This is an OASIS Open Repository. See the Governance section for more information.
This repository provides Python APIs for serializing and de-serializing STIX 2 JSON content, along with higher-level APIs for common tasks, including data markings, versioning, and for resolving STIX IDs across multiple data sources.
Install with pip
:
pip install stix2
To create a STIX object, provide keyword arguments to the type's constructor:
from stix2 import Indicator
indicator = Indicator(name="File hash for malware variant",
labels=['malicious-activity'],
pattern='file:hashes.md5 = "d41d8cd98f00b204e9800998ecf8427e"')
Certain required attributes of all objects will be set automatically if not provided as keyword arguments:
-
If not provided,
type
will be set automatically to the correct type. You can also provide the type explicitly, but this is not necessary:indicator = Indicator(type='indicator', ...)
Passing a value for
type
that does not match the class being constructed will cause an error:>>> indicator = Indicator(type='xxx', ...) ValueError: Indicators must have type='indicator'
-
If not provided,
id
will be generated randomly. If you provide anid
argument, it must begin with the correct prefix:>>> indicator = Indicator(id="campaign--63ce9068-b5ab-47fa-a2cf-a602ea01f21a") ValueError: Invalid value for Indicator 'id': must start with 'indicator--'.
-
If not provided,
created
andmodified
will be set to the (same) current time.
For indicators, labels
and pattern
are required and cannot be set
automatically. Trying to create an indicator that is missing one of these fields
will result in an error:
>>> indicator = Indicator()
ValueError: Missing required field(s) for Indicator: (labels, pattern).
However, the required valid_from
attribute on Indicators will be set to the
current time if not provided as a keyword argument.
Once created, the object acts like a frozen dictionary. Properties can be accessed using the standard Python dictionary syntax:
>>> indicator['name']
'File hash for malware variant'
TBD: Should we allow property access using the standard Python attribute syntax?
>>> indicator.name
'File hash for malware variant'
Attempting to modify any attributes will raise an error:
>>>indicator['name'] = "This is a revised name"
ValueError: Cannot modify properties after creation.
To update the properties of an object, see Versioning below.
Creating a Malware object follows the same pattern:
from stix2 import Malware
malware = Malware(name="Poison Ivy",
labels=['remote-access-trojan'])
As with indicators, the type
, id
, created
, and modified
properties will
be set automatically if not provided. For Malware objects, the labels
and
name
properties must be provided.
STIX 2 Relationships are separate objects, not properties of the object on
either side of the relationship. They are constructed similarly to other STIX
objects. The type
, id
, created
, and modified
properties are added
automatically if not provided. Callers must provide the relationship_type
,
source_ref
, and target_ref
properties.
from stix2 import Relationship
relationship = Relationship(relationship_type='indicates',
source_ref=indicator.id,
target_ref=malware.id)
The source_ref
and target_ref
properties can be either the ID's of other
STIX objects, or the STIX objects themselves. For readability, Relationship
objects can also be constructed with the source_ref
, relationship_type
, and
target_ref
as positional (non-keyword) arguments:
relationship = Relationship(indicator, 'indicates', malware)
STIX Bundles can be created by passing objects as arguments to the Bundle
constructor. All required properties (type
, id
, and spec_version
) will be
set automatically if not provided, or can be provided as keyword arguments:
from stix2 import bundle
bundle = Bundle(indicator, malware, relationship)
The string representation of all STIX classes is a valid STIX JSON object.
indicator = Indicator(...)
print(str(indicator))
TBD
This GitHub public repository ( https://github.com/oasis-open/cti-python-stix2 ) was proposed and approved [bis] by the OASIS Cyber Threat Intelligence (CTI) TC as an OASIS Open Repository to support development of open source resources related to Technical Committee work.
While this Open Repository remains associated with the sponsor TC, its development priorities, leadership, intellectual property terms, participation rules, and other matters of governance are separate and distinct from the OASIS TC Process and related policies.
All contributions made to this Open Repository are subject to open source license terms expressed in the BSD-3-Clause License. That license was selected as the declared "Applicable License" when the Open Repository was created.
As documented in "Public Participation Invited", contributions to this OASIS Open Repository are invited from all parties, whether affiliated with OASIS or not. Participants must have a GitHub account, but no fees or OASIS membership obligations are required. Participation is expected to be consistent with the OASIS Open Repository Guidelines and Procedures, the open source LICENSE designated for this particular repository, and the requirement for an Individual Contributor License Agreement that governs intellectual property.
Open Repository Maintainers are responsible for oversight of this project's community development activities, including evaluation of GitHub pull requests and preserving open source principles of openness and fairness. Maintainers are recognized and trusted experts who serve to implement community goals and consensus design preferences.
Initially, the associated TC members have designated one or more persons to serve as Maintainer(s); subsequently, participating community members may select additional or substitute Maintainers, per consensus agreements.
Current Maintainers of this Open Repository
- Greg Back; GitHub ID: https://github.com/gtback/; WWW: MITRE Corporation
- Chris Lenk; GitHub ID: https://github.com/clenk/; WWW: MITRE Corporation
- Open Repositories: Overview and Resources
- Frequently Asked Questions
- Open Source Licenses
- Contributor License Agreements (CLAs)
- Maintainers' Guidelines and Agreement
Questions or comments about this Open Repository's activities should be composed as GitHub issues or comments. If use of an issue/comment is not possible or appropriate, questions may be directed by email to the Maintainer(s) listed above. Please send general questions about Open Repository participation to OASIS Staff at [email protected] and any specific CLA-related questions to [email protected].