patterns
Classes to aid in working with the STIX 2 patterning language.
-
class AndBooleanExpression(operands)
‘AND’ Boolean Pattern Expression. Only use if both operands are of the same root object.
Parameters: operands (list) – AND operands
-
class AndObservationExpression(operands)
‘AND’ Compound Observation Pattern Expression
Parameters: operands (str) – compound observation operands
-
class BasicObjectPathComponent(property_name, is_key=False)
Basic object path component (for an observation or expression)
“Basic” means that the object path component is not a list, object reference or further referenced property, i.e. it is a terminal component.
Parameters:
- property_name (str) – object property name
- is_key (bool) – is dictionary key, default: False
-
class BinaryConstant(value)
Pattern binary constant
Parameters: value (str) – base64 encoded string value
-
class BooleanConstant(value)
Pattern boolean constant
Parameters: value (str OR int) – (str) ‘true’, ‘t’ for True; ‘false’, ‘f’ for False; (int) 1 for True; 0 for False
-
class EqualityComparisonExpression(lhs, rhs, negated=False)
Pattern Equality Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class FloatConstant(value)
-
class FollowedByObservationExpression(operands)
Pattern ‘Followed by’ Compound Observation Expression
Parameters: operands (str) – compound observation operands
-
class GreaterThanComparisonExpression(lhs, rhs, negated=False)
Pattern Greater-than Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class GreaterThanEqualComparisonExpression(lhs, rhs, negated=False)
Pattern Greater-Than-or-Equal-to Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class HashConstant(value, type)
Pattern hash constant
Parameters:
- value (str) – hash value
- type (str) – hash algorithm name. Supported hash algorithms: “MD5”, “MD6”, “RIPEMD160”, “SHA1”, “SHA224”, “SHA256”, “SHA384”, “SHA512”, “SHA3224”, “SHA3256”, “SHA3384”, “SHA3512”, “SSDEEP”, “WHIRLPOOL”
-
class HexConstant(value)
Pattern hexadecimal constant
Parameters: value (str) – hexadecimal value
-
class InComparisonExpression(lhs, rhs, negated=False)
‘in’ Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class IntegerConstant(value)
Pattern integer constant
Parameters: value (int) – integer value
-
class IsSubsetComparisonExpression(lhs, rhs, negated=False)
‘is subset’ Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class IsSupersetComparisonExpression(lhs, rhs, negated=False)
‘is superset’ Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class LessThanComparisonExpression(lhs, rhs, negated=False)
Pattern Less-than Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class LessThanEqualComparisonExpression(lhs, rhs, negated=False)
Pattern Less-Than-or-Equal-to Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class LikeComparisonExpression(lhs, rhs, negated=False)
‘like’ Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class ListConstant(values)
Pattern list constant
Parameters: values (list) – list of values
-
class ListObjectPathComponent(property_name, index)
List object path component (for an observation or expression)
Parameters:
- property_name (str) – list object property name
- index (int) – index of the list property’s value that is specified
-
class MatchesComparisonExpression(lhs, rhs, negated=False)
‘Matches’ Comparison Expression
Parameters:
- lhs (ObjectPath OR str) – object path of left-hand-side component of expression
- rhs (ObjectPath OR str) – object path of right-hand-side component of expression
- negated (bool) – comparison expression negated. Default: False
-
class ObjectPath(object_type_name, property_path)
Pattern operand object (property) path
Parameters:
- object_type_name (str) – name of object type for corresponding object path component
- property_path (_ObjectPathComponent OR str) – object path
-
static make_object_path(lhs)
Create ObjectPath from string encoded object path
Parameters: lhs (str) – object path of left-hand-side component of expression
-
merge(other)
Extend the object property with that of the supplied object property path
-
class ObservationExpression(operand)
Observation Expression
Parameters: operand (str) – observation expression operand
-
class OrBooleanExpression(operands)
‘OR’ Boolean Pattern Expression. Only use if both operands are of the same root object.
Parameters: operands (list) – OR operands
-
class OrObservationExpression(operands)
Pattern ‘OR’ Compound Observation Expression
Parameters: operands (str) – compound observation operands
-
class ParentheticalExpression(exp)
Pattern Parenthetical Observation Expression
Parameters: exp (str) – observation expression
-
class QualifiedObservationExpression(observation_expression, qualifier)
Pattern Qualified Observation Expression
Parameters:
- observation_expression (PatternExpression OR _CompoundObservationExpression OR) – pattern expression
- qualifier (_ExpressionQualifier) – pattern expression qualifier
-
class ReferenceObjectPathComponent(reference_property_name)
Reference object path component (for an observation or expression)
Parameters: reference_property_name (str) – reference object property name
-
class RepeatQualifier(times_to_repeat)
Pattern Repeat Qualifier
Parameters: times_to_repeat (int) – number of times the qualifier is repeated
-
class StartStopQualifier(start_time, stop_time)
Pattern Start/Stop Qualifier
Parameters:
- start_time (TimestampConstant OR datetime.date) – start timestamp for qualifier
- stop_time (TimestampConstant OR datetime.date) – stop timestamp for qualifier
-
class StringConstant(value)
Pattern string constant
Parameters: value (str) – string value
-
class TimestampConstant(value)
Pattern timestamp constant
Parameters: value (datetime.datetime OR str) – if string, must be a timestamp string
-
class WithinQualifier(number_of_seconds)
Pattern ‘Within’ Qualifier
Parameters: number_of_seconds (int) – seconds value for ‘within’ qualifier
-
escape_quotes_and_backslashes(s)
-
make_constant(value)
Convert value to a Pattern constant: a best-effort attempt at determining the root value type and the corresponding conversion.
Parameters: value – value to convert to Pattern constant