MISP
/
cti-python-stix2
mirror of https://github.com/MISP/cti-python-stix2
2
0
Fork 0
Code Issues Releases Wiki Activity
cti-python-stix2/stix2/v20/sdo.py

365 lines
15 KiB
Python
Raw Normal View History

Refactor library into separate files.
2017-02-10 22:35:02 +01:00
"""STIX 2.0 Domain Objects"""
Improve markings tests - Test markings functions with both dictionaries and our _STIXBase-derived classes as input. - Slightly improve test coverage. - Drop Python 2.6 support.
2017-09-01 22:37:49 +02:00
from collections import OrderedDict
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
Add custom STIX Object types
2017-06-12 22:15:12 +02:00
import stix2
Update package structure
2017-10-26 17:39:45 +02:00
from ..base import _STIXBase
from ..markings import _MarkingsMixin
from ..properties import (BooleanProperty, IDProperty, IntegerProperty,
ListProperty, PatternProperty, ReferenceProperty,
StringProperty, TimestampProperty, TypeProperty)
from ..utils import NOW
Merge pull request #42 from oasis-open/bundles Parse bundles correctly
2017-08-14 21:21:58 +02:00
from .common import ExternalReference, GranularMarking, KillChainPhase
Move ObservableProperty, ExtensionsProperty, and Observable parsing code into observables.py to prevent circular imports and fix #23.
2017-07-14 20:55:57 +02:00
from .observables import ObservableProperty
Refactor library into separate files.
2017-02-10 22:35:02 +01:00
Make MarkingsMixin private Partially so it doesn't clog up the markings API documentation.
2017-10-06 02:50:54 +02:00
class STIXDomainObject(_STIXBase, _MarkingsMixin):
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
pass
class AttackPattern(STIXDomainObject):
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
_type = 'attack-pattern'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('kill_chain_phases', ListProperty(KillChainPhase)),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Campaign(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'campaign'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('aliases', ListProperty(StringProperty)),
('first_seen', TimestampProperty()),
('last_seen', TimestampProperty()),
('objective', StringProperty()),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class CourseOfAction(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'course-of-action'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Identity(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'identity'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('identity_class', StringProperty(required=True)),
('sectors', ListProperty(StringProperty)),
('contact_information', StringProperty()),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Indicator(STIXDomainObject):
Refactor library into separate files.
2017-02-10 22:35:02 +01:00
_type = 'indicator'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty()),
('description', StringProperty()),
Merge remote-tracking branch 'origin/master' into datastores
2017-08-22 00:40:07 +02:00
('pattern', PatternProperty(required=True)),
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
('valid_from', TimestampProperty(default=lambda: NOW)),
('valid_until', TimestampProperty()),
('kill_chain_phases', ListProperty(KillChainPhase)),
('revoked', BooleanProperty()),
Update required properties, indicator label and tests. closes #68
2017-10-06 16:29:30 +02:00
('labels', ListProperty(StringProperty, required=True)),
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Refactor library into separate files.
2017-02-10 22:35:02 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class IntrusionSet(STIXDomainObject):
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
_type = 'intrusion-set'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('aliases', ListProperty(StringProperty)),
('first_seen', TimestampProperty()),
('last_seen ', TimestampProperty()),
('goals', ListProperty(StringProperty)),
('resource_level', StringProperty()),
('primary_motivation', StringProperty()),
('secondary_motivations', ListProperty(StringProperty)),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Malware(STIXDomainObject):
Refactor library into separate files.
2017-02-10 22:35:02 +01:00
_type = 'malware'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('kill_chain_phases', ListProperty(KillChainPhase)),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty, required=True)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Refactor library into separate files.
2017-02-10 22:35:02 +01:00
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class ObservedData(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'observed-data'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('first_observed', TimestampProperty(required=True)),
('last_observed', TimestampProperty(required=True)),
('number_observed', IntegerProperty(required=True)),
Update required properties, indicator label and tests. closes #68
2017-10-06 16:29:30 +02:00
('objects', ObservableProperty(required=True)),
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Report(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'report'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
Update required properties, indicator label and tests. closes #68
2017-10-06 16:29:30 +02:00
('published', TimestampProperty(required=True)),
('object_refs', ListProperty(ReferenceProperty, required=True)),
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty, required=True)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class ThreatActor(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'threat-actor'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('aliases', ListProperty(StringProperty)),
('roles', ListProperty(StringProperty)),
('goals', ListProperty(StringProperty)),
('sophistication', StringProperty()),
('resource_level', StringProperty()),
('primary_motivation', StringProperty()),
('secondary_motivations', ListProperty(StringProperty)),
('personal_motivations', ListProperty(StringProperty)),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty, required=True)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Tool(STIXDomainObject):
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
_type = 'tool'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('kill_chain_phases', ListProperty(KillChainPhase)),
('tool_version', StringProperty()),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty, required=True)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Add KillChainPhase, AttackPattern, IntrusionSet, Tool
2017-02-22 16:06:35 +01:00
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class Vulnerability(STIXDomainObject):
Add more SDO skeletons - Campaign - CourseOfAction - Identity - ObservedData - Report - ThreatActor - Vulnerability
2017-02-23 16:11:56 +01:00
_type = 'vulnerability'
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('name', StringProperty(required=True)),
('description', StringProperty()),
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
def CustomObject(type='x-custom-type', properties=None):
Improve autodoc output - Add markings and sources - Tidy up some docstrings
2017-09-22 16:01:00 +02:00
"""Custom STIX Object type decorator.
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
Improve autodoc output - Add markings and sources - Tidy up some docstrings
2017-09-22 16:01:00 +02:00
Example:
>>> @CustomObject('x-type-name', [
... ('property1', StringProperty(required=True)),
... ('property2', IntegerProperty()),
... ])
... class MyNewObjectType():
... pass
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
Improve docstrings for Sphinx output Also remove package and module names from classes and functions. Also remove stix2.base from docs. We hide all private classes and functions from the docs, so the only thing the documentation for base included was STIXJSONEncoder.
2017-09-22 17:03:25 +02:00
Supply an ``__init__()`` function to add any special validations to the custom
type. Don't call ``super().__init__()`` though - doing so will cause an error.
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
Improve autodoc output - Add markings and sources - Tidy up some docstrings
2017-09-22 16:01:00 +02:00
Example:
>>> @CustomObject('x-type-name', [
... ('property1', StringProperty(required=True)),
... ('property2', IntegerProperty()),
... ])
... class MyNewObjectType():
... def __init__(self, property2=None, **kwargs):
... if property2 and property2 < 10:
... raise ValueError("'property2' is too small.")
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
"""
Add custom STIX Object types
2017-06-12 22:15:12 +02:00
def custom_builder(cls):
Add STIXDomainObject and STIXRelationshipObject
2017-10-03 21:01:55 +02:00
class _Custom(cls, STIXDomainObject):
Add custom STIX Object types
2017-06-12 22:15:12 +02:00
_type = type
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
_properties = OrderedDict()
_properties.update([
('type', TypeProperty(_type)),
('id', IDProperty(_type)),
('created_by_ref', ReferenceProperty(type="identity")),
('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
])
Minor changes to custom object decorators. Add new marking decorator.
2017-08-28 20:30:53 +02:00
if not properties or not isinstance(properties, list):
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
raise ValueError("Must supply a list, containing tuples. For example, [('property1', IntegerProperty())]")
Minor changes to custom object decorators. Add new marking decorator.
2017-08-28 20:30:53 +02:00
_properties.update([x for x in properties if not x[0].startswith("x_")])
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
Change SDOs to OrderedDict approach. Removed COMMON_PROPERTIES.
2017-08-11 21:12:45 +02:00
# This is to follow the general properties structure.
_properties.update([
('revoked', BooleanProperty()),
('labels', ListProperty(StringProperty)),
('external_references', ListProperty(ExternalReference)),
('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
('granular_markings', ListProperty(GranularMarking)),
])
Update CustomObject docstring, re-organize object properties.
2017-08-14 15:06:20 +02:00
# Put all custom properties at the bottom, sorted alphabetically.
Minor changes to custom object decorators. Add new marking decorator.
2017-08-28 20:30:53 +02:00
_properties.update(sorted([x for x in properties if x[0].startswith("x_")], key=lambda x: x[0]))
Update CustomObject docstring, re-organize object properties.
2017-08-14 15:06:20 +02:00
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
def __init__(self, **kwargs):
_STIXBase.__init__(self, **kwargs)
Fix errors when instantiating custom classes Defining a custom object/observable/extension class with no custom __init__() function would result in an `AttributeError` or `TypeError`, depending on if the class sub-classed `object` or not.
2017-09-20 23:13:51 +02:00
try:
cls.__init__(self, **kwargs)
except (AttributeError, TypeError) as e:
# Don't accidentally catch errors raised in a custom __init__()
if ("has no attribute '__init__'" in str(e) or
str(e) == "object.__init__() takes no parameters"):
return
raise e
Allow adding validation to custom object types _Custom.__init__() is a solution to recursion errors arising from using a decorator. See https://stackoverflow.com/q/14739809/1013457
2017-06-13 16:26:43 +02:00
Update package structure
2017-10-26 17:39:45 +02:00
stix2._register_type(_Custom, version="2.0")
Add custom STIX Object types
2017-06-12 22:15:12 +02:00
return _Custom
return custom_builder