1384
+ observable_data["swid"] if "swid" in observable_data else None
1385
+ ),
1386
+ "languages": (
1387
+ observable_data["languages"]
1388
+ if "languages" in observable_data
1389
+ else None
1390
+ ),
1391
+ "vendor": (
1392
+ observable_data["vendor"]
1393
+ if "vendor" in observable_data
1394
+ else None
1395
+ ),
1396
+ "version": (
1397
+ observable_data["version"]
1398
+ if "version" in observable_data
1399
+ else None
1400
+ ),
1325
1401
  }
1326
1402
  elif type == "Url":
1327
1403
  input_variables["Url"] = {
1328
- "value": observable_data["value"]
1329
- if "value" in observable_data
1330
- else None,
1404
+ "value": (
1405
+ observable_data["value"] if "value" in observable_data else None
1406
+ ),
1331
1407
  }
1332
1408
  elif type == "User-Account":
1333
1409
  input_variables["UserAccount"] = {
1334
- "user_id": observable_data["user_id"]
1335
- if "user_id" in observable_data
1336
- else None,
1337
- "credential": observable_data["credential"]
1338
- if "credential" in observable_data
1339
- else None,
1340
- "account_login": observable_data["account_login"]
1341
- if "account_login" in observable_data
1342
- else None,
1343
- "account_type": observable_data["account_type"]
1344
- if "account_type" in observable_data
1345
- else None,
1346
- "display_name": observable_data["display_name"]
1347
- if "display_name" in observable_data
1348
- else None,
1349
- "is_service_account": observable_data["is_service_account"]
1350
- if "is_service_account" in observable_data
1351
- else None,
1352
- "is_privileged": observable_data["is_privileged"]
1353
- if "is_privileged" in observable_data
1354
- else None,
1355
- "can_escalate_privs": observable_data["can_escalate_privs"]
1356
- if "can_escalate_privs" in observable_data
1357
- else None,
1358
- "is_disabled": observable_data["is_disabled"]
1359
- if "is_disabled" in observable_data
1360
- else None,
1361
- "account_created": observable_data["account_created"]
1362
- if "account_created" in observable_data
1363
- else None,
1364
- "account_expires": observable_data["account_expires"]
1365
- if "account_expires" in observable_data
1366
- else None,
1367
- "credential_last_changed": observable_data[
1368
- "credential_last_changed"
1369
- ]
1370
- if "credential_last_changed" in observable_data
1371
- else None,
1372
- "account_first_login": observable_data["account_first_login"]
1373
- if "account_first_login" in observable_data
1374
- else None,
1375
- "account_last_login": observable_data["account_last_login"]
1376
- if "account_last_login" in observable_data
1377
- else None,
1410
+ "user_id": (
1411
+ observable_data["user_id"]
1412
+ if "user_id" in observable_data
1413
+ else None
1414
+ ),
1415
+ "credential": (
1416
+ observable_data["credential"]
1417
+ if "credential" in observable_data
1418
+ else None
1419
+ ),
1420
+ "account_login": (
1421
+ observable_data["account_login"]
1422
+ if "account_login" in observable_data
1423
+ else None
1424
+ ),
1425
+ "account_type": (
1426
+ observable_data["account_type"]
1427
+ if "account_type" in observable_data
1428
+ else None
1429
+ ),
1430
+ "display_name": (
1431
+ observable_data["display_name"]
1432
+ if "display_name" in observable_data
1433
+ else None
1434
+ ),
1435
+ "is_service_account": (
1436
+ observable_data["is_service_account"]
1437
+ if "is_service_account" in observable_data
1438
+ else None
1439
+ ),
1440
+ "is_privileged": (
1441
+ observable_data["is_privileged"]
1442
+ if "is_privileged" in observable_data
1443
+ else None
1444
+ ),
1445
+ "can_escalate_privs": (
1446
+ observable_data["can_escalate_privs"]
1447
+ if "can_escalate_privs" in observable_data
1448
+ else None
1449
+ ),
1450
+ "is_disabled": (
1451
+ observable_data["is_disabled"]
1452
+ if "is_disabled" in observable_data
1453
+ else None
1454
+ ),
1455
+ "account_created": (
1456
+ observable_data["account_created"]
1457
+ if "account_created" in observable_data
1458
+ else None
1459
+ ),
1460
+ "account_expires": (
1461
+ observable_data["account_expires"]
1462
+ if "account_expires" in observable_data
1463
+ else None
1464
+ ),
1465
+ "credential_last_changed": (
1466
+ observable_data["credential_last_changed"]
1467
+ if "credential_last_changed" in observable_data
1468
+ else None
1469
+ ),
1470
+ "account_first_login": (
1471
+ observable_data["account_first_login"]
1472
+ if "account_first_login" in observable_data
1473
+ else None
1474
+ ),
1475
+ "account_last_login": (
1476
+ observable_data["account_last_login"]
1477
+ if "account_last_login" in observable_data
1478
+ else None
1479
+ ),
1378
1480
  }
1379
1481
  elif type == "Windows-Registry-Key":
1380
1482
  input_variables["WindowsRegistryKey"] = {
1381
- "attribute_key": observable_data["key"]
1382
- if "key" in observable_data
1383
- else None,
1384
- "modified_time": observable_data["modified_time"]
1385
- if "modified_time" in observable_data
1386
- else None,
1387
- "number_of_subkeys": observable_data["number_of_subkeys"]
1388
- if "number_of_subkeys" in observable_data
1389
- else None,
1483
+ "attribute_key": (
1484
+ observable_data["key"] if "key" in observable_data else None
1485
+ ),
1486
+ "modified_time": (
1487
+ observable_data["modified_time"]
1488
+ if "modified_time" in observable_data
1489
+ else None
1490
+ ),
1491
+ "number_of_subkeys": (
1492
+ observable_data["number_of_subkeys"]
1493
+ if "number_of_subkeys" in observable_data
1494
+ else None
1495
+ ),
1390
1496
  }
1391
1497
  elif type == "Windows-Registry-Value-Type":
1392
1498
  input_variables["WindowsRegistryKeyValueType"] = {
1393
- "name": observable_data["name"]
1394
- if "name" in observable_data
1395
- else None,
1396
- "data": observable_data["data"]
1397
- if "data" in observable_data
1398
- else None,
1399
- "data_type": observable_data["data_type"]
1400
- if "data_type" in observable_data
1401
- else None,
1499
+ "name": (
1500
+ observable_data["name"] if "name" in observable_data else None
1501
+ ),
1502
+ "data": (
1503
+ observable_data["data"] if "data" in observable_data else None
1504
+ ),
1505
+ "data_type": (
1506
+ observable_data["data_type"]
1507
+ if "data_type" in observable_data
1508
+ else None
1509
+ ),
1402
1510
  }
1403
1511
  elif type == "User-Agent":
1404
1512
  input_variables["UserAgent"] = {
1405
- "value": observable_data["value"]
1406
- if "value" in observable_data
1407
- else None,
1513
+ "value": (
1514
+ observable_data["value"] if "value" in observable_data else None
1515
+ ),
1408
1516
  }
1409
1517
  elif type == "Cryptographic-Key":
1410
1518
  input_variables["CryptographicKey"] = {
1411
- "value": observable_data["value"]
1412
- if "value" in observable_data
1413
- else None,
1519
+ "value": (
1520
+ observable_data["value"] if "value" in observable_data else None
1521
+ ),
1414
1522
  }
1415
1523
  elif (
1416
1524
  type == "Cryptocurrency-Wallet"
1417
1525
  or type == "X-OpenCTI-Cryptocurrency-Wallet"
1418
1526
  ):
1419
1527
  input_variables["CryptocurrencyWallet"] = {
1420
- "value": observable_data["value"]
1421
- if "value" in observable_data
1422
- else None,
1528
+ "value": (
1529
+ observable_data["value"] if "value" in observable_data else None
1530
+ ),
1423
1531
  }
1424
1532
  elif type == "Hostname":
1425
1533
  input_variables["Hostname"] = {
1426
- "value": observable_data["value"]
1427
- if "value" in observable_data
1428
- else None,
1534
+ "value": (
1535
+ observable_data["value"] if "value" in observable_data else None
1536
+ ),
1429
1537
  }
1430
1538
  elif type == "Text":
1431
1539
  input_variables["Text"] = {
1432
- "value": observable_data["value"]
1433
- if "value" in observable_data
1434
- else None,
1540
+ "value": (
1541
+ observable_data["value"] if "value" in observable_data else None
1542
+ ),
1435
1543
  }
1436
1544
  elif type == "Bank-Account":
1437
1545
  input_variables["BankAccount"] = {
1438
- "iban": observable_data["iban"]
1439
- if "iban" in observable_data
1440
- else None,
1546
+ "iban": (
1547
+ observable_data["iban"] if "iban" in observable_data else None
1548
+ ),
1441
1549
  "bic": observable_data["bic"] if "bic" in observable_data else None,
1442
- "account_number": observable_data["account_number"]
1443
- if "account_number" in observable_data
1444
- else None,
1550
+ "account_number": (
1551
+ observable_data["account_number"]
1552
+ if "account_number" in observable_data
1553
+ else None
1554
+ ),
1445
1555
  }
1446
1556
  elif type == "Phone-Number":
1447
1557
  input_variables["PhoneNumber"] = {
1448
- "value": observable_data["value"]
1449
- if "value" in observable_data
1450
- else None,
1558
+ "value": (
1559
+ observable_data["value"] if "value" in observable_data else None
1560
+ ),
1451
1561
  }
1452
1562
  elif type == "Payment-Card":
1453
1563
  input_variables["PaymentCard"] = {
1454
- "card_number": observable_data["card_number"]
1455
- if "card_number" in observable_data
1456
- else None,
1457
- "expiration_date": observable_data["expiration_date"]
1458
- if "expiration_date" in observable_data
1459
- else None,
1564
+ "card_number": (
1565
+ observable_data["card_number"]
1566
+ if "card_number" in observable_data
1567
+ else None
1568
+ ),
1569
+ "expiration_date": (
1570
+ observable_data["expiration_date"]
1571
+ if "expiration_date" in observable_data
1572
+ else None
1573
+ ),
1460
1574
  "cvv": observable_data["cvv"] if "cvv" in observable_data else None,
1461
- "holder_name": observable_data["holder_name"]
1462
- if "holder_name" in observable_data
1463
- else None,
1575
+ "holder_name": (
1576
+ observable_data["holder_name"]
1577
+ if "holder_name" in observable_data
1578
+ else None
1579
+ ),
1464
1580
  }
1465
1581
  elif type == "Media-Content":
1466
1582
  input_variables["MediaContent"] = {
1467
- "title": observable_data["title"]
1468
- if "title" in observable_data
1469
- else None,
1470
- "content": observable_data["content"]
1471
- if "content" in observable_data
1472
- else None,
1473
- "media_category": observable_data["media_category"]
1474
- if "media_category" in observable_data
1475
- else None,
1583
+ "title": (
1584
+ observable_data["title"] if "title" in observable_data else None
1585
+ ),
1586
+ "content": (
1587
+ observable_data["content"]
1588
+ if "content" in observable_data
1589
+ else None
1590
+ ),
1591
+ "media_category": (
1592
+ observable_data["media_category"]
1593
+ if "media_category" in observable_data
1594
+ else None
1595
+ ),
1476
1596
  "url": observable_data["url"] if "url" in observable_data else None,
1477
- "publication_date": observable_data["publication_date"]
1478
- if "publication_date" in observable_data
1479
- else None,
1597
+ "publication_date": (
1598
+ observable_data["publication_date"]
1599
+ if "publication_date" in observable_data
1600
+ else None
1601
+ ),
1480
1602
  }
1481
1603
  result = self.opencti.query(query, input_variables)
1482
1604
  if "payload_bin" in observable_data and "mime/type" in observable_data:
1483
1605
  self.add_file(
1484
1606
  id=result["data"]["stixCyberObservableAdd"]["id"],
1485
- file_name=observable_data["x_opencti_additional_names"][0]
1486
- if "x_opencti_additional_names" in observable_data
1487
- and len(observable_data["x_opencti_additional_names"]) > 0
1488
- else "artifact.bin",
1607
+ file_name=(
1608
+ observable_data["x_opencti_additional_names"][0]
1609
+ if "x_opencti_additional_names" in observable_data
1610
+ and len(observable_data["x_opencti_additional_names"]) > 0
1611
+ else "artifact.bin"
1612
+ ),
1489
1613
  data=base64.b64decode(observable_data["payload_bin"]),
1490
1614
  mime_type=observable_data["mime_type"],
1491
1615
  )
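Review bot: The guard at new line 1604 tests `"mime/type" in observable_data`, but the `add_file` call it protects reads `observable_data["mime_type"]` at new line 1614, so the two keys disagree. As written, an observable that carries `payload_bin` and `mime_type` never reaches the upload, and one that carries only `mime/type` would raise `KeyError`. Both are unchanged context lines that this formatting-only change leaves as they were; the guard should probably read `if "payload_bin" in observable_data and "mime_type" in observable_data:`. Separately, `base64.b64decode(observable_data["payload_bin"])` runs without `validate=True`, so characters outside the base64 alphabet are dropped silently instead of rejecting a malformed payload. The enclosing method starts outside this hunk, so how `observable_data` is populated is not visible here.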