# Creating STIX Content¶

## Creating STIX Domain Objects¶

To create a STIX object, provide keyword arguments to the type’s constructor:

[3]:

from stix2 import Indicator

indicator = Indicator(name="File hash for malware variant",
labels=["malicious-activity"],
pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")
print(indicator)

[3]:

{
"type": "indicator",
"id": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",
"created": "2019-05-13T13:14:48.509Z",
"modified": "2019-05-13T13:14:48.509Z",
"name": "File hash for malware variant",
"pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"valid_from": "2019-05-13T13:14:48.509629Z",
"labels": [
"malicious-activity"
]
}


Certain required attributes of all objects will be set automatically if not provided as keyword arguments:

• If not provided, type will be set automatically to the correct type. You can also provide the type explicitly, but this is not necessary:
[4]:

indicator2 = Indicator(type='indicator',
labels=["malicious-activity"],
pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")


Passing a value for type that does not match the class being constructed will cause an error:

[5]:

indicator3 = Indicator(type='xxx',
labels=["malicious-activity"],
pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")

InvalidValueError: Invalid value for Indicator 'type': must equal 'indicator'.


• If not provided, id will be generated randomly. If you provide an id argument, it must begin with the correct prefix:
[6]:

indicator4 = Indicator(id="campaign--63ce9068-b5ab-47fa-a2cf-a602ea01f21a",
labels=["malicious-activity"],
pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")

InvalidValueError: Invalid value for Indicator 'id': must start with 'indicator--'.



For indicators, labels and pattern are required and cannot be set automatically. Trying to create an indicator that is missing one of these properties will result in an error:

[7]:

indicator = Indicator()

MissingPropertiesError: No values for required properties for Indicator: (labels, pattern).



However, the required valid_from attribute on Indicators will be set to the current time if not provided as a keyword argument.

Once created, the object acts like a frozen dictionary. Properties can be accessed using the standard Python dictionary syntax:

[8]:

indicator['name']

[8]:

'File hash for malware variant'


Or access properties using the standard Python attribute syntax:

[9]:

indicator.name

[9]:

'File hash for malware variant'


Attempting to modify any attributes will raise an error:

[10]:

indicator['name'] = "This is a revised name"

TypeError: 'Indicator' object does not support item assignment


[11]:

indicator.name = "This is a revised name"

ImmutableError: Cannot modify 'name' property in 'Indicator' after creation.



To update the properties of an object, see the Versioning section.

Creating a Malware object follows the same pattern:

[12]:

from stix2 import Malware

malware = Malware(name="Poison Ivy",
labels=['remote-access-trojan'])
print(malware)

[12]:

{
"type": "malware",
"id": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67",
"created": "2019-05-13T13:15:04.698Z",
"modified": "2019-05-13T13:15:04.698Z",
"name": "Poison Ivy",
"labels": [
"remote-access-trojan"
]
}


As with indicators, the type, id, created, and modified properties will be set automatically if not provided. For Malware objects, the labels and name properties must be provided.

You can see the full list of SDO classes here.

## Creating Relationships¶

STIX 2 Relationships are separate objects, not properties of the object on either side of the relationship. They are constructed similarly to other STIX objects. The type, id, created, and modified properties are added automatically if not provided. Callers must provide the relationship_type, source_ref, and target_ref properties.

[13]:

from stix2 import Relationship

relationship = Relationship(relationship_type='indicates',
source_ref=indicator.id,
target_ref=malware.id)
print(relationship)

[13]:

{
"type": "relationship",
"id": "relationship--80c174fa-36d1-47c2-9a9d-ce0c636bedcc",
"created": "2019-05-13T13:15:13.152Z",
"modified": "2019-05-13T13:15:13.152Z",
"relationship_type": "indicates",
"source_ref": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",
"target_ref": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67"
}


The source_ref and target_ref properties can be either the ID’s of other STIX objects, or the STIX objects themselves. For readability, Relationship objects can also be constructed with the source_ref, relationship_type, and target_ref as positional (non-keyword) arguments:

[14]:

relationship2 = Relationship(indicator, 'indicates', malware)
print(relationship2)

[14]:

{
"type": "relationship",
"id": "relationship--47395d23-dedd-45d4-8db1-c9ffaf44493d",
"created": "2019-05-13T13:15:16.566Z",
"modified": "2019-05-13T13:15:16.566Z",
"relationship_type": "indicates",
"source_ref": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",
"target_ref": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67"
}


## Creating Bundles¶

STIX Bundles can be created by passing objects as arguments to the Bundle constructor. All required properties (type, id, and spec_version) will be set automatically if not provided, or can be provided as keyword arguments:

[15]:

from stix2 import Bundle

bundle = Bundle(indicator, malware, relationship)
print(bundle)

[15]:

{
"type": "bundle",
"id": "bundle--388c9b2c-936c-420a-baa5-04f48d682a01",
"spec_version": "2.0",
"objects": [
{
"type": "indicator",
"id": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",
"created": "2019-05-13T13:14:48.509Z",
"modified": "2019-05-13T13:14:48.509Z",
"name": "File hash for malware variant",
"pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"valid_from": "2019-05-13T13:14:48.509629Z",
"labels": [
"malicious-activity"
]
},
{
"type": "malware",
"id": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67",
"created": "2019-05-13T13:15:04.698Z",
"modified": "2019-05-13T13:15:04.698Z",
"name": "Poison Ivy",
"labels": [
"remote-access-trojan"
]
},
{
"type": "relationship",
"id": "relationship--80c174fa-36d1-47c2-9a9d-ce0c636bedcc",
"created": "2019-05-13T13:15:13.152Z",
"modified": "2019-05-13T13:15:13.152Z",
"relationship_type": "indicates",
"source_ref": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",
"target_ref": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67"
}
]
}


## Creating Cyber Observable References¶

Cyber Observable Objects have properties that can reference other Cyber Observable Objects. In order to create those references, use the _valid_refs property as shown in the following examples. It should be noted that _valid_refs is necessary when creating references to Cyber Observable Objects since some embedded references can only point to certain types, and _valid_refs helps ensure consistency.

There are two cases.

### Case 1: Specifying the type of the Cyber Observable Objects being referenced¶

In the following example, the IPv4Address object has its resolves_to_refs property specified. As per the spec, this property’s value must be a list of reference(s) to MACAddress objects. In this case, those references are strings that state the type of the Cyber Observable Object being referenced, and are provided in _valid_refs.

[16]:

from stix2 import IPv4Address

value="177.60.40.7",
resolves_to_refs=["1", "2"]
)

print(ip4)

[16]:

{
"value": "177.60.40.7",
"resolves_to_refs": [
"1",
"2"
]
}


### Case 2: Specifying the name of the Cyber Observable Objects being referenced¶

The following example is just like the one provided in Case 1 above, with one key difference: instead of using strings to specify the type of the Cyber Observable Objects being referenced in _valid_refs, the referenced Cyber Observable Objects are created beforehand and then their names are provided in _valid_refs.

[17]:

from stix2 import MACAddress

value="177.60.40.7",
resolves_to_refs=["1", "2"]
)

print(ip4_valid_refs)

[17]:

{