|
| 1 | +"""These are the custom STIX properties and observation types used internally by OpenCTI. |
| 2 | +
|
| 3 | +""" |
| 4 | + |
| 5 | + |
| 6 | +class ObservableTypes: |
| 7 | + """These are the possible values for OpenCTI's observable types. |
| 8 | +
|
| 9 | + Use in conjuction with the STIX custom property 'x_opencti_observable_type'. |
| 10 | +
|
| 11 | + ref: https://github.com/OpenCTI-Platform/opencti/blob/8854c2576dc17da9da54e54b116779bd2131617c/opencti-front/src/private/components/report/ReportAddObservable.js |
| 12 | +
|
| 13 | + NOTE: should this be a mapping between the stix2 SDO objects (i.e. stix2/v20/sdo.py)? |
| 14 | +
|
| 15 | + """ |
| 16 | + DOMAIN = "Domain" |
| 17 | + EMAIL_ADDR = "Email-Address" |
| 18 | + EMAIL_SUBJECT = "Email-Subject" |
| 19 | + FILE_NAME = "File-Name" |
| 20 | + FILE_PATH = "File-Path" |
| 21 | + FILE_HASH_MD5 = "File-MD5" |
| 22 | + FILE_HASH_SHA1 = "File-SHA1" |
| 23 | + FILE_HASH_SHA256 = "File-SHA256" |
| 24 | + IPV4_ADDR = "IPv4-Addr" |
| 25 | + IPV6_ADDR = "IPv6-Addr" |
| 26 | + MUTEX = "Mutex" |
| 27 | + PDB_PATH = "PDB-Path" |
| 28 | + REGISTRY_KEY = "Registry-Key" |
| 29 | + REGISTRY_VALUE = "Registry-Key-Value" |
| 30 | + URL = "URL" |
| 31 | + WIN_SERVICE_NAME = "Windows-Service-Name" |
| 32 | + WIN_SERVICE_DISPLAY = "Windows-Service-Display-Name" |
| 33 | + WIN_SCHEDULED_TASK = "Windows-Scheduled-Task" |
| 34 | + X509_CERT_ISSUER = "X509-Certificate-Issuer" |
| 35 | + X509_CERT_SN = "X509-Certificate-Serial-Number" |
| 36 | + |
| 37 | + |
| 38 | +class CustomProperties: |
| 39 | + """These are the custom properies used by OpenCTI. |
| 40 | +
|
| 41 | + """ |
| 42 | + |
| 43 | + # internal id used by OpenCTI - this will be auto generated |
| 44 | + ID = 'x_opencti_id' |
| 45 | + |
| 46 | + # This should be set on all reports to one of the following values: |
| 47 | + # "external" |
| 48 | + # "internal" |
| 49 | + REPORT_CLASS = 'x_opencti_report_class' |
| 50 | + |
| 51 | + # These values should be set on all stix Indicator objects as custom properties. |
| 52 | + # See constants.ObservableTypes for possible types |
| 53 | + OBSERVABLE_TYPE = 'x_opencti_observable_type' |
| 54 | + OBSERVABLE_VALUE = 'x_opencti_observable_value' |
| 55 | + |
| 56 | + # custom created and modified dates |
| 57 | + # use with STIX "kill chain" and "external reference" objects |
| 58 | + CREATED = 'x_opencti_created' |
| 59 | + MODIFIED = 'x_opencti_modified' |
| 60 | + |
| 61 | + # use with intrusion-set, campaign, relation |
| 62 | + FIRST_SEEN = 'x_opencti_first_seen' |
| 63 | + LAST_SEEN = 'x_opencti_last_seen' |
| 64 | + |
| 65 | + # use with marking deinitions |
| 66 | + COLOR = 'x_opencti_color' |
| 67 | + LEVEL = 'x_opencti_level' # should be an integer |
| 68 | + |
| 69 | + # use with kill chain |
| 70 | + PHASE_ORDER = 'x_opencti_phase_order' |
| 71 | + |
| 72 | + # use with relation |
| 73 | + WEIGHT = 'x_opencti_weight' |
| 74 | + SCORE = 'x_opencti_score' |
| 75 | + ROLE_PLAYED = 'x_opencti_role_played' |
| 76 | + EXPIRATION = 'x_opencti_expiration' |
| 77 | + SOURCE_REF = 'x_opencti_source_ref' |
| 78 | + TARGET_REF = 'x_opencti_target_ref' |
| 79 | + |
| 80 | + # generic property - applies to most SDOs |
| 81 | + ALIASES = 'x_opencti_aliases' |
| 82 | + |
| 83 | + # applies to STIX Identity |
| 84 | + ORG_CLASS = 'x_opencti_organization_class' |
| 85 | + IDENTITY_TYPE = 'x_opencti_identity_type' # this overrides the stix 'identity_class' property! |
| 86 | + |
| 87 | + # applies to STIX report |
| 88 | + OBJECT_STATUS = 'x_opencti_object_status' |
| 89 | + SRC_CONF_LEVEL = 'x_opencti_source_confidence_level' |
| 90 | + GRAPH_DATA = 'x_opencti_graph_data' |
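Review bot: The two permitted values for `x_opencti_report_class` appear only in the comment above `REPORT_CLASS` (new lines 46-48), so every caller has to retype `"external"` / `"internal"` by hand, while observable types get named constants. A small sibling class, `class ReportClass:` with `EXTERNAL = "external"` and `INTERNAL = "internal"`, would keep the two consistent and make a misspelled value fail at import time rather than at ingestion. The `ObservableTypes` strings are hand-copied from the front-end file pinned in the docstring, so I would add a comment such as `# keep in sync with ReportAddObservable.js when the platform version changes`, since a drifted value would presumably yield indicators whose type the platform does not recognise. The inline notes on `LEVEL` ("should be an integer") and `IDENTITY_TYPE` (overrides `identity_class`) are constraints a caller can easily miss, so they belong in the `CustomProperties` docstring. The docstrings and comments also carry three typos worth fixing before merge: "conjuction", "properies" and "deinitions".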