Files
Anthropic-Cybersecurity-Skills/skills/modeling-threats-with-opencti/references/api-reference.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

79 lines
3.1 KiB
Markdown

# API Reference — OpenCTI / pycti
## Client initialization
```python
from pycti import OpenCTIApiClient
opencti = OpenCTIApiClient("http://localhost:8080", "API_TOKEN")
```
| Constructor arg | Purpose |
|-----------------|---------|
| url | Base URL of the OpenCTI platform |
| token | API token (Profile > API access) |
| ssl_verify | Verify TLS (default False for self-hosted dev) |
| log_level | `info`, `debug`, etc. |
## Core entity creators (upsert with `update=True`)
| Method | STIX type | Key arguments |
|--------|-----------|---------------|
| `opencti.threat_actor_group.create(...)` | threat-actor | name, description, threat_actor_types |
| `opencti.intrusion_set.create(...)` | intrusion-set | name, description, first_seen, last_seen |
| `opencti.campaign.create(...)` | campaign | name, description, objective |
| `opencti.attack_pattern.create(...)` | attack-pattern | name, x_mitre_id |
| `opencti.malware.create(...)` | malware | name, is_family, malware_types |
| `opencti.indicator.create(...)` | indicator | name, pattern, pattern_type, x_opencti_main_observable_type, valid_from |
| `opencti.vulnerability.create(...)` | vulnerability | name (CVE id), description |
| `opencti.identity.create(...)` | identity | name, type (organization/individual/sector) |
## Relationships
```python
opencti.stix_core_relationship.create(
fromId=..., toId=..., relationship_type="uses")
```
| relationship_type | Meaning |
|-------------------|---------|
| uses | Actor/set/campaign uses a technique, tool, or malware |
| attributed-to | Campaign -> intrusion-set -> threat-actor |
| targets | Adversary targets an identity/sector/location |
| indicates | Indicator indicates a malware/intrusion-set/campaign |
| based-on | Indicator based-on an observable |
## Reading / listing
| Method | Purpose |
|--------|---------|
| `opencti.intrusion_set.read(filters=...)` | Read a single object by filter |
| `opencti.stix_core_relationship.list(fromId=..., relationship_type=...)` | List relationships from an object |
| `opencti.stix_domain_object.list(types=[...])` | List SDOs by type |
## Bundle ingestion
| Method | Purpose |
|--------|---------|
| `opencti.stix2.import_bundle_from_json(json_str, update=True)` | Import a STIX 2.1 bundle (JSON string) |
| `opencti.stix2.import_bundle_from_file(path, update=True)` | Import a bundle from a file |
| `connector_helper.send_stix2_bundle(bundle)` | Connector path to send a bundle to workers |
## Connector environment variables (compose)
| Variable | Purpose |
|----------|---------|
| OPENCTI_URL | Platform URL reachable by the connector |
| OPENCTI_TOKEN | Connector-specific API token |
| CONNECTOR_ID | UUID v4 unique per connector |
| CONNECTOR_TYPE | EXTERNAL_IMPORT / INTERNAL_ENRICHMENT / STREAM |
| CONNECTOR_SCOPE | STIX types the connector handles |
| CONNECTOR_NAME | Display name |
## Deployment quick reference
| Command | Purpose |
|---------|---------|
| `docker compose up -d` | Start platform, workers, dependencies |
| `sysctl -w vm.max_map_count=1048575` | Required for Elasticsearch |
| `cat /proc/sys/kernel/random/uuid` | Generate UUID v4 tokens |