"""STIX 2.0 Domain Objects"""
from collections import OrderedDict
import stix2
from .base import _STIXBase
from .observables import ObservableProperty
from .other import ExternalReference, GranularMarking, KillChainPhase
from .properties import (BooleanProperty, IDProperty, IntegerProperty,
ListProperty, ReferenceProperty, StringProperty,
TimestampProperty, TypeProperty)
from .utils import NOW
class AttackPattern(_STIXBase):
    """STIX 2.0 Domain Object of type ``attack-pattern``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` is the only entry
    declared with ``required=True``.
    """

    _type = 'attack-pattern'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Attack-pattern specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('kill_chain_phases', ListProperty(KillChainPhase)),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class Campaign(_STIXBase):
    """STIX 2.0 Domain Object of type ``campaign``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` is the only entry
    declared with ``required=True``.
    """

    _type = 'campaign'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Campaign specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('aliases', ListProperty(StringProperty)),
        ('first_seen', TimestampProperty()),
        ('last_seen', TimestampProperty()),
        ('objective', StringProperty()),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class CourseOfAction(_STIXBase):
    """STIX 2.0 Domain Object of type ``course-of-action``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` is the only entry
    declared with ``required=True``.
    """

    _type = 'course-of-action'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Course-of-action specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class Identity(_STIXBase):
    """STIX 2.0 Domain Object of type ``identity``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` and
    ``identity_class`` are declared with ``required=True``.
    """

    _type = 'identity'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Identity specific content. identity_class and sectors are plain
        # strings here; no vocabulary check is declared in this table.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('identity_class', StringProperty(required=True)),
        ('sectors', ListProperty(StringProperty)),
        ('contact_information', StringProperty()),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class Indicator(_STIXBase):
    """STIX 2.0 Domain Object of type ``indicator``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``labels`` and ``pattern`` are
    declared with ``required=True``; ``valid_from`` falls back to ``NOW``.
    """

    _type = 'indicator'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Indicator specific content.
        ('labels', ListProperty(StringProperty, required=True)),
        ('name', StringProperty()),
        ('description', StringProperty()),
        # NOTE(review): pattern is declared as a plain string, so this table
        # does not check STIX patterning syntax; consumers that evaluate the
        # pattern should validate it themselves - confirm whether another
        # layer already does.
        ('pattern', StringProperty(required=True)),
        # Unlike created/modified, no precision is requested for valid_from.
        ('valid_from', TimestampProperty(default=lambda: NOW)),
        ('valid_until', TimestampProperty()),
        ('kill_chain_phases', ListProperty(KillChainPhase)),
        # Revocation, references and data markings.
        ('revoked', BooleanProperty()),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
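class IntrusionSet(_STIXBase):
    """STIX 2.0 Domain Object of type ``intrusion-set``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` is the only entry
    declared with ``required=True``.
    """

    _type = 'intrusion-set'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Intrusion-set specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('aliases', ListProperty(StringProperty)),
        ('first_seen', TimestampProperty()),
        # The key was previously registered as 'last_seen ' (trailing
        # space), which does not match the 'last_seen' name Campaign uses
        # and cannot be passed as a Python keyword argument.
        ('last_seen', TimestampProperty()),
        ('goals', ListProperty(StringProperty)),
        ('resource_level', StringProperty()),
        ('primary_motivation', StringProperty()),
        ('secondary_motivations', ListProperty(StringProperty)),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])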
class Malware(_STIXBase):
    """STIX 2.0 Domain Object of type ``malware``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` and ``labels`` are
    declared with ``required=True``.
    """

    _type = 'malware'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Malware specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('kill_chain_phases', ListProperty(KillChainPhase)),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty, required=True)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class ObservedData(_STIXBase):
    """STIX 2.0 Domain Object of type ``observed-data``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``first_observed``,
    ``last_observed`` and ``number_observed`` are declared with
    ``required=True``.
    """

    _type = 'observed-data'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Observed-data specific content.
        ('first_observed', TimestampProperty(required=True)),
        ('last_observed', TimestampProperty(required=True)),
        ('number_observed', IntegerProperty(required=True)),
        # NOTE(review): objects is not declared required here, and no range
        # is declared for number_observed; the STIX 2.0 specification
        # appears to require objects - confirm.
        ('objects', ObservableProperty()),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class Report(_STIXBase):
    """STIX 2.0 Domain Object of type ``report``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` and ``labels`` are
    declared with ``required=True``.
    """

    _type = 'report'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Report specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        # NOTE(review): published and object_refs are optional in this
        # table; the STIX 2.0 specification appears to require both -
        # confirm before relying on their presence.
        ('published', TimestampProperty()),
        # ReferenceProperty is passed without a type= restriction, unlike
        # created_by_ref and object_marking_refs.
        ('object_refs', ListProperty(ReferenceProperty)),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty, required=True)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class ThreatActor(_STIXBase):
    """STIX 2.0 Domain Object of type ``threat-actor``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` and ``labels`` are
    declared with ``required=True``.
    """

    _type = 'threat-actor'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Threat-actor specific content; the descriptive fields below are
        # plain strings or lists of strings with no vocabulary declared.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('aliases', ListProperty(StringProperty)),
        ('roles', ListProperty(StringProperty)),
        ('goals', ListProperty(StringProperty)),
        ('sophistication', StringProperty()),
        ('resource_level', StringProperty()),
        ('primary_motivation', StringProperty()),
        ('secondary_motivations', ListProperty(StringProperty)),
        ('personal_motivations', ListProperty(StringProperty)),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty, required=True)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class Tool(_STIXBase):
    """STIX 2.0 Domain Object of type ``tool``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` and ``labels`` are
    declared with ``required=True``.
    """

    _type = 'tool'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Tool specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        ('kill_chain_phases', ListProperty(KillChainPhase)),
        ('tool_version', StringProperty()),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty, required=True)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
class Vulnerability(_STIXBase):
    """STIX 2.0 Domain Object of type ``vulnerability``.

    ``_properties`` is an ordered table mapping each accepted property name
    to the property object that describes it. ``name`` is the only entry
    declared with ``required=True``.
    """

    _type = 'vulnerability'
    _properties = OrderedDict([
        # Identification and provenance.
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('created_by_ref', ReferenceProperty(type="identity")),
        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
        # Vulnerability specific content.
        ('name', StringProperty(required=True)),
        ('description', StringProperty()),
        # Revocation, labels, references and data markings.
        ('revoked', BooleanProperty()),
        ('labels', ListProperty(StringProperty)),
        ('external_references', ListProperty(ExternalReference)),
        ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
        ('granular_markings', ListProperty(GranularMarking)),
    ])
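def CustomObject(type='x-custom-type', properties=None):
    """Custom STIX Object type decorator.

    Builds a subclass of the decorated class and ``_STIXBase`` whose property
    table holds, in order: the common leading properties (``type``, ``id``,
    ``created_by_ref``, ``created``, ``modified``), the supplied
    ``properties``, and the common trailing properties (``revoked``,
    ``labels``, ``external_references``, ``object_marking_refs``,
    ``granular_markings``). The new class is passed to
    ``stix2._register_type`` and returned in place of the decorated class.

    Args:
        type: STIX type name given to the custom object.
        properties: list of ``(name, property)`` tuples describing the
            custom properties. Anything ``OrderedDict.update`` accepts
            works, but a list of tuples keeps the declared order on every
            interpreter.

    Raises:
        ValueError: if ``properties`` is None, when the decorator is applied
            to a class.

    Example 1:

    @CustomObject('x-type-name', [
        ('property1', StringProperty(required=True)),
        ('property2', IntegerProperty()),
    ])
    class MyNewObjectType():
        pass

    Supply an __init__() function to add any special validations to the custom
    type. Don't call super().__init__() though - doing so will cause an error.

    Example 2:

    @CustomObject('x-type-name', [
        ('property1', StringProperty(required=True)),
        ('property2', IntegerProperty()),
    ])
    class MyNewObjectType():
        def __init__(self, property2=None, **kwargs):
            if property2 and property2 < 10:
                raise ValueError("'property2' is too small.")
    """

    def custom_builder(cls):
        # Reject a missing property list before any class is built.
        if properties is None:
            raise ValueError("Must supply a list, containing tuples. For example, [('property1', IntegerProperty())]")

        class _Custom(cls, _STIXBase):
            _type = type
            _properties = OrderedDict()
            _properties.update([
                ('type', TypeProperty(_type)),
                ('id', IDProperty(_type)),
                ('created_by_ref', ReferenceProperty(type="identity")),
                ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
                ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
            ])

            # NOTE: a custom entry named like one of the common leading
            # properties (for example 'id' or 'type') replaces that
            # property object here; review custom definitions from third
            # parties for such collisions.
            _properties.update(properties)

            # This is to follow the general properties structure. A custom
            # entry with one of these names is replaced by the common one.
            _properties.update([
                ('revoked', BooleanProperty()),
                ('labels', ListProperty(StringProperty)),
                ('external_references', ListProperty(ExternalReference)),
                ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
                ('granular_markings', ListProperty(GranularMarking)),
            ])

            def __init__(self, **kwargs):
                _STIXBase.__init__(self, **kwargs)
                # Run the decorated class's validation only when it defines
                # an __init__ of its own. A class without one (Example 1 in
                # the docstring) resolves to object.__init__, which rejects
                # keyword arguments on Python 3, or to no attribute at all
                # for a Python 2 old-style class.
                custom_init = getattr(cls, '__init__', None)
                if custom_init is not None and custom_init is not object.__init__:
                    custom_init(self, **kwargs)

        stix2._register_type(_Custom)
        return _Custom

    return custom_builder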