
Add new observable types: IMEI / ICCID

Open SamuelHassine opened this issue 2 years ago • 3 comments

Use case

Add IMEI, ICCID & IMSI observables:

IMEI = International Mobile Equipment Identity. It’s a unique serial number for your phone. Every device has its own IMEI. It helps identify a phone if it’s lost, stolen, or used on a mobile network.

ICCID = Integrated Circuit Card Identifier. This is the unique serial number of your SIM card, printed on the SIM itself. It tells the network which SIM card you are using. It does not identify you; it identifies the physical SIM card.

IMSI = International Mobile Subscriber Identity. This identifies you as a subscriber in the mobile network. It’s stored inside the SIM card, not on the phone. The IMSI tells the mobile network which user you are, so it can connect you to your account, phone number, and services.

In terms of implementation we should:

  • implement the 3 observable types, with the following fields:

    • Value
      • IMEI: 14 digits + 1 check digit (15 or 16 for legacy digits total), numeric only
        • Regexp to validate: ^[0-9]{15}$
      • ICCID: up to 19–20 digits, numeric only; often starts with an industry identifier (e.g. 89)
        • Regexp to validate: ^[0-9]{18,22}$
      • IMSI: usually 15 digits (can be 14–15), numeric only; composed of MCC+MNC+MSIN
        • Regexp to validate: ^[0-9]{14,15}$
    • Description
    • Label
    • Author
    • Creator
    • Description
    • External Ref
    • Score

  • implement the following relations:

IMEI ↔ ICCID — uses Device uses SIM card (multidirectional)

IMSI ↔ IMEI — uses Subscriber uses device (multidirectional)

ICCID ↔ IMSI — has SIM card has subscriber identity (multidirectional).

IMSI ↔ phone number — uses Subscriber uses this phone number (multidirectional).

ICCID ↔ phone number — resolves-to SIM is provisioned with this phone number (shortcut to avoid forcing the modeling ICCID has IMSI uses Phone number, multidirectional).

IMEI → MAC address — has This device (IMEI) has / is associated with this MAC address (multidirectional)

Ensure that we can export them in pycti too

SamuelHassine, Apr 17 '23 20:04
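Added example, not part of the issue or of OpenCTI's code: a Python check that applies the three regexps proposed above, shows that `^...$` used with `re.match` in Python still accepts a value with a trailing newline, and adds the Luhn check for the IMEI check digit. The function names are hypothetical, the sample values are constructed, and the Luhn step is an assumption added here (the issue only mentions "1 check digit").

```python
import re

# Patterns exactly as proposed in the issue.
PATTERNS = {
    "IMEI": re.compile(r"^[0-9]{15}$"),
    "ICCID": re.compile(r"^[0-9]{18,22}$"),
    "IMSI": re.compile(r"^[0-9]{14,15}$"),
}


def naive_accepts(obs_type: str, value: str) -> bool:
    """Weak form: in Python, '$' also matches just before a trailing newline."""
    return PATTERNS[obs_type].match(value) is not None


def luhn_valid(digits: str) -> bool:
    """True if the final digit is the correct Luhn check digit for the rest."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_observable(obs_type: str, value: str) -> list:
    """Hardened form: return a list of problems, empty when the value is accepted."""
    pattern = PATTERNS.get(obs_type)
    if pattern is None:
        return ["unknown observable type: " + obs_type]
    if pattern.fullmatch(value) is None:  # fullmatch rejects the trailing newline
        return [obs_type + " does not match " + pattern.pattern]
    # Assumption added here: the issue only says "1 check digit"; IMEI uses Luhn.
    if obs_type == "IMEI" and not luhn_valid(value):
        return ["IMEI check digit does not match (Luhn)"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    samples = [
        ("IMEI", "490154203237518"),      # valid check digit
        ("IMEI", "490154203237519"),      # wrong check digit
        ("IMEI", "490154203237518\n"),    # trailing newline from a feed
        ("ICCID", "8901260123456789012"),
        ("IMSI", "001010123456789"),
    ]
    for obs_type, value in samples:
        print(obs_type, repr(value), naive_accepts(obs_type, value), validate_observable(obs_type, value))
```
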

Hey there, I think this task was written a while ago and could be specified a bit more.

Here are a few details, first to ensure all concepts are clear:

IMEI = International Mobile Equipment Identity

  • It’s a unique serial number for your phone.
  • Every device has its own IMEI.
  • It helps identify a phone if it’s lost, stolen, or used on a mobile network.

ICCID = Integrated Circuit Card Identifier

  • This is the unique serial number of your SIM card, printed on the SIM itself.
  • It tells the network which SIM card you are using.
  • It does not identify you; it identifies the physical SIM card.

IMSI = International Mobile Subscriber Identity

  • This identifies you as a subscriber in the mobile network.
  • It’s stored inside the SIM card, not on the phone.
  • The IMSI tells the mobile network which user you are, so it can connect you to your account, phone number, and services.

In terms of implementation, in my opinion we should:

- implement the 3 observable types, with the following fields:

  • Value
    • IMEI: 14 digits + 1 check digit (15 digits total), numeric only
      • Regexp to validate: ^[0-9]{15}$
    • ICCID: up to 19–20 digits, numeric only; often starts with an industry identifier (e.g. 89)
      • Regexp to validate: ^[0-9]{18,22}$
    • IMSI: usually 15 digits (can be 14–15), numeric only; composed of MCC+MNC+MSIN
      • Regexp to validate: ^[0-9]{14,15}$
  • Description
  • Label
  • Author
  • Creator
  • Description
  • External Ref
  • Score

- implement the following relations:

  • IMEI ↔ ICCID — uses Device uses SIM card (multidirectional)

  • IMSI ↔ IMEI — uses Subscriber uses device (multidirectional)

  • ICCID ↔ IMSI — has SIM card has subscriber identity (multidirectional).

  • IMSI ↔ phone number — uses Subscriber uses this phone number (multidirectional).

  • ICCID ↔ phone number — has SIM is provisioned with this phone number (shortcut to avoid forcing the modeling ICCID has IMSI uses Phone number, multidirectional).

  • IMEI → MAC address — has This device (IMEI) has / is associated with this MAC address (multidirectional)

Ensure that we can export them in pycti too

nino-filigran, Dec 11 '25 09:12

I would suggest a modification of:

"ICCID ↔ phone number — has" to be "ICCID ↔ phone number — resolves-to"

since this is a more ephemeral relationship type due to changeability.

ParamConstructor, Dec 11 '25 15:12

Yes, fully aligned, thanks. I've modified the ticket description so that it contains the full task scope.

nino-filigran, Dec 11 '25 16:12