pycti 6.0.9__tar.gz → 6.0.10__tar.gz

{pycti-6.0.9 → pycti-6.0.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pycti
-Version: 6.0.9
+Version: 6.0.10
 Summary: Python API client for OpenCTI.
 Home-page: https://github.com/OpenCTI-Platform/client-python
 Author: Filigran
@@ -29,12 +29,12 @@ Requires-Dist: python-magic-bin~=0.4.14; sys_platform == "win32"
 Requires-Dist: python_json_logger~=2.0.4
 Requires-Dist: pyyaml~=6.0
 Requires-Dist: requests~=2.31.0
-Requires-Dist: setuptools~=69.2.0
+Requires-Dist: setuptools~=69.5.1
 Requires-Dist: filigran-sseclient~=1.0.0
 Requires-Dist: stix2~=3.0.1
 Requires-Dist: cachetools~=5.3.0
 Provides-Extra: dev
-Requires-Dist: black~=24.3.0; extra == "dev"
+Requires-Dist: black~=24.4.0; extra == "dev"
 Requires-Dist: build~=1.2.1; extra == "dev"
 Requires-Dist: isort~=5.13.0; extra == "dev"
 Requires-Dist: types-pytz~=2024.1.0.20240203; extra == "dev"
@@ -47,7 +47,7 @@ Requires-Dist: types-python-dateutil~=2.9.0; extra == "dev"
 Requires-Dist: wheel~=0.43.0; extra == "dev"
 Provides-Extra: doc
 Requires-Dist: autoapi~=2.0.1; extra == "doc"
-Requires-Dist: sphinx-autodoc-typehints~=2.0.0; extra == "doc"
+Requires-Dist: sphinx-autodoc-typehints~=2.1.0; extra == "doc"
 Requires-Dist: sphinx-rtd-theme~=2.0.0; extra == "doc"
 
 # OpenCTI client for Python

{pycti-6.0.9 → pycti-6.0.10}/pycti/__init__.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-__version__ = "6.0.9"
+__version__ = "6.0.10"
 
 from .api.opencti_api_client import OpenCTIApiClient
 from .api.opencti_api_connector import OpenCTIApiConnector
@@ -53,9 +53,14 @@ from .entities.opencti_vulnerability import Vulnerability
 from .utils.constants import (
     CustomObjectCaseIncident,
     CustomObjectTask,
+    CustomObservableBankAccount,
+    CustomObservableCredential,
     CustomObservableCryptocurrencyWallet,
     CustomObservableHostname,
+    CustomObservablePaymentCard,
+    CustomObservablePhoneNumber,
     CustomObservableText,
+    CustomObservableTrackingNumber,
     CustomObservableUserAgent,
     MultipleRefRelationship,
     StixCyberObservableTypes,
@@ -128,9 +133,14 @@ __all__ = [
     "CustomObjectCaseIncident",
     "CustomObjectTask",
     "StixCyberObservableTypes",
+    "CustomObservableCredential",
     "CustomObservableHostname",
     "CustomObservableUserAgent",
+    "CustomObservableBankAccount",
     "CustomObservableCryptocurrencyWallet",
+    "CustomObservablePaymentCard",
+    "CustomObservablePhoneNumber",
+    "CustomObservableTrackingNumber",
     "CustomObservableText",
     "STIX_EXT_MITRE",
     "STIX_EXT_OCTI_SCO",

{pycti-6.0.9 → pycti-6.0.10}/pycti/api/opencti_api_client.py

@@ -108,6 +108,7 @@ class OpenCTIApiClient:
         ssl_verify=False,
         proxies=None,
         json_logging=False,
+        bundle_send_to_queue=True,
         cert=None,
         auth=None,
         perform_health_check=True,
@@ -115,6 +116,7 @@ class OpenCTIApiClient:
         """Constructor method"""
 
         # Check configuration
+        self.bundle_send_to_queue = bundle_send_to_queue
         self.ssl_verify = ssl_verify
         self.cert = cert
         self.proxies = proxies

{pycti-6.0.9 → pycti-6.0.10}/pycti/api/opencti_api_work.py

@@ -9,28 +9,34 @@ class OpenCTIApiWork:
         self.api = api
 
     def to_received(self, work_id: str, message: str):
-        self.api.app_logger.info("Reporting work update_received", {"work_id": work_id})
-        query = """
-            mutation workToReceived($id: ID!, $message: String) {
-                workEdit(id: $id) {
-                    toReceived (message: $message)
+        if self.api.bundle_send_to_queue:
+            self.api.app_logger.info(
+                "Reporting work update_received", {"work_id": work_id}
+            )
+            query = """
+                mutation workToReceived($id: ID!, $message: String) {
+                    workEdit(id: $id) {
+                        toReceived (message: $message)
+                    }
                 }
-            }
-           """
-        self.api.query(query, {"id": work_id, "message": message})
+               """
+            self.api.query(query, {"id": work_id, "message": message})
 
     def to_processed(self, work_id: str, message: str, in_error: bool = False):
-        self.api.app_logger.info(
-            "Reporting work update_processed", {"work_id": work_id}
-        )
-        query = """
-            mutation workToProcessed($id: ID!, $message: String, $inError: Boolean) {
-                workEdit(id: $id) {
-                    toProcessed (message: $message, inError: $inError)
+        if self.api.bundle_send_to_queue:
+            self.api.app_logger.info(
+                "Reporting work update_processed", {"work_id": work_id}
+            )
+            query = """
+                mutation workToProcessed($id: ID!, $message: String, $inError: Boolean) {
+                    workEdit(id: $id) {
+                        toProcessed (message: $message, inError: $inError)
+                    }
                 }
-            }
-           """
-        self.api.query(query, {"id": work_id, "message": message, "inError": in_error})
+               """
+            self.api.query(
+                query, {"id": work_id, "message": message, "inError": in_error}
+            )
 
     def ping(self, work_id: str):
         self.api.app_logger.info("Ping work", {"work_id": work_id})
@@ -44,49 +50,52 @@ class OpenCTIApiWork:
         self.api.query(query, {"id": work_id})
 
     def report_expectation(self, work_id: str, error):
-        self.api.app_logger.info("Report expectation", {"work_id": work_id})
-        query = """
-            mutation reportExpectation($id: ID!, $error: WorkErrorInput) {
-                workEdit(id: $id) {
-                    reportExpectation(error: $error)
+        if self.api.bundle_send_to_queue:
+            self.api.app_logger.info("Report expectation", {"work_id": work_id})
+            query = """
+                mutation reportExpectation($id: ID!, $error: WorkErrorInput) {
+                    workEdit(id: $id) {
+                        reportExpectation(error: $error)
+                    }
                 }
-            }
-           """
-        try:
-            self.api.query(query, {"id": work_id, "error": error})
-        except:
-            self.api.app_logger.error("Cannot report expectation")
+               """
+            try:
+                self.api.query(query, {"id": work_id, "error": error})
+            except:
+                self.api.app_logger.error("Cannot report expectation")
 
     def add_expectations(self, work_id: str, expectations: int):
-        self.api.app_logger.info(
-            "Update action expectations",
-            {"work_id": work_id, "expectations": expectations},
-        )
-        query = """
-            mutation addExpectations($id: ID!, $expectations: Int) {
-                workEdit(id: $id) {
-                    addExpectations(expectations: $expectations)
+        if self.api.bundle_send_to_queue:
+            self.api.app_logger.info(
+                "Update action expectations",
+                {"work_id": work_id, "expectations": expectations},
+            )
+            query = """
+                mutation addExpectations($id: ID!, $expectations: Int) {
+                    workEdit(id: $id) {
+                        addExpectations(expectations: $expectations)
+                    }
                 }
-            }
-           """
-        try:
-            self.api.query(query, {"id": work_id, "expectations": expectations})
-        except:
-            self.api.app_logger.error("Cannot report expectation")
+               """
+            try:
+                self.api.query(query, {"id": work_id, "expectations": expectations})
+            except:
+                self.api.app_logger.error("Cannot report expectation")
 
     def initiate_work(self, connector_id: str, friendly_name: str) -> str:
-        self.api.app_logger.info("Initiate work", {"connector_id": connector_id})
-        query = """
-            mutation workAdd($connectorId: String!, $friendlyName: String) {
-                workAdd(connectorId: $connectorId, friendlyName: $friendlyName) {
-                  id
+        if self.api.bundle_send_to_queue:
+            self.api.app_logger.info("Initiate work", {"connector_id": connector_id})
+            query = """
+                mutation workAdd($connectorId: String!, $friendlyName: String) {
+                    workAdd(connectorId: $connectorId, friendlyName: $friendlyName) {
+                      id
+                    }
                 }
-            }
-           """
-        work = self.api.query(
-            query, {"connectorId": connector_id, "friendlyName": friendly_name}
-        )
-        return work["data"]["workAdd"]["id"]
+               """
+            work = self.api.query(
+                query, {"connectorId": connector_id, "friendlyName": friendly_name}
+            )
+            return work["data"]["workAdd"]["id"]
 
     def delete_work(self, work_id: str):
         query = """

{pycti-6.0.9 → pycti-6.0.10}/pycti/connector/opencti_connector_helper.py

@@ -728,6 +728,32 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
         self.connect_auto = get_config_variable(
             "CONNECTOR_AUTO", ["connector", "auto"], config, False, False
         )
+        self.bundle_send_to_queue = get_config_variable(
+            "CONNECTOR_SEND_TO_QUEUE",
+            ["connector", "send_to_queue"],
+            config,
+            False,
+            True,
+        )
+        self.bundle_send_to_directory = get_config_variable(
+            "CONNECTOR_SEND_TO_DIRECTORY",
+            ["connector", "send_to_directory"],
+            config,
+            False,
+            False,
+        )
+        self.bundle_send_to_directory_path = get_config_variable(
+            "CONNECTOR_SEND_TO_DIRECTORY_PATH",
+            ["connector", "send_to_directory_path"],
+            config,
+        )
+        self.bundle_send_to_directory_retention = get_config_variable(
+            "CONNECTOR_SEND_TO_DIRECTORY_RETENTION",
+            ["connector", "send_to_directory_retention"],
+            config,
+            True,
+            7,
+        )
         self.connect_only_contextual = get_config_variable(
             "CONNECTOR_ONLY_CONTEXTUAL",
             ["connector", "only_contextual"],
@@ -749,6 +775,8 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
             "CONNECTOR_VALIDATE_BEFORE_IMPORT",
             ["connector", "validate_before_import"],
             config,
+            False,
+            False,
         )
         # Start up the server to expose the metrics.
         expose_metrics = get_config_variable(
@@ -769,6 +797,7 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
             self.opencti_token,
             self.log_level,
             json_logging=self.opencti_json_logging,
+            bundle_send_to_queue=self.bundle_send_to_queue,
         )
         # - Impersonate API that will use applicant id
         # Behave like standard api if applicant not found
@@ -777,6 +806,7 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
             self.opencti_token,
             self.log_level,
             json_logging=self.opencti_json_logging,
+            bundle_send_to_queue=self.bundle_send_to_queue,
         )
         self.connector_logger = self.api.logger_class(self.connect_name)
         # For retro compatibility
@@ -1075,6 +1105,16 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
         bypass_validation = kwargs.get("bypass_validation", False)
         entity_id = kwargs.get("entity_id", None)
         file_name = kwargs.get("file_name", None)
+        bundle_send_to_queue = kwargs.get("send_to_queue", self.bundle_send_to_queue)
+        bundle_send_to_directory = kwargs.get(
+            "send_to_directory", self.bundle_send_to_directory
+        )
+        bundle_send_to_directory_path = kwargs.get(
+            "send_to_directory_path", self.bundle_send_to_directory_path
+        )
+        bundle_send_to_directory_retention = kwargs.get(
+            "send_to_directory_retention", self.bundle_send_to_directory_retention
+        )
 
         # In case of enrichment ingestion, ensure the sharing if needed
         if self.enrichment_shared_organizations is not None:
@@ -1114,13 +1154,14 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
                         )
             bundle = json.dumps(bundle_data)
 
+        # If execution in playbook, callback the api
         if self.playbook is not None:
             self.api.playbook.playbook_step_execution(self.playbook, bundle)
             return [bundle]
 
+        # Upload workbench in case of pending validation
         if not file_name and work_id:
             file_name = f"{work_id}.json"
-
         if self.connect_validate_before_import and not bypass_validation and file_name:
             self.api.upload_pending_file(
                 file_name=file_name,
@@ -1130,8 +1171,61 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
             )
             return []
 
-        if entities_types is None:
-            entities_types = []
+        # If directory setup, write the bundle to the target directory
+        if bundle_send_to_directory and bundle_send_to_directory_path is not None:
+            self.connector_logger.info(
+                "The connector sending bundle to directory",
+                {
+                    "connector": self.connect_name,
+                    "directory": bundle_send_to_directory_path,
+                    "also_queuing": bundle_send_to_queue,
+                },
+            )
+            bundle_file = (
+                self.connect_name.lower().replace(" ", "_")
+                + "-"
+                + time.strftime("%Y%m%d-%H%M%S-")
+                + str(time.time())
+                + ".json"
+            )
+            write_file = os.path.join(
+                bundle_send_to_directory_path, bundle_file + ".tmp"
+            )
+            message_bundle = {
+                "bundle_type": "DIRECTORY_BUNDLE",
+                "applicant_id": self.applicant_id,
+                "connector": {
+                    "id": self.connect_id,
+                    "name": self.connect_name,
+                    "type": self.connect_type,
+                    "scope": self.connect_scope,
+                    "auto": self.connect_auto,
+                    "validate_before_import": self.connect_validate_before_import,
+                },
+                "entities_types": entities_types,
+                "bundle": json.loads(bundle),
+                "update": update,
+            }
+            # Maintains the list of files under control
+            if bundle_send_to_directory_retention > 0:  # If 0, disable the auto remove
+                current_time = time.time()
+                for f in os.listdir(bundle_send_to_directory_path):
+                    if f.endswith(".json"):
+                        file_location = os.path.join(bundle_send_to_directory_path, f)
+                        file_time = os.stat(file_location).st_mtime
+                        is_expired_file = (
+                            file_time
+                            < current_time - 86400 * bundle_send_to_directory_retention
+                        )  # 86400 = 1 day
+                        if is_expired_file:
+                            os.remove(file_location)
+            # Write the bundle to target directory
+            with open(write_file, "w") as f:
+                str_bundle = json.dumps(message_bundle)
+                f.write(str_bundle)
+            # Rename the file after full write
+            final_write_file = os.path.join(bundle_send_to_directory_path, bundle_file)
+            os.rename(write_file, final_write_file)
 
         if bypass_split:
             bundles = [bundle]
@@ -1143,44 +1237,48 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
             self.metric.inc("error_count")
             raise ValueError("Nothing to import")
 
-        if work_id:
-            self.api.work.add_expectations(work_id, len(bundles))
-
-        pika_credentials = pika.PlainCredentials(
-            self.connector_config["connection"]["user"],
-            self.connector_config["connection"]["pass"],
-        )
-        pika_parameters = pika.ConnectionParameters(
-            host=self.connector_config["connection"]["host"],
-            port=self.connector_config["connection"]["port"],
-            virtual_host=self.connector_config["connection"]["vhost"],
-            credentials=pika_credentials,
-            ssl_options=(
-                pika.SSLOptions(
-                    create_mq_ssl_context(self.config),
-                    self.connector_config["connection"]["host"],
-                )
-                if self.connector_config["connection"]["use_ssl"]
-                else None
-            ),
-        )
-        pika_connection = pika.BlockingConnection(pika_parameters)
-        channel = pika_connection.channel()
-        try:
-            channel.confirm_delivery()
-        except Exception as err:  # pylint: disable=broad-except
-            self.connector_logger.warning(str(err))
-        for sequence, bundle in enumerate(bundles, start=1):
-            self._send_bundle(
-                channel,
-                bundle,
-                work_id=work_id,
-                entities_types=entities_types,
-                sequence=sequence,
-                update=update,
+        if bundle_send_to_queue:
+            if work_id:
+                self.api.work.add_expectations(work_id, len(bundles))
+            if entities_types is None:
+                entities_types = []
+            pika_credentials = pika.PlainCredentials(
+                self.connector_config["connection"]["user"],
+                self.connector_config["connection"]["pass"],
+            )
+            pika_parameters = pika.ConnectionParameters(
+                host=self.connector_config["connection"]["host"],
+                port=self.connector_config["connection"]["port"],
+                virtual_host=self.connector_config["connection"]["vhost"],
+                credentials=pika_credentials,
+                ssl_options=(
+                    pika.SSLOptions(
+                        create_mq_ssl_context(self.config),
+                        self.connector_config["connection"]["host"],
+                    )
+                    if self.connector_config["connection"]["use_ssl"]
+                    else None
+                ),
             )
-        channel.close()
-        pika_connection.close()
+            pika_connection = pika.BlockingConnection(pika_parameters)
+            channel = pika_connection.channel()
+            try:
+                channel.confirm_delivery()
+            except Exception as err:  # pylint: disable=broad-except
+                self.connector_logger.warning(str(err))
+            self.connector_logger.info(self.connect_name + " sending bundle to queue")
+            for sequence, bundle in enumerate(bundles, start=1):
+                self._send_bundle(
+                    channel,
+                    bundle,
+                    work_id=work_id,
+                    entities_types=entities_types,
+                    sequence=sequence,
+                    update=update,
+                )
+            channel.close()
+            pika_connection.close()
+
         return bundles
 
     def _send_bundle(self, channel, bundle, **kwargs) -> None:
@@ -1212,6 +1310,7 @@ class OpenCTIConnectorHelper:  # pylint: disable=too-many-public-methods
         # if self.current_work_id is None:
         #    raise ValueError('The job id must be specified')
         message = {
+            "bundle_type": "QUEUE_BUNDLE",
             "applicant_id": self.applicant_id,
             "action_sequence": sequence,
             "entities_types": entities_types,

{pycti-6.0.9 → pycti-6.0.10}/pycti/entities/opencti_incident.py

@@ -458,6 +458,10 @@ class Incident:
                 stix_object["x_opencti_granted_refs"] = (
                     self.opencti.get_attribute_in_extension("granted_refs", stix_object)
                 )
+            if "x_opencti_workflow_id" not in stix_object:
+                stix_object["x_opencti_workflow_id"] = (
+                    self.opencti.get_attribute_in_extension("workflow_id", stix_object)
+                )
 
             return self.create(
                 stix_id=stix_object["id"],

{pycti-6.0.9 → pycti-6.0.10}/pycti/entities/opencti_indicator.py

@@ -468,6 +468,7 @@ class Indicator:
         x_opencti_stix_ids = kwargs.get("x_opencti_stix_ids", None)
         create_observables = kwargs.get("x_opencti_create_observables", False)
         granted_refs = kwargs.get("objectOrganization", None)
+        x_opencti_workflow_id = kwargs.get("x_opencti_workflow_id", None)
         update = kwargs.get("update", False)
 
         if (
@@ -528,6 +529,7 @@ class Indicator:
                         "x_opencti_stix_ids": x_opencti_stix_ids,
                         "killChainPhases": kill_chain_phases,
                         "createObservables": create_observables,
+                        "x_opencti_workflow_id": x_opencti_workflow_id,
                         "update": update,
                     }
                 },
@@ -642,6 +644,10 @@ class Indicator:
                 stix_object["x_opencti_granted_refs"] = (
                     self.opencti.get_attribute_in_extension("granted_refs", stix_object)
                 )
+            if "x_opencti_workflow_id" not in stix_object:
+                stix_object["x_opencti_workflow_id"] = (
+                    self.opencti.get_attribute_in_extension("workflow_id", stix_object)
+                )
 
             return self.create(
                 stix_id=stix_object["id"],
@@ -740,6 +746,11 @@ class Indicator:
                     if "x_opencti_granted_refs" in stix_object
                     else None
                 ),
+                x_opencti_workflow_id=(
+                    stix_object["x_opencti_workflow_id"]
+                    if "x_opencti_workflow_id" in stix_object
+                    else None
+                ),
                 update=update,
             )
         else:

{pycti-6.0.9 → pycti-6.0.10}/pycti/entities/opencti_intrusion_set.py

@@ -363,6 +363,7 @@ class IntrusionSet:
         secondary_motivations = kwargs.get("secondary_motivations", None)
         x_opencti_stix_ids = kwargs.get("x_opencti_stix_ids", None)
         granted_refs = kwargs.get("objectOrganization", None)
+        x_opencti_workflow_id = kwargs.get("x_opencti_workflow_id", None)
         update = kwargs.get("update", False)
 
         if name is not None:
@@ -402,6 +403,7 @@ class IntrusionSet:
                         "primary_motivation": primary_motivation,
                         "secondary_motivations": secondary_motivations,
                         "x_opencti_stix_ids": x_opencti_stix_ids,
+                        "x_opencti_workflow_id": x_opencti_workflow_id,
                         "update": update,
                     }
                 },
@@ -435,7 +437,11 @@ class IntrusionSet:
                 stix_object["x_opencti_granted_refs"] = (
                     self.opencti.get_attribute_in_extension("granted_refs", stix_object)
                 )
-
+            if "x_opencti_workflow_id" not in stix_object:
+                stix_object["x_opencti_workflow_id"] = (
+                    self.opencti.get_attribute_in_extension("workflow_id", stix_object)
+                )
+                7
             return self.create(
                 stix_id=stix_object["id"],
                 createdBy=(
@@ -500,6 +506,11 @@ class IntrusionSet:
                     if "x_opencti_granted_refs" in stix_object
                     else None
                 ),
+                x_opencti_workflow_id=(
+                    stix_object["x_opencti_workflow_id"]
+                    if "x_opencti_workflow_id" in stix_object
+                    else None
+                ),
                 update=update,
             )
         else:

{pycti-6.0.9 → pycti-6.0.10}/pycti/entities/opencti_malware_analysis.py

@@ -401,6 +401,7 @@ class MalwareAnalysis:
         analysisSco = kwargs.get("analysisSco", None)
         x_opencti_stix_ids = kwargs.get("x_opencti_stix_ids", None)
         granted_refs = kwargs.get("objectOrganization", None)
+        x_opencti_workflow_id = kwargs.get("x_opencti_workflow_id", None)
         update = kwargs.get("update", False)
 
         if product is not None and result_name is not None:
@@ -449,6 +450,7 @@ class MalwareAnalysis:
                         "analysisSample": sample,
                         "analysisSco": analysisSco,
                         "x_opencti_stix_ids": x_opencti_stix_ids,
+                        "x_opencti_workflow_id": x_opencti_workflow_id,
                         "update": update,
                     }
                 },
@@ -482,6 +484,10 @@ class MalwareAnalysis:
                 stix_object["x_opencti_granted_refs"] = (
                     self.opencti.get_attribute_in_extension("granted_refs", stix_object)
                 )
+            if "x_opencti_workflow_id" not in stix_object:
+                stix_object["x_opencti_workflow_id"] = (
+                    self.opencti.get_attribute_in_extension("workflow_id", stix_object)
+                )
 
             return self.create(
                 stix_id=stix_object["id"],
@@ -574,6 +580,11 @@ class MalwareAnalysis:
                     if "x_opencti_granted_refs" in stix_object
                     else None
                 ),
+                x_opencti_workflow_id=(
+                    stix_object["x_opencti_workflow_id"]
+                    if "x_opencti_workflow_id" in stix_object
+                    else None
+                ),
                 update=update,
             )
         else:

{pycti-6.0.9 → pycti-6.0.10}/pycti/entities/opencti_stix_core_object.py

@@ -615,6 +615,12 @@ class StixCoreObject:
             ... on PhoneNumber {
                 value
             }
+            ... on TrackingNumber {
+                value
+            }
+            ... on Credential {
+                value
+            }
             ... on PaymentCard {
                 card_number
                 expiration_date

{pycti-6.0.9 → pycti-6.0.10}/pycti/entities/opencti_stix_cyber_observable.py

@@ -282,6 +282,12 @@ class StixCyberObservable:
             ... on PhoneNumber {
                 value
             }
+            ... on TrackingNumber {
+                value
+            }
+            ... on Credential {
+                value
+            }
             ... on PaymentCard {
                 card_number
                 expiration_date
@@ -576,6 +582,12 @@ class StixCyberObservable:
             ... on PhoneNumber {
                 value
             }
+            ... on TrackingNumber {
+                value
+            }
+            ... on Credential {
+                value
+            }
             ... on PaymentCard {
                 card_number
                 expiration_date
@@ -857,6 +869,15 @@ class StixCyberObservable:
             type = "IPv6-Addr"
         elif type.lower() == "hostname" or type.lower() == "x-opencti-hostname":
             type = "Hostname"
+        elif type.lower() == "payment-card" or type.lower() == "x-opencti-payment-card":
+            type = "Payment-Card"
+        elif type.lower() == "credential" or type.lower() == "x-opencti-credential":
+            type = "Credential"
+        elif (
+            type.lower() == "tracking-number"
+            or type.lower() == "x-opencti-tracking-number"
+        ):
+            type = "Tracking-Number"
         elif (
             type.lower() == "cryptocurrency-wallet"
             or type.lower() == "x-opencti-cryptocurrency-wallet"
@@ -974,6 +995,8 @@ class StixCyberObservable:
                     $UserAgent: UserAgentAddInput
                     $BankAccount: BankAccountAddInput
                     $PhoneNumber: PhoneNumberAddInput
+                    $Credential: CredentialAddInput
+                    $TrackingNumber: TrackingNumberAddInput
                     $PaymentCard: PaymentCardAddInput
                     $MediaContent: MediaContentAddInput
                 ) {
@@ -1016,6 +1039,8 @@ class StixCyberObservable:
                         UserAgent: $UserAgent
                         BankAccount: $BankAccount
                         PhoneNumber: $PhoneNumber
+                        Credential: $Credential
+                        TrackingNumber: $TrackingNumber
                         PaymentCard: $PaymentCard
                         MediaContent: $MediaContent
                     ) {
@@ -1508,15 +1533,6 @@ class StixCyberObservable:
                         observable_data["value"] if "value" in observable_data else None
                     ),
                 }
-            elif (
-                type == "Cryptocurrency-Wallet"
-                or type == "X-OpenCTI-Cryptocurrency-Wallet"
-            ):
-                input_variables["CryptocurrencyWallet"] = {
-                    "value": (
-                        observable_data["value"] if "value" in observable_data else None
-                    ),
-                }
             elif type == "Hostname":
                 input_variables["Hostname"] = {
                     "value": (
@@ -1588,8 +1604,50 @@ class StixCyberObservable:
                         else None
                     ),
                 }
+            elif type == "Payment-Card" or type.lower() == "x-opencti-payment-card":
+                input_variables["PaymentCard"] = {
+                    "card_number": (
+                        observable_data["card_number"]
+                        if "card_number" in observable_data
+                        else None
+                    ),
+                    "expiration_date": (
+                        observable_data["expiration_date"]
+                        if "expiration_date" in observable_data
+                        else None
+                    ),
+                    "cvv": observable_data["cvv"] if "cvv" in observable_data else None,
+                    "holder_name": (
+                        observable_data["holder_name"]
+                        if "holder_name" in observable_data
+                        else None
+                    ),
+                }
+            elif (
+                type == "Cryptocurrency-Wallet"
+                or type.lower() == "x-opencti-cryptocurrency-wallet"
+            ):
+                input_variables["CryptocurrencyWallet"] = {
+                    "value": (
+                        observable_data["value"] if "value" in observable_data else None
+                    ),
+                }
+            elif type == "Credential" or type.lower() == "x-opencti-credential":
+                input_variables["Credential"] = {
+                    "value": (
+                        observable_data["value"] if "value" in observable_data else None
+                    ),
+                }
+            elif (
+                type == "Tracking-Number" or type.lower() == "x-opencti-tracking-number"
+            ):
+                input_variables["TrackingNumber"] = {
+                    "value": (
+                        observable_data["value"] if "value" in observable_data else None
+                    ),
+                }
             result = self.opencti.query(query, input_variables)
-            if "payload_bin" in observable_data and "mime/type" in observable_data:
+            if "payload_bin" in observable_data and "mime_type" in observable_data:
                 self.add_file(
                     id=result["data"]["stixCyberObservableAdd"]["id"],
                     file_name=(

{pycti-6.0.9 → pycti-6.0.10}/pycti/utils/constants.py

@@ -42,6 +42,8 @@ class StixCyberObservableTypes(Enum):
     USER_AGENT = "User-Agent"
     BANK_ACCOUNT = "Bank-Account"
     PHONE_NUMBER = "Phone-Number"
+    CREDENTIAL = "Credential"
+    TRACKING_NUMBER = "Tracking-Number"
     PAYMENT_CARD = "Payment-Card"
     MEDIA_CONTENT = "Media-Content"
     SIMPLE_OBSERVABLE = "Simple-Observable"
@@ -66,6 +68,7 @@ class IdentityTypes(Enum):
 
 class ThreatActorTypes(Enum):
     THREAT_ACTOR_GROUP = "Threat-Actor-Group"
+    THREAT_ACTOR_INDIVIDUAL = "Threat-Actor-Individual"
 
     @classmethod
     def has_value(cls, value):
@@ -263,6 +266,73 @@ class CustomObservableText:
     pass
 
 
+@CustomObservable(
+    "payment-card",
+    [
+        ("value", StringProperty(required=True)),
+        ("card_number", StringProperty(required=True)),
+        ("expiration_date", StringProperty(required=False)),
+        ("cvv", StringProperty(required=False)),
+        ("holder_name", StringProperty(required=False)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["card_number"],
+)
+class CustomObservablePaymentCard:
+    """Payment card observable."""
+
+    pass
+
+
+@CustomObservable(
+    "bank-account",
+    [
+        ("value", StringProperty(required=True)),
+        ("iban", StringProperty(required=True)),
+        ("bic", StringProperty(required=False)),
+        ("account_number", StringProperty(required=False)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["iban"],
+)
+class CustomObservableBankAccount:
+    """Bank Account observable."""
+
+    pass
+
+
+@CustomObservable(
+    "credential",
+    [
+        ("value", StringProperty(required=True)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["value"],
+)
+class CustomObservableCredential:
+    """Credential observable."""
+
+    pass
+
+
 @CustomObservable(
     "cryptocurrency-wallet",
     [
@@ -283,6 +353,46 @@ class CustomObservableCryptocurrencyWallet:
     pass
 
 
+@CustomObservable(
+    "phone-number",
+    [
+        ("value", StringProperty(required=True)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["value"],
+)
+class CustomObservablePhoneNumber:
+    """Phone number observable."""
+
+    pass
+
+
+@CustomObservable(
+    "tracking-number",
+    [
+        ("value", StringProperty(required=True)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["value"],
+)
+class CustomObservableTrackingNumber:
+    """Tracking number observable."""
+
+    pass
+
+
 @CustomObservable(
     "user-agent",
     [

{pycti-6.0.9 → pycti-6.0.10}/pycti/utils/opencti_stix2.py

@@ -835,6 +835,21 @@ class OpenCTIStix2:
             "Vulnerability": self.opencti.vulnerability.read,
         }
 
+    def get_reader(self, entity_type: str):
+        # Map types
+        if entity_type == "StixFile":
+            entity_type = "File"
+        if IdentityTypes.has_value(entity_type):
+            entity_type = "Identity"
+        if LocationTypes.has_value(entity_type):
+            entity_type = "Location"
+        if StixCyberObservableTypes.has_value(entity_type):
+            entity_type = "Stix-Cyber-Observable"
+        readers = self.get_readers()
+        return readers.get(
+            entity_type, lambda **kwargs: self.unknown_type({"type": entity_type})
+        )
+
     # endregion
 
     # region import

{pycti-6.0.9 → pycti-6.0.10}/pycti/utils/opencti_stix2_utils.py

@@ -7,8 +7,11 @@ STIX_CYBER_OBSERVABLE_MAPPING = {
     "directory": "Directory",
     "domain-name": "Domain-Name",
     "email-addr": "Email-Addr",
-    "file": "StixFile",
     "email-message": "Email-Message",
+    "email-mime-part-type": "Email-Mime-Part-Type",
+    "artifact": "Artifact",
+    "file": "StixFile",
+    "x509-certificate": "X509-Certificate",
     "ipv4-addr": "IPv4-Addr",
     "ipv6-addr": "IPv6-Addr",
     "mac-addr": "Mac-Addr",
@@ -21,8 +24,14 @@ STIX_CYBER_OBSERVABLE_MAPPING = {
     "windows-registry-key": "Windows-Registry-Key",
     "windows-registry-value-type": "Windows-Registry-Value-Type",
     "hostname": "Hostname",
+    "cryptographic-key": "Cryptographic-Key",
+    "cryptocurrency-wallet": "Cryptocurrency-Wallet",
+    "text": "Text",
+    "user-agent": "User-Agent",
     "bank-account": "Bank-Account",
     "phone-number": "Phone-Number",
+    "credential": "Credential",
+    "tracking-number": "Tracking-Number",
     "payment-card": "Payment-Card",
     "media-content": "Media-Content",
 }
@@ -54,6 +63,8 @@ PATTERN_MAPPING = {
     "Bank-Account": ["iban"],
     "Phone-Number": ["value"],
     "Payment-Card": ["card_number"],
+    "Tracking-Number": ["value"],
+    "Credential": ["value"],
     "Media-Content": ["url"],
 }
 

{pycti-6.0.9 → pycti-6.0.10}/pycti.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pycti
-Version: 6.0.9
+Version: 6.0.10
 Summary: Python API client for OpenCTI.
 Home-page: https://github.com/OpenCTI-Platform/client-python
 Author: Filigran
@@ -29,12 +29,12 @@ Requires-Dist: python-magic-bin~=0.4.14; sys_platform == "win32"
 Requires-Dist: python_json_logger~=2.0.4
 Requires-Dist: pyyaml~=6.0
 Requires-Dist: requests~=2.31.0
-Requires-Dist: setuptools~=69.2.0
+Requires-Dist: setuptools~=69.5.1
 Requires-Dist: filigran-sseclient~=1.0.0
 Requires-Dist: stix2~=3.0.1
 Requires-Dist: cachetools~=5.3.0
 Provides-Extra: dev
-Requires-Dist: black~=24.3.0; extra == "dev"
+Requires-Dist: black~=24.4.0; extra == "dev"
 Requires-Dist: build~=1.2.1; extra == "dev"
 Requires-Dist: isort~=5.13.0; extra == "dev"
 Requires-Dist: types-pytz~=2024.1.0.20240203; extra == "dev"
@@ -47,7 +47,7 @@ Requires-Dist: types-python-dateutil~=2.9.0; extra == "dev"
 Requires-Dist: wheel~=0.43.0; extra == "dev"
 Provides-Extra: doc
 Requires-Dist: autoapi~=2.0.1; extra == "doc"
-Requires-Dist: sphinx-autodoc-typehints~=2.0.0; extra == "doc"
+Requires-Dist: sphinx-autodoc-typehints~=2.1.0; extra == "doc"
 Requires-Dist: sphinx-rtd-theme~=2.0.0; extra == "doc"
 
 # OpenCTI client for Python

{pycti-6.0.9 → pycti-6.0.10}/pycti.egg-info/requires.txt

@@ -4,7 +4,7 @@ prometheus-client~=0.20.0
 python_json_logger~=2.0.4
 pyyaml~=6.0
 requests~=2.31.0
-setuptools~=69.2.0
+setuptools~=69.5.1
 filigran-sseclient~=1.0.0
 stix2~=3.0.1
 cachetools~=5.3.0
@@ -16,7 +16,7 @@ python-magic~=0.4.27
 python-magic-bin~=0.4.14
 
 [dev]
-black~=24.3.0
+black~=24.4.0
 build~=1.2.1
 isort~=5.13.0
 types-pytz~=2024.1.0.20240203
@@ -30,5 +30,5 @@ wheel~=0.43.0
 
 [doc]
 autoapi~=2.0.1
-sphinx-autodoc-typehints~=2.0.0
+sphinx-autodoc-typehints~=2.1.0
 sphinx-rtd-theme~=2.0.0

{pycti-6.0.9 → pycti-6.0.10}/setup.cfg

@@ -40,14 +40,14 @@ install_requires =
 	python_json_logger~=2.0.4
 	pyyaml~=6.0
 	requests~=2.31.0
-	setuptools~=69.2.0
+	setuptools~=69.5.1
 	filigran-sseclient~=1.0.0
 	stix2~=3.0.1
 	cachetools~=5.3.0
 
 [options.extras_require]
 dev = 
-	black~=24.3.0
+	black~=24.4.0
 	build~=1.2.1
 	isort~=5.13.0
 	types-pytz~=2024.1.0.20240203
@@ -60,7 +60,7 @@ dev =
 	wheel~=0.43.0
 doc = 
 	autoapi~=2.0.1
-	sphinx-autodoc-typehints~=2.0.0
+	sphinx-autodoc-typehints~=2.1.0
 	sphinx-rtd-theme~=2.0.0
 
 [egg_info]