v21

STIX 2.1 API Objects.

  • bundle – STIX 2.1 Bundle Representation.
  • common – STIX 2.1 Common Data Types and Properties.
  • observables – STIX 2.1 Cyber Observable Objects.
  • sdo – STIX 2.1 Domain Objects.
  • sro – STIX 2.1 Relationship Objects.

class Bundle(*args, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • objects (List of STIX Objects)
get_obj(obj_uuid)
class ExtensionDefinition(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference, required)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • schema (String, required)
  • version (String, required)
  • extension_types (List of Enums, required)
  • extension_properties (List of Strings)
  • revoked (Boolean)
  • labels (List of Strings)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class ExternalReference(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • source_name (String, required)
  • description (String)
  • url (String)
  • hashes (Hashes)
  • external_id (String)
class GranularMarking(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • lang (String)
  • marking_ref (Reference)
  • selectors (List of Selectors, required)
class KillChainPhase(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • kill_chain_name (String, required)
  • phase_name (String, required)
class LanguageContent(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • object_ref (Reference, required)
  • object_modified (Timestamp)
  • contents (Dictionary, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class MarkingDefinition(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • definition_type (String)
  • name (String)
  • definition (Marking)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
serialize(pretty=False, include_optional_defaults=False, **kwargs)

Serialize a STIX object.

Examples

>>> import stix2
>>> identity = stix2.Identity(name='Example Corp.', identity_class='organization')
>>> print(identity.serialize(sort_keys=True))
{"created": "2018-06-08T19:03:54.066Z", ... "name": "Example Corp.", "type": "identity"}
>>> print(identity.serialize(sort_keys=True, indent=4))
{
    "created": "2018-06-08T19:03:54.066Z",
    "id": "identity--d7f3e25a-ba1c-447a-ab71-6434b092b05e",
    "identity_class": "organization",
    "modified": "2018-06-08T19:03:54.066Z",
    "name": "Example Corp.",
    "type": "identity"
}
Returns: str – The serialized JSON object.

See also

stix2.serialization.serialize for options.

class StatementMarking(statement=None, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • statement (String, required)
class TLPMarking(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • tlp (String, required)
class URL(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • value (String, required)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class AlternateDataStream(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • name (String, required)
  • hashes (Hashes)
  • size (Integer)
class ArchiveExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • contains_refs (List of References, required)
  • comment (String)
class Artifact(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • mime_type (String)
  • payload_bin (Binary)
  • url (String)
  • hashes (Hashes)
  • encryption_algorithm (Enum)
  • decryption_key (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class AutonomousSystem(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • number (Integer, required)
  • name (String)
  • rir (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class Directory(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • path (String, required)
  • path_enc (String)
  • ctime (Timestamp)
  • mtime (Timestamp)
  • atime (Timestamp)
  • contains_refs (List of References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class DomainName(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • value (String, required)
  • resolves_to_refs (List of References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class EmailAddress(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • value (String, required)
  • display_name (String)
  • belongs_to_ref (Reference)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class EmailMessage(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • is_multipart (Boolean, required)
  • date (Timestamp)
  • content_type (String)
  • from_ref (Reference)
  • sender_ref (Reference)
  • to_refs (List of References)
  • cc_refs (List of References)
  • bcc_refs (List of References)
  • message_id (String)
  • subject (String)
  • received_lines (List of Strings)
  • additional_header_fields (Dictionary)
  • body (String)
  • body_multipart (List of Embedded Objects)
  • raw_email_ref (Reference)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class EmailMIMEComponent(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • body (String)
  • body_raw_ref (Reference)
  • content_type (String)
  • content_disposition (String)
class File(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • hashes (Hashes)
  • size (Integer)
  • name (String)
  • name_enc (String)
  • magic_number_hex (Hex)
  • mime_type (String)
  • ctime (Timestamp)
  • mtime (Timestamp)
  • atime (Timestamp)
  • parent_directory_ref (Reference)
  • contains_refs (List of References)
  • content_ref (Reference)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class HTTPRequestExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • request_method (String, required)
  • request_value (String, required)
  • request_version (String)
  • request_header (Dictionary)
  • message_body_length (Integer)
  • message_body_data_ref (Reference)
class ICMPExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • icmp_type_hex (Hex, required)
  • icmp_code_hex (Hex, required)
class IPv4Address(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • value (String, required)
  • resolves_to_refs (List of References)
  • belongs_to_refs (List of References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class IPv6Address(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • value (String, required)
  • resolves_to_refs (List of References)
  • belongs_to_refs (List of References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class MACAddress(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • value (String, required)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class Mutex(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • name (String, required)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class NetworkTraffic(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • start (Timestamp)
  • end (Timestamp)
  • is_active (Boolean)
  • src_ref (Reference)
  • dst_ref (Reference)
  • src_port (Integer)
  • dst_port (Integer)
  • protocols (List of Strings, required)
  • src_byte_count (Integer)
  • dst_byte_count (Integer)
  • src_packets (Integer)
  • dst_packets (Integer)
  • ipfix (Dictionary)
  • src_payload_ref (Reference)
  • dst_payload_ref (Reference)
  • encapsulates_refs (List of References)
  • encapsulated_by_ref (Reference)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class NTFSExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • sid (String)
  • alternate_data_streams (List of Embedded Objects)
class PDFExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • version (String)
  • is_optimized (Boolean)
  • document_info_dict (Dictionary)
  • pdfid0 (String)
  • pdfid1 (String)
class Process(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • is_hidden (Boolean)
  • pid (Integer)
  • created_time (Timestamp)
  • cwd (String)
  • command_line (String)
  • environment_variables (Dictionary)
  • opened_connection_refs (List of References)
  • creator_user_ref (Reference)
  • image_ref (Reference)
  • parent_ref (Reference)
  • child_refs (List of References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class RasterImageExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • image_height (Integer)
  • image_width (Integer)
  • bits_per_pixel (Integer)
  • exif_tags (Dictionary)
class SocketExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • address_family (Enum, required)
  • is_blocking (Boolean)
  • is_listening (Boolean)
  • options (Dictionary)
  • socket_type (Enum)
  • socket_descriptor (Integer)
  • socket_handle (Integer)
class Software(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • name (String, required)
  • cpe (String)
  • swid (String)
  • languages (List of Strings)
  • vendor (String)
  • version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class TCPExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • src_flags_hex (Hex)
  • dst_flags_hex (Hex)
class UNIXAccountExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • gid (Integer)
  • groups (List of Strings)
  • home_dir (String)
  • shell (String)
class UserAccount(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • user_id (String)
  • credential (String)
  • account_login (String)
  • account_type (Open Vocab)
  • display_name (String)
  • is_service_account (Boolean)
  • is_privileged (Boolean)
  • can_escalate_privs (Boolean)
  • is_disabled (Boolean)
  • account_created (Timestamp)
  • account_expires (Timestamp)
  • credential_last_changed (Timestamp)
  • account_first_login (Timestamp)
  • account_last_login (Timestamp)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class WindowsPEBinaryExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • pe_type (Open Vocab, required)
  • imphash (String)
  • machine_hex (Hex)
  • number_of_sections (Integer)
  • time_date_stamp (Timestamp)
  • pointer_to_symbol_table_hex (Hex)
  • number_of_symbols (Integer)
  • size_of_optional_header (Integer)
  • characteristics_hex (Hex)
  • file_header_hashes (Hashes)
  • optional_header (Embedded Object)
  • sections (List of Embedded Objects)
class WindowsPEOptionalHeaderType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • magic_hex (Hex)
  • major_linker_version (Integer)
  • minor_linker_version (Integer)
  • size_of_code (Integer)
  • size_of_initialized_data (Integer)
  • size_of_uninitialized_data (Integer)
  • address_of_entry_point (Integer)
  • base_of_code (Integer)
  • base_of_data (Integer)
  • image_base (Integer)
  • section_alignment (Integer)
  • file_alignment (Integer)
  • major_os_version (Integer)
  • minor_os_version (Integer)
  • major_image_version (Integer)
  • minor_image_version (Integer)
  • major_subsystem_version (Integer)
  • minor_subsystem_version (Integer)
  • win32_version_value_hex (Hex)
  • size_of_image (Integer)
  • size_of_headers (Integer)
  • checksum_hex (Hex)
  • subsystem_hex (Hex)
  • dll_characteristics_hex (Hex)
  • size_of_stack_reserve (Integer)
  • size_of_stack_commit (Integer)
  • size_of_heap_reserve (Integer)
  • size_of_heap_commit (Integer)
  • loader_flags_hex (Hex)
  • number_of_rva_and_sizes (Integer)
  • hashes (Hashes)
class WindowsPESection(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • name (String, required)
  • size (Integer)
  • entropy (Float)
  • hashes (Hashes)
class WindowsProcessExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • aslr_enabled (Boolean)
  • dep_enabled (Boolean)
  • priority (String)
  • owner_sid (String)
  • window_title (String)
  • startup_info (Dictionary)
  • integrity_level (Enum)
class WindowsRegistryKey(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • key (String)
  • values (List of Embedded Objects)
  • modified_time (Timestamp)
  • creator_user_ref (Reference)
  • number_of_subkeys (Integer)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class WindowsRegistryValueType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • name (String)
  • data (String)
  • data_type (Enum)
class WindowsServiceExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • service_name (String)
  • descriptions (List of Strings)
  • display_name (String)
  • group_name (String)
  • start_type (Enum)
  • service_dll_refs (List of References)
  • service_type (Enum)
  • service_status (Enum)
class X509Certificate(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • is_self_signed (Boolean)
  • hashes (Hashes)
  • version (String)
  • serial_number (String)
  • signature_algorithm (String)
  • issuer (String)
  • validity_not_before (Timestamp)
  • validity_not_after (Timestamp)
  • subject (String)
  • subject_public_key_algorithm (String)
  • subject_public_key_modulus (String)
  • subject_public_key_exponent (Integer)
  • x509_v3_extensions (Embedded Object)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
  • extensions (Extensions)
class X509V3ExtensionsType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • basic_constraints (String)
  • name_constraints (String)
  • policy_constraints (String)
  • key_usage (String)
  • extended_key_usage (String)
  • subject_key_identifier (String)
  • authority_key_identifier (String)
  • subject_alternative_name (String)
  • issuer_alternative_name (String)
  • subject_directory_attributes (String)
  • crl_distribution_points (String)
  • inhibit_any_policy (String)
  • private_key_usage_period_not_before (Timestamp)
  • private_key_usage_period_not_after (Timestamp)
  • certificate_policies (String)
  • policy_mappings (String)
class AttackPattern(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Campaign(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • aliases (List of Strings)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • objective (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class CourseOfAction(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Grouping(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • context (Open Vocab, required)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Identity(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • roles (List of Strings)
  • identity_class (Open Vocab)
  • sectors (List of Open Vocabs)
  • contact_information (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Incident(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • kill_chain_phases (List of Kill Chain Phases)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Indicator(*args, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • indicator_types (List of Open Vocabs)
  • pattern (Pattern, required)
  • pattern_type (Open Vocab, required)
  • pattern_version (String)
  • valid_from (Timestamp, default: current date/time)
  • valid_until (Timestamp)
  • kill_chain_phases (List of Kill Chain Phases)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Infrastructure(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • infrastructure_types (List of Open Vocabs)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class IntrusionSet(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • aliases (List of Strings)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • goals (List of Strings)
  • resource_level (Open Vocab)
  • primary_motivation (Open Vocab)
  • secondary_motivations (List of Open Vocabs)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Location(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • latitude (Float)
  • longitude (Float)
  • precision (Float)
  • region (Open Vocab)
  • country (String)
  • administrative_area (String)
  • city (String)
  • street_address (String)
  • postal_code (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
to_maps_url(map_engine='Google Maps')

Return URL to this location in an online map engine.

Google Maps is the default, but Bing Maps is also supported.

Parameters: map_engine (str) – Which map engine to find the location in.
Returns: The URL of the location in the given map engine.
class Malware(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • malware_types (List of Open Vocabs)
  • is_family (Boolean, required)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • operating_system_refs (List of References)
  • architecture_execution_envs (List of Open Vocabs)
  • implementation_languages (List of Open Vocabs)
  • capabilities (List of Open Vocabs)
  • sample_refs (List of References)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class MalwareAnalysis(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • product (String, required)
  • version (String)
  • host_vm_ref (Reference)
  • operating_system_ref (Reference)
  • installed_software_refs (List of References)
  • configuration_version (String)
  • modules (List of Strings)
  • analysis_engine_version (String)
  • analysis_definition_version (String)
  • submitted (Timestamp)
  • analysis_started (Timestamp)
  • analysis_ended (Timestamp)
  • result_name (String)
  • result (Open Vocab)
  • analysis_sco_refs (List of References)
  • sample_ref (Reference)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Note(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • abstract (String)
  • content (String, required)
  • authors (List of Strings)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class ObservedData(*args, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • first_observed (Timestamp, required)
  • last_observed (Timestamp, required)
  • number_observed (Integer, required)
  • objects (Observable)
  • object_refs (List of References)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Opinion(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • explanation (String)
  • authors (List of Strings)
  • opinion (Enum, required)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Report(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • report_types (List of Open Vocabs)
  • published (Timestamp, required)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class ThreatActor(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • threat_actor_types (List of Open Vocabs)
  • aliases (List of Strings)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • roles (List of Open Vocabs)
  • goals (List of Strings)
  • sophistication (Open Vocab)
  • resource_level (Open Vocab)
  • primary_motivation (Open Vocab)
  • secondary_motivations (List of Open Vocabs)
  • personal_motivations (List of Open Vocabs)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Tool(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • tool_types (List of Open Vocabs)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • tool_version (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Vulnerability(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Relationship(source_ref=None, relationship_type=None, target_ref=None, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • relationship_type (String, required)
  • description (String)
  • source_ref (Reference, required)
  • target_ref (Reference, required)
  • start_time (Timestamp)
  • stop_time (Timestamp)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
class Sighting(sighting_of_ref=None, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • description (String)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • count (Integer)
  • sighting_of_ref (Reference, required)
  • observed_data_refs (List of References)
  • where_sighted_refs (List of References)
  • summary (Boolean)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • extensions (Extensions)
CustomMarking(type='x-custom-marking', properties=None)

Custom STIX Marking decorator.

Example

>>> from stix2.v21 import CustomMarking
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomMarking('x-custom-marking', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewMarkingObjectType():
...     pass

CustomExtension(type='x-custom-ext', properties=None)

Custom STIX Object Extension decorator.

CustomObservable(type='x-custom-observable', properties=None, id_contrib_props=None, extension_name=None)

Custom STIX Cyber Observable Object type decorator.

Example

>>> from stix2.v21 import CustomObservable
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObservable('x-custom-observable', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObservableType():
...     pass

CustomObject(type='x-custom-type', properties=None, extension_name=None, is_sdo=True)

Custom STIX Object type decorator.

Example

>>> from stix2.v21 import CustomObject
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObject('x-type-name', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObjectType():
...     pass

Supply an __init__() method to add any special validations to the custom type. Do not call super().__init__() from it, though: doing so will cause an error.

Example

>>> from stix2.v21 import CustomObject
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObject('x-type-name', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObjectType():
...     def __init__(self, property2=None, **kwargs):
...         if property2 and property2 < 10:
...             raise ValueError("'property2' is too small.")