patterns

Classes to aid in working with the STIX 2 patterning language.

class AndBooleanExpression(operands)

‘AND’ Boolean Pattern Expression. Only use if both operands are of the same root object.

Parameters: operands (list) – AND operands

class AndObservationExpression(operands)

‘AND’ Compound Observation Pattern Expression

Parameters: operands (str) – compound observation operands

class BasicObjectPathComponent(property_name, is_key=False)

Basic object path component (for an observation or expression)

“Basic” means that the object path component is not a list, an object reference or a further referenced property, i.e. it is a terminal component.

Parameters:
  • property_name (str) – object property name
  • is_key (bool) – is dictionary key, default: False

class BinaryConstant(value)

Pattern binary constant

Parameters: value (str) – base64 encoded string value

class BooleanConstant(value)

Pattern boolean constant

Parameters: value (str OR int) – (str) ‘true’ or ‘t’ for True, ‘false’ or ‘f’ for False; (int) 1 for True, 0 for False

class EqualityComparisonExpression(lhs, rhs, negated=False)

Pattern Equality Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class FloatConstant(value)

class FollowedByObservationExpression(operands)

Pattern ‘Followed by’ Compound Observation Expression

Parameters: operands (str) – compound observation operands

class GreaterThanComparisonExpression(lhs, rhs, negated=False)

Pattern Greater-than Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class GreaterThanEqualComparisonExpression(lhs, rhs, negated=False)

Pattern Greater-Than-or-Equal-to Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class HashConstant(value, type)

Pattern hash constant

Parameters:
  • value (str) – hash value
  • type (str) – hash algorithm name. Supported hash algorithms: “MD5”, “MD6”, “RIPEMD160”, “SHA1”, “SHA224”, “SHA256”, “SHA384”, “SHA512”, “SHA3224”, “SHA3256”, “SHA3384”, “SHA3512”, “SSDEEP”, “WHIRLPOOL”

class HexConstant(value)

Pattern hexadecimal constant

Parameters: value (str) – hexadecimal value

class InComparisonExpression(lhs, rhs, negated=False)

‘in’ Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class IntegerConstant(value)

Pattern integer constant

Parameters: value (int) – integer value

class IsSubsetComparisonExpression(lhs, rhs, negated=False)

‘is subset’ Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class IsSupersetComparisonExpression(lhs, rhs, negated=False)

‘is superset’ Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class LessThanComparisonExpression(lhs, rhs, negated=False)

Pattern Less-than Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class LessThanEqualComparisonExpression(lhs, rhs, negated=False)

Pattern Less-Than-or-Equal-to Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class LikeComparisonExpression(lhs, rhs, negated=False)

‘like’ Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class ListConstant(values)

Pattern list constant

Parameters: values (list) – list of values

class ListObjectPathComponent(property_name, index)

List object path component (for an observation or expression)

Parameters:
  • property_name (str) – list object property name
  • index (int) – index of the list property’s value that is specified

class MatchesComparisonExpression(lhs, rhs, negated=False)

‘Matches’ Comparison Expression

Parameters:
  • lhs (ObjectPath OR str) – object path of left-hand-side component of expression
  • rhs (ObjectPath OR str) – object path of right-hand-side component of expression
  • negated (bool) – comparison expression negated. Default: False

class ObjectPath(object_type_name, property_path)

Pattern operand object (property) path

Parameters:
  • object_type_name (str) – name of object type for corresponding object path component
  • property_path (_ObjectPathComponent OR str) – object path

static make_object_path(lhs)

Create ObjectPath from string encoded object path

Parameters: lhs (str) – object path of left-hand-side component of expression

merge(other)

Extend the object property with that of the supplied object property path

class ObservationExpression(operand)

Observation Expression

Parameters: operand (str) – observation expression operand

class OrBooleanExpression(operands)

‘OR’ Boolean Pattern Expression. Only use if both operands are of the same root object.

Parameters: operands (list) – OR operands

class OrObservationExpression(operands)

Pattern ‘OR’ Compound Observation Expression

Parameters: operands (str) – compound observation operands

class ParentheticalExpression(exp)

Pattern Parenthetical Observation Expression

Parameters: exp (str) – observation expression

class QualifiedObservationExpression(observation_expression, qualifier)

Pattern Qualified Observation Expression

Parameters:
  • observation_expression (PatternExpression OR _CompoundObservationExpression OR) – pattern expression
  • qualifier (_ExpressionQualifier) – pattern expression qualifier

class ReferenceObjectPathComponent(reference_property_name)

Reference object path component (for an observation or expression)

Parameters: reference_property_name (str) – reference object property name

class RepeatQualifier(times_to_repeat)

Pattern Repeat Qualifier

Parameters: times_to_repeat (int) – times the qualifier is repeated

class StartStopQualifier(start_time, stop_time)

Pattern Start/Stop Qualifier

Parameters:
  • start_time (TimestampConstant OR datetime.date) – start timestamp for qualifier
  • stop_time (TimestampConstant OR datetime.date) – stop timestamp for qualifier

class StringConstant(value)

Pattern string constant

Parameters: value (str) – string value

class TimestampConstant(value)

Pattern timestamp constant

Parameters: value (datetime.datetime OR str) – if string, must be a timestamp string

class WithinQualifier(number_of_seconds)

Pattern ‘Within’ Qualifier

Parameters: number_of_seconds (int) – seconds value for ‘within’ qualifier

escape_quotes_and_backslashes(s)
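
Why string values are escaped before they are quoted, shown as an added stand-alone example that is not the library's code: STIX 2 pattern string literals are single-quoted and use backslash escapes, so an unescaped value from a feed can close the literal early or swallow the closing quote. The helper names (`escape_pattern_string`, `naive_comparison`, `safe_comparison` and the two checks) are hypothetical, and the sample values are constructed.

```python
import re

# One single-quoted pattern string literal; a backslash escapes the next character.
_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")


def escape_pattern_string(s):
    """Hypothetical helper: escape backslashes first, then single quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def naive_comparison(path, value):
    """Weak form: the value is pasted between the quotes unchanged."""
    return "%s = '%s'" % (path, value)


def safe_comparison(path, value):
    """Hardened form: the value is escaped before it is quoted."""
    return "%s = '%s'" % (path, escape_pattern_string(value))


def operators_outside_literals(comparison):
    """Boolean operators left once every complete string literal is blanked."""
    return re.findall(r"\b(?:AND|OR)\b", _LITERAL.sub("''", comparison))


def rhs_is_one_literal(comparison):
    """True when everything after ' = ' is exactly one closed string literal."""
    rhs = comparison.split(" = ", 1)[1]
    return _LITERAL.fullmatch(rhs) is not None


# Constructed sample values, as they might arrive from an untrusted feed.
QUOTED = "x' OR file:name LIKE '%"
TRAILING_BACKSLASH = "C:\\tmp\\"

if __name__ == "__main__":
    for value in (QUOTED, TRAILING_BACKSLASH):
        for build in (naive_comparison, safe_comparison):
            text = build("file:name", value)
            print(build.__name__, text,
                  operators_outside_literals(text), rhs_is_one_literal(text))
```
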
make_constant(value)

Convert value to a Pattern constant. This is a best-effort attempt at determining the root value type and the corresponding conversion.

Parameters: value – value to convert to Pattern constant