observables
STIX 2.0 Cyber Observable Objects.
Embedded observable object types, such as Email MIME Component, which is embedded in Email Message objects, inherit from _STIXBase20 instead of _Observable and do not have a _type attribute.

class AlternateDataStream(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- name (String, required)
- hashes (Hashes)
- size (Integer)

class ArchiveExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- contains_refs (List of Object References, required)
- version (String)
- comment (String)

class Artifact(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- mime_type (String)
- payload_bin (Binary)
- url (String)
- hashes (Hashes)
- extensions (Extensions)

class AutonomousSystem(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- number (Integer, required)
- name (String)
- rir (String)
- extensions (Extensions)

class Directory(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- path (String, required)
- path_enc (String)
- created (Timestamp)
- modified (Timestamp)
- accessed (Timestamp)
- contains_refs (List of Object References)
- extensions (Extensions)

class DomainName(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- value (String, required)
- resolves_to_refs (List of Object References)
- extensions (Extensions)

class EmailAddress(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- value (String, required)
- display_name (String)
- belongs_to_ref (Object Reference)
- extensions (Extensions)

class EmailMIMEComponent(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- body (String)
- body_raw_ref (Object Reference)
- content_type (String)
- content_disposition (String)

class EmailMessage(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- is_multipart (Boolean, required)
- date (Timestamp)
- content_type (String)
- from_ref (Object Reference)
- sender_ref (Object Reference)
- to_refs (List of Object References)
- cc_refs (List of Object References)
- bcc_refs (List of Object References)
- subject (String)
- received_lines (List of Strings)
- additional_header_fields (Dictionary)
- body (String)
- body_multipart (List of Embedded Objects)
- raw_email_ref (Object Reference)
- extensions (Extensions)

class File(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- hashes (Hashes)
- size (Integer)
- name (String)
- name_enc (String)
- magic_number_hex (Hex)
- mime_type (String)
- created (Timestamp)
- modified (Timestamp)
- accessed (Timestamp)
- parent_directory_ref (Object Reference)
- is_encrypted (Boolean)
- encryption_algorithm (String)
- decryption_key (String)
- contains_refs (List of Object References)
- content_ref (Object Reference)
- extensions (Extensions)

class HTTPRequestExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- request_method (String, required)
- request_value (String, required)
- request_version (String)
- request_header (Dictionary)
- message_body_length (Integer)
- message_body_data_ref (Object Reference)

class ICMPExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- icmp_type_hex (Hex, required)
- icmp_code_hex (Hex, required)

class IPv4Address(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- value (String, required)
- resolves_to_refs (List of Object References)
- belongs_to_refs (List of Object References)
- extensions (Extensions)

class IPv6Address(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- value (String, required)
- resolves_to_refs (List of Object References)
- belongs_to_refs (List of Object References)
- extensions (Extensions)

class MACAddress(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- value (String, required)
- extensions (Extensions)

class Mutex(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- name (String, required)
- extensions (Extensions)

class NTFSExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- sid (String)
- alternate_data_streams (List of Embedded Objects)

class NetworkTraffic(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- start (Timestamp)
- end (Timestamp)
- is_active (Boolean)
- src_ref (Object Reference)
- dst_ref (Object Reference)
- src_port (Integer)
- dst_port (Integer)
- protocols (List of Strings, required)
- src_byte_count (Integer)
- dst_byte_count (Integer)
- src_packets (Integer)
- dst_packets (Integer)
- ipfix (Dictionary)
- src_payload_ref (Object Reference)
- dst_payload_ref (Object Reference)
- encapsulates_refs (List of Object References)
- encapsulates_by_ref (Object Reference)
- extensions (Extensions)

class PDFExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- version (String)
- is_optimized (Boolean)
- document_info_dict (Dictionary)
- pdfid0 (String)
- pdfid1 (String)

class Process(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- is_hidden (Boolean)
- pid (Integer)
- name (String)
- created (Timestamp)
- cwd (String)
- arguments (List of Strings)
- command_line (String)
- environment_variables (Dictionary)
- opened_connection_refs (List of Object References)
- creator_user_ref (Object Reference)
- binary_ref (Object Reference)
- parent_ref (Object Reference)
- child_refs (List of Object References)
- extensions (Extensions)

class RasterImageExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- image_height (Integer)
- image_width (Integer)
- bits_per_pixel (Integer)
- image_compression_algorithm (String)
- exif_tags (Dictionary)

class SocketExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- address_family (Enum, required)
- is_blocking (Boolean)
- is_listening (Boolean)
- protocol_family (Enum)
- options (Dictionary)
- socket_type (Enum)
- socket_descriptor (Integer)
- socket_handle (Integer)

class Software(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- name (String, required)
- cpe (String)
- languages (List of Strings)
- vendor (String)
- version (String)
- extensions (Extensions)

class TCPExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- src_flags_hex (Hex)
- dst_flags_hex (Hex)

class UNIXAccountExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- gid (Integer)
- groups (List of Strings)
- home_dir (String)
- shell (String)

class URL(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- value (String, required)
- extensions (Extensions)

class UserAccount(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- user_id (String, required)
- account_login (String)
- account_type (String)
- display_name (String)
- is_service_account (Boolean)
- is_privileged (Boolean)
- can_escalate_privs (Boolean)
- is_disabled (Boolean)
- account_created (Timestamp)
- account_expires (Timestamp)
- password_last_changed (Timestamp)
- account_first_login (Timestamp)
- account_last_login (Timestamp)
- extensions (Extensions)

class WindowsPEBinaryExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- pe_type (String, required)
- imphash (String)
- machine_hex (Hex)
- number_of_sections (Integer)
- time_date_stamp (Timestamp)
- pointer_to_symbol_table_hex (Hex)
- number_of_symbols (Integer)
- size_of_optional_header (Integer)
- characteristics_hex (Hex)
- file_header_hashes (Hashes)
- optional_header (Embedded Object)
- sections (List of Embedded Objects)

class WindowsPEOptionalHeaderType(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- magic_hex (Hex)
- major_linker_version (Integer)
- minor_linker_version (Integer)
- size_of_code (Integer)
- size_of_initialized_data (Integer)
- size_of_uninitialized_data (Integer)
- address_of_entry_point (Integer)
- base_of_code (Integer)
- base_of_data (Integer)
- image_base (Integer)
- section_alignment (Integer)
- file_alignment (Integer)
- major_os_version (Integer)
- minor_os_version (Integer)
- major_image_version (Integer)
- minor_image_version (Integer)
- major_subsystem_version (Integer)
- minor_subsystem_version (Integer)
- win32_version_value_hex (Hex)
- size_of_image (Integer)
- size_of_headers (Integer)
- checksum_hex (Hex)
- subsystem_hex (Hex)
- dll_characteristics_hex (Hex)
- size_of_stack_reserve (Integer)
- size_of_stack_commit (Integer)
- size_of_heap_reserve (Integer)
- size_of_heap_commit (Integer)
- loader_flags_hex (Hex)
- number_of_rva_and_sizes (Integer)
- hashes (Hashes)

class WindowsPESection(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- name (String, required)
- size (Integer)
- entropy (Float)
- hashes (Hashes)

class WindowsProcessExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- aslr_enabled (Boolean)
- dep_enabled (Boolean)
- priority (String)
- owner_sid (String)
- window_title (String)
- startup_info (Dictionary)

class WindowsRegistryKey(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- key (String, required)
- values (List of Embedded Objects)
- modified (Timestamp)
- creator_user_ref (Object Reference)
- number_of_subkeys (Integer)
- extensions (Extensions)

class WindowsRegistryValueType(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- name (String, required)
- data (String)
- data_type (Enum)

class WindowsServiceExt(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- service_name (String, required)
- descriptions (List of Strings)
- display_name (String)
- group_name (String)
- start_type (Enum)
- service_dll_refs (List of Object References)
- service_type (Enum)
- service_status (Enum)

class X509Certificate(**kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- is_self_signed (Boolean)
- hashes (Hashes)
- version (String)
- serial_number (String)
- signature_algorithm (String)
- issuer (String)
- validity_not_before (Timestamp)
- validity_not_after (Timestamp)
- subject (String)
- subject_public_key_algorithm (String)
- subject_public_key_modulus (String)
- subject_public_key_exponent (Integer)
- x509_v3_extensions (Embedded Object)
- extensions (Extensions)

class X509V3ExtensionsType(allow_custom=False, **kwargs)
For more detailed information on this object’s properties, see the STIX 2.0 specification.
Properties:
- basic_constraints (String)
- name_constraints (String)
- policy_constraints (String)
- key_usage (String)
- extended_key_usage (String)
- subject_key_identifier (String)
- authority_key_identifier (String)
- subject_alternative_name (String)
- issuer_alternative_name (String)
- subject_directory_attributes (String)
- crl_distribution_points (String)
- inhibit_any_policy (String)
- private_key_usage_period_not_before (Timestamp)
- private_key_usage_period_not_after (Timestamp)
- certificate_policies (String)
- policy_mappings (String)

CustomExtension(type='x-custom-observable-ext', properties=None)
Decorator for custom extensions to STIX Cyber Observables.

CustomObservable(type='x-custom-observable', properties=None)
Custom STIX Cyber Observable Object type decorator.
Example
>>> from stix2.v20 import CustomObservable
>>> from stix2.properties import IntegerProperty, StringProperty
>>> @CustomObservable('x-custom-observable', [
...     ('property1', StringProperty(required=True)),
...     ('property2', IntegerProperty()),
... ])
... class MyNewObservableType():
...     pass