v21

STIX 2.1 API Objects.

  • bundle: STIX 2.1 Bundle Representation.
  • common: STIX 2.1 Common Data Types and Properties.
  • observables: STIX 2.1 Cyber Observable Objects.
  • sdo: STIX 2.1 Domain Objects.
  • sro: STIX 2.1 Relationship Objects.

class Bundle(*args, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • objects (List of STIX Objects)
get_obj(obj_uuid)
class ExternalReference(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • source_name (String, required)
  • description (String)
  • url (String)
  • hashes (Hashes)
  • external_id (String)
class GranularMarking(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • lang (String)
  • marking_ref (Reference)
  • selectors (List of Selectors, required)
class KillChainPhase(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • kill_chain_name (String, required)
  • phase_name (String, required)
class LanguageContent(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • object_ref (Reference, required)
  • object_modified (Timestamp)
  • contents (Dictionary, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class MarkingDefinition(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • definition_type (String, required)
  • name (String)
  • definition (Marking, required)
serialize(pretty=False, include_optional_defaults=False, **kwargs)

Serialize a STIX object.

Parameters:
  • pretty (bool) – If True, output properties following the STIX spec's formatting, including indentation. Refer to the note below for more details. (Default: False)
  • include_optional_defaults (bool) – Determines whether to include optional properties set to the default value defined in the spec.
  • **kwargs – The arguments for a json.dumps() call.

Examples

>>> import stix2
>>> identity = stix2.Identity(name='Example Corp.', identity_class='organization')
>>> print(identity.serialize(sort_keys=True))
{"created": "2018-06-08T19:03:54.066Z", ... "name": "Example Corp.", "type": "identity"}
>>> print(identity.serialize(sort_keys=True, indent=4))
{
    "created": "2018-06-08T19:03:54.066Z",
    "id": "identity--d7f3e25a-ba1c-447a-ab71-6434b092b05e",
    "identity_class": "organization",
    "modified": "2018-06-08T19:03:54.066Z",
    "name": "Example Corp.",
    "type": "identity"
}
Returns: str – The serialized JSON object.

Note

The argument pretty=True will output the STIX object following spec order. Using this argument greatly impacts object serialization performance. If your use case is centered on machine-to-machine operation, it is recommended to set pretty=False.

When pretty=True, the following key-value pairs will be added or overridden: indent=4, separators=(",", ": "), item_sort_key=sort_by.

class StatementMarking(statement=None, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • statement (String, required)
class TLPMarking(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • tlp (String, required)
class URL(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • value (String, required)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class AlternateDataStream(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • name (String, required)
  • hashes (Hashes)
  • size (Integer)
class ArchiveExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • contains_refs (List of References, required)
  • comment (String)
class Artifact(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • mime_type (String)
  • payload_bin (Binary)
  • url (String)
  • hashes (Hashes)
  • encryption_algorithm (String)
  • decryption_key (String)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class AutonomousSystem(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • number (Integer, required)
  • name (String)
  • rir (String)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class Directory(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • path (String, required)
  • path_enc (String)
  • ctime (Timestamp)
  • mtime (Timestamp)
  • atime (Timestamp)
  • contains_refs (List of References)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class DomainName(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • value (String, required)
  • resolves_to_refs (List of References)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class EmailAddress(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • value (String, required)
  • display_name (String)
  • belongs_to_ref (Reference)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class EmailMessage(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • is_multipart (Boolean, required)
  • date (Timestamp)
  • content_type (String)
  • from_ref (Reference)
  • sender_ref (Reference)
  • to_refs (List of References)
  • cc_refs (List of References)
  • bcc_refs (List of References)
  • message_id (String)
  • subject (String)
  • received_lines (List of Strings)
  • additional_header_fields (Dictionary)
  • body (String)
  • body_multipart (List of Embedded Objects)
  • raw_email_ref (Reference)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class EmailMIMEComponent(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • body (String)
  • body_raw_ref (Reference)
  • content_type (String)
  • content_disposition (String)
class File(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • hashes (Hashes)
  • size (Integer)
  • name (String)
  • name_enc (String)
  • magic_number_hex (Hex)
  • mime_type (String)
  • ctime (Timestamp)
  • mtime (Timestamp)
  • atime (Timestamp)
  • parent_directory_ref (Reference)
  • contains_refs (List of References)
  • content_ref (Reference)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class HTTPRequestExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • request_method (String, required)
  • request_value (String, required)
  • request_version (String)
  • request_header (Dictionary)
  • message_body_length (Integer)
  • message_body_data_ref (Reference)
class ICMPExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • icmp_type_hex (Hex, required)
  • icmp_code_hex (Hex, required)
class IPv4Address(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • value (String, required)
  • resolves_to_refs (List of References)
  • belongs_to_refs (List of References)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class IPv6Address(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • value (String, required)
  • resolves_to_refs (List of References)
  • belongs_to_refs (List of References)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class MACAddress(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • value (String, required)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class Mutex(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • name (String, required)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class NetworkTraffic(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • start (Timestamp)
  • end (Timestamp)
  • is_active (Boolean)
  • src_ref (Reference)
  • dst_ref (Reference)
  • src_port (Integer)
  • dst_port (Integer)
  • protocols (List of Strings, required)
  • src_byte_count (Integer)
  • dst_byte_count (Integer)
  • src_packets (Integer)
  • dst_packets (Integer)
  • ipfix (Dictionary)
  • src_payload_ref (Reference)
  • dst_payload_ref (Reference)
  • encapsulates_refs (List of References)
  • encapsulated_by_ref (Reference)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class NTFSExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • sid (String)
  • alternate_data_streams (List of Embedded Objects)
class PDFExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • version (String)
  • is_optimized (Boolean)
  • document_info_dict (Dictionary)
  • pdfid0 (String)
  • pdfid1 (String)
class Process(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • is_hidden (Boolean)
  • pid (Integer)
  • created_time (Timestamp)
  • cwd (String)
  • command_line (String)
  • environment_variables (Dictionary)
  • opened_connection_refs (List of References)
  • creator_user_ref (Reference)
  • image_ref (Reference)
  • parent_ref (Reference)
  • child_refs (List of References)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class RasterImageExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • image_height (Integer)
  • image_width (Integer)
  • bits_per_pixel (Integer)
  • exif_tags (Dictionary)
class SocketExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • address_family (Enum, required)
  • is_blocking (Boolean)
  • is_listening (Boolean)
  • protocol_family (Enum)
  • options (Dictionary)
  • socket_type (Enum)
  • socket_descriptor (Integer)
  • socket_handle (Integer)
class Software(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • name (String, required)
  • cpe (String)
  • swid (String)
  • languages (List of Strings)
  • vendor (String)
  • version (String)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class TCPExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • src_flags_hex (Hex)
  • dst_flags_hex (Hex)
class UNIXAccountExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • gid (Integer)
  • groups (List of Strings)
  • home_dir (String)
  • shell (String)
class UserAccount(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • user_id (String)
  • credential (String)
  • account_login (String)
  • account_type (String)
  • display_name (String)
  • is_service_account (Boolean)
  • is_privileged (Boolean)
  • can_escalate_privs (Boolean)
  • is_disabled (Boolean)
  • account_created (Timestamp)
  • account_expires (Timestamp)
  • credential_last_changed (Timestamp)
  • account_first_login (Timestamp)
  • account_last_login (Timestamp)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class WindowsPEBinaryExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • pe_type (String, required)
  • imphash (String)
  • machine_hex (Hex)
  • number_of_sections (Integer)
  • time_date_stamp (Timestamp)
  • pointer_to_symbol_table_hex (Hex)
  • number_of_symbols (Integer)
  • size_of_optional_header (Integer)
  • characteristics_hex (Hex)
  • file_header_hashes (Hashes)
  • optional_header (Embedded Object)
  • sections (List of Embedded Objects)
class WindowsPEOptionalHeaderType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • magic_hex (Hex)
  • major_linker_version (Integer)
  • minor_linker_version (Integer)
  • size_of_code (Integer)
  • size_of_initialized_data (Integer)
  • size_of_uninitialized_data (Integer)
  • address_of_entry_point (Integer)
  • base_of_code (Integer)
  • base_of_data (Integer)
  • image_base (Integer)
  • section_alignment (Integer)
  • file_alignment (Integer)
  • major_os_version (Integer)
  • minor_os_version (Integer)
  • major_image_version (Integer)
  • minor_image_version (Integer)
  • major_subsystem_version (Integer)
  • minor_subsystem_version (Integer)
  • win32_version_value_hex (Hex)
  • size_of_image (Integer)
  • size_of_headers (Integer)
  • checksum_hex (Hex)
  • subsystem_hex (Hex)
  • dll_characteristics_hex (Hex)
  • size_of_stack_reserve (Integer)
  • size_of_stack_commit (Integer)
  • size_of_heap_reserve (Integer)
  • size_of_heap_commit (Integer)
  • loader_flags_hex (Hex)
  • number_of_rva_and_sizes (Integer)
  • hashes (Hashes)
class WindowsPESection(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • name (String, required)
  • size (Integer)
  • entropy (Float)
  • hashes (Hashes)
class WindowsProcessExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • aslr_enabled (Boolean)
  • dep_enabled (Boolean)
  • priority (String)
  • owner_sid (String)
  • window_title (String)
  • startup_info (Dictionary)
  • integrity_level (Enum)
class WindowsRegistryKey(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • key (String)
  • values (List of Embedded Objects)
  • modified_time (Timestamp)
  • creator_user_ref (Reference)
  • number_of_subkeys (Integer)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class WindowsRegistryValueType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • name (String)
  • data (String)
  • data_type (Enum)
class WindowsServiceExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • service_name (String)
  • descriptions (List of Strings)
  • display_name (String)
  • group_name (String)
  • start_type (Enum)
  • service_dll_refs (List of References)
  • service_type (Enum)
  • service_status (Enum)
class X509Certificate(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • id (ID)
  • is_self_signed (Boolean)
  • hashes (Hashes)
  • version (String)
  • serial_number (String)
  • signature_algorithm (String)
  • issuer (String)
  • validity_not_before (Timestamp)
  • validity_not_after (Timestamp)
  • subject (String)
  • subject_public_key_algorithm (String)
  • subject_public_key_modulus (String)
  • subject_public_key_exponent (Integer)
  • x509_v3_extensions (Embedded Object)
  • extensions (Extensions)
  • spec_version (String)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • defanged (Boolean)
class X509V3ExtenstionsType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • basic_constraints (String)
  • name_constraints (String)
  • policy_constraints (String)
  • key_usage (String)
  • extended_key_usage (String)
  • subject_key_identifier (String)
  • authority_key_identifier (String)
  • subject_alternative_name (String)
  • issuer_alternative_name (String)
  • subject_directory_attributes (String)
  • crl_distribution_points (String)
  • inhibit_any_policy (String)
  • private_key_usage_period_not_before (Timestamp)
  • private_key_usage_period_not_after (Timestamp)
  • certificate_policies (String)
  • policy_mappings (String)
class AttackPattern(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Campaign(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • aliases (List of Strings)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • objective (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class CourseOfAction(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Grouping(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • created_by_ref (Reference)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • name (String)
  • description (String)
  • context (String, required)
  • object_refs (List of References, required)
class Identity(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • roles (List of Strings)
  • identity_class (String)
  • sectors (List of Strings)
  • contact_information (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Indicator(*args, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • indicator_types (List of Strings)
  • pattern (Pattern, required)
  • pattern_type (String, required)
  • pattern_version (String)
  • valid_from (Timestamp, required, default: current date/time)
  • valid_until (Timestamp)
  • kill_chain_phases (List of Kill Chain Phases)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Infrastructure(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • name (String, required)
  • description (String)
  • infrastructure_types (List of Strings)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
class IntrusionSet(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • aliases (List of Strings)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • goals (List of Strings)
  • resource_level (String)
  • primary_motivation (String)
  • secondary_motivations (List of Strings)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Location(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • latitude (Float)
  • longitude (Float)
  • precision (Float)
  • region (String)
  • country (String)
  • administrative_area (String)
  • city (String)
  • street_address (String)
  • postal_code (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
to_maps_url(map_engine='Google Maps')

Return URL to this location in an online map engine.

Google Maps is the default, but Bing Maps is also supported.

Parameters: map_engine (str) – Which map engine to find the location in.
Returns: The URL of the location in the given map engine.
class Malware(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String)
  • description (String)
  • malware_types (List of Strings)
  • is_family (Boolean, required)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • operating_system_refs (List of References)
  • architecture_execution_envs (List of Strings)
  • implementation_languages (List of Strings)
  • capabilities (List of Strings)
  • sample_refs (List of References)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class MalwareAnalysis(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • created_by_ref (Reference)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
  • product (String, required)
  • version (String)
  • host_vm_ref (Reference)
  • operating_system_ref (Reference)
  • installed_software_refs (List of References)
  • configuration_version (String)
  • modules (List of Strings)
  • analysis_engine_version (String)
  • analysis_definition_version (String)
  • submitted (Timestamp)
  • analysis_started (Timestamp)
  • analysis_ended (Timestamp)
  • result_name (String)
  • result (String)
  • analysis_sco_refs (List of References)
  • sample_ref (Reference)
class Note(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • abstract (String)
  • content (String, required)
  • authors (List of Strings)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class ObservedData(*args, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • first_observed (Timestamp, required)
  • last_observed (Timestamp, required)
  • number_observed (Integer, required)
  • objects (Observable)
  • object_refs (List of References)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Opinion(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • explanation (String)
  • authors (List of Strings)
  • opinion (Enum, required)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Report(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • report_types (List of Strings)
  • published (Timestamp, required)
  • object_refs (List of References, required)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class ThreatActor(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • threat_actor_types (List of Strings)
  • aliases (List of Strings)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • roles (List of Strings)
  • goals (List of Strings)
  • sophistication (String)
  • resource_level (String)
  • primary_motivation (String)
  • secondary_motivations (List of Strings)
  • personal_motivations (List of Strings)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Tool(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • tool_types (List of Strings)
  • aliases (List of Strings)
  • kill_chain_phases (List of Kill Chain Phases)
  • tool_version (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Vulnerability(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • name (String, required)
  • description (String)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Relationship(source_ref=None, relationship_type=None, target_ref=None, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • relationship_type (String, required)
  • description (String)
  • source_ref (Reference, required)
  • target_ref (Reference, required)
  • start_time (Timestamp)
  • stop_time (Timestamp)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
class Sighting(sighting_of_ref=None, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.1 specification.

Properties:
  • spec_version (String)
  • id (ID)
  • created_by_ref (Reference)
  • created (Timestamp, default: current date/time)
  • modified (Timestamp, default: current date/time)
  • description (String)
  • first_seen (Timestamp)
  • last_seen (Timestamp)
  • count (Integer)
  • sighting_of_ref (Reference, required)
  • observed_data_refs (List of References)
  • where_sighted_refs (List of References)
  • summary (Boolean)
  • revoked (Boolean)
  • labels (List of Strings)
  • confidence (Integer)
  • lang (String)
  • external_references (List of External References)
  • object_marking_refs (List of References)
  • granular_markings (List of Granular Markings)
CustomMarking(type='x-custom-marking', properties=None)

Custom STIX Marking decorator.

Example

>>> from stix2.v21 import CustomMarking
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomMarking('x-custom-marking', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewMarkingObjectType():
...     pass

CustomExtension(observable=None, type='x-custom-observable-ext', properties=None)

Decorator for custom extensions to STIX Cyber Observables.

CustomObservable(type='x-custom-observable', properties=None, id_contrib_props=None)

Custom STIX Cyber Observable Object type decorator.

Example

>>> from stix2.v21 import CustomObservable
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObservable('x-custom-observable', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObservableType():
...     pass

CustomObject(type='x-custom-type', properties=None)

Custom STIX Object type decorator.

Example

>>> from stix2.v21 import CustomObject
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObject('x-type-name', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObjectType():
...     pass

Supply an __init__() function to add any special validations to the custom type. Don’t call super().__init__() though - doing so will cause an error.

Example

>>> from stix2.v21 import CustomObject
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObject('x-type-name', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObjectType():
...     def __init__(self, property2=None, **kwargs):
...         if property2 is not None and property2 < 10:
...             raise ValueError("'property2' is too small.")