observables

STIX 2.0 Cyber Observable Objects.

Embedded observable object types, such as Email MIME Component, which is embedded in Email Message objects, inherit from _STIXBase instead of Observable and do not have a _type attribute.

class AlternateDataStream(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • name (String, required)
  • hashes (Hashes)
  • size (Integer)

class ArchiveExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • contains_refs (List of Object References, required)
  • version (String)
  • comment (String)

class Artifact(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • mime_type (String)
  • payload_bin (Binary)
  • url (String)
  • hashes (Hashes)
  • extensions (Extensions)

class AutonomousSystem(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • number (Integer, required)
  • name (String)
  • rir (String)
  • extensions (Extensions)

class Directory(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • path (String, required)
  • path_enc (String)
  • created (Timestamp)
  • modified (Timestamp)
  • accessed (Timestamp)
  • contains_refs (List of Object References)
  • extensions (Extensions)

class DomainName(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • value (String, required)
  • resolves_to_refs (List of Object References)
  • extensions (Extensions)

class EmailAddress(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • value (String, required)
  • display_name (String)
  • belongs_to_ref (Object Reference)
  • extensions (Extensions)

class EmailMIMEComponent(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • body (String)
  • body_raw_ref (Object Reference)
  • content_type (String)
  • content_disposition (String)

class EmailMessage(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • is_multipart (Boolean, required)
  • date (Timestamp)
  • content_type (String)
  • from_ref (Object Reference)
  • sender_ref (Object Reference)
  • to_refs (List of Object References)
  • cc_refs (List of Object References)
  • bcc_refs (List of Object References)
  • subject (String)
  • received_lines (List of Strings)
  • additional_header_fields (Dictionary)
  • body (String)
  • body_multipart (List of Embedded Objects)
  • raw_email_ref (Object Reference)
  • extensions (Extensions)

class ExtensionsProperty(allow_custom=False, enclosing_type=None, required=False)

Property for representing extensions on Observable objects.

clean(value)

class File(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • hashes (Hashes)
  • size (Integer)
  • name (String)
  • name_enc (String)
  • magic_number_hex (Hex)
  • mime_type (String)
  • created (Timestamp)
  • modified (Timestamp)
  • accessed (Timestamp)
  • parent_directory_ref (Object Reference)
  • is_encrypted (Boolean)
  • encryption_algorithm (String)
  • decryption_key (String)
  • contains_refs (List of Object References)
  • content_ref (Object Reference)
  • extensions (Extensions)

class HTTPRequestExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • request_method (String, required)
  • request_value (String, required)
  • request_version (String)
  • request_header (Dictionary)
  • message_body_length (Integer)
  • message_body_data_ref (Object Reference)

class ICMPExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • icmp_type_hex (Hex, required)
  • icmp_code_hex (Hex, required)

class IPv4Address(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • value (String, required)
  • resolves_to_refs (List of Object References)
  • belongs_to_refs (List of Object References)
  • extensions (Extensions)

class IPv6Address(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • value (String, required)
  • resolves_to_refs (List of Object References)
  • belongs_to_refs (List of Object References)
  • extensions (Extensions)

class MACAddress(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • value (String, required)
  • extensions (Extensions)

class Mutex(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • name (String, required)
  • extensions (Extensions)

class NTFSExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • sid (String)
  • alternate_data_streams (List of Embedded Objects)

class NetworkTraffic(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • start (Timestamp)
  • end (Timestamp)
  • is_active (Boolean)
  • src_ref (Object Reference)
  • dst_ref (Object Reference)
  • src_port (Integer)
  • dst_port (Integer)
  • protocols (List of Strings, required)
  • src_byte_count (Integer)
  • dst_byte_count (Integer)
  • src_packets (Integer)
  • dst_packets (Integer)
  • ipfix (Dictionary)
  • src_payload_ref (Object Reference)
  • dst_payload_ref (Object Reference)
  • encapsulates_refs (List of Object References)
  • encapsulates_by_ref (Object Reference)
  • extensions (Extensions)

class ObservableProperty(allow_custom=False, *args, **kwargs)

Property for holding Cyber Observable Objects.

clean(value)

class PDFExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • version (String)
  • is_optimized (Boolean)
  • document_info_dict (Dictionary)
  • pdfid0 (String)
  • pdfid1 (String)

class Process(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • is_hidden (Boolean)
  • pid (Integer)
  • name (String)
  • created (Timestamp)
  • cwd (String)
  • arguments (List of Strings)
  • command_line (String)
  • environment_variables (Dictionary)
  • opened_connection_refs (List of Object References)
  • creator_user_ref (Object Reference)
  • binary_ref (Object Reference)
  • parent_ref (Object Reference)
  • child_refs (List of Object References)
  • extensions (Extensions)

class RasterImageExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • image_height (Integer)
  • image_width (Integer)
  • bits_per_pixel (Integer)
  • image_compression_algorithm (String)
  • exif_tags (Dictionary)

class SocketExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • address_family (Enum, required)
  • is_blocking (Boolean)
  • is_listening (Boolean)
  • protocol_family (Enum)
  • options (Dictionary)
  • socket_type (Enum)
  • socket_descriptor (Integer)
  • socket_handle (Integer)

class Software(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • name (String, required)
  • cpe (String)
  • languages (List of Strings)
  • vendor (String)
  • version (String)
  • extensions (Extensions)

class TCPExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • src_flags_hex (Hex)
  • dst_flags_hex (Hex)

class UNIXAccountExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • gid (Integer)
  • groups (List of Strings)
  • home_dir (String)
  • shell (String)

class URL(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • value (String, required)
  • extensions (Extensions)

class UserAccount(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • user_id (String, required)
  • account_login (String)
  • account_type (String)
  • display_name (String)
  • is_service_account (Boolean)
  • is_privileged (Boolean)
  • can_escalate_privs (Boolean)
  • is_disabled (Boolean)
  • account_created (Timestamp)
  • account_expires (Timestamp)
  • password_last_changed (Timestamp)
  • account_first_login (Timestamp)
  • account_last_login (Timestamp)
  • extensions (Extensions)

class WindowsPEBinaryExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • pe_type (String, required)
  • imphash (String)
  • machine_hex (Hex)
  • number_of_sections (Integer)
  • time_date_stamp (Timestamp)
  • pointer_to_symbol_table_hex (Hex)
  • number_of_symbols (Integer)
  • size_of_optional_header (Integer)
  • characteristics_hex (Hex)
  • file_header_hashes (Hashes)
  • optional_header (Embedded Object)
  • sections (List of Embedded Objects)

class WindowsPEOptionalHeaderType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • magic_hex (Hex)
  • major_linker_version (Integer)
  • minor_linker_version (Integer)
  • size_of_code (Integer)
  • size_of_initialized_data (Integer)
  • size_of_uninitialized_data (Integer)
  • address_of_entry_point (Integer)
  • base_of_code (Integer)
  • base_of_data (Integer)
  • image_base (Integer)
  • section_alignment (Integer)
  • file_alignment (Integer)
  • major_os_version (Integer)
  • minor_os_version (Integer)
  • major_image_version (Integer)
  • minor_image_version (Integer)
  • major_subsystem_version (Integer)
  • minor_subsystem_version (Integer)
  • win32_version_value_hex (Hex)
  • size_of_image (Integer)
  • size_of_headers (Integer)
  • checksum_hex (Hex)
  • subsystem_hex (Hex)
  • dll_characteristics_hex (Hex)
  • size_of_stack_reserve (Integer)
  • size_of_stack_commit (Integer)
  • size_of_heap_reserve (Integer)
  • size_of_heap_commit (Integer)
  • loader_flags_hex (Hex)
  • number_of_rva_and_sizes (Integer)
  • hashes (Hashes)

class WindowsPESection(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • name (String, required)
  • size (Integer)
  • entropy (Float)
  • hashes (Hashes)

class WindowsProcessExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • aslr_enabled (Boolean)
  • dep_enabled (Boolean)
  • priority (String)
  • owner_sid (String)
  • window_title (String)
  • startup_info (Dictionary)

class WindowsRegistryKey(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • key (String, required)
  • values (List of Embedded Objects)
  • modified (Timestamp)
  • creator_user_ref (Object Reference)
  • number_of_subkeys (Integer)
  • extensions (Extensions)

class WindowsRegistryValueType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • name (String, required)
  • data (String)
  • data_type (Enum)

class WindowsServiceExt(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • service_name (String, required)
  • descriptions (List of Strings)
  • display_name (String)
  • group_name (String)
  • start_type (Enum)
  • service_dll_refs (List of Object References)
  • service_type (Enum)
  • service_status (Enum)

class X509Certificate(**kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • is_self_signed (Boolean)
  • hashes (Hashes)
  • version (String)
  • serial_number (String)
  • signature_algorithm (String)
  • issuer (String)
  • validity_not_before (Timestamp)
  • validity_not_after (Timestamp)
  • subject (String)
  • subject_public_key_algorithm (String)
  • subject_public_key_modulus (String)
  • subject_public_key_exponent (Integer)
  • x509_v3_extensions (Embedded Object)
  • extensions (Extensions)

class X509V3ExtenstionsType(allow_custom=False, **kwargs)

For more detailed information on this object’s properties, see the STIX 2.0 specification.

Properties:
  • basic_constraints (String)
  • name_constraints (String)
  • policy_constraints (String)
  • key_usage (String)
  • extended_key_usage (String)
  • subject_key_identifier (String)
  • authority_key_identifier (String)
  • subject_alternative_name (String)
  • issuer_alternative_name (String)
  • subject_directory_attributes (String)
  • crl_distribution_points (String)
  • inhibit_any_policy (String)
  • private_key_usage_period_not_before (Timestamp)
  • private_key_usage_period_not_after (Timestamp)
  • certificate_policies (String)
  • policy_mappings (String)

CustomExtension(observable=None, type='x-custom-observable', properties=None)

Decorator for custom extensions to STIX Cyber Observables.

CustomObservable(type='x-custom-observable', properties=None)

Custom STIX Cyber Observable Object type decorator.

Example

>>> @CustomObservable('x-custom-observable', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObservableType():
...     pass

parse_observable(data, _valid_refs=None, allow_custom=False)

Deserialize a string or file-like object into a STIX Cyber Observable object.

Parameters:
  • data – The STIX 2 string to be parsed.
  • _valid_refs – A list of object references valid for the scope of the object being parsed. Use an empty list if no valid refs are present.
  • allow_custom – Whether to allow custom properties or not. Default: False.
Returns:

An instantiated Python STIX Cyber Observable object.
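As an added illustration (not the stix2 library's own code and not part of this reference), the following pure-Python checker models two rules the entries above specify: each observable type's required properties, and the `_valid_refs` rule that every object reference must name an object within the scope being parsed (here, the keys of an observed-data `objects` dict). It does not import stix2; the `REQUIRED` and `REF_PROPS` tables are a subset of this page transcribed by hand, and the sample dict is constructed input.

```python
# Required properties per STIX 2.0 observable type, as listed on this page
# (only the types used in the constructed sample below).
REQUIRED = {
    "email-addr": ("value",),
    "email-message": ("is_multipart",),
    "ipv4-addr": ("value",),
    "network-traffic": ("protocols",),
}

# Properties that hold object references into the same observed-data scope.
REF_PROPS = {
    "email-message": ("from_ref", "sender_ref", "to_refs", "cc_refs", "bcc_refs"),
    "network-traffic": ("src_ref", "dst_ref", "src_payload_ref", "dst_payload_ref"),
    "ipv4-addr": ("resolves_to_refs", "belongs_to_refs"),
}

def check_observables(objects):
    """Return problems in an observed-data 'objects' dict; the dict's keys are
    the reference scope a caller would pass to parse_observable as _valid_refs."""
    problems = []
    valid_refs = set(objects)
    for key, obj in objects.items():
        otype = obj.get("type")
        if otype is None:
            problems.append(f"{key}: missing 'type'")
            continue
        for prop in REQUIRED.get(otype, ()):
            if prop not in obj:
                problems.append(f"{key} ({otype}): required property '{prop}' missing")
        for prop in REF_PROPS.get(otype, ()):
            refs = obj.get(prop)
            if refs is None:
                continue
            # *_refs properties are lists of keys; *_ref properties are a single key.
            for ref in (refs if isinstance(refs, list) else [refs]):
                if ref not in valid_refs:
                    problems.append(f"{key} ({otype}): {prop} -> '{ref}' is not in scope")
    return problems

# Constructed sample: one dangling recipient reference ("9"), a network-traffic
# object missing its required 'protocols', and a dst_ref ("5") outside the scope.
SAMPLE = {
    "0": {"type": "email-addr", "value": "sender@example.com"},
    "1": {"type": "email-addr", "value": "victim@example.org"},
    "2": {"type": "email-message", "is_multipart": False,
          "from_ref": "0", "to_refs": ["1", "9"], "subject": "Invoice"},
    "3": {"type": "ipv4-addr", "value": "198.51.100.7"},
    "4": {"type": "network-traffic", "src_ref": "3", "dst_ref": "5"},
}
```

Running `check_observables(SAMPLE)` reports the dangling `to_refs` entry, the missing `protocols` list and the out-of-scope `dst_ref`; a dict whose references all resolve and whose required properties are present returns an empty list.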