environment

Python STIX2 Environment API.

class Environment(factory=<stix2.environment.ObjectFactory object>, store=None, source=None, sink=None)

Abstract away some of the nasty details of working with STIX content.

Parameters:
  • factory (ObjectFactory, optional) – Factory for creating objects with common defaults for certain properties.
  • store (DataStore, optional) – Data store providing the source and sink for the environment.
  • source (DataSource, optional) – Source for retrieving STIX objects.
  • sink (DataSink, optional) – Destination for saving STIX objects. Invalid if store is also provided.
get(*args, **kwargs)

Retrieve the most recent version of a single STIX object by ID.

Translate get() call to the appropriate DataSource call.

Parameters: stix_id (str) – the id of the STIX object to retrieve.
Returns: stix_obj – the single most recent version of the STIX object specified by the “id”.

all_versions(*args, **kwargs)

Retrieve all versions of a single STIX object by ID.

Translate all_versions() call to the appropriate DataSource call.

Parameters: stix_id (str) – the id of the STIX object to retrieve.
Returns: list – All versions of the specified STIX object.

query(*args, **kwargs)

Retrieve STIX objects matching a set of filters.

Translate query() call to the appropriate DataSource call.

Parameters: query (list) – a list of filters (which collectively are the query) to conduct search on.
Returns: list – The STIX objects matching the query.

creator_of(obj)

Retrieve the Identity referred to by the object’s created_by_ref.

Parameters: obj – The STIX object whose created_by_ref property will be looked up.
Returns: str – The STIX object’s creator, or None if the object contains no created_by_ref property or the object’s creator cannot be found.

relationships(*args, **kwargs)

Retrieve Relationships involving the given STIX object.

Translate relationships() call to the appropriate DataSource call.

Only one of source_only and target_only may be True.

Parameters:
  • obj (STIX object OR dict OR str) – The STIX object (or its ID) whose relationships will be looked up.
  • relationship_type (str) – Only retrieve Relationships of this type. If None, all relationships will be returned, regardless of type.
  • source_only (bool) – Only retrieve Relationships for which this object is the source_ref. Default: False.
  • target_only (bool) – Only retrieve Relationships for which this object is the target_ref. Default: False.
Returns:

list – The Relationship objects involving the given STIX object.

related_to(*args, **kwargs)

Retrieve STIX Objects that have a Relationship involving the given STIX object.

Translate related_to() call to the appropriate DataSource call.

Only one of source_only and target_only may be True.

Parameters:
  • obj (STIX object OR dict OR str) – The STIX object (or its ID) whose related objects will be looked up.
  • relationship_type (str) – Only retrieve objects related by this Relationships type. If None, all related objects will be returned, regardless of type.
  • source_only (bool) – Only examine Relationships for which this object is the source_ref. Default: False.
  • target_only (bool) – Only examine Relationships for which this object is the target_ref. Default: False.
  • filters (list) – list of additional filters the related objects must match.
Returns:

list – The STIX objects related to the given STIX object.

add(*args, **kwargs)

Method for storing STIX objects.

Defines custom behavior before storing STIX objects using the appropriate method call on the associated DataSink.

Parameters: stix_objs (list) – a list of STIX objects

add_filter(*args, **kwargs)
add_filters(*args, **kwargs)
create(*args, **kwargs)

Create a STIX object using object factory defaults.

Parameters:
  • cls – the python-stix2 class of the object to be created (eg. Indicator)
  • **kwargs – The property/value pairs of the STIX object to be created
static graph_equivalence(ds1, ds2, prop_scores={}, threshold=70, ignore_spec_version=False, versioning_checks=False, max_depth=1, **weight_dict)

This method returns a true/false value indicating whether two graphs are semantically equivalent. Internally, it calls the graph_similarity function and compares the result against the given threshold value.

Parameters:
  • ds1 – A DataStore object instance representing your graph
  • ds2 – A DataStore object instance representing your graph
  • prop_scores – A dictionary that can hold individual property scores, weights, contributing score, matching score and sum of weights.
  • threshold – A numerical value between 0 and 100 to determine the minimum score to result in successfully calling both graphs equivalent. This value can be tuned.
  • ignore_spec_version – A boolean indicating whether to test object types that belong to different spec versions (STIX 2.0 and STIX 2.1 for example). If set to True this check will be skipped.
  • versioning_checks – A boolean indicating whether to test multiple revisions of the same object (when present) to maximize similarity against a particular version. If set to True the algorithm will perform this step.
  • max_depth – A positive integer indicating the maximum recursion depth the algorithm can reach when de-referencing objects and performing the object_similarity algorithm.
  • weight_dict – A dictionary that can be used to override what checks are done to objects in the similarity process.
Returns:

bool – True if the result of the graph similarity is greater than or equal to the threshold value. False otherwise.

Warning

Object types need to have property weights defined for the similarity process. Otherwise, those objects will not influence the final score. The WEIGHTS dictionary under stix2.equivalence.graph can give you an idea on how to add new entries and pass them via the weight_dict argument. Similarly, the values or methods can be fine tuned for a particular use case.

Note

Default weight_dict:

{
    "attack-pattern": {
        "name": [30, partial_string_based],
        "external_references": [70, partial_external_reference_based]
    },
    "campaign": {
        "name": [60, partial_string_based],
        "aliases": [40, partial_list_based]
    },
    "course-of-action": {
        "name": [60, partial_string_based],
        "external_references": [40, partial_external_reference_based]
    },
    "grouping": {
        "name": [20, partial_string_based],
        "context": [20, partial_string_based],
        "object_refs": [60, list_reference_check]
    },
    "identity": {
        "name": [60, partial_string_based],
        "identity_class": [20, exact_match],
        "sectors": [20, partial_list_based]
    },
    "incident": {
        "name": [30, partial_string_based],
        "external_references": [70, partial_external_reference_based]
    },
    "indicator": {
        "indicator_types": [15, partial_list_based],
        "pattern": [80, custom_pattern_based],
        "valid_from": [5, partial_timestamp_based],
        "tdelta": 1
    },
    "intrusion-set": {
        "name": [20, partial_string_based],
        "external_references": [60, partial_external_reference_based],
        "aliases": [20, partial_list_based]
    },
    "location": {
        "longitude_latitude": [34, partial_location_distance],
        "region": [33, exact_match],
        "country": [33, exact_match],
        "threshold": 1000.0
    },
    "malware": {
        "malware_types": [20, partial_list_based],
        "name": [80, partial_string_based]
    },
    "marking-definition": {
        "name": [20, exact_match],
        "definition": [60, exact_match],
        "definition_type": [20, exact_match]
    },
    "relationship": {
        "relationship_type": [20, exact_match],
        "source_ref": [40, reference_check],
        "target_ref": [40, reference_check]
    },
    "report": {
        "name": [30, partial_string_based],
        "published": [10, partial_timestamp_based],
        "object_refs": [60, list_reference_check],
        "tdelta": 1
    },
    "sighting": {
        "first_seen": [5, partial_timestamp_based],
        "last_seen": [5, partial_timestamp_based],
        "sighting_of_ref": [40, reference_check],
        "observed_data_refs": [20, list_reference_check],
        "where_sighted_refs": [20, list_reference_check],
        "summary": [10, exact_match]
    },
    "threat-actor": {
        "name": [60, partial_string_based],
        "threat_actor_types": [20, partial_list_based],
        "aliases": [20, partial_list_based]
    },
    "tool": {
        "tool_types": [20, partial_list_based],
        "name": [80, partial_string_based]
    },
    "vulnerability": {
        "name": [30, partial_string_based],
        "external_references": [70, partial_external_reference_based]
    }
}

Note

This implementation follows the Semantic Equivalence Committee Note.

static graph_similarity(ds1, ds2, prop_scores={}, ignore_spec_version=False, versioning_checks=False, max_depth=1, **weight_dict)

This method returns a similarity score for two given graphs. Each DataStore can contain a connected or disconnected graph and the final result is weighted over the amount of objects we managed to compare. This approach builds on top of the object-based similarity process and each comparison can return a value between 0 and 100.

Parameters:
  • ds1 – A DataStore object instance representing your graph
  • ds2 – A DataStore object instance representing your graph
  • prop_scores – A dictionary that can hold individual property scores, weights, contributing score, matching score and sum of weights.
  • ignore_spec_version – A boolean indicating whether to test object types that belong to different spec versions (STIX 2.0 and STIX 2.1 for example). If set to True this check will be skipped.
  • versioning_checks – A boolean indicating whether to test multiple revisions of the same object (when present) to maximize similarity against a particular version. If set to True the algorithm will perform this step.
  • max_depth – A positive integer indicating the maximum recursion depth the algorithm can reach when de-referencing objects and performing the object_similarity algorithm.
  • weight_dict – A dictionary that can be used to override what checks are done to objects in the similarity process.
Returns:

float – A number between 0.0 and 100.0 as a measurement of similarity.

Warning

Object types need to have property weights defined for the similarity process. Otherwise, those objects will not influence the final score. The WEIGHTS dictionary under stix2.equivalence.graph can give you an idea on how to add new entries and pass them via the weight_dict argument. Similarly, the values or methods can be fine tuned for a particular use case.

Note

Default weight_dict: identical to the listing under graph_equivalence above.

Note

This implementation follows the Semantic Equivalence Committee Note.

static object_equivalence(obj1, obj2, prop_scores={}, threshold=70, ds1=None, ds2=None, ignore_spec_version=False, versioning_checks=False, max_depth=1, **weight_dict)

This method returns a true/false value indicating whether two objects are semantically equivalent. Internally, it calls the object_similarity function and compares the result against the given threshold value.

Parameters:
  • obj1 – A stix2 object instance
  • obj2 – A stix2 object instance
  • prop_scores – A dictionary that can hold individual property scores, weights, contributing score, matching score and sum of weights.
  • threshold – A numerical value between 0 and 100 to determine the minimum score to result in successfully calling both objects equivalent. This value can be tuned.
  • ds1 (optional) – A DataStore object instance from which to pull related objects
  • ds2 (optional) – A DataStore object instance from which to pull related objects
  • ignore_spec_version – A boolean indicating whether to test object types that belong to different spec versions (STIX 2.0 and STIX 2.1 for example). If set to True this check will be skipped.
  • versioning_checks – A boolean indicating whether to test multiple revisions of the same object (when present) to maximize similarity against a particular version. If set to True the algorithm will perform this step.
  • max_depth – A positive integer indicating the maximum recursion depth the algorithm can reach when de-referencing objects and performing the object_similarity algorithm.
  • weight_dict – A dictionary that can be used to override what checks are done to objects in the similarity process.
Returns:

bool – True if the result of the object similarity is greater than or equal to the threshold value. False otherwise.

Warning

Object types need to have property weights defined for the similarity process. Otherwise, those objects will not influence the final score. The WEIGHTS dictionary under stix2.equivalence.object can give you an idea on how to add new entries and pass them via the weight_dict argument. Similarly, the values or methods can be fine tuned for a particular use case.

Note

Default weight_dict: identical to the listing under graph_equivalence above.

Note

This implementation follows the Semantic Equivalence Committee Note.

static object_similarity(obj1, obj2, prop_scores={}, ds1=None, ds2=None, ignore_spec_version=False, versioning_checks=False, max_depth=1, **weight_dict)

This method returns a measure of how similar the two objects are.

Parameters:
  • obj1 – A stix2 object instance
  • obj2 – A stix2 object instance
  • prop_scores – A dictionary that can hold individual property scores, weights, contributing score, matching score and sum of weights.
  • ds1 (optional) – A DataStore object instance from which to pull related objects
  • ds2 (optional) – A DataStore object instance from which to pull related objects
  • ignore_spec_version – A boolean indicating whether to test object types that belong to different spec versions (STIX 2.0 and STIX 2.1 for example). If set to True this check will be skipped.
  • versioning_checks – A boolean indicating whether to test multiple revisions of the same object (when present) to maximize similarity against a particular version. If set to True the algorithm will perform this step.
  • max_depth – A positive integer indicating the maximum recursion depth the algorithm can reach when de-referencing objects and performing the object_similarity algorithm.
  • weight_dict – A dictionary that can be used to override what checks are done to objects in the similarity process.
Returns:

float – A number between 0.0 and 100.0 as a measurement of similarity.

Warning

Object types need to have property weights defined for the similarity process. Otherwise, those objects will not influence the final score. The WEIGHTS dictionary under stix2.equivalence.object can give you an idea on how to add new entries and pass them via the weight_dict argument. Similarly, the values or methods can be fine tuned for a particular use case.

Note

Default weight_dict: identical to the listing under graph_equivalence above.

Note

This implementation follows the Semantic Equivalence Committee Note.
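
The following is an added illustration, not python-stix2 code: a simplified model of the weighted scoring that the weight_dict, prop_scores and threshold parameters describe, using the malware and identity weights from the default weight_dict. The comparison helpers are stand-ins (difflib replaces the library's string comparison), and skipping a property that is missing on either object is an assumption of this model.

```python
from difflib import SequenceMatcher


def cmp_exact(a, b):
    """Stand-in for the table's exact_match: 1.0 or 0.0."""
    return 1.0 if a == b else 0.0


def cmp_list_overlap(a, b):
    """Stand-in for partial_list_based: shared items over the longer list."""
    if not a or not b:
        return 0.0
    return len(set(a) & set(b)) / max(len(set(a)), len(set(b)))


def cmp_string_ratio(a, b):
    """Stand-in for partial_string_based (difflib, not the library's matcher)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


# Weights copied from the default weight_dict for two object types.
MODEL_WEIGHTS = {
    "malware": {
        "malware_types": (20, cmp_list_overlap),
        "name": (80, cmp_string_ratio),
    },
    "identity": {
        "name": (60, cmp_string_ratio),
        "identity_class": (20, cmp_exact),
        "sectors": (20, cmp_list_overlap),
    },
}


def model_similarity(obj1, obj2, prop_scores=None, weights=MODEL_WEIGHTS):
    """Return a 0.0-100.0 score; fill prop_scores with the per-property detail."""
    if prop_scores is None:
        prop_scores = {}
    if obj1["type"] != obj2["type"]:
        raise ValueError("objects must be of the same type")
    matching_score, sum_weights = 0.0, 0.0
    # A type with no weights defined contributes nothing to the score.
    for prop, (weight, compare) in weights.get(obj1["type"], {}).items():
        # Assumption of this model: skip properties missing on either side.
        if prop not in obj1 or prop not in obj2:
            continue
        contributing = weight * compare(obj1[prop], obj2[prop])
        prop_scores[prop] = {"weight": weight, "contributing_score": contributing}
        matching_score += contributing
        sum_weights += weight
    prop_scores["matching_score"] = matching_score
    prop_scores["sum_weights"] = sum_weights
    return 100.0 * matching_score / sum_weights if sum_weights else 0.0


def model_equivalence(obj1, obj2, threshold=70, **kwargs):
    """Equivalent when the score is greater than or equal to the threshold."""
    return model_similarity(obj1, obj2, **kwargs) >= threshold


# Constructed sample objects (plain dicts, not parsed STIX).
MAL_A = {"type": "malware", "name": "examplebot", "malware_types": ["trojan", "bot"]}
MAL_B = {"type": "malware", "name": "examplebot", "malware_types": ["trojan"]}
MAL_SPARSE = {"type": "malware", "name": "examplebot"}
ID_ORG = {"type": "identity", "name": "Example SOC", "identity_class": "organization"}
ID_PERSON = {"type": "identity", "name": "Example SOC", "identity_class": "individual"}
CUSTOM_A = {"type": "x-example", "name": "same"}
CUSTOM_B = {"type": "x-example", "name": "same"}

if __name__ == "__main__":
    detail = {}
    print(model_similarity(MAL_A, MAL_B, detail), detail)
    print(model_similarity(MAL_A, MAL_SPARSE))
    print(model_equivalence(ID_ORG, ID_PERSON),
          model_equivalence(ID_ORG, ID_PERSON, threshold=80))
    print(model_similarity(CUSTOM_A, CUSTOM_B))
```

In this model the sparse object scores 100 because only the shared name is compared, so a name-only match clears the default threshold of 70; inspect prop_scores before treating two records from different feeds as the same entity.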

parse(*args, **kwargs)

Convert a string, dict or file-like object into a STIX object.

Parameters:
  • data (str, dict, file-like object) – The STIX 2 content to be parsed.
  • allow_custom (bool) – Whether to allow custom properties as well as unknown custom objects. Note that unknown custom objects cannot be parsed into STIX objects, and will be returned as is. Default: False.
  • version (str) – If present, it forces the parser to use the version provided. Otherwise, the library will make the best effort based on checking the “spec_version” property. If none of the above are possible, it will use the default version specified by the library.
Returns:

An instantiated Python STIX object.

Warning

allow_custom=True will allow for the return of any supplied STIX dict(s) that cannot be found to map to any known STIX object types (both STIX2 domain objects or defined custom STIX2 objects); NO validation is done. This is done to allow the processing of possibly unknown custom STIX objects (example scenario: I need to query a third-party TAXII endpoint that could provide custom STIX objects that I don’t know about ahead of time).

set_default_created(*args, **kwargs)

Set default value for the created property.

set_default_creator(*args, **kwargs)

Set default value for the created_by_ref property.

set_default_external_refs(*args, **kwargs)

Set default external references.

set_default_object_marking_refs(*args, **kwargs)

Set default object markings.

class ObjectFactory(created_by_ref=None, created=None, external_references=None, object_marking_refs=None, list_append=True)

Easily create STIX objects with default values for certain properties.

Parameters:
  • created_by_ref (optional) – Default created_by_ref value to apply to all objects created by this factory.
  • created (optional) – Default created value to apply to all objects created by this factory.
  • external_references (optional) – Default external_references value to apply to all objects created by this factory.
  • object_marking_refs (optional) – Default object_marking_refs value to apply to all objects created by this factory.
  • list_append (bool, optional) – When a default is set for a list property like external_references or object_marking_refs and a value for that property is passed into create(), if this is set to True, that value will be added to the list alongside the default. If this is set to False, the passed in value will replace the default. Defaults to True.
create(cls, **kwargs)

Create a STIX object using object factory defaults.

Parameters:
  • cls – the python-stix2 class of the object to be created (eg. Indicator)
  • **kwargs – The property/value pairs of the STIX object to be created
set_default_created(created=None)

Set default value for the created property.

set_default_creator(creator=None)

Set default value for the created_by_ref property.

set_default_external_refs(external_references=None)

Set default external references.

set_default_object_marking_refs(object_marking_refs=None)

Set default object markings.