Does main observable type in OpenCTI differ from STIX v2.1 SCO type?

## Prerequisites

- [x] I read the [Deployment and Setup](https://docs.opencti.io/latest/deployment/overview) section of the OpenCTI documentation as well as the [Troubleshooting](https://docs.opencti.io/latest/deployment/troubleshooting) page and didn't find anything relevant to my problem.
- [x] I went through old GitHub issues and couldn't find anything relevant
- [x] I googled the issue and didn't find anything relevant

## Description

Hi,
I'm struggling with understanding of what OpenCTI considers to be "Main observable type", specifically when it processes CSV file via custom mapper.
I've got a CSV file with next columns:
```csv
Indicator,Malware,Is family,Intrusion_set,TTP,Organization,Pattern type,pattern,main_observable_type
1.2.3.4,,,,,Test-Org,stix,[ipv4-addr:value = '1.2.3.4'],ipv4-addr
```
The last column, as per STIX 2.1 SCOs, has values like `ipv4-addr`, `domain-name` etc.
My mapper is extracting Indicator entity from CSV data and parses the last column as **main observable type** respectively. CSV mapper test correctly passes with my test file, however when processing this same file via **CSV mapper import** connector it throws error  **"Observable type 'ipv4-addr' is not supproted"**. I have stumbled upon references of this observable type labeled as `IPv4-Addr` over OpenCTI documentation here and there. So my question is - are the STIX 2.1 SCOs `type` and OpenCTI's `main observable type` supposed to be different or am I missing something? If that is my fault, then why does a CSV mapper test successfully passes?

## Environment

1. OS (where OpenCTI server runs): **Ubuntu 24.04 LTS**
2. OpenCTI version: **OpenCTI 1.0.2** 
3. OpenCTI client: **frontend**

## Reproducible Steps

Steps to create the smallest reproducible scenario:
1. Create **CSV mapper** with **Inidcator** entity
2. Extract `main observable type` from a column having values as per STIX 2.1 SCOs
3. Run Test over test CSV file
4. Import test CSV file into the platform via **Global Files**
5. Run created **CSV mapper** connector over imported file (validation mode is irrelevant)
6. Get error `Observable type ipv4-addr is not supported`.
7. Change last column value from `ipv4-addr` to `IPv4-Addr`.
8. Import changed CSV and rerun CSV mapper over it.
9. Import successful 💯.


## Additional information

<img width="907" height="798" alt="Image" src="https://github.com/user-attachments/assets/f3aee17c-46aa-4496-a728-d9a3fab0f106" />

<img width="718" height="771" alt="Image" src="https://github.com/user-attachments/assets/6a5325c6-8500-4b61-a6da-c4d925113ced" />

<img width="602" height="310" alt="Image" src="https://github.com/user-attachments/assets/5cb0b447-7660-4bf5-bcee-20d798f97840" />

<img width="933" height="287" alt="Image" src="https://github.com/user-attachments/assets/e322ed54-dbb5-4b87-a538-10e6a1702ca9" />

<img width="933" height="287" alt="Image" src="https://github.com/user-attachments/assets/f33762c9-3cf6-4a1f-913f-06e69d2be22d" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Does main observable type in OpenCTI differ from STIX v2.1 SCO type? #13858

Prerequisites

Description

Environment

Reproducible Steps

Additional information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Does main observable type in OpenCTI differ from STIX v2.1 SCO type? #13858

Description

Prerequisites

Description

Environment

Reproducible Steps

Additional information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions