diff --git a/OpenCTI/custom-opencti.py b/OpenCTI/custom-opencti.py
index 0c384fa..7154612 100644
--- a/OpenCTI/custom-opencti.py
+++ b/OpenCTI/custom-opencti.py
@@ -44,7 +44,7 @@ def send_event(msg, agent = None):
 # OpenCTI Server API AUTH KEY
 opencti_api_auth_key = "Bearer your_opencti_token"
 # API - HTTP Headers
-opencti_apicall_headers = {"Content-Type":"application/json", "Authorization":f"{opencti_api_auth_key}", "Accept":"*/*"}
+opencti_apicall_headers = {"Content-Type":"application/json", "Authorization":f"Bearer {opencti_api_auth_key}", "Accept":"*/*"}
 ## Extract Sysmon for Windows/Sysmon for Linux and Sysmon Event ID
 event_source = alert["rule"]["groups"][0]
 event_type = alert["rule"]["groups"][2]
@@ -111,7 +111,7 @@ def send_event(msg, agent = None):
             sys.exit()
     else:
         sys.exit()
-    api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n  algorithm\n  hash\n}   \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n  algorithm\n  hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509V3ExtensionsType {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on XOpenCTICryptographicKey {\nvalue\n}\n... on XOpenCTICryptocurrencyWallet {\nvalue\n}\n... on XOpenCTIHostname {\nvalue\n}\n... on XOpenCTIText {\nvalue\n}\n... on XOpenCTIUserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
+    api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n  algorithm\n  hash\n}   \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n  algorithm\n  hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509Certificate {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on CryptographicKey {\nvalue\n}\n... on CryptocurrencyWallet {\nvalue\n}\n... on Hostname {\nvalue\n}\n... on Text {\nvalue\n}\n... on UserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
     try:
         opencti_api_response = requests.post(opencti_base_url, headers=opencti_apicall_headers,json=api_json_body)
     except ConnectionError:
@@ -137,7 +137,7 @@ def send_event(msg, agent = None):
             dst_ip = alert["data"]["eventdata"]["DestinationIp"]
             if ipaddress.ip_address(dst_ip).is_global:
                 wazuh_event_param = dst_ip
-                api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n  algorithm\n  hash\n}   \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n  algorithm\n  hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509V3ExtensionsType {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on XOpenCTICryptographicKey {\nvalue\n}\n... on XOpenCTICryptocurrencyWallet {\nvalue\n}\n... on XOpenCTIHostname {\nvalue\n}\n... on XOpenCTIText {\nvalue\n}\n... on XOpenCTIUserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
+                api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n  algorithm\n  hash\n}   \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n  algorithm\n  hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509Certificate {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on CryptographicKey {\nvalue\n}\n... on CryptocurrencyWallet {\nvalue\n}\n... on Hostname {\nvalue\n}\n... on Text {\nvalue\n}\n... on UserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
                 try:
                     opencti_api_response = requests.post(opencti_base_url, headers=opencti_apicall_headers,json=api_json_body)
                 except ConnectionError:
@@ -169,7 +169,7 @@ def send_event(msg, agent = None):
         opencti_key_valyue_type="hashes_SHA256"
     except IndexError:
         sys.exit()
-    api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n  algorithm\n  hash\n}   \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n  algorithm\n  hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509V3ExtensionsType {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on XOpenCTICryptographicKey {\nvalue\n}\n... on XOpenCTICryptocurrencyWallet {\nvalue\n}\n... on XOpenCTIHostname {\nvalue\n}\n... on XOpenCTIText {\nvalue\n}\n... on XOpenCTIUserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
+    api_json_body={"query": "\nquery StixCyberObservables($types: [String], $filters: [StixCyberObservablesFiltering], $search: String, $first: Int, $after: ID, $orderBy: StixCyberObservablesOrdering, $orderMode: OrderingMode) {\nstixCyberObservables(types: $types, filters: $filters, search: $search, first: $first, after: $after, orderBy: $orderBy, orderMode: $orderMode) {\nedges {\nnode {\n\nid\nstandard_id\nentity_type\nparent_types\nspec_version\ncreated_at\nupdated_at\ncreatedBy {\n... on Identity {\nid\nstandard_id\nentity_type\nparent_types\nspec_version\nidentity_class\nname\ndescription\nroles\ncontact_information\nx_opencti_aliases\ncreated\nmodified\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\n}\n... on Organization {\nx_opencti_organization_type\nx_opencti_reliability\n}\n... on Individual {\nx_opencti_firstname\nx_opencti_lastname\n}\n}\nobjectMarking {\nedges {\nnode {\nid\nstandard_id\nentity_type\ndefinition_type\ndefinition\ncreated\nmodified\nx_opencti_order\nx_opencti_color\n}\n}\n}\nobjectLabel {\nedges {\nnode {\nid\nvalue\ncolor\n}\n}\n}\nexternalReferences {\nedges {\nnode {\nid\nstandard_id\nentity_type\nsource_name\ndescription\nurl\nhash\nexternal_id\ncreated\nmodified\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n}\n}\n}\nobservable_value\nx_opencti_description\nx_opencti_score\nindicators {\nedges {\nnode {\nid\npattern\npattern_type\n}\n}\n}\n... on AutonomousSystem {\nnumber\nname\nrir\n}\n... on Directory {\npath\npath_enc\nctime\nmtime\natime\n}\n... on DomainName {\nvalue\n}\n... on EmailAddr {\nvalue\ndisplay_name\n}\n... on EmailMessage {\nis_multipart\nattribute_date\ncontent_type\nmessage_id\nsubject\nreceived_lines\nbody\n}\n... on Artifact {\nmime_type\npayload_bin\nurl\nencryption_algorithm\ndecryption_key\nhashes {\nalgorithm\nhash\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\n}\n}\n}\n}\n... on StixFile {\nextensions\nsize\nname\nname_enc\nmagic_number_hex\nmime_type\nctime\nmtime\natime\nx_opencti_additional_names\nhashes {\n  algorithm\n  hash\n}   \n}\n... on X509Certificate {\nis_self_signed\nversion\nserial_number\nsignature_algorithm\nissuer\nsubject\nsubject_public_key_algorithm\nsubject_public_key_modulus\nsubject_public_key_exponent\nvalidity_not_before\nvalidity_not_after\nhashes {\n  algorithm\n  hash\n}\n}\n... on IPv4Addr {\nvalue\n}\n... on IPv6Addr {\nvalue\n}\n... on MacAddr {\nvalue\n}\n... on Mutex {\nname\n}\n... on NetworkTraffic {\nextensions\nstart\nend\nis_active\nsrc_port\ndst_port\nprotocols\nsrc_byte_count\ndst_byte_count\nsrc_packets\ndst_packets\n}\n... on Process {\nextensions\nis_hidden\npid\ncreated_time\ncwd\ncommand_line\nenvironment_variables\n}\n... on Software {\nname\ncpe\nswid\nlanguages\nvendor\nversion\n}\n... on Url {\nvalue\n}\n... on UserAccount {\nextensions\nuser_id\ncredential\naccount_login\naccount_type\ndisplay_name\nis_service_account\nis_privileged\ncan_escalate_privs\nis_disabled\naccount_created\naccount_expires\ncredential_last_changed\naccount_first_login\naccount_last_login\n}\n... on WindowsRegistryKey {\nattribute_key\nmodified_time\nnumber_of_subkeys\n}\n... on WindowsRegistryValueType {\nname\ndata\ndata_type\n}\n... on X509Certificate {\nbasic_constraints\nname_constraints\npolicy_constraints\nkey_usage\nextended_key_usage\nsubject_key_identifier\nauthority_key_identifier\nsubject_alternative_name\nissuer_alternative_name\nsubject_directory_attributes\ncrl_distribution_points\ninhibit_any_policy\nprivate_key_usage_period_not_before\nprivate_key_usage_period_not_after\ncertificate_policies\npolicy_mappings\n}\n... on CryptographicKey {\nvalue\n}\n... on CryptocurrencyWallet {\nvalue\n}\n... on Hostname {\nvalue\n}\n... on Text {\nvalue\n}\n... on UserAgent {\nvalue\n}\nimportFiles {\nedges {\nnode {\nid\nname\nsize\nmetaData {\nmimetype\nversion\n}\n}\n}\n}\n\n}\n}\npageInfo {\nstartCursor\nendCursor\nhasNextPage\nhasPreviousPage\nglobalCount\n}\n}\n}\n", "variables": {"types": null, "filters": [{"key": f"{opencti_key_valyue_type}", "values": [f"{wazuh_event_param}"]}]}}
     try:
         opencti_api_response = requests.post(opencti_base_url, headers=opencti_apicall_headers,json=api_json_body)
     except ConnectionError: