Files
Anthropic-Cybersecurity-Skills/skills/modeling-threats-with-opencti/references/api-reference.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

3.1 KiB

API Reference — OpenCTI / pycti

Client initialization

from pycti import OpenCTIApiClient
opencti = OpenCTIApiClient("http://localhost:8080", "API_TOKEN")
Constructor arg Purpose
url Base URL of the OpenCTI platform
token API token (Profile > API access)
ssl_verify Verify TLS (default False for self-hosted dev)
log_level info, debug, etc.

Core entity creators (upsert with update=True)

Method STIX type Key arguments
opencti.threat_actor_group.create(...) threat-actor name, description, threat_actor_types
opencti.intrusion_set.create(...) intrusion-set name, description, first_seen, last_seen
opencti.campaign.create(...) campaign name, description, objective
opencti.attack_pattern.create(...) attack-pattern name, x_mitre_id
opencti.malware.create(...) malware name, is_family, malware_types
opencti.indicator.create(...) indicator name, pattern, pattern_type, x_opencti_main_observable_type, valid_from
opencti.vulnerability.create(...) vulnerability name (CVE id), description
opencti.identity.create(...) identity name, type (organization/individual/sector)

Relationships

opencti.stix_core_relationship.create(
    fromId=..., toId=..., relationship_type="uses")
relationship_type Meaning
uses Actor/set/campaign uses a technique, tool, or malware
attributed-to Campaign -> intrusion-set -> threat-actor
targets Adversary targets an identity/sector/location
indicates Indicator indicates a malware/intrusion-set/campaign
based-on Indicator based-on an observable

Reading / listing

Method Purpose
opencti.intrusion_set.read(filters=...) Read a single object by filter
opencti.stix_core_relationship.list(fromId=..., relationship_type=...) List relationships from an object
opencti.stix_domain_object.list(types=[...]) List SDOs by type

Bundle ingestion

Method Purpose
opencti.stix2.import_bundle_from_json(json_str, update=True) Import a STIX 2.1 bundle (JSON string)
opencti.stix2.import_bundle_from_file(path, update=True) Import a bundle from a file
connector_helper.send_stix2_bundle(bundle) Connector path to send a bundle to workers

Connector environment variables (compose)

Variable Purpose
OPENCTI_URL Platform URL reachable by the connector
OPENCTI_TOKEN Connector-specific API token
CONNECTOR_ID UUID v4 unique per connector
CONNECTOR_TYPE EXTERNAL_IMPORT / INTERNAL_ENRICHMENT / STREAM
CONNECTOR_SCOPE STIX types the connector handles
CONNECTOR_NAME Display name

Deployment quick reference

Command Purpose
docker compose up -d Start platform, workers, dependencies
sysctl -w vm.max_map_count=1048575 Required for Elasticsearch
cat /proc/sys/kernel/random/uuid Generate UUID v4 tokens