OpenCTI-Platform · labo-flg · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/client-python/pycti/__init__.py b/client-python/pycti/__init__.py
@@ -73,6 +73,9 @@
     CustomObservableCryptocurrencyWallet,
     CustomObservableCryptographicKey,
     CustomObservableHostname,
+    CustomObservableICCID,
+    CustomObservableIMEI,
+    CustomObservableIMSI,
     CustomObservableMediaContent,
     CustomObservablePaymentCard,
     CustomObservablePersona,
@@ -176,6 +179,9 @@
     "CustomObservableBankAccount",
     "CustomObservableCryptographicKey",
     "CustomObservableCryptocurrencyWallet",
+    "CustomObservableICCID",
+    "CustomObservableIMEI",
+    "CustomObservableIMSI",
     "CustomObservablePaymentCard",
     "CustomObservablePersona",
     "CustomObservablePhoneNumber",

diff --git a/client-python/pycti/entities/opencti_stix_cyber_observable.py b/client-python/pycti/entities/opencti_stix_cyber_observable.py
@@ -384,6 +384,12 @@ def create(self, **kwargs):
             or type.lower() == "x-opencti-cryptographic-key"
         ):
             type = "Cryptographic-Key"
+        elif type.lower() == "imei" or type.lower() == "x-opencti-imei":
+            type = "IMEI"
+        elif type.lower() == "iccid" or type.lower() == "x-opencti-iccid":
+            type = "ICCID"
+        elif type.lower() == "imsi" or type.lower() == "x-opencti-imsi":
+            type = "IMSI"
         elif type.lower() == "text" or type.lower() == "x-opencti-text":
             type = "Text"
 
@@ -499,6 +505,9 @@ def create(self, **kwargs):
                         $MediaContent: MediaContentAddInput
                         $SSHKey: SSHKeyAddInput
                         $AIPrompt: AIPromptAddInput
+                        $IMEI: IMEIAddInput
+                        $ICCID: ICCIDAddInput
+                        $IMSI: IMSIAddInput
                     ) {
                         stixCyberObservableAdd(
                             type: $type,
@@ -547,6 +556,9 @@ def create(self, **kwargs):
                             MediaContent: $MediaContent
                             SSHKey: $SSHKey
                             AIPrompt: $AIPrompt
+                            IMEI: $IMEI
+                            ICCID: $ICCID
+                            IMSI: $IMSI
                         ) {
                             id
                             standard_id
@@ -1470,6 +1482,24 @@ def create(self, **kwargs):
                     "noTriggerImport": no_trigger_import,
                     "embedded": embedded,
                 }
+            elif type == "IMEI" or type.lower() == "x-opencti-imei":
+                input_variables["IMEI"] = {
+                    "value": (
+                        observable_data["value"] if "value" in observable_data else None
+                    ),
+                }
+            elif type == "ICCID" or type.lower() == "x-opencti-iccid":
+                input_variables["ICCID"] = {
+                    "value": (
+                        observable_data["value"] if "value" in observable_data else None
+                    ),
+                }
+            elif type == "IMSI" or type.lower() == "x-opencti-imsi":
+                input_variables["IMSI"] = {
+                    "value": (
+                        observable_data["value"] if "value" in observable_data else None
+                    ),
+                }
             result = self.opencti.query(query, input_variables)
             if "payload_bin" in observable_data and "mime_type" in observable_data:
                 self.add_file(

diff --git a/...t-python/pycti/entities/stix_cyber_observable/opencti_stix_cyber_observable_properties.py b/...t-python/pycti/entities/stix_cyber_observable/opencti_stix_cyber_observable_properties.py
@@ -322,6 +322,15 @@
         url
         publication_date
     }
+    ... on IMEI {
+        value
+    }
+    ... on ICCID {
+        value
+    }
+    ... on IMSI {
+        value
+    }
 """
 SCO_PROPERTIES_WITH_FILES = """
     id
@@ -660,6 +669,15 @@
         url
         publication_date
     }
+    ... on IMEI {
+        value
+    }
+    ... on ICCID {
+        value
+    }
+    ... on IMSI {
+        value
+    }
     importFiles {
         edges {
             node {

diff --git a/client-python/pycti/utils/constants.py b/client-python/pycti/utils/constants.py
@@ -66,6 +66,9 @@ class StixCyberObservableTypes(CaseInsensitiveEnum):
     PERSONA = "Persona"
     SSH_KEY = "SSH-Key"
     AI_PROMPT = "AI-Prompt"
+    IMEI = "IMEI"
+    ICCID = "ICCID"
+    IMSI = "IMSI"
 
 
 class IdentityTypes(CaseInsensitiveEnum):
@@ -788,3 +791,103 @@ class CustomObservableAIPrompt:
     """
 
     pass
+
+
+@CustomObservable(
+    "imei",
+    [
+        ("value", StringProperty(required=True)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["value"],
+)
+class CustomObservableIMEI:
+    """IMEI observable.
+
+    Represents an International Mobile Equipment Identity
+    which is a phone serial number.
+
+    Format: 14 digits + 1 check digit, numeric only,
+    (can be 16 for legacy digits total).
+
+    :param value: The IMEI value (required)
+    :type value: str
+    :param spec_version: STIX specification version, fixed to "2.1"
+    :type spec_version: str
+    :param object_marking_refs: List of marking definition references
+    :type object_marking_refs: list
+    """
+
+    pass
+
+
+@CustomObservable(
+    "iccid",
+    [
+        ("value", StringProperty(required=True)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["value"],
+)
+class CustomObservableICCID:
+    """ICCID observable.
+
+    Represents an unique serial number of a SIM card,
+    printed on the SIM itself.
+
+    Format: up to 19-20 digits, numeric only.
+
+    :param value: The ICCID value (required)
+    :type value: str
+    :param spec_version: STIX specification version, fixed to "2.1"
+    :type spec_version: str
+    :param object_marking_refs: List of marking definition references
+    :type object_marking_refs: list
+    """
+
+    pass
+
+
+@CustomObservable(
+    "imsi",
+    [
+        ("value", StringProperty(required=True)),
+        ("spec_version", StringProperty(fixed="2.1")),
+        (
+            "object_marking_refs",
+            ListProperty(
+                ReferenceProperty(valid_types="marking-definition", spec_version="2.1")
+            ),
+        ),
+    ],
+    ["value"],
+)
+class CustomObservableIMSI:
+    """IMSI observable.
+
+    Identifies the user as a subscriber in the mobile network.
+
+    Format: usually 15 digits (can be 14-15), numeric only
+    Composed of MCC+MNC+MSIN
+
+    :param value: The IMSI value (required)
+    :type value: str
+    :param spec_version: STIX specification version, fixed to "2.1"
+    :type spec_version: str
+    :param object_marking_refs: List of marking definition references
+    :type object_marking_refs: list
+    """
+
+    pass
diff --git a/client-python/pycti/utils/opencti_stix2_utils.py b/client-python/pycti/utils/opencti_stix2_utils.py
@@ -115,6 +115,9 @@
     "persona": "Persona",
     "ssh-key": "SSH-Key",
     "ai-prompt": "AI-Prompt",
+    "imei": "IMEI",
+    "iccid": "ICCID",
+    "imsi": "IMSI",
 }
 
 STIX_OBJECTS = (
@@ -154,6 +157,9 @@
     "Credential": ["value"],
     "Media-Content": ["url"],
     "AI-Prompt": ["value"],
+    "IMEI": ["value"],
+    "ICCID": ["value"],
+    "IMSI": ["value"],
 }
 
 OBSERVABLES_VALUE_INT = [

diff --git a/opencti-platform/opencti-front/lang/front/de.json b/opencti-platform/opencti-front/lang/front/de.json
@@ -1581,7 +1581,10 @@
   "entity_Grouping": "Gruppierung",
   "entity_History": "Geschichte (Wissen)",
   "entity_Hostname": "Hostname",
+  "entity_ICCID": "ICCID",
   "entity_Identity": "Identität",
+  "entity_IMEI": "IMEI",
+  "entity_IMSI": "IMSI",
   "entity_Incident": "Vorfall",
   "entity_Indicator": "Indikator",
   "entity_Individual": "Einzelne",
@@ -2095,6 +2098,7 @@
   "I have read, I understand and I accept the Filigran AI terms": "Ich habe die Filigran AI-Bedingungen gelesen, verstanden und akzeptiere sie",
   "I would like to use a EE feature ...": "Ich würde gerne eine EE-Funktion ({feature}) verwenden, habe aber keine EE aktiviert.\nIch würde gerne mit Ihnen über die Aktivierung von EE diskutieren.",
   "iban values must begin with a country code and can only include A-Z and 0-9, 34 characters": "iban-Werte müssen mit einem Ländercode beginnen und dürfen nur A-Z und 0-9, 34 Zeichen enthalten",
+  "ICCID values can only include digits, must be 18 to 22 characters": "ICCID-Werte können nur Ziffern enthalten, müssen 18 bis 22 Zeichen lang sein",
   "ID": "ID",
   "ID of your public dashboard": "ID Ihres öffentlichen Dashboards (wird in der URL verwendet)",
   "Identification": "Kennung",
@@ -2126,6 +2130,7 @@
   "If your email address is found, an email will be sent to you.": "Wenn Ihre E-Mail-Adresse gefunden wurde, wird Ihnen eine E-Mail zugeschickt.",
   "if your service account has been created originally as a service account (not transformed), please also change the email of your service account before/after transforming it to a user to ensure that the future user will be able to receive an email in the forgot password workflow.": "wenn Ihr Dienstkonto ursprünglich als Dienstkonto angelegt wurde (nicht umgewandelt), ändern Sie bitte auch die E-Mail Ihres Dienstkontos vor/nach der Umwandlung in einen Benutzer, um sicherzustellen, dass der zukünftige Benutzer eine E-Mail im Workflow \"Passwort vergessen\" erhalten kann.",
   "Image URL": "Bild-URL",
+  "IMEI values can only include digits, must be 15 to 16 characters": "IMEI-Werte dürfen nur Ziffern enthalten und müssen aus 15 bis 16 Zeichen bestehen",
   "Impact": "Aufschlag",
   "Impacted": "Beeinflusst",
   "impacted by a modification to a linked entity (relation, added in container...)": "beeinflusst durch eine Änderung an einer verknüpften Entität (Beziehung, hinzugefügt in Container...)",
@@ -2161,6 +2166,7 @@
   "Import Widget": "Widget importieren",
   "Important notice: your action is required!": "Wichtiger Hinweis: Ihr Handeln ist erforderlich!",
   "Imports": "Importe",
+  "IMSI values can only include digits, must be 14 to 15 characters": "IMSI-Werte können nur Ziffern enthalten, müssen 14 bis 15 Zeichen lang sein",
   "In all the database": "In der gesamten Datenbank",
   "In Carousel": "Im Karussell",
   "In containers": "In Containern",

diff --git a/opencti-platform/opencti-front/lang/front/en.json b/opencti-platform/opencti-front/lang/front/en.json
@@ -1581,7 +1581,10 @@
   "entity_Grouping": "Grouping",
   "entity_History": "History (knowledge)",
   "entity_Hostname": "Hostname",
+  "entity_ICCID": "ICCID",
   "entity_Identity": "Identity",
+  "entity_IMEI": "IMEI",
+  "entity_IMSI": "IMSI",
   "entity_Incident": "Incident",
   "entity_Indicator": "Indicator",
   "entity_Individual": "Individual",
@@ -2095,6 +2098,7 @@
   "I have read, I understand and I accept the Filigran AI terms": "I have read, I understand and I accept the Filigran AI terms",
   "I would like to use a EE feature ...": "I would like to use a EE feature ({feature}) but I don't have EE activated.\nI would like to discuss with you about activating EE.",
   "iban values must begin with a country code and can only include A-Z and 0-9, 34 characters": "iban values must begin with a country code and can only include A-Z and 0-9, 34 characters",
+  "ICCID values can only include digits, must be 18 to 22 characters": "ICCID values can only include digits, must be 18 to 22 characters",
   "ID": "ID",
   "ID of your public dashboard": "ID of your public dashboard (used in the URL)",
   "Identification": "Identification",
@@ -2126,6 +2130,7 @@
   "If your email address is found, an email will be sent to you.": "If your email address is found, an email will be sent to you.",
   "if your service account has been created originally as a service account (not transformed), please also change the email of your service account before/after transforming it to a user to ensure that the future user will be able to receive an email in the forgot password workflow.": "if your service account has been created originally as a service account (not transformed), please also change the email of your service account before/after transforming it to a user to ensure that the future user will be able to receive an email in the forgot password workflow.",
   "Image URL": "Image URL",
+  "IMEI values can only include digits, must be 15 to 16 characters": "IMEI values can only include digits, must be 15 to 16 characters",
   "Impact": "Impact",
   "Impacted": "Impacted",
   "impacted by a modification to a linked entity (relation, added in container...)": "impacted by a modification to a linked entity (relation, added in container...)",
@@ -2161,6 +2166,7 @@
   "Import Widget": "Import Widget",
   "Important notice: your action is required!": "Important notice: your action is required!",
   "Imports": "Imports",
+  "IMSI values can only include digits, must be 14 to 15 characters": "IMSI values can only include digits, must be 14 to 15 characters",
   "In all the database": "In all the database",
   "In Carousel": "In Carousel",
   "In containers": "In containers",

diff --git a/opencti-platform/opencti-front/lang/front/es.json b/opencti-platform/opencti-front/lang/front/es.json
@@ -1581,7 +1581,10 @@
   "entity_Grouping": "Agrupación",
   "entity_History": "Historia (conocimiento)",
   "entity_Hostname": "Nombre de host",
+  "entity_ICCID": "ICCID",
   "entity_Identity": "Identidad",
+  "entity_IMEI": "IMEI",
+  "entity_IMSI": "IMSI",
   "entity_Incident": "Incidente",
   "entity_Indicator": "Indicador",
   "entity_Individual": "Individuo",
@@ -2095,6 +2098,7 @@
   "I have read, I understand and I accept the Filigran AI terms": "He leído, entiendo y acepto las condiciones de Filigran AI",
   "I would like to use a EE feature ...": "Me gustaría utilizar una función EE ({feature}) pero no tengo EE activado.\nMe gustaría hablar con usted sobre la activación de EE.",
   "iban values must begin with a country code and can only include A-Z and 0-9, 34 characters": "los valores iban deben comenzar con un código de país y solo pueden incluir A-Z y 0-9, 34 caracteres",
+  "ICCID values can only include digits, must be 18 to 22 characters": "Los valores ICCID sólo pueden incluir dígitos, deben tener entre 18 y 22 caracteres",
   "ID": "ID",
   "ID of your public dashboard": "ID de su panel de control público (utilizado en la URL)",
   "Identification": "Identificación",
@@ -2126,6 +2130,7 @@
   "If your email address is found, an email will be sent to you.": "Si su dirección de correo electrónico se encuentra, se le enviará un correo electrónico.",
   "if your service account has been created originally as a service account (not transformed), please also change the email of your service account before/after transforming it to a user to ensure that the future user will be able to receive an email in the forgot password workflow.": "si su cuenta de servicio se ha creado originalmente como una cuenta de servicio (no transformada), cambie también el correo electrónico de su cuenta de servicio antes/después de transformarla en un usuario para asegurarse de que el futuro usuario podrá recibir un correo electrónico en el flujo de trabajo de olvido de contraseña.",
   "Image URL": "URL de la imagen",
+  "IMEI values can only include digits, must be 15 to 16 characters": "Los valores IMEI sólo pueden incluir dígitos, deben tener entre 15 y 16 caracteres",
   "Impact": "Impacto",
   "Impacted": "Impactado",
   "impacted by a modification to a linked entity (relation, added in container...)": "afectado por una modificación de una entidad vinculada (relación, añadido en contenedor...)",
@@ -2161,6 +2166,7 @@
   "Import Widget": "Importar Widget",
   "Important notice: your action is required!": "Aviso importante: ¡su acción es necesaria!",
   "Imports": "Importaciones",
+  "IMSI values can only include digits, must be 14 to 15 characters": "Los valores IMSI sólo pueden incluir dígitos, deben tener de 14 a 15 caracteres",
   "In all the database": "En toda la base de datos",
   "In Carousel": "Carrusel",
   "In containers": "En contenedores",

diff --git a/opencti-platform/opencti-front/lang/front/fr.json b/opencti-platform/opencti-front/lang/front/fr.json
@@ -1581,7 +1581,10 @@
   "entity_Grouping": "Groupement",
   "entity_History": "Historique (connaissance)",
   "entity_Hostname": "Nom d'hôte",
+  "entity_ICCID": "ICCID",
   "entity_Identity": "Identité",
+  "entity_IMEI": "IMEI",
+  "entity_IMSI": "IMSI",
   "entity_Incident": "Incident",
   "entity_Indicator": "Indicateur",
   "entity_Individual": "Individu",
@@ -2095,6 +2098,7 @@
   "I have read, I understand and I accept the Filigran AI terms": "J'ai lu, je comprends et j'accepte les conditions d'utilisation de Filigran AI",
   "I would like to use a EE feature ...": "J'aimerais utiliser une fonctionnalité ({feature}) sous Enterprise Edition qui n'est pas activée.\nJ'aimerais savoir si il est possible d'activer EE.",
   "iban values must begin with a country code and can only include A-Z and 0-9, 34 characters": "les valeurs iban doivent commencer par un code de pays et ne peuvent inclure que A-Z et 0-9, 34 caractères",
+  "ICCID values can only include digits, must be 18 to 22 characters": "Les valeurs ICCID ne peuvent comprendre que des chiffres, doivent être de 18 à 22 caractères",
   "ID": "ID",
   "ID of your public dashboard": "ID de votre tableau de bord public (utilisé dans l'URL)",
   "Identification": "Identification",
@@ -2126,6 +2130,7 @@
   "If your email address is found, an email will be sent to you.": "Si votre adresse électronique est trouvée, un courriel vous sera envoyé.",
   "if your service account has been created originally as a service account (not transformed), please also change the email of your service account before/after transforming it to a user to ensure that the future user will be able to receive an email in the forgot password workflow.": "si votre compte de service a été créé à l'origine en tant que compte de service (non transformé), veuillez également modifier l'adresse électronique de votre compte de service avant/après sa transformation en utilisateur afin de vous assurer que le futur utilisateur sera en mesure de recevoir un courrier électronique dans le flux de travail \"mot de passe oublié\".",
   "Image URL": "URL de l'image",
+  "IMEI values can only include digits, must be 15 to 16 characters": "Les valeurs IMEI ne peuvent comporter que des chiffres et doivent être composées de 15 à 16 caractères",
   "Impact": "Impact",
   "Impacted": "Impactés",
   "impacted by a modification to a linked entity (relation, added in container...)": "impacté par une modification d'une entité liée (relation, ajout dans un conteneur...)",
@@ -2161,6 +2166,7 @@
   "Import Widget": "Importer un widget",
   "Important notice: your action is required!": "Avis important : votre action est requise !",
   "Imports": "Importations",
+  "IMSI values can only include digits, must be 14 to 15 characters": "Les valeurs IMSI ne peuvent comprendre que des chiffres, doivent être de 14 à 15 caractères",
   "In all the database": "Dans toute la base",
   "In Carousel": "Carrousel",
   "In containers": "Dans les conteneurs",