{\n",
" "type": "bundle",\n",
- " "id": "bundle--388c9b2c-936c-420a-baa5-04f48d682a01",\n",
- " "spec_version": "2.0",\n",
+ " "id": "bundle--177c6477-2dee-43d5-b4c9-8b7f3f5ec517",\n",
" "objects": [\n",
" {\n",
" "type": "indicator",\n",
- " "id": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",\n",
- " "created": "2019-05-13T13:14:48.509Z",\n",
- " "modified": "2019-05-13T13:14:48.509Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--a862ff86-68d9-42e5-8095-cd80c040e112",\n",
+ " "created": "2020-06-24T15:04:40.048932Z",\n",
+ " "modified": "2020-06-24T15:04:40.048932Z",\n",
" "name": "File hash for malware variant",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2019-05-13T13:14:48.509629Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T15:04:40.048932Z"\n",
" },\n",
" {\n",
" "type": "malware",\n",
- " "id": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67",\n",
- " "created": "2019-05-13T13:15:04.698Z",\n",
- " "modified": "2019-05-13T13:15:04.698Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--389c934c-258c-44fb-ae4b-14c6c12270f6",\n",
+ " "created": "2020-06-24T14:53:20.156644Z",\n",
+ " "modified": "2020-06-24T14:53:20.156644Z",\n",
" "name": "Poison Ivy",\n",
- " "labels": [\n",
- " "remote-access-trojan"\n",
- " ]\n",
+ " "is_family": false\n",
" },\n",
" {\n",
" "type": "relationship",\n",
- " "id": "relationship--80c174fa-36d1-47c2-9a9d-ce0c636bedcc",\n",
- " "created": "2019-05-13T13:15:13.152Z",\n",
- " "modified": "2019-05-13T13:15:13.152Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "relationship--2f6a8785-e27b-487e-b870-b85a2121502d",\n",
+ " "created": "2020-06-24T15:05:18.250605Z",\n",
+ " "modified": "2020-06-24T15:05:18.250605Z",\n",
" "relationship_type": "indicates",\n",
- " "source_ref": "indicator--2f3d4926-163d-4aef-bcd2-19dea96916ae",\n",
- " "target_ref": "malware--1f2aba70-f0ae-49cd-9267-6fcb1e43be67"\n",
+ " "source_ref": "indicator--a862ff86-68d9-42e5-8095-cd80c040e112",\n",
+ " "target_ref": "malware--389c934c-258c-44fb-ae4b-14c6c12270f6"\n",
" }\n",
" ]\n",
"}\n",
@@ -865,7 +867,7 @@
""
]
},
- "execution_count": 15,
+ "execution_count": 21,
"metadata": {},
"output_type": "execute_result"
}
@@ -882,22 +884,14 @@
"metadata": {},
"source": [
"### Creating Cyber Observable References\n",
- "Cyber Observable Objects have properties that can reference other Cyber Observable Objects. In order to create those references, use the ``_valid_refs`` property as shown in the following examples. It should be noted that ``_valid_refs`` is necessary when creating references to Cyber Observable Objects since some embedded references can only point to certain types, and ``_valid_refs`` helps ensure consistency. \n",
+ "Cyber Observable Objects have properties that can reference other Cyber Observable Objects. In order to create those references, either supply the ID string of the object being referenced, or pass in the object itself.\n",
"\n",
- "There are two cases."
- ]
- },
- {
- "cell_type": "markdown",
- "metadata": {},
- "source": [
- "#### Case 1: Specifying the type of the Cyber Observable Objects being referenced\n",
- "In the following example, the IPv4Address object has its ``resolves_to_refs`` property specified. As per the spec, this property's value must be a list of reference(s) to MACAddress objects. In this case, those references are strings that state the type of the Cyber Observable Object being referenced, and are provided in ``_valid_refs``."
+ "For example, the IPv4Address object has a ``resolves_to_refs`` property which must hold a list of references to MACAddress objects. We could specify the id string:"
]
},
{
"cell_type": "code",
- "execution_count": 16,
+ "execution_count": 22,
"metadata": {},
"outputs": [
{
@@ -973,11 +967,12 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "ipv4-addr",\n",
+ " "id": "ipv4-addr--dc63603e-e634-5357-b239-d4b562bc5445",\n",
" "value": "177.60.40.7",\n",
" "resolves_to_refs": [\n",
- " "1",\n",
- " "2"\n",
- " ]\n",
+ " "mac-addr--43f380fd-37c6-476d-8643-60849bf9240e"\n",
+ " ],\n",
+ " "spec_version": "2.1"\n",
"}\n",
"{\n",
" "type": "ipv4-addr",\n",
+ " "id": "ipv4-addr--dc63603e-e634-5357-b239-d4b562bc5445",\n",
" "value": "177.60.40.7",\n",
" "resolves_to_refs": [\n",
- " "1",\n",
- " "2"\n",
- " ]\n",
+ " "mac-addr--f72d7d00-86bd-5cd2-8c86-52f7a83bef62",\n",
+ " "mac-addr--875ad625-177b-5c2a-9101-d44b0ad55938"\n",
+ " ],\n",
+ " "spec_version": "2.1"\n",
"}\n",
"{\n",
" "type": "identity",\n",
- " "id": "identity--d6996982-5fb7-4364-b716-b618516989b6",\n",
- " "created": "2020-03-05T05:06:27.349Z",\n",
- " "modified": "2020-03-05T05:06:27.349Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "identity--a4c49251-0ad1-44e6-8cfc-3dbd75e73fbd",\n",
+ " "created": "2020-06-24T18:29:07.107425Z",\n",
+ " "modified": "2020-06-24T18:29:07.107425Z",\n",
" "name": "John Smith",\n",
" "identity_class": "individual",\n",
" "x_foo": "bar"\n",
@@ -287,9 +289,10 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "identity",\n",
- " "id": "identity--a167d2de-9fc4-4734-a1ae-57a548aad22a",\n",
- " "created": "2020-03-05T05:06:29.180Z",\n",
- " "modified": "2020-03-05T05:06:29.180Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "identity--50c33f36-362b-4815-9f97-f3c7f39aa691",\n",
+ " "created": "2020-06-24T18:29:15.435425Z",\n",
+ " "modified": "2020-06-24T18:29:15.435425Z",\n",
" "name": "John Smith",\n",
" "identity_class": "individual",\n",
" "x_foo": "bar"\n",
@@ -317,7 +320,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "Likewise, when parsing STIX content with custom properties, pass ``allow_custom=True`` to [parse()](../api/stix2.core.rst#stix2.core.parse):"
+ "Likewise, when parsing STIX content with custom properties, pass ``allow_custom=True`` to [parse()](../api/stix2.parsing.rst#stix2.parsing.parse):"
]
},
{
@@ -413,6 +416,7 @@
"\n",
"input_string = \"\"\"{\n",
" \"type\": \"identity\",\n",
+ " \"spec_version\": \"2.1\",\n",
" \"id\": \"identity--311b2d2d-f010-4473-83ec-1edf84858f4c\",\n",
" \"created\": \"2015-12-21T19:59:11Z\",\n",
" \"modified\": \"2015-12-21T19:59:11Z\",\n",
@@ -428,7 +432,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "To remove a custom properties, use `new_version()` and set it to `None`."
+ "To remove a custom properties, use `new_version()` and set that property to `None`."
]
},
{
@@ -509,9 +513,10 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "identity",\n",
+ " "spec_version": "2.1",\n",
" "id": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",\n",
" "created": "2015-12-21T19:59:11.000Z",\n",
- " "modified": "2020-03-05T05:06:32.934Z",\n",
+ " "modified": "2020-06-24T18:29:24.099Z",\n",
" "name": "John Smith",\n",
" "identity_class": "individual"\n",
"}\n",
@@ -537,7 +542,7 @@
"source": [
"### Custom STIX Object Types\n",
"\n",
- "To create a custom STIX object type, define a class with the @[CustomObject](../api/v20/stix2.v20.sdo.rst#stix2.v20.sdo.CustomObject) decorator. It takes the type name and a list of property tuples, each tuple consisting of the property name and a property instance. Any special validation of the properties can be added by supplying an ``__init__`` function.\n",
+ "To create a custom STIX object type, define a class with the @[CustomObject](../api/v21/stix2.v21.sdo.rst#stix2.v21.sdo.CustomObject) decorator. It takes the type name and a list of property tuples, each tuple consisting of the property name and a property instance. Any special validation of the properties can be added by supplying an ``__init__`` function.\n",
"\n",
"Let's say zoo animals have become a serious cyber threat and we want to model them in STIX using a custom object type. Let's use a ``species`` property to store the kind of animal, and make that property required. We also want a property to store the class of animal, such as \"mammal\" or \"bird\" but only want to allow specific values in it. We can add some logic to validate this property in ``__init__``."
]
@@ -645,9 +650,10 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "x-animal",\n",
- " "id": "x-animal--1f7ce0ad-fd3a-4cf0-9cd7-13f7bef9ecd4",\n",
- " "created": "2020-03-05T05:06:38.010Z",\n",
- " "modified": "2020-03-05T05:06:38.010Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "x-animal--c7dbda16-360a-4622-b9c7-91f0497167cc",\n",
+ " "created": "2020-06-24T18:33:29.856926Z",\n",
+ " "modified": "2020-06-24T18:33:29.856926Z",\n",
" "species": "lion",\n",
" "animal_class": "mammal"\n",
"}\n",
@@ -703,7 +709,7 @@
},
{
"cell_type": "code",
- "execution_count": 11,
+ "execution_count": 12,
"metadata": {},
"outputs": [
{
@@ -784,7 +790,7 @@
""
]
},
- "execution_count": 11,
+ "execution_count": 12,
"metadata": {},
"output_type": "execute_result"
}
@@ -795,6 +801,7 @@
" \"id\": \"x-animal--941f1471-6815-456b-89b8-7051ddf13e4b\",\n",
" \"created\": \"2015-12-21T19:59:11Z\",\n",
" \"modified\": \"2015-12-21T19:59:11Z\",\n",
+ " \"spec_version\": \"2.1\",\n",
" \"species\": \"shark\",\n",
" \"animal_class\": \"fish\"\n",
"}\"\"\"\n",
@@ -811,7 +818,7 @@
},
{
"cell_type": "code",
- "execution_count": 12,
+ "execution_count": 13,
"metadata": {},
"outputs": [
{
@@ -841,12 +848,12 @@
"source": [
"### Custom Cyber Observable Types\n",
"\n",
- "Similar to custom STIX object types, use a decorator to create [custom Cyber Observable](../api/v20/stix2.v20.observables.rst#stix2.v20.observables.CustomObservable) types. Just as before, ``__init__()`` can hold additional validation, but it is not necessary."
+ "Similar to custom STIX object types, use a decorator to create [custom Cyber Observable](../api/v21/stix2.v21.observables.rst#stix2.v21.observables.CustomObservable) types. Just as before, ``__init__()`` can hold additional validation, but it is not necessary."
]
},
{
"cell_type": "code",
- "execution_count": 13,
+ "execution_count": 14,
"metadata": {},
"outputs": [
{
@@ -922,6 +929,7 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "x-new-observable",\n",
+ " "id": "x-new-observable--fdb5fd26-533e-44f4-9463-e8ade73e08c0",\n",
" "a_property": "something",\n",
" "property_2": 10\n",
"}\n",
@@ -931,7 +939,7 @@
""
]
},
- "execution_count": 13,
+ "execution_count": 14,
"metadata": {},
"output_type": "execute_result"
}
@@ -962,7 +970,7 @@
},
{
"cell_type": "code",
- "execution_count": 14,
+ "execution_count": 16,
"metadata": {},
"outputs": [
{
@@ -1043,7 +1051,7 @@
""
]
},
- "execution_count": 14,
+ "execution_count": 16,
"metadata": {},
"output_type": "execute_result"
},
@@ -1125,7 +1133,7 @@
""
]
},
- "execution_count": 14,
+ "execution_count": 16,
"metadata": {},
"output_type": "execute_result"
}
@@ -1136,6 +1144,7 @@
"input_string4 = \"\"\"{\n",
" \"type\": \"observed-data\",\n",
" \"id\": \"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\",\n",
+ " \"spec_version\": \"2.1\",\n",
" \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\n",
" \"created\": \"2016-04-06T19:58:16.000Z\",\n",
" \"modified\": \"2016-04-06T19:58:16.000Z\",\n",
@@ -1171,7 +1180,7 @@
},
{
"cell_type": "code",
- "execution_count": 15,
+ "execution_count": 17,
"metadata": {},
"outputs": [
{
@@ -1247,7 +1256,7 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "x-new-observable-2",\n",
- " "id": "x-new-observable-2--6bc655d6-dcb8-52a3-a862-46848c17e599",\n",
+ " "id": "x-new-observable-2--cafee477-4edc-58fd-81c1-2e23e93f9326",\n",
" "a_property": "A property",\n",
" "property_2": 2000\n",
"}\n",
@@ -1257,7 +1266,7 @@
""
]
},
- "execution_count": 15,
+ "execution_count": 17,
"metadata": {},
"output_type": "execute_result"
},
@@ -1334,7 +1343,7 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "x-new-observable-2",\n",
- " "id": "x-new-observable-2--6bc655d6-dcb8-52a3-a862-46848c17e599",\n",
+ " "id": "x-new-observable-2--cafee477-4edc-58fd-81c1-2e23e93f9326",\n",
" "a_property": "A property",\n",
" "property_2": 3000\n",
"}\n",
@@ -1344,7 +1353,7 @@
""
]
},
- "execution_count": 15,
+ "execution_count": 17,
"metadata": {},
"output_type": "execute_result"
},
@@ -1421,7 +1430,7 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "x-new-observable-2",\n",
- " "id": "x-new-observable-2--1e56f9c3-a73b-5fbd-b348-83c76523c4df",\n",
+ " "id": "x-new-observable-2--2945b948-7361-5204-a630-31b828af920c",\n",
" "a_property": "A different property",\n",
" "property_2": 3000\n",
"}\n",
@@ -1431,13 +1440,13 @@
""
]
},
- "execution_count": 15,
+ "execution_count": 17,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
- "from stix2.v21 import CustomObservable # IDs and Deterministic IDs are NOT part of STIX 2.0 Custom Observables\n",
+ "from stix2 import CustomObservable\n",
"\n",
"@CustomObservable('x-new-observable-2', [\n",
" ('a_property', properties.StringProperty(required=True)),\n",
@@ -1473,12 +1482,12 @@
"source": [
"### Custom Cyber Observable Extensions\n",
"\n",
- "Finally, custom extensions to existing Cyber Observable types can also be created. Just use the @[CustomExtension](../api/v20/stix2.v20.observables.rst#stix2.v20.observables.CustomExtension) decorator. Note that you must provide the Cyber Observable class to which the extension applies. Again, any extra validation of the properties can be implemented by providing an ``__init__()`` but it is not required. Let's say we want to make an extension to the ``File`` Cyber Observable Object:"
+ "Finally, custom extensions to existing Cyber Observable types can also be created. Just use the @[CustomExtension](../api/v21/stix2.v21.observables.rst#stix2.v21.observables.CustomExtension) decorator. Note that you must provide the Cyber Observable class to which the extension applies. Again, any extra validation of the properties can be implemented by providing an ``__init__()`` but it is not required. Let's say we want to make an extension to the ``File`` Cyber Observable Object:"
]
},
{
"cell_type": "code",
- "execution_count": 16,
+ "execution_count": 18,
"metadata": {},
"outputs": [
{
@@ -1562,7 +1571,7 @@
""
]
},
- "execution_count": 16,
+ "execution_count": 18,
"metadata": {},
"output_type": "execute_result"
}
@@ -1591,7 +1600,7 @@
},
{
"cell_type": "code",
- "execution_count": 17,
+ "execution_count": 20,
"metadata": {},
"outputs": [
{
@@ -1672,7 +1681,7 @@
""
]
},
- "execution_count": 17,
+ "execution_count": 20,
"metadata": {},
"output_type": "execute_result"
},
@@ -1754,7 +1763,7 @@
""
]
},
- "execution_count": 17,
+ "execution_count": 20,
"metadata": {},
"output_type": "execute_result"
}
@@ -1763,6 +1772,7 @@
"input_string5 = \"\"\"{\n",
" \"type\": \"observed-data\",\n",
" \"id\": \"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\",\n",
+ " \"spec_version\": \"2.1\",\n",
" \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\n",
" \"created\": \"2016-04-06T19:58:16.000Z\",\n",
" \"modified\": \"2016-04-06T19:58:16.000Z\",\n",
@@ -1793,21 +1803,21 @@
],
"metadata": {
"kernelspec": {
- "display_name": "Python 2",
+ "display_name": "Python 3",
"language": "python",
- "name": "python2"
+ "name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
- "version": 2
+ "version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
- "pygments_lexer": "ipython2",
- "version": "2.7.15+"
+ "pygments_lexer": "ipython3",
+ "version": "3.9.0a6"
}
},
"nbformat": 4,
diff --git a/docs/guide/datastore.ipynb b/docs/guide/datastore.ipynb
index e4aad79..9f8e310 100644
--- a/docs/guide/datastore.ipynb
+++ b/docs/guide/datastore.ipynb
@@ -4,7 +4,6 @@
"cell_type": "code",
"execution_count": 1,
"metadata": {
- "collapsed": true,
"nbsphinx": "hidden"
},
"outputs": [],
@@ -16,6 +15,7 @@
"def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
" exception_only=False, running_compiled_code=False):\n",
" etype, value, tb = sys.exc_info()\n",
+ " value.__cause__ = None # suppress chained exceptions\n",
" return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
"\n",
"ipython.showtraceback = hide_traceback"
@@ -25,7 +25,6 @@
"cell_type": "code",
"execution_count": 2,
"metadata": {
- "collapsed": true,
"nbsphinx": "hidden"
},
"outputs": [],
@@ -87,7 +86,7 @@
},
{
"cell_type": "code",
- "execution_count": 4,
+ "execution_count": 9,
"metadata": {},
"outputs": [
{
@@ -163,6 +162,7 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "intrusion-set",\n",
+ " "spec_version": "2.1",\n",
" "id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a",\n",
" "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",\n",
" "created": "2017-05-31T21:31:53.197Z",\n",
@@ -204,7 +204,7 @@
""
]
},
- "execution_count": 4,
+ "execution_count": 9,
"metadata": {},
"output_type": "execute_result"
},
@@ -281,19 +281,22 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "indicator",\n",
- " "id": "indicator--02b90f02-a96a-43ee-88f1-1e87297941f2",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",\n",
" "created": "2017-11-13T07:00:24.000Z",\n",
" "modified": "2017-11-13T07:00:24.000Z",\n",
" "name": "Ransomware IP Blocklist",\n",
" "description": "IP Blocklist address from abuse.ch",\n",
- " "pattern": "[ ipv4-addr:value = '91.237.247.24' ]",\n",
- " "valid_from": "2017-11-13T07:00:24Z",\n",
- " "labels": [\n",
+ " "indicator_types": [\n",
" "malicious-activity",\n",
" "Ransomware",\n",
" "Botnet",\n",
" "C&C"\n",
" ],\n",
+ " "pattern": "[ ipv4-addr:value = '91.237.247.24' ]",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2017-11-13T07:00:24Z",\n",
" "external_references": [\n",
" {\n",
" "source_name": "abuse.ch",\n",
@@ -307,7 +310,7 @@
""
]
},
- "execution_count": 4,
+ "execution_count": 9,
"metadata": {},
"output_type": "execute_result"
}
@@ -320,7 +323,7 @@
"fs = FileSystemSource(\"/tmp/stix2_source\")\n",
"\n",
"# create TAXIICollectionSource\n",
- "colxn = Collection('http://127.0.0.1:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/')\n",
+ "colxn = Collection('http://127.0.0.1:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/', user=\"user1\", password=\"Password1\")\n",
"ts = TAXIICollectionSource(colxn)\n",
"\n",
"# add them both to the CompositeDataSource\n",
@@ -332,7 +335,7 @@
"print(intrusion_set)\n",
"\n",
"# get an object that is only in the TAXII collection\n",
- "ind = cs.get('indicator--02b90f02-a96a-43ee-88f1-1e87297941f2')\n",
+ "ind = cs.get('indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7')\n",
"print(ind)"
]
},
@@ -357,6 +360,7 @@
"\n",
"* added_after\n",
"* id\n",
+ "* spec_version\n",
"* type\n",
"* version\n",
"\n",
@@ -386,10 +390,8 @@
},
{
"cell_type": "code",
- "execution_count": 3,
- "metadata": {
- "collapsed": true
- },
+ "execution_count": 10,
+ "metadata": {},
"outputs": [],
"source": [
"import sys\n",
@@ -420,7 +422,7 @@
},
{
"cell_type": "code",
- "execution_count": 6,
+ "execution_count": 11,
"metadata": {},
"outputs": [],
"source": [
@@ -454,7 +456,8 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "**Note: The `defanged` property is now always included (implicitly) for STIX 2.1 Cyber Observable Objects (SCOs)**\n\n",
+ "**Note: The `defanged` property is now always included (implicitly) for STIX 2.1 Cyber Observable Objects (SCOs)**\n",
+ "\n",
"This is important to remember if you are writing a filter that involves checking the `objects` property of a STIX 2.1 `ObservedData` object. If any of the objects associated with the `objects` property are STIX 2.1 SCOs, then your filter must include the `defanged` property. For an example, refer to `filters[14]` & `filters[15]` in stix2/test/v21/test_datastore_filters.py "
]
},
@@ -469,10 +472,8 @@
},
{
"cell_type": "code",
- "execution_count": 10,
- "metadata": {
- "collapsed": true
- },
+ "execution_count": 14,
+ "metadata": {},
"outputs": [],
"source": [
"from stix2 import Campaign, Identity, Indicator, Malware, Relationship\n",
@@ -480,8 +481,8 @@
"mem = MemoryStore()\n",
"cam = Campaign(name='Charge', description='Attack!')\n",
"idy = Identity(name='John Doe', identity_class=\"individual\")\n",
- "ind = Indicator(labels=['malicious-activity'], pattern=\"[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
- "mal = Malware(labels=['ransomware'], name=\"Cryptolocker\", created_by_ref=idy)\n",
+ "ind = Indicator(pattern_type='stix', pattern=\"[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
+ "mal = Malware(name=\"Cryptolocker\", is_family=False, created_by_ref=idy)\n",
"rel1 = Relationship(ind, 'indicates', mal,)\n",
"rel2 = Relationship(mal, 'targets', idy)\n",
"rel3 = Relationship(cam, 'uses', mal)\n",
@@ -492,12 +493,12 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "If a STIX object has a `created_by_ref` property, you can use the [creator_of()](../api/stix2.datastore.rst#stix2.datastore.DataSource.creator_of) method to retrieve the [Identity](../api/v20/stix2.v20.sdo.rst#stix2.v20.sdo.Identity) object that created it."
+ "If a STIX object has a `created_by_ref` property, you can use the [creator_of()](../api/stix2.datastore.rst#stix2.datastore.DataSource.creator_of) method to retrieve the [Identity](../api/v21/stix2.v21.sdo.rst#stix2.v21.sdo.Identity) object that created it."
]
},
{
"cell_type": "code",
- "execution_count": 11,
+ "execution_count": 15,
"metadata": {},
"outputs": [
{
@@ -573,9 +574,10 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "identity",\n",
- " "id": "identity--b67cf8d4-cc1a-4bb7-9402-fffcff17c9a9",\n",
- " "created": "2018-04-05T20:43:54.117Z",\n",
- " "modified": "2018-04-05T20:43:54.117Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "identity--a2628104-e357-44a0-b16f-d5f36c0fd0ec",\n",
+ " "created": "2020-06-26T13:59:21.924055Z",\n",
+ " "modified": "2020-06-26T13:59:21.924055Z",\n",
" "name": "John Doe",\n",
" "identity_class": "individual"\n",
"}\n",
@@ -585,7 +587,7 @@
""
]
},
- "execution_count": 11,
+ "execution_count": 15,
"metadata": {},
"output_type": "execute_result"
}
@@ -603,7 +605,7 @@
},
{
"cell_type": "code",
- "execution_count": 12,
+ "execution_count": 16,
"metadata": {},
"outputs": [
{
@@ -612,7 +614,7 @@
"3"
]
},
- "execution_count": 12,
+ "execution_count": 16,
"metadata": {},
"output_type": "execute_result"
}
@@ -631,16 +633,16 @@
},
{
"cell_type": "code",
- "execution_count": 13,
+ "execution_count": 17,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
- "[Relationship(type='relationship', id='relationship--3b9cb248-5c2c-425d-85d0-680bfef6e69d', created='2018-04-05T20:43:54.134Z', modified='2018-04-05T20:43:54.134Z', relationship_type='indicates', source_ref='indicator--61deb2a5-305a-490e-83b3-9839a9677368', target_ref='malware--9fe343d8-edf7-4f4a-bb6c-a221fb75142d')]"
+ "[Relationship(type='relationship', spec_version='2.1', id='relationship--ef837187-773c-41e4-ae86-c66189a832f5', created='2020-06-26T13:59:21.929336Z', modified='2020-06-26T13:59:21.929336Z', relationship_type='indicates', source_ref='indicator--9f10f6f2-b93d-488e-be35-72c3ec1087c3', target_ref='malware--315597db-2a74-4a29-8e54-38572e1ac07b')]"
]
},
- "execution_count": 13,
+ "execution_count": 17,
"metadata": {},
"output_type": "execute_result"
}
@@ -658,16 +660,16 @@
},
{
"cell_type": "code",
- "execution_count": 14,
+ "execution_count": 18,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
- "[Relationship(type='relationship', id='relationship--8d322508-423b-4d51-be85-a95ad083f8af', created='2018-04-05T20:43:54.134Z', modified='2018-04-05T20:43:54.134Z', relationship_type='targets', source_ref='malware--9fe343d8-edf7-4f4a-bb6c-a221fb75142d', target_ref='identity--b67cf8d4-cc1a-4bb7-9402-fffcff17c9a9')]"
+ "[Relationship(type='relationship', spec_version='2.1', id='relationship--43f5f7a7-8a99-4bbf-8d93-e6f3fd2951a3', created='2020-06-26T13:59:21.937132Z', modified='2020-06-26T13:59:21.937132Z', relationship_type='targets', source_ref='malware--315597db-2a74-4a29-8e54-38572e1ac07b', target_ref='identity--a2628104-e357-44a0-b16f-d5f36c0fd0ec')]"
]
},
- "execution_count": 14,
+ "execution_count": 18,
"metadata": {},
"output_type": "execute_result"
}
@@ -685,17 +687,17 @@
},
{
"cell_type": "code",
- "execution_count": 15,
+ "execution_count": 19,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
- "[Relationship(type='relationship', id='relationship--3b9cb248-5c2c-425d-85d0-680bfef6e69d', created='2018-04-05T20:43:54.134Z', modified='2018-04-05T20:43:54.134Z', relationship_type='indicates', source_ref='indicator--61deb2a5-305a-490e-83b3-9839a9677368', target_ref='malware--9fe343d8-edf7-4f4a-bb6c-a221fb75142d'),\n",
- " Relationship(type='relationship', id='relationship--93e5afe0-d1fb-4315-8d08-10951f7a99b6', created='2018-04-05T20:43:54.134Z', modified='2018-04-05T20:43:54.134Z', relationship_type='uses', source_ref='campaign--edfd885c-bc31-4051-9bc2-08e057542d56', target_ref='malware--9fe343d8-edf7-4f4a-bb6c-a221fb75142d')]"
+ "[Relationship(type='relationship', spec_version='2.1', id='relationship--ef837187-773c-41e4-ae86-c66189a832f5', created='2020-06-26T13:59:21.929336Z', modified='2020-06-26T13:59:21.929336Z', relationship_type='indicates', source_ref='indicator--9f10f6f2-b93d-488e-be35-72c3ec1087c3', target_ref='malware--315597db-2a74-4a29-8e54-38572e1ac07b'),\n",
+ " Relationship(type='relationship', spec_version='2.1', id='relationship--596c196f-2f05-4584-b643-2186b327a94f', created='2020-06-26T13:59:21.937354Z', modified='2020-06-26T13:59:21.937354Z', relationship_type='uses', source_ref='campaign--d359f872-7e44-4090-8e08-c5bd10bc5f2d', target_ref='malware--315597db-2a74-4a29-8e54-38572e1ac07b')]"
]
},
- "execution_count": 15,
+ "execution_count": 19,
"metadata": {},
"output_type": "execute_result"
}
@@ -713,16 +715,16 @@
},
{
"cell_type": "code",
- "execution_count": 16,
+ "execution_count": 20,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
- "[Campaign(type='campaign', id='campaign--edfd885c-bc31-4051-9bc2-08e057542d56', created='2018-04-05T20:43:54.117Z', modified='2018-04-05T20:43:54.117Z', name='Charge', description='Attack!')]"
+ "[Campaign(type='campaign', spec_version='2.1', id='campaign--d359f872-7e44-4090-8e08-c5bd10bc5f2d', created='2020-06-26T13:59:21.923792Z', modified='2020-06-26T13:59:21.923792Z', name='Charge', description='Attack!')]"
]
},
- "execution_count": 16,
+ "execution_count": 20,
"metadata": {},
"output_type": "execute_result"
}
@@ -748,7 +750,7 @@
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
- "version": "3.6.7"
+ "version": "3.9.0a6"
}
},
"nbformat": 4,
diff --git a/docs/guide/environment.ipynb b/docs/guide/environment.ipynb
index 8d22e39..a3417b5 100644
--- a/docs/guide/environment.ipynb
+++ b/docs/guide/environment.ipynb
@@ -15,6 +15,7 @@
"def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
" exception_only=False, running_compiled_code=False):\n",
" etype, value, tb = sys.exc_info()\n",
+ " value.__cause__ = None # suppress chained exceptions\n",
" return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
"\n",
"ipython.showtraceback = hide_traceback"
@@ -67,7 +68,7 @@
},
{
"cell_type": "code",
- "execution_count": 1,
+ "execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
@@ -113,7 +114,7 @@
"from stix2 import Indicator\n",
"\n",
"indicator = Indicator(id=\"indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7\",\n",
- " labels=[\"malicious-activity\"],\n",
+ " pattern_type=\"stix\",\n",
" pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
"env.add(indicator)"
]
@@ -203,14 +204,14 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
" "id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",\n",
- " "created": "2018-04-05T19:27:53.923Z",\n",
- " "modified": "2018-04-05T19:27:53.923Z",\n",
+ " "created": "2020-06-26T14:46:08.384618Z",\n",
+ " "modified": "2020-06-26T14:46:08.384618Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:27:53.923548Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T14:46:08.384618Z"\n",
"}\n",
"{\n",
" "type": "indicator",\n",
- " "id": "indicator--c1b421c0-9c6b-4276-9b73-1b8684a5a0d2",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--4db1493b-8822-4b1c-a471-1c1cdc53ec6d",\n",
" "created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",\n",
- " "created": "2018-04-05T19:28:48.776Z",\n",
- " "modified": "2018-04-05T19:28:48.776Z",\n",
+ " "created": "2020-06-26T14:46:36.666866Z",\n",
+ " "modified": "2020-06-26T14:46:36.666866Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:28:48.776442Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T14:46:36.666866Z"\n",
"}\n",
"{\n",
" "type": "indicator",\n",
- " "id": "indicator--30a3b39c-5f57-4e7f-9eaf-e1abcb643da4",\n",
- " "created": "2017-09-25T18:07:46.255Z",\n",
- " "modified": "2017-09-25T18:07:46.255Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--e7e92c87-df40-4ffb-a6da-9667b0acddb1",\n",
+ " "created": "2017-09-25T18:07:46.255472Z",\n",
+ " "modified": "2017-09-25T18:07:46.255472Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:28:53.268567Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T14:47:58.470047Z"\n",
"}\n",
"{\n",
" "type": "indicator",\n",
- " "id": "indicator--6c5bbaaf-6dac-44b0-a0df-86c27b3f6ecb",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--40540b9b-47a7-4855-81a3-b6d3ff6f8592",\n",
" "created_by_ref": "identity--962cabe5-f7f3-438a-9169-585a8c971d12",\n",
- " "created": "2017-09-25T18:07:46.255Z",\n",
- " "modified": "2017-09-25T18:07:46.255Z",\n",
+ " "created": "2017-09-25T18:07:46.255472Z",\n",
+ " "modified": "2017-09-25T18:07:46.255472Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:29:56.55129Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T14:48:11.028904Z"\n",
"}\n",
"{\n",
" "type": "indicator",\n",
- " "id": "indicator--d1b8c3f6-1de1-44c1-b079-3df307224a0d",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--3ab656d1-e549-4a6e-a2df-e84ff515fcd3",\n",
" "created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",\n",
- " "created": "2018-04-05T19:29:59.605Z",\n",
- " "modified": "2018-04-05T19:29:59.605Z",\n",
+ " "created": "2020-06-26T14:48:20.238719Z",\n",
+ " "modified": "2020-06-26T14:48:20.238719Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:29:59.605463Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T14:48:20.238719Z"\n",
"}\n",
"{\n",
" "type": "malware",\n",
- " "id": "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841",\n",
" "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",\n",
- " "created": "2017-05-31T21:33:19.746Z",\n",
- " "modified": "2017-05-31T21:33:19.746Z",\n",
- " "name": "PowerDuke",\n",
- " "description": "PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.[[Citation: Volexity PowerDuke November 2016]]",\n",
- " "labels": [\n",
+ " "created": "2017-05-31T21:33:26.565Z",\n",
+ " "modified": "2017-05-31T21:33:26.565Z",\n",
+ " "name": "RTM",\n",
+ " "description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]",\n",
+ " "malware_types": [\n",
" "malware"\n",
" ],\n",
+ " "is_family": false,\n",
" "external_references": [\n",
" {\n",
" "source_name": "mitre-attack",\n",
- " "url": "https://attack.mitre.org/wiki/Software/S0139",\n",
- " "external_id": "S0139"\n",
+ " "url": "https://attack.mitre.org/wiki/Software/S0148",\n",
+ " "external_id": "S0148"\n",
" },\n",
" {\n",
- " "source_name": "Volexity PowerDuke November 2016",\n",
- " "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",\n",
- " "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"\n",
+ " "source_name": "ESET RTM Feb 2017",\n",
+ " "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.",\n",
+ " "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"\n",
" }\n",
" ],\n",
" "object_marking_refs": [\n",
@@ -233,7 +236,7 @@
""
]
},
- "execution_count": 4,
+ "execution_count": 7,
"metadata": {},
"output_type": "execute_result"
}
@@ -245,8 +248,8 @@
"fs = FileSystemStore(\"/tmp/stix2_store\")\n",
"\n",
"# retrieve STIX2 content from FileSystemStore\n",
- "ap = fs.get(\"attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6\")\n",
- "mal = fs.get(\"malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a\")\n",
+ "ap = fs.get(\"attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22\")\n",
+ "mal = fs.get(\"malware--92ec0cbd-2c30-44a2-b270-73f4ec949841\")\n",
"\n",
"# for visual purposes\n",
"print(mal)"
@@ -254,32 +257,29 @@
},
{
"cell_type": "code",
- "execution_count": 2,
- "metadata": {
- "collapsed": true
- },
+ "execution_count": 8,
+ "metadata": {},
"outputs": [],
"source": [
"from stix2 import ThreatActor, Indicator\n",
"\n",
"# create new STIX threat-actor\n",
"ta = ThreatActor(name=\"Adjective Bear\",\n",
- " labels=[\"nation-state\"],\n",
- " sophistication=\"innovator\",\n",
- " resource_level=\"government\",\n",
- " goals=[\n",
- " \"compromising media outlets\",\n",
- " \"water-hole attacks geared towards political, military targets\",\n",
- " \"intelligence collection\"\n",
- " ])\n",
+ " sophistication=\"innovator\",\n",
+ " resource_level=\"government\",\n",
+ " goals=[\n",
+ " \"compromising media outlets\",\n",
+ " \"water-hole attacks geared towards political, military targets\",\n",
+ " \"intelligence collection\"\n",
+ " ])\n",
"\n",
"# create new indicators\n",
"ind = Indicator(description=\"Crusades C2 implant\",\n",
- " labels=[\"malicious-activity\"],\n",
+ " pattern_type=\"stix\",\n",
" pattern=\"[file:hashes.'SHA-256' = '54b7e05e39a59428743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']\")\n",
"\n",
"ind1 = Indicator(description=\"Crusades C2 implant 2\",\n",
- " labels=[\"malicious-activity\"],\n",
+ " pattern_type=\"stix\",\n",
" pattern=\"[file:hashes.'SHA-256' = '64c7e05e40a59511743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']\")\n",
"\n",
"# add STIX object (threat-actor) to FileSystemStore\n",
@@ -300,7 +300,7 @@
},
{
"cell_type": "code",
- "execution_count": 6,
+ "execution_count": 9,
"metadata": {},
"outputs": [
{
@@ -376,23 +376,34 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "attack-pattern",\n",
- " "id": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",\n",
" "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",\n",
- " "created": "2017-05-31T21:30:54.176Z",\n",
- " "modified": "2017-05-31T21:30:54.176Z",\n",
- " "name": "Indicator Removal from Tools",\n",
- " "description": "If a malicious...command-line parameters, Process monitoring",\n",
+ " "created": "2017-05-31T21:30:19.735Z",\n",
+ " "modified": "2017-05-31T21:30:19.735Z",\n",
+ " "name": "Credential Dumping",\n",
+ " "description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\\n\\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\\n\\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \\n\\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\\n\\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\\n\\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\\n\\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs",\n",
" "kill_chain_phases": [\n",
" {\n",
" "kill_chain_name": "mitre-attack",\n",
- " "phase_name": "defense-evasion"\n",
+ " "phase_name": "credential-access"\n",
" }\n",
" ],\n",
" "external_references": [\n",
" {\n",
" "source_name": "mitre-attack",\n",
- " "url": "https://attack.mitre.org/wiki/Technique/T1066",\n",
- " "external_id": "T1066"\n",
+ " "url": "https://attack.mitre.org/wiki/Technique/T1003",\n",
+ " "external_id": "T1003"\n",
+ " },\n",
+ " {\n",
+ " "source_name": "Github Mimikatz Module sekurlsa",\n",
+ " "description": "Delpy, B. (2014, September 14). Mimikatz module ~ sekurlsa. Retrieved January 10, 2016.",\n",
+ " "url": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa"\n",
+ " },\n",
+ " {\n",
+ " "source_name": "Powersploit",\n",
+ " "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",\n",
+ " "url": "https://github.com/mattifestation/PowerSploit"\n",
" }\n",
" ],\n",
" "object_marking_refs": [\n",
@@ -405,7 +416,7 @@
""
]
},
- "execution_count": 6,
+ "execution_count": 9,
"metadata": {},
"output_type": "execute_result"
}
@@ -417,7 +428,7 @@
"fs_source = FileSystemSource(\"/tmp/stix2_source\")\n",
"\n",
"# retrieve STIX 2 objects\n",
- "ap = fs_source.get(\"attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6\")\n",
+ "ap = fs_source.get(\"attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22\")\n",
"\n",
"# for visual purposes\n",
"print(ap)"
@@ -425,7 +436,7 @@
},
{
"cell_type": "code",
- "execution_count": 7,
+ "execution_count": 10,
"metadata": {},
"outputs": [
{
@@ -499,14 +510,14 @@
".highlight .vg { color: #19177C } /* Name.Variable.Global */\n",
".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n",
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
- ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */malware--96b08451-b27a-4ff6-893f-790e26393a8e\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */malware--92ec0cbd-2c30-44a2-b270-73f4ec949841\n",
"malware--96b08451-b27a-4ff6-893f-790e26393a8e\n",
+ "
malware--92ec0cbd-2c30-44a2-b270-73f4ec949841\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n",
"malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n",
+ "
malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n",
+ "
malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n",
+ "
malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n",
+ "
malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n",
+ "
{\n",
" "type": "indicator",\n",
- " "id": "indicator--95a71cff-fad0-4ffb-a641-8a6eaa642290",\n",
- " "created": "2018-04-05T19:49:47.924Z",\n",
- " "modified": "2018-04-05T19:49:47.924Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--46498844-7689-4e7b-be25-b119d8401159",\n",
+ " "created": "2020-06-24T20:55:56.088861Z",\n",
+ " "modified": "2020-06-24T20:55:56.088861Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:47.924708Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:55:56.088861Z",\n",
" "object_marking_refs": [\n",
" "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
" ]\n",
@@ -164,7 +165,7 @@
""
]
},
- "execution_count": 7,
+ "execution_count": 3,
"metadata": {},
"output_type": "execute_result"
}
@@ -172,7 +173,7 @@
"source": [
"from stix2 import Indicator, TLP_AMBER\n",
"\n",
- "indicator = Indicator(labels=[\"malicious-activity\"],\n",
+ "indicator = Indicator(pattern_type=\"stix\",\n",
" pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" object_marking_refs=TLP_AMBER)\n",
"print(indicator)"
@@ -185,6 +186,343 @@
"If you’re creating your own marking (for example, a ``Statement`` marking), first create the statement marking:"
]
},
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/html": [
+ "{\n",
+ " "type": "marking-definition",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "marking-definition--9a4efc30-a7ac-42d0-8776-16f390a0fd44",\n",
+ " "created": "2020-06-24T20:56:06.779241Z",\n",
+ " "definition_type": "statement",\n",
+ " "definition": {\n",
+ " "statement": "Copyright 2017, Example Corp"\n",
+ " }\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--75d66696-9960-4229-ba89-2caac50891b3",\n",
+ " "created": "2020-06-24T20:56:29.80259Z",\n",
+ " "modified": "2020-06-24T20:56:29.80259Z",\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:56:29.80259Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--9a4efc30-a7ac-42d0-8776-16f390a0fd44"\n",
+ " ]\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--757ea853-138c-44e2-bb00-e78eebfaa378",\n",
+ " "created": "2020-06-24T20:56:43.703563Z",\n",
+ " "modified": "2020-06-24T20:56:43.703563Z",\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:56:43.703563Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
+ " ]\n",
+ "}\n",
+ "{\n",
- " "type": "marking-definition",\n",
- " "id": "marking-definition--13680b12-3d19-4b42-abe6-0d31effe5368",\n",
- " "created": "2018-04-05T19:49:53.98008Z",\n",
- " "definition_type": "statement",\n",
- " "definition": {\n",
- " "statement": "Copyright 2017, Example Corp"\n",
- " }\n",
+ " "type": "malware",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--1752bbec-765a-4711-a304-f0e92ca902ae",\n",
+ " "created": "2020-06-24T21:21:07.148194Z",\n",
+ " "modified": "2020-06-24T21:21:07.148194Z",\n",
+ " "name": "Poison Ivy",\n",
+ " "description": "A ransomware related to ...",\n",
+ " "is_family": false,\n",
+ " "granular_markings": [\n",
+ " {\n",
+ " "marking_ref": "marking-definition--9a4efc30-a7ac-42d0-8776-16f390a0fd44",\n",
+ " "selectors": [\n",
+ " "description"\n",
+ " ]\n",
+ " },\n",
+ " {\n",
+ " "marking_ref": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",\n",
+ " "selectors": [\n",
+ " "name"\n",
+ " ]\n",
+ " }\n",
+ " ]\n",
"}\n",
"{\n",
- " "type": "indicator",\n",
- " "id": "indicator--7caeab49-2472-41bb-a988-2f990aea99bd",\n",
- " "created": "2018-04-05T19:49:55.763Z",\n",
- " "modified": "2018-04-05T19:49:55.763Z",\n",
- " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:55.763364Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
- " "object_marking_refs": [\n",
- " "marking-definition--13680b12-3d19-4b42-abe6-0d31effe5368"\n",
- " ]\n",
- "}\n",
- "{\n",
" "type": "indicator",\n",
- " "id": "indicator--4eb21bbe-b8a9-4348-86cf-1ed52f9abdd7",\n",
- " "created": "2018-04-05T19:49:57.248Z",\n",
- " "modified": "2018-04-05T19:49:57.248Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--46498844-7689-4e7b-be25-b119d8401159",\n",
+ " "created": "2020-06-24T20:55:56.088861Z",\n",
+ " "modified": "2020-06-24T21:21:39.898475Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:57.248658Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:55:56.088861Z",\n",
" "object_marking_refs": [\n",
- " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",\n",
+ " "marking-definition--9a4efc30-a7ac-42d0-8776-16f390a0fd44"\n",
" ]\n",
"}\n",
"{\n",
- " "type": "malware",\n",
- " "id": "malware--ef1eddbb-b5a5-47e0-b607-75b9870d8d91",\n",
- " "created": "2018-04-05T19:49:59.103Z",\n",
- " "modified": "2018-04-05T19:49:59.103Z",\n",
- " "name": "Poison Ivy",\n",
- " "description": "A ransomware related to ...",\n",
- " "labels": [\n",
- " "remote-access-trojan"\n",
- " ],\n",
- " "granular_markings": [\n",
- " {\n",
- " "marking_ref": "marking-definition--13680b12-3d19-4b42-abe6-0d31effe5368",\n",
- " "selectors": [\n",
- " "description"\n",
- " ]\n",
- " },\n",
- " {\n",
- " "marking_ref": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",\n",
- " "selectors": [\n",
- " "name"\n",
- " ]\n",
- " }\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--46498844-7689-4e7b-be25-b119d8401159",\n",
+ " "created": "2020-06-24T20:55:56.088861Z",\n",
+ " "modified": "2020-06-24T21:21:43.529702Z",\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:55:56.088861Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
" ]\n",
"}\n",
"{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--46498844-7689-4e7b-be25-b119d8401159",\n",
+ " "created": "2020-06-24T20:55:56.088861Z",\n",
+ " "modified": "2020-06-24T21:21:47.703212Z",\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:55:56.088861Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--9a4efc30-a7ac-42d0-8776-16f390a0fd44",\n",
+ " "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"\n",
+ " ]\n",
+ "}\n",
+ "{\n",
" "type": "indicator",\n",
- " "id": "indicator--95a71cff-fad0-4ffb-a641-8a6eaa642290",\n",
- " "created": "2018-04-05T19:49:47.924Z",\n",
- " "modified": "2018-04-05T19:50:03.387Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--46498844-7689-4e7b-be25-b119d8401159",\n",
+ " "created": "2020-06-24T20:55:56.088861Z",\n",
+ " "modified": "2020-06-24T21:21:53.287178Z",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:47.924708Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
- " "object_marking_refs": [\n",
- " "marking-definition--13680b12-3d19-4b42-abe6-0d31effe5368",\n",
- " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T20:55:56.088861Z"\n",
"}\n",
"{\n",
- " "type": "indicator",\n",
- " "id": "indicator--95a71cff-fad0-4ffb-a641-8a6eaa642290",\n",
- " "created": "2018-04-05T19:49:47.924Z",\n",
- " "modified": "2018-04-05T19:50:05.109Z",\n",
- " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:47.924708Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
- " "object_marking_refs": [\n",
- " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
- " ]\n",
- "}\n",
- "{\n",
- " "type": "indicator",\n",
- " "id": "indicator--95a71cff-fad0-4ffb-a641-8a6eaa642290",\n",
- " "created": "2018-04-05T19:49:47.924Z",\n",
- " "modified": "2018-04-05T19:50:06.773Z",\n",
- " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:47.924708Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
- " "object_marking_refs": [\n",
- " "marking-definition--13680b12-3d19-4b42-abe6-0d31effe5368",\n",
- " "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"\n",
- " ]\n",
- "}\n",
- "{\n",
- " "type": "indicator",\n",
- " "id": "indicator--95a71cff-fad0-4ffb-a641-8a6eaa642290",\n",
- " "created": "2018-04-05T19:49:47.924Z",\n",
- " "modified": "2018-04-05T19:50:08.616Z",\n",
- " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T19:49:47.924708Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
- "}\n",
- "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--f4004de9-a6d9-4c7b-823e-3d8199173c09",\n",
+ " "created": "2020-06-24T21:35:08.630228Z",\n",
+ " "modified": "2020-06-24T21:35:08.630228Z",\n",
+ " "description": "Una descripcion sobre este indicador",\n",
+ " "indicator_types": [\n",
+ " "malware"\n",
+ " ],\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T21:35:08.630228Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
+ " ],\n",
+ " "granular_markings": [\n",
+ " {\n",
+ " "lang": "es",\n",
+ " "selectors": [\n",
+ " "description"\n",
+ " ]\n",
+ " },\n",
+ " {\n",
+ " "marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",\n",
+ " "selectors": [\n",
+ " "description"\n",
+ " ]\n",
+ " }\n",
+ " ]\n",
+ "}\n",
+ "['marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da', 'es']\n",
+ "
['marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da']\n",
+ "
{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--f4004de9-a6d9-4c7b-823e-3d8199173c09",\n",
+ " "created": "2020-06-24T21:35:08.630228Z",\n",
+ " "modified": "2020-06-24T21:35:14.54482Z",\n",
+ " "description": "Una descripcion sobre este indicador",\n",
+ " "indicator_types": [\n",
+ " "malware"\n",
+ " ],\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T21:35:08.630228Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
+ " ]\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--f4004de9-a6d9-4c7b-823e-3d8199173c09",\n",
+ " "created": "2020-06-24T21:35:08.630228Z",\n",
+ " "modified": "2020-06-24T21:35:39.298138Z",\n",
+ " "description": "Una descripcion sobre este indicador",\n",
+ " "indicator_types": [\n",
+ " "malware"\n",
+ " ],\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T21:35:08.630228Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
+ " ],\n",
+ " "granular_markings": [\n",
+ " {\n",
+ " "lang": "es",\n",
+ " "selectors": [\n",
+ " "description"\n",
+ " ]\n",
+ " }\n",
+ " ]\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--f4004de9-a6d9-4c7b-823e-3d8199173c09",\n",
+ " "created": "2020-06-24T21:35:08.630228Z",\n",
+ " "modified": "2020-06-24T21:35:42.684794Z",\n",
+ " "description": "Una descripcion sobre este indicador",\n",
+ " "indicator_types": [\n",
+ " "malware"\n",
+ " ],\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-24T21:35:08.630228Z",\n",
+ " "object_marking_refs": [\n",
+ " "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"\n",
+ " ],\n",
+ " "granular_markings": [\n",
+ " {\n",
+ " "marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",\n",
+ " "selectors": [\n",
+ " "description"\n",
+ " ]\n",
+ " }\n",
+ " ]\n",
+ "}\n",
+ "{\n",
" "type": "indicator",\n",
- " "id": "indicator--41a960c7-a6d4-406d-9156-0069cb3bd40d",\n",
- " "created": "2018-04-05T19:50:41.222Z",\n",
- " "modified": "2018-04-05T19:50:41.222Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--96120abd-f767-4292-b8b0-b739749e03b6",\n",
+ " "created": "2020-06-26T18:28:55.582226Z",\n",
+ " "modified": "2020-06-26T18:28:55.582226Z",\n",
" "description": "Crusades C2 implant",\n",
" "pattern": "[file:hashes.'SHA-256' = '54b7e05e39a59428743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']",\n",
- " "valid_from": "2018-04-05T19:50:41.222522Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T18:28:55.582226Z"\n",
"}\n",
"{\n",
" "type": "indicator",\n",
- " "id": "indicator--ba2a7acb-a3ac-420b-9288-09988aa99408",\n",
- " "created": "2018-04-05T19:50:43.343Z",\n",
- " "modified": "2018-04-05T19:50:43.343Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--dd5a0203-356d-415c-a118-fb6b0eae9de0",\n",
+ " "created": "2020-06-26T18:28:58.047811Z",\n",
+ " "modified": "2020-06-26T18:28:58.047811Z",\n",
" "description": "Crusades stage 2 implant variant",\n",
" "pattern": "[file:hashes.'SHA-256' = '31a45e777e4d58b97f4c43e38006f8cd6580ddabc4037905b2fad734712b582c']",\n",
- " "valid_from": "2018-04-05T19:50:43.343298Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T18:28:58.047811Z"\n",
"}\n",
"{\n",
" "type": "malware",\n",
- " "id": "malware--9e9b87ce-2b2b-455a-8d5b-26384ccc8d52",\n",
- " "created": "2018-04-05T19:50:43.346Z",\n",
- " "modified": "2018-04-05T19:50:43.346Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--6cee28b8-4d42-4e72-bd77-ea47897672c0",\n",
+ " "created": "2020-06-26T18:28:58.049244Z",\n",
+ " "modified": "2020-06-26T18:28:58.049244Z",\n",
" "name": "Alexios",\n",
- " "labels": [\n",
+ " "malware_types": [\n",
" "rootkit"\n",
- " ]\n",
+ " ],\n",
+ " "is_family": false\n",
"}\n",
"{\n",
" "type": "malware",\n",
- " "id": "malware--9e9b87ce-2b2b-455a-8d5b-26384ccc8d52",\n",
- " "created": "2018-04-05T19:50:43.346Z",\n",
- " "modified": "2018-04-05T19:50:43.346Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--6cee28b8-4d42-4e72-bd77-ea47897672c0",\n",
+ " "created": "2020-06-26T18:28:58.049244Z",\n",
+ " "modified": "2020-06-26T18:28:58.049244Z",\n",
" "name": "Alexios",\n",
- " "labels": [\n",
+ " "malware_types": [\n",
" "rootkit"\n",
- " ]\n",
+ " ],\n",
+ " "is_family": false\n",
"}\n",
"<class 'stix2.v20.sdo.ObservedData'>\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */<class 'stix2.v21.sdo.ObservedData'>\n",
"{\n",
" "type": "observed-data",\n",
+ " "spec_version": "2.1",\n",
" "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",\n",
" "created": "2016-04-06T19:58:16.000Z",\n",
" "modified": "2016-04-06T19:58:16.000Z",\n",
@@ -237,6 +239,8 @@
" "objects": {\n",
" "0": {\n",
" "type": "file",\n",
+ " "id": "file--5d0833b7-065e-571f-8bf2-657cb9569570",\n",
+ " "spec_version": "2.1",\n",
" "hashes": {\n",
" "SHA-256": "0969de02ecf8a5f003e3f6d063d848c8a193aada092623f8ce408c15bcb5f038"\n",
" }\n",
@@ -260,6 +264,7 @@
"input_string = \"\"\"{\n",
" \"type\": \"observed-data\",\n",
" \"id\": \"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\",\n",
+ " \"spec_version\": \"2.1\",\n",
" \"created\": \"2016-04-06T19:58:16.000Z\",\n",
" \"modified\": \"2016-04-06T19:58:16.000Z\",\n",
" \"first_observed\": \"2015-12-21T19:00:00Z\",\n",
@@ -363,7 +368,7 @@
".highlight .vg { color: #19177C } /* Name.Variable.Global */\n",
".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n",
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
- ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */<class 'stix2.v20.sdo.Identity'>\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */<class 'stix2.v21.sdo.Identity'>\n",
"{\n",
" "type": "identity",\n",
+ " "spec_version": "2.1",\n",
" "id": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",\n",
" "created": "2015-12-21T19:59:11.000Z",\n",
" "modified": "2015-12-21T19:59:11.000Z",\n",
@@ -468,6 +474,7 @@
"input_dict = {\n",
" \"type\": \"identity\",\n",
" \"id\": \"identity--311b2d2d-f010-4473-83ec-1edf84858f4c\",\n",
+ " \"spec_version\": \"2.1\",\n",
" \"created\": \"2015-12-21T19:59:11Z\",\n",
" \"modified\": \"2015-12-21T19:59:11Z\",\n",
" \"name\": \"Cole Powers\",\n",
@@ -488,7 +495,7 @@
},
{
"cell_type": "code",
- "execution_count": 5,
+ "execution_count": 7,
"metadata": {},
"outputs": [
{
@@ -562,14 +569,14 @@
".highlight .vg { color: #19177C } /* Name.Variable.Global */\n",
".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n",
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
- ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */<class 'stix2.v20.sdo.CourseOfAction'>\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */<class 'stix2.v21.sdo.CourseOfAction'>\n",
"{\n",
" "type": "course-of-action",\n",
+ " "spec_version": "2.1",\n",
" "id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",\n",
" "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",\n",
" "created": "2017-05-31T21:30:41.022Z",\n",
@@ -659,13 +667,13 @@
""
]
},
- "execution_count": 5,
+ "execution_count": 7,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
- "file_handle = open(\"/tmp/stix2_store/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd.json\")\n",
+ "file_handle = open(\"/tmp/stix2_store/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json\")\n",
"\n",
"obj = parse(file_handle)\n",
"print(type(obj))\n",
@@ -683,7 +691,14 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "Parsing custom STIX objects and/or STIX objects with custom properties is also completed easily with [parse()](../api/stix2.core.rst#stix2.core.parse). Just supply the keyword argument ``allow_custom=True``. When ``allow_custom`` is specified, [parse()](../api/stix2.core.rst#stix2.core.parse) will attempt to convert the supplied STIX content to known STIX 2 domain objects and/or previously defined [custom STIX 2 objects](custom.ipynb). If the conversion cannot be completed (and ``allow_custom`` is specified), [parse()](../api/stix2.core.rst#stix2.core.parse) will treat the supplied STIX 2 content as valid STIX 2 objects and return them. **Warning: Specifying allow_custom may lead to critical errors if further processing (searching, filtering, modifying etc...) of the custom content occurs where the custom content supplied is not valid STIX 2**. This is an axiomatic possibility as the ``stix2`` library cannot guarantee proper processing of unknown custom STIX 2 objects that were explicitly flagged to be allowed, and thus may not be valid.\n",
+ "Parsing custom STIX objects and/or STIX objects with custom properties is also completed easily with [parse()](../api/stix2.parsing.rst#stix2.parsing.parse). Just supply the keyword argument ``allow_custom=True``. When ``allow_custom`` is specified, [parse()](../api/stix2.parsing.rst#stix2.parsing.parse) will attempt to convert the supplied STIX content to known STIX 2 domain objects and/or previously defined [custom STIX 2 objects](custom.ipynb). If the conversion cannot be completed (and ``allow_custom`` is specified), [parse()](../api/stix2.parsing.rst#stix2.parsing.parse) will treat the supplied STIX 2 content as valid STIX 2 objects and return them. This is an axiomatic possibility as the ``stix2`` library cannot guarantee proper processing of unknown custom STIX 2 objects that were explicitly flagged to be allowed, and thus may not be valid.\n",
+ "\n",
+ "\n",
+ "**Warning**\n",
+ "\n",
+ "Specifying allow_custom may lead to critical errors if further processing (searching, filtering, modifying etc...) of the custom content occurs where the custom content supplied is not valid STIX 2\n",
+ "\n",
+ "
\n",
"\n",
"For examples of parsing STIX 2 objects with custom STIX properties, see [Custom STIX Content: Custom Properties](custom.ipynb#Custom-Properties)\n",
"\n",
@@ -731,7 +746,7 @@
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
- "version": "3.6.3"
+ "version": "3.9.0a6"
}
},
"nbformat": 4,
diff --git a/docs/guide/patterns.ipynb b/docs/guide/patterns.ipynb
index ee06675..4dc0175 100644
--- a/docs/guide/patterns.ipynb
+++ b/docs/guide/patterns.ipynb
@@ -1,5 +1,58 @@
{
"cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {
+ "nbsphinx": "hidden"
+ },
+ "outputs": [],
+ "source": [
+ "# Delete this cell to re-enable tracebacks\n",
+ "import sys\n",
+ "ipython = get_ipython()\n",
+ "\n",
+ "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
+ " exception_only=False, running_compiled_code=False):\n",
+ " etype, value, tb = sys.exc_info()\n",
+ " value.__cause__ = None # suppress chained exceptions\n",
+ " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
+ "\n",
+ "ipython.showtraceback = hide_traceback"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {
+ "nbsphinx": "hidden"
+ },
+ "outputs": [],
+ "source": [
+ "# JSON output syntax highlighting\n",
+ "from __future__ import print_function\n",
+ "from pygments import highlight\n",
+ "from pygments.lexers import JsonLexer, TextLexer\n",
+ "from pygments.formatters import HtmlFormatter\n",
+ "from IPython.display import display, HTML\n",
+ "from IPython.core.interactiveshell import InteractiveShell\n",
+ "\n",
+ "InteractiveShell.ast_node_interactivity = \"all\"\n",
+ "\n",
+ "def json_print(inpt):\n",
+ " string = str(inpt)\n",
+ " formatter = HtmlFormatter()\n",
+ " if string[0] == '{':\n",
+ " lexer = JsonLexer()\n",
+ " else:\n",
+ " lexer = TextLexer()\n",
+ " return HTML('{}'.format(\n",
+ " formatter.get_style_defs('.highlight'),\n",
+ " highlight(string, lexer, formatter)))\n",
+ "\n",
+ "globals()['print'] = json_print"
+ ]
+ },
{
"cell_type": "markdown",
"metadata": {},
@@ -80,18 +133,172 @@
},
{
"cell_type": "code",
- "execution_count": 7,
+ "execution_count": 4,
"metadata": {},
"outputs": [
{
- "name": "stdout",
- "output_type": "stream",
- "text": [
- "\t[domain-name:value = 'site.of.interest.zaz']\n",
- "\n",
- "\t[file:parent_directory_ref.path = 'C:\\\\Windows\\\\System32']\n",
- "\n"
- ]
+ "data": {
+ "text/html": [
+ "\t[domain-name:value = 'site.of.interest.zaz']\n",
+ "
\t[file:parent_directory_ref.path = 'C:\\\\Windows\\\\System32']\n",
+ "
\t[file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.0]\n",
+ "
\t[network-traffic:dst_ref.value ISSUBSET '2001:0db8:dead:beef:0000:0000:0000:0000/64']\n",
+ "
(AND)\n",
+ "[email-message:sender_ref.value = 'stark@example.com' AND email-message:subject = 'Conference Info']\n",
+ "
(OR)\n",
+ "[url:value = 'http://example.com/foo' OR url:value = 'http://example.com/bar']\n",
+ "
(OR,AND)\n",
+ "[(file:name = 'pdf.exe' OR file:size = 371712) AND file:created = 2014-01-13 07:03:17+00:00]\n",
+ "
(AND,OR,OR)\n",
+ "([file:name = 'foo.dll'] AND [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\foo\\\\bar']) OR [process:name = 'fooproc' OR process:name = 'procfoo']\n",
+ "
(FollowedBy)\n",
+ "[file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\foo\\\\bar']\n",
+ "
(WITHIN)\n",
+ "([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\foo\\\\bar']) WITHIN 300 SECONDS\n",
+ "
(REPEAT, WITHIN)\n",
+ "[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'example.com'] REPEATS 5 TIMES WITHIN 180 SECONDS\n",
+ "
(START-STOP)\n",
+ "[file:name = 'foo.dll'] START t'2016-06-01T00:00:00Z' STOP t'2016-07-01T00:00:00Z'\n",
+ "
{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--30dbe788-c10c-4905-b2f0-8f738c847f4b",\n",
+ " "created": "2020-06-26T18:45:26.0832Z",\n",
+ " "modified": "2020-06-26T18:45:26.0832Z",\n",
+ " "name": "Cryptotorch",\n",
+ " "pattern": "[file:name = '$$t00rzch$$.elf']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T18:45:26.0832Z"\n",
+ "}\n",
+ "{\n",
" "type": "indicator",\n",
- " "id": "indicator--4336ace8-d985-413a-8e32-f749ba268dc3",\n",
- " "created": "2018-04-05T20:01:20.012Z",\n",
- " "modified": "2018-04-05T20:01:20.012Z",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--5e515461-93ad-41a8-a540-4f9d1a098939",\n",
+ " "created": "2020-06-26T18:47:20.215931Z",\n",
+ " "modified": "2020-06-26T18:47:20.215931Z",\n",
" "name": "File hash for malware variant",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2018-04-05T20:01:20.012209Z",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ]\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T18:47:20.215931Z"\n",
"}\n",
"{"name": "File hash for malware variant", "labels": ["malicious-activity"], "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']", "type": "indicator", "id": "indicator--4336ace8-d985-413a-8e32-f749ba268dc3", "created": "2018-04-05T20:01:20.012Z", "modified": "2018-04-05T20:01:20.012Z", "valid_from": "2018-04-05T20:01:20.012209Z"}\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{"name": "File hash for malware variant", "pattern_type": "stix", "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']", "pattern_version": "2.1", "type": "indicator", "spec_version": "2.1", "id": "indicator--5e515461-93ad-41a8-a540-4f9d1a098939", "created": "2020-06-26T18:47:20.215931Z", "modified": "2020-06-26T18:47:20.215931Z", "valid_from": "2020-06-26T18:47:20.215931Z"}\n",
"{\n",
" "name": "File hash for malware variant",\n",
- " "labels": [\n",
- " "malicious-activity"\n",
- " ],\n",
+ " "pattern_type": "stix",\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_version": "2.1",\n",
" "type": "indicator",\n",
- " "id": "indicator--4336ace8-d985-413a-8e32-f749ba268dc3",\n",
- " "created": "2018-04-05T20:01:20.012Z",\n",
- " "modified": "2018-04-05T20:01:20.012Z",\n",
- " "valid_from": "2018-04-05T20:01:20.012209Z"\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--5e515461-93ad-41a8-a540-4f9d1a098939",\n",
+ " "created": "2020-06-26T18:47:20.215931Z",\n",
+ " "modified": "2020-06-26T18:47:20.215931Z",\n",
+ " "valid_from": "2020-06-26T18:47:20.215931Z"\n",
"}\n",
"{\n",
+ " "type": "malware",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--c0931cc6-c75e-47e5-9036-78fabc95d4ec",\n",
+ " "created": "2017-01-27T13:49:53.997Z",\n",
+ " "modified": "2017-01-27T13:49:53.997Z",\n",
+ " "name": "Poison Ivy",\n",
+ " "description": "Poison Ivy",\n",
+ " "malware_types": [\n",
+ " "remote-access-trojan"\n",
+ " ],\n",
+ " "is_family": true\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6770298f-0fd8-471a-ab8c-1c658a46574e",\n",
+ " "created": "2016-11-03T12:30:59.000Z",\n",
+ " "modified": "2016-11-03T12:30:59.000Z",\n",
+ " "name": "Malicious site hosting downloader",\n",
+ " "description": "Accessing this url will infect your machine with malware.",\n",
+ " "indicator_types": [\n",
+ " "url-watchlist"\n",
+ " ],\n",
+ " "pattern": "[url:value = 'http://z4z10farb.cn/4712']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2017-01-27T13:49:53.935382Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6770298f-0fd8-471a-ab8c-1c658a46574e",\n",
+ " "created": "2016-11-03T12:30:59.000Z",\n",
+ " "modified": "2016-12-25T12:30:59.444Z",\n",
+ " "name": "Malicious site hosting downloader",\n",
+ " "description": "Accessing this url will infect your machine with malware. Updated indicator",\n",
+ " "indicator_types": [\n",
+ " "url-watchlist"\n",
+ " ],\n",
+ " "pattern": "[url:value = 'http://x4z9arb.cn/4712']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2017-01-27T13:49:53.935382Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6770298f-0fd8-471a-ab8c-1c658a46574e",\n",
+ " "created": "2016-11-03T12:30:59.000Z",\n",
+ " "modified": "2017-01-27T13:49:53.935Z",\n",
+ " "name": "Malicious site hosting downloader",\n",
+ " "description": "Accessing this url will infect your machine with malware. This is the last updated indicator",\n",
+ " "indicator_types": [\n",
+ " "url-watchlist"\n",
+ " ],\n",
+ " "pattern": "[url:value = 'http://x4z9arb.cn/4712']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2016-11-03T12:30:59Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--cd981c25-8042-4166-8945-51178443bdac",\n",
+ " "created": "2014-05-08T09:00:00.000Z",\n",
+ " "modified": "2014-05-08T09:00:00.000Z",\n",
+ " "name": "File hash for Poison Ivy variant",\n",
+ " "indicator_types": [\n",
+ " "file-hash-watchlist"\n",
+ " ],\n",
+ " "pattern": "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2014-05-08T09:00:00Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6770298f-0fd8-471a-ab8c-1c658a46574e",\n",
+ " "created": "2016-11-03T12:30:59.000Z",\n",
+ " "modified": "2017-01-27T13:49:53.935Z",\n",
+ " "name": "Malicious site hosting downloader",\n",
+ " "description": "Accessing this url will infect your machine with malware. This is the last updated indicator",\n",
+ " "indicator_types": [\n",
+ " "url-watchlist"\n",
+ " ],\n",
+ " "pattern": "[url:value = 'http://x4z9arb.cn/4712']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2016-11-03T12:30:59Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--d8f573d9-5796-4d3f-98fd-d3b953738520",\n",
+ " "created": "2020-06-26T19:04:05.608201Z",\n",
+ " "modified": "2020-06-26T19:04:05.608201Z",\n",
+ " "description": "Smokey Bear implant",\n",
+ " "pattern": "[file:hashes.'SHA-256' = '09c7e05a39a59428743635242e4a867c932140a909f12a1e54fa7ee6a440c73b']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T19:04:05.608201Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--acd03fef-b8df-4c45-bd89-1ede90c39959",\n",
+ " "created": "2020-06-26T19:04:09.476525Z",\n",
+ " "modified": "2020-06-26T19:04:09.476525Z",\n",
+ " "description": "Smokey Bear implant",\n",
+ " "pattern": "[file:hashes.'SHA-256' = '09c7e05a39a59428743635242e4a867c932140a909f12a1e54fa7ee6a440c73b']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T19:04:09.476525Z"\n",
+ "}\n",
+ "{\n",
+ " "type": "malware",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--c0931cc6-c75e-47e5-9036-78fabc95d4ec",\n",
+ " "created": "2017-01-27T13:49:53.997Z",\n",
+ " "modified": "2017-01-27T13:49:53.997Z",\n",
+ " "name": "Poison Ivy",\n",
+ " "description": "Poison Ivy",\n",
+ " "malware_types": [\n",
+ " "remote-access-trojan"\n",
+ " ],\n",
+ " "is_family": true\n",
+ "}\n",
+ "\n",
+ "\n",
+ "**Warning**\n",
+ "\n",
+ "The implicit import method can cause the code to break between major releases to support a newer approved committee specification. Therefore, not recommended for large scale applications relying on specific object support.\n",
+ "\n",
+ "
"
]
},
{
@@ -143,7 +150,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "or even,"
+ "or even, (less preferred)"
]
},
{
@@ -230,14 +237,14 @@
"metadata": {},
"source": [
"### How parsing works\n",
- "If the ``version`` positional argument is not provided. The library will make the best attempt using the \"spec_version\" property found on a Bundle, SDOs, and SROs.\n",
+ "If the ``version`` positional argument is not provided the library will make the best attempt using the \"spec_version\" property found on a Bundle, SDOs, SCOs, or SROs.\n",
"\n",
- "You can lock your [parse()](../api/stix2.core.rst#stix2.core.parse) method to a specific STIX version by:"
+ "You can lock your [parse()](../api/stix2.parsing.rst#stix2.parsing.parse) method to a specific STIX version by:"
]
},
{
"cell_type": "code",
- "execution_count": 2,
+ "execution_count": 3,
"metadata": {},
"outputs": [
{
@@ -329,7 +336,7 @@
""
]
},
- "execution_count": 2,
+ "execution_count": 3,
"metadata": {},
"output_type": "execute_result"
}
@@ -356,7 +363,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "Keep in mind that if a 2.1 or higher object is parsed, the operation will fail."
+ "In the example above if a 2.1 or higher object is parsed, the operation will fail."
]
},
{
@@ -365,31 +372,29 @@
"source": [
"### How custom content works\n",
"\n",
- "[CustomObject](../api/v20/stix2.v20.sdo.rst#stix2.v20.sdo.CustomObject), [CustomObservable](../api/v20/stix2.v20.observables.rst#stix2.v20.observables.CustomObservable), [CustomMarking](../api/v20/stix2.v20.common.rst#stix2.v20.common.CustomMarking) and [CustomExtension](../api/v20/stix2.v20.observables.rst#stix2.v20.observables.CustomExtension) must be registered explicitly by STIX version. This is a design decision since properties or requirements may change as the STIX Technical Specification advances.\n",
+ "[CustomObject](../api/v21/stix2.v21.sdo.rst#stix2.v21.sdo.CustomObject), [CustomObservable](../api/v21/stix2.v21.observables.rst#stix2.v21.observables.CustomObservable), [CustomMarking](../api/v21/stix2.v21.common.rst#stix2.v21.common.CustomMarking) and [CustomExtension](../api/v21/stix2.v21.observables.rst#stix2.v21.observables.CustomExtension) must be registered explicitly by STIX version. This is a design decision since properties or requirements may change as the STIX Technical Specification advances.\n",
"\n",
"You can perform this by:"
]
},
{
"cell_type": "code",
- "execution_count": null,
- "metadata": {
- "collapsed": true
- },
+ "execution_count": 4,
+ "metadata": {},
"outputs": [],
"source": [
"import stix2\n",
"\n",
"# Make my custom observable available in STIX 2.0\n",
"@stix2.v20.CustomObservable('x-new-object-type',\n",
- " ((\"prop\", stix2.properties.BooleanProperty())))\n",
+ " [(\"prop\", stix2.properties.BooleanProperty())])\n",
"class NewObject2(object):\n",
" pass\n",
"\n",
"\n",
"# Make my custom observable available in STIX 2.1\n",
"@stix2.v21.CustomObservable('x-new-object-type',\n",
- " ((\"prop\", stix2.properties.BooleanProperty())))\n",
+ " [(\"prop\", stix2.properties.BooleanProperty())])\n",
"class NewObject2(object):\n",
" pass"
]
@@ -411,7 +416,7 @@
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
- "version": "3.6.3"
+ "version": "3.9.0a6"
}
},
"nbformat": 4,
diff --git a/docs/guide/versioning.ipynb b/docs/guide/versioning.ipynb
index eb0708a..45686bf 100644
--- a/docs/guide/versioning.ipynb
+++ b/docs/guide/versioning.ipynb
@@ -15,6 +15,7 @@
"def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
" exception_only=False, running_compiled_code=False):\n",
" etype, value, tb = sys.exc_info()\n",
+ " value.__cause__ = None # suppress chained exceptions\n",
" return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
"\n",
"ipython.showtraceback = hide_traceback"
@@ -63,12 +64,12 @@
"cell_type": "markdown",
"metadata": {},
"source": [
- "To create a new version of an existing object, specify the property(ies) you want to change and their new values. For example, here we change the label from \"anomalous-activity\" to \"malicious-activity\":"
+ "To create a new version of an existing object, specify the property(ies) you want to change and their new values. For example, here we change the indicator type from \"anomalous-activity\" to \"malicious-activity\":"
]
},
{
"cell_type": "code",
- "execution_count": 3,
+ "execution_count": 4,
"metadata": {},
"outputs": [
{
@@ -144,13 +145,19 @@
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */{\n",
" "type": "indicator",\n",
- " "id": "indicator--8ad18fc7-457c-475d-b292-1ec44febe0fd",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",\n",
" "created": "2016-01-01T08:00:00.000Z",\n",
- " "modified": "2019-07-25T17:59:34.815Z",\n",
+ " "modified": "2020-06-26T19:27:20.792845Z",\n",
" "name": "File hash for Foobar malware",\n",
" "description": "A file indicator",\n",
+ " "indicator_types": [\n",
+ " "anomalous-activity"\n",
+ " ],\n",
" "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2019-07-25T17:59:34.779826Z",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T19:27:20.759788Z",\n",
" "labels": [\n",
" "malicious-activity"\n",
" ]\n",
@@ -161,7 +168,7 @@
""
]
},
- "execution_count": 3,
+ "execution_count": 4,
"metadata": {},
"output_type": "execute_result"
}
@@ -172,7 +179,8 @@
"indicator = Indicator(created=\"2016-01-01T08:00:00.000Z\",\n",
" name=\"File hash for suspicious file\",\n",
" description=\"A file indicator\",\n",
- " labels=[\"anomalous-activity\"],\n",
+ " indicator_types=[\"anomalous-activity\"],\n",
+ " pattern_type=\"stix\",\n",
" pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
"\n",
"indicator2 = indicator.new_version(name=\"File hash for Foobar malware\",\n",
@@ -189,7 +197,7 @@
},
{
"cell_type": "code",
- "execution_count": 4,
+ "execution_count": 5,
"metadata": {
"scrolled": true
},
@@ -214,119 +222,6 @@
"You can remove optional or custom properties by setting them to `None` when you call `new_version()`."
]
},
- {
- "cell_type": "code",
- "execution_count": 5,
- "metadata": {},
- "outputs": [
- {
- "data": {
- "text/html": [
- "{\n",
- " "type": "indicator",\n",
- " "id": "indicator--8ad18fc7-457c-475d-b292-1ec44febe0fd",\n",
- " "created": "2016-01-01T08:00:00.000Z",\n",
- " "modified": "2019-07-25T17:59:42.648Z",\n",
- " "name": "File hash for suspicious file",\n",
- " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2019-07-25T17:59:34.779826Z",\n",
- " "labels": [\n",
- " "anomalous-activity"\n",
- " ]\n",
- "}\n",
- "{\n",
" "type": "indicator",\n",
- " "id": "indicator--8ad18fc7-457c-475d-b292-1ec44febe0fd",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",\n",
" "created": "2016-01-01T08:00:00.000Z",\n",
- " "modified": "2019-07-25T17:59:52.198Z",\n",
+ " "modified": "2020-06-26T19:29:37.055139Z",\n",
" "name": "File hash for suspicious file",\n",
- " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
- " "valid_from": "2019-07-25T17:59:34.779826Z",\n",
- " "revoked": true,\n",
- " "labels": [\n",
+ " "indicator_types": [\n",
" "anomalous-activity"\n",
- " ]\n",
+ " ],\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T19:27:20.759788Z"\n",
"}\n",
"{\n",
+ " "type": "indicator",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",\n",
+ " "created": "2016-01-01T08:00:00.000Z",\n",
+ " "modified": "2020-06-26T19:29:38.943037Z",\n",
+ " "name": "File hash for suspicious file",\n",
+ " "indicator_types": [\n",
+ " "anomalous-activity"\n",
+ " ],\n",
+ " "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2020-06-26T19:27:20.759788Z",\n",
+ " "revoked": true\n",
+ "}\n",
+ "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */indicator--cd981c25-8042-4166-8945-51178443bdac\n",
"malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111\n",
+ ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */malware--c0931cc6-c75e-47e5-9036-78fabc95d4ec\n",
"{\n",
" "type": "malware",\n",
- " "id": "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "malware--c0931cc6-c75e-47e5-9036-78fabc95d4ec",\n",
" "created": "2017-01-27T13:49:53.997Z",\n",
" "modified": "2017-01-27T13:49:53.997Z",\n",
" "name": "Poison Ivy",\n",
" "description": "Poison Ivy",\n",
- " "labels": [\n",
+ " "malware_types": [\n",
" "remote-access-trojan"\n",
- " ]\n",
+ " ],\n",
+ " "is_family": true\n",
"}\n",
"{\n",
" "type": "indicator",\n",
- " "id": "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",\n",
+ " "spec_version": "2.1",\n",
+ " "id": "indicator--cd981c25-8042-4166-8945-51178443bdac",\n",
" "created": "2014-05-08T09:00:00.000Z",\n",
" "modified": "2014-05-08T09:00:00.000Z",\n",
" "name": "File hash for Poison Ivy variant",\n",
- " "pattern": "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",\n",
- " "valid_from": "2014-05-08T09:00:00Z",\n",
- " "labels": [\n",
+ " "indicator_types": [\n",
" "file-hash-watchlist"\n",
- " ]\n",
+ " ],\n",
+ " "pattern": "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",\n",
+ " "pattern_type": "stix",\n",
+ " "pattern_version": "2.1",\n",
+ " "valid_from": "2014-05-08T09:00:00Z"\n",
"}\n",
"\n",
"\n",
- "**Warning:**\n",
+ "**Warning**\n",
"\n",
"The workbench layer replaces STIX Object classes with special versions of them that use \"wrappers\" to provide extra functionality. Because of this, we recommend that you **either use the workbench layer or the rest of the library, but not both**. In other words, don't import from both ``stix2.workbench`` and any other submodules of ``stix2``.\n",
"\n",
@@ -793,7 +799,7 @@
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
- "version": "3.6.3"
+ "version": "3.9.0a6"
}
},
"nbformat": 4,
diff --git a/stix2/__init__.py b/stix2/__init__.py
index 26eed6f..d0051ee 100644
--- a/stix2/__init__.py
+++ b/stix2/__init__.py
@@ -4,23 +4,25 @@
:toctree: api
confidence
- core
datastore
environment
exceptions
markings
+ parsing
+ pattern_visitor
patterns
properties
utils
v20
v21
+ versioning
workbench
"""
# flake8: noqa
-DEFAULT_VERSION = '2.0' # Default version will always be the latest STIX 2.X version
+DEFAULT_VERSION = '2.1' # Default version will always be the latest STIX 2.X version
from .confidence import scales
from .datastore import CompositeDataSource
@@ -53,7 +55,7 @@ from .patterns import (
RepeatQualifier, StartStopQualifier, StringConstant, TimestampConstant,
WithinQualifier,
)
-from .v20 import * # This import will always be the latest STIX 2.X version
+from .v21 import * # This import will always be the latest STIX 2.X version
from .version import __version__
from .versioning import new_version, revoke
diff --git a/stix2/datastore/taxii.py b/stix2/datastore/taxii.py
index b5c0827..063fabd 100644
--- a/stix2/datastore/taxii.py
+++ b/stix2/datastore/taxii.py
@@ -287,7 +287,7 @@ class TAXIICollectionSource(DataSource):
# query TAXII collection
try:
- all_data = self.collection.get_objects(**taxii_filters_dict)['objects']
+ all_data = self.collection.get_objects(**taxii_filters_dict).get('objects', [])
# deduplicate data (before filtering as reduces wasted filtering)
all_data = deduplicate(all_data)
diff --git a/stix2/environment.py b/stix2/environment.py
index 6e3c76a..4ba912c 100644
--- a/stix2/environment.py
+++ b/stix2/environment.py
@@ -200,6 +200,8 @@ class Environment(DataStoreMixin):
Args:
obj1: A stix2 object instance
obj2: A stix2 object instance
+ prop_scores: A dictionary that can hold individual property scores,
+ weights, contributing score, matching score and sum of weights.
weight_dict: A dictionary that can be used to override settings
in the semantic equivalence process
diff --git a/stix2/parsing.py b/stix2/parsing.py
index baa3b7b..c0c7bf8 100644
--- a/stix2/parsing.py
+++ b/stix2/parsing.py
@@ -1,4 +1,4 @@
-"""STIX2 Core Objects and Methods."""
+"""STIX2 Core parsing methods."""
import copy
import importlib
diff --git a/stix2/pattern_visitor.py b/stix2/pattern_visitor.py
index 4ec2b20..5b8300f 100644
--- a/stix2/pattern_visitor.py
+++ b/stix2/pattern_visitor.py
@@ -1,3 +1,5 @@
+"""STIX2 classes and methods to generate AST from patterns"""
+
import importlib
import inspect
diff --git a/stix2/patterns.py b/stix2/patterns.py
index 5d7c0a2..edcf017 100644
--- a/stix2/patterns.py
+++ b/stix2/patterns.py
@@ -1,4 +1,4 @@
-"""Classes to aid in working with the STIX 2 patterning language."""
+"""Classes to aid in working with the STIX2 patterning language."""
import base64
import binascii
diff --git a/stix2/properties.py b/stix2/properties.py
index 8bb0636..1ca2dbe 100644
--- a/stix2/properties.py
+++ b/stix2/properties.py
@@ -14,7 +14,7 @@ import stix2
from .base import _STIXBase
from .exceptions import (
CustomContentError, DictionaryKeyError, MissingPropertiesError,
- MutuallyExclusivePropertiesError,
+ MutuallyExclusivePropertiesError, STIXError,
)
from .parsing import STIX2_OBJ_MAPS, parse, parse_observable
from .utils import _get_dict, get_class_hierarchy_names, parse_into_datetime
@@ -168,6 +168,13 @@ class Property(object):
def __init__(self, required=False, fixed=None, default=None):
self.required = required
+
+ if required and default:
+ raise STIXError(
+ "Cant't use 'required' and 'default' together. 'required'"
+ "really means 'the user must provide this.'",
+ )
+
if fixed:
self._fixed_value = fixed
self.clean = self._default_clean
diff --git a/stix2/test/test_properties.py b/stix2/test/test_properties.py
new file mode 100644
index 0000000..dab713e
--- /dev/null
+++ b/stix2/test/test_properties.py
@@ -0,0 +1,346 @@
+import datetime as dt
+
+import pytest
+import pytz
+
+import stix2
+from stix2.exceptions import ExtraPropertiesError, STIXError
+from stix2.properties import (
+ BinaryProperty, BooleanProperty, EmbeddedObjectProperty, EnumProperty,
+ FloatProperty, HexProperty, IntegerProperty, ListProperty, Property,
+ StringProperty, TimestampProperty, TypeProperty,
+)
+
+
+def test_property():
+ p = Property()
+
+ assert p.required is False
+ assert p.clean('foo') == 'foo'
+ assert p.clean(3) == 3
+
+
+def test_basic_clean():
+ class Prop(Property):
+
+ def clean(self, value):
+ if value == 42:
+ return value
+ else:
+ raise ValueError("Must be 42")
+
+ p = Prop()
+
+ assert p.clean(42) == 42
+ with pytest.raises(ValueError):
+ p.clean(41)
+
+
+def test_property_default():
+ class Prop(Property):
+
+ def default(self):
+ return 77
+
+ p = Prop()
+
+ assert p.default() == 77
+
+
+def test_property_fixed():
+ p = Property(fixed="2.0")
+
+ assert p.clean("2.0")
+ with pytest.raises(ValueError):
+ assert p.clean("x") is False
+ with pytest.raises(ValueError):
+ assert p.clean(2.0) is False
+
+ assert p.default() == "2.0"
+ assert p.clean(p.default())
+
+
+def test_property_fixed_and_required():
+ with pytest.raises(STIXError):
+ Property(default=lambda: 3, required=True)
+
+
+def test_list_property():
+ p = ListProperty(StringProperty)
+
+ assert p.clean(['abc', 'xyz'])
+ with pytest.raises(ValueError):
+ p.clean([])
+
+
+def test_list_property_property_type_custom():
+ class TestObj(stix2.base._STIXBase):
+ _type = "test"
+ _properties = {
+ "foo": StringProperty(),
+ }
+ p = ListProperty(EmbeddedObjectProperty(type=TestObj))
+
+ objs_custom = [
+ TestObj(foo="abc", bar=123, allow_custom=True),
+ TestObj(foo="xyz"),
+ ]
+
+ assert p.clean(objs_custom)
+
+ dicts_custom = [
+ {"foo": "abc", "bar": 123},
+ {"foo": "xyz"},
+ ]
+
+ # no opportunity to set allow_custom=True when using dicts
+ with pytest.raises(ExtraPropertiesError):
+ p.clean(dicts_custom)
+
+
+def test_list_property_object_type():
+ class TestObj(stix2.base._STIXBase):
+ _type = "test"
+ _properties = {
+ "foo": StringProperty(),
+ }
+ p = ListProperty(TestObj)
+
+ objs = [TestObj(foo="abc"), TestObj(foo="xyz")]
+ assert p.clean(objs)
+
+ dicts = [{"foo": "abc"}, {"foo": "xyz"}]
+ assert p.clean(dicts)
+
+
+def test_list_property_object_type_custom():
+ class TestObj(stix2.base._STIXBase):
+ _type = "test"
+ _properties = {
+ "foo": StringProperty(),
+ }
+ p = ListProperty(TestObj)
+
+ objs_custom = [
+ TestObj(foo="abc", bar=123, allow_custom=True),
+ TestObj(foo="xyz"),
+ ]
+
+ assert p.clean(objs_custom)
+
+ dicts_custom = [
+ {"foo": "abc", "bar": 123},
+ {"foo": "xyz"},
+ ]
+
+ # no opportunity to set allow_custom=True when using dicts
+ with pytest.raises(ExtraPropertiesError):
+ p.clean(dicts_custom)
+
+
+def test_list_property_bad_element_type():
+ with pytest.raises(TypeError):
+ ListProperty(1)
+
+
+def test_list_property_bad_value_type():
+ class TestObj(stix2.base._STIXBase):
+ _type = "test"
+ _properties = {
+ "foo": StringProperty(),
+ }
+
+ list_prop = ListProperty(TestObj)
+ with pytest.raises(ValueError):
+ list_prop.clean([1])
+
+
+def test_string_property():
+ prop = StringProperty()
+
+ assert prop.clean('foobar')
+ assert prop.clean(1)
+ assert prop.clean([1, 2, 3])
+
+
+def test_type_property():
+ prop = TypeProperty('my-type')
+
+ assert prop.clean('my-type')
+ with pytest.raises(ValueError):
+ prop.clean('not-my-type')
+ assert prop.clean(prop.default())
+
+
+@pytest.mark.parametrize(
+ "value", [
+ 2,
+ -1,
+ 3.14,
+ False,
+ ],
+)
+def test_integer_property_valid(value):
+ int_prop = IntegerProperty()
+ assert int_prop.clean(value) is not None
+
+
+@pytest.mark.parametrize(
+ "value", [
+ -1,
+ -100,
+ -50 * 6,
+ ],
+)
+def test_integer_property_invalid_min_with_constraints(value):
+ int_prop = IntegerProperty(min=0, max=180)
+ with pytest.raises(ValueError) as excinfo:
+ int_prop.clean(value)
+ assert "minimum value is" in str(excinfo.value)
+
+
+@pytest.mark.parametrize(
+ "value", [
+ 181,
+ 200,
+ 50 * 6,
+ ],
+)
+def test_integer_property_invalid_max_with_constraints(value):
+ int_prop = IntegerProperty(min=0, max=180)
+ with pytest.raises(ValueError) as excinfo:
+ int_prop.clean(value)
+ assert "maximum value is" in str(excinfo.value)
+
+
+@pytest.mark.parametrize(
+ "value", [
+ "something",
+ StringProperty(),
+ ],
+)
+def test_integer_property_invalid(value):
+ int_prop = IntegerProperty()
+ with pytest.raises(ValueError):
+ int_prop.clean(value)
+
+
+@pytest.mark.parametrize(
+ "value", [
+ 2,
+ -1,
+ 3.14,
+ False,
+ ],
+)
+def test_float_property_valid(value):
+ int_prop = FloatProperty()
+ assert int_prop.clean(value) is not None
+
+
+@pytest.mark.parametrize(
+ "value", [
+ "something",
+ StringProperty(),
+ ],
+)
+def test_float_property_invalid(value):
+ int_prop = FloatProperty()
+ with pytest.raises(ValueError):
+ int_prop.clean(value)
+
+
+@pytest.mark.parametrize(
+ "value", [
+ True,
+ False,
+ 'True',
+ 'False',
+ 'true',
+ 'false',
+ 'TRUE',
+ 'FALSE',
+ 'T',
+ 'F',
+ 't',
+ 'f',
+ 1,
+ 0,
+ ],
+)
+def test_boolean_property_valid(value):
+ bool_prop = BooleanProperty()
+
+ assert bool_prop.clean(value) is not None
+
+
+@pytest.mark.parametrize(
+ "value", [
+ 'abc',
+ ['false'],
+ {'true': 'true'},
+ 2,
+ -1,
+ ],
+)
+def test_boolean_property_invalid(value):
+ bool_prop = BooleanProperty()
+ with pytest.raises(ValueError):
+ bool_prop.clean(value)
+
+
+@pytest.mark.parametrize(
+ "value", [
+ '2017-01-01T12:34:56Z',
+ ],
+)
+def test_timestamp_property_valid(value):
+ ts_prop = TimestampProperty()
+ assert ts_prop.clean(value) == dt.datetime(2017, 1, 1, 12, 34, 56, tzinfo=pytz.utc)
+
+
+def test_timestamp_property_invalid():
+ ts_prop = TimestampProperty()
+ with pytest.raises(TypeError):
+ ts_prop.clean(1)
+ with pytest.raises(ValueError):
+ ts_prop.clean("someday sometime")
+
+
+def test_binary_property():
+ bin_prop = BinaryProperty()
+
+ assert bin_prop.clean("TG9yZW0gSXBzdW0=")
+ with pytest.raises(ValueError):
+ bin_prop.clean("foobar")
+
+
+def test_hex_property():
+ hex_prop = HexProperty()
+
+ assert hex_prop.clean("4c6f72656d20497073756d")
+ with pytest.raises(ValueError):
+ hex_prop.clean("foobar")
+
+
+@pytest.mark.parametrize(
+ "value", [
+ ['a', 'b', 'c'],
+ ('a', 'b', 'c'),
+ 'b',
+ ],
+)
+def test_enum_property_valid(value):
+ enum_prop = EnumProperty(value)
+ assert enum_prop.clean('b')
+
+
+def test_enum_property_clean():
+ enum_prop = EnumProperty(['1'])
+ assert enum_prop.clean(1) == '1'
+
+
+def test_enum_property_invalid():
+ enum_prop = EnumProperty(['a', 'b', 'c'])
+ with pytest.raises(ValueError):
+ enum_prop.clean('z')
diff --git a/stix2/test/test_workbench.py b/stix2/test/test_workbench.py
index d946547..433bf81 100644
--- a/stix2/test/test_workbench.py
+++ b/stix2/test/test_workbench.py
@@ -4,12 +4,14 @@ import os
import stix2
from stix2.workbench import (
_STIX_VID, AttackPattern, Bundle, Campaign, CourseOfAction,
- ExternalReference, File, FileSystemSource, Filter, Identity, Indicator,
- IntrusionSet, Malware, MarkingDefinition, NTFSExt, ObservedData,
+ ExternalReference, File, FileSystemSource, Filter, Grouping, Identity,
+ Indicator, Infrastructure, IntrusionSet, Location, Malware,
+ MalwareAnalysis, MarkingDefinition, Note, NTFSExt, ObservedData, Opinion,
Relationship, Report, StatementMarking, ThreatActor, Tool, Vulnerability,
add_data_source, all_versions, attack_patterns, campaigns,
- courses_of_action, create, get, identities, indicators, intrusion_sets,
- malware, observed_data, query, reports, save, set_default_created,
+ courses_of_action, create, get, groupings, identities, indicators,
+ infrastructures, intrusion_sets, locations, malware, malware_analyses,
+ notes, observed_data, opinions, query, reports, save, set_default_created,
set_default_creator, set_default_external_refs,
set_default_object_marking_refs, threat_actors, tools, vulnerabilities,
)
@@ -35,7 +37,7 @@ def test_workbench_environment():
save(ind)
resp = get(constants.INDICATOR_ID)
- assert resp['labels'][0] == 'malicious-activity'
+ assert resp['indicator_types'][0] == 'malicious-activity'
resp = all_versions(constants.INDICATOR_ID)
assert len(resp) == 1
@@ -77,6 +79,15 @@ def test_workbench_get_all_courses_of_action():
assert resp[0].id == constants.COURSE_OF_ACTION_ID
+def test_workbench_get_all_groupings():
+ grup = Grouping(id=constants.GROUPING_ID, **constants.GROUPING_KWARGS)
+ save(grup)
+
+ resp = groupings()
+ assert len(resp) == 1
+ assert resp[0].id == constants.GROUPING_ID
+
+
def test_workbench_get_all_identities():
idty = Identity(id=constants.IDENTITY_ID, **constants.IDENTITY_KWARGS)
save(idty)
@@ -92,6 +103,15 @@ def test_workbench_get_all_indicators():
assert resp[0].id == constants.INDICATOR_ID
+def test_workbench_get_all_infrastructures():
+ inf = Infrastructure(id=constants.INFRASTRUCTURE_ID, **constants.INFRASTRUCTURE_KWARGS)
+ save(inf)
+
+ resp = infrastructures()
+ assert len(resp) == 1
+ assert resp[0].id == constants.INFRASTRUCTURE_ID
+
+
def test_workbench_get_all_intrusion_sets():
ins = IntrusionSet(
id=constants.INTRUSION_SET_ID, **constants.INTRUSION_SET_KWARGS
@@ -103,6 +123,15 @@ def test_workbench_get_all_intrusion_sets():
assert resp[0].id == constants.INTRUSION_SET_ID
+def test_workbench_get_all_locations():
+ loc = Location(id=constants.LOCATION_ID, **constants.LOCATION_KWARGS)
+ save(loc)
+
+ resp = locations()
+ assert len(resp) == 1
+ assert resp[0].id == constants.LOCATION_ID
+
+
def test_workbench_get_all_malware():
mal = Malware(id=constants.MALWARE_ID, **constants.MALWARE_KWARGS)
save(mal)
@@ -112,6 +141,24 @@ def test_workbench_get_all_malware():
assert resp[0].id == constants.MALWARE_ID
+def test_workbench_get_all_malware_analyses():
+ mal = MalwareAnalysis(id=constants.MALWARE_ANALYSIS_ID, **constants.MALWARE_ANALYSIS_KWARGS)
+ save(mal)
+
+ resp = malware_analyses()
+ assert len(resp) == 1
+ assert resp[0].id == constants.MALWARE_ANALYSIS_ID
+
+
+def test_workbench_get_all_notes():
+ note = Note(id=constants.NOTE_ID, **constants.NOTE_KWARGS)
+ save(note)
+
+ resp = notes()
+ assert len(resp) == 1
+ assert resp[0].id == constants.NOTE_ID
+
+
def test_workbench_get_all_observed_data():
od = ObservedData(
id=constants.OBSERVED_DATA_ID, **constants.OBSERVED_DATA_KWARGS
@@ -123,6 +170,15 @@ def test_workbench_get_all_observed_data():
assert resp[0].id == constants.OBSERVED_DATA_ID
+def test_workbench_get_all_opinions():
+ op = Opinion(id=constants.OPINION_ID, **constants.OPINION_KWARGS)
+ save(op)
+
+ resp = opinions()
+ assert len(resp) == 1
+ assert resp[0].id == constants.OPINION_ID
+
+
def test_workbench_get_all_reports():
rep = Report(id=constants.REPORT_ID, **constants.REPORT_KWARGS)
save(rep)
@@ -210,6 +266,7 @@ def test_workbench_related():
def test_workbench_related_with_filters():
malware = Malware(
labels=["ransomware"], name="CryptorBit", created_by_ref=constants.IDENTITY_ID,
+ is_family=False,
)
rel = Relationship(malware.id, 'variant-of', constants.MALWARE_ID)
save([malware, rel])
diff --git a/stix2/test/v20/test_custom.py b/stix2/test/v20/test_custom.py
index 57f8aac..33be3e2 100644
--- a/stix2/test/v20/test_custom.py
+++ b/stix2/test/v20/test_custom.py
@@ -288,6 +288,18 @@ def test_custom_marking_no_init_2():
assert no2.property1 == 'something'
+def test_register_duplicate_marking():
+ with pytest.raises(DuplicateRegistrationError) as excinfo:
+ @stix2.v20.CustomMarking(
+ 'x-new-obj2', [
+ ('property1', stix2.properties.StringProperty(required=True)),
+ ],
+ )
+ class NewObj2():
+ pass
+ assert "cannot be registered again" in str(excinfo.value)
+
+
@stix2.v20.CustomObject(
'x-new-type', [
('property1', stix2.properties.StringProperty(required=True)),
@@ -1119,15 +1131,3 @@ def test_register_duplicate_observable_extension():
class NewExtension2():
pass
assert "cannot be registered again" in str(excinfo.value)
-
-
-def test_register_duplicate_marking():
- with pytest.raises(DuplicateRegistrationError) as excinfo:
- @stix2.v20.CustomMarking(
- 'x-new-obj-2', [
- ('property1', stix2.properties.StringProperty(required=True)),
- ],
- )
- class NewObj2():
- pass
- assert "cannot be registered again" in str(excinfo.value)
diff --git a/stix2/test/v20/test_datastore_taxii.py b/stix2/test/v20/test_datastore_taxii.py
index b0c6b77..0b21981 100644
--- a/stix2/test/v20/test_datastore_taxii.py
+++ b/stix2/test/v20/test_datastore_taxii.py
@@ -28,7 +28,7 @@ class MockTAXIICollectionEndpoint(Collection):
def add_objects(self, bundle):
self._verify_can_write()
if isinstance(bundle, six.string_types):
- bundle = json.loads(bundle, encoding='utf-8')
+ bundle = json.loads(bundle)
for object in bundle.get("objects", []):
self.objects.append(object)
self.manifests.append(
diff --git a/stix2/test/v20/test_parsing.py b/stix2/test/v20/test_parsing.py
index 32c3e8b..6eb554e 100644
--- a/stix2/test/v20/test_parsing.py
+++ b/stix2/test/v20/test_parsing.py
@@ -1,3 +1,5 @@
+from collections import OrderedDict
+
import pytest
import stix2
@@ -67,8 +69,12 @@ def test_parse_observable_with_no_version():
def test_register_marking_with_version():
- parsing._register_marking(stix2.v20.TLP_WHITE.__class__, version='2.0')
+ class NewMarking1:
+ _type = 'x-new-marking1'
+ _properties = OrderedDict()
+
+ parsing._register_marking(NewMarking1, version='2.0')
v = 'v20'
- assert stix2.v20.TLP_WHITE.definition._type in parsing.STIX2_OBJ_MAPS[v]['markings']
- assert v in str(stix2.v20.TLP_WHITE.__class__)
+ assert NewMarking1._type in parsing.STIX2_OBJ_MAPS[v]['markings']
+ assert v in str(parsing.STIX2_OBJ_MAPS[v]['markings'][NewMarking1._type])
diff --git a/stix2/test/v20/test_properties.py b/stix2/test/v20/test_properties.py
index 6810966..b03879c 100644
--- a/stix2/test/v20/test_properties.py
+++ b/stix2/test/v20/test_properties.py
@@ -6,175 +6,16 @@ import stix2
import stix2.base
from stix2.exceptions import (
AtLeastOnePropertyError, CustomContentError, DictionaryKeyError,
- ExtraPropertiesError,
)
from stix2.properties import (
- BinaryProperty, BooleanProperty, DictionaryProperty,
- EmbeddedObjectProperty, EnumProperty, ExtensionsProperty, FloatProperty,
- HashesProperty, HexProperty, IDProperty, IntegerProperty, ListProperty,
- Property, ReferenceProperty, STIXObjectProperty, StringProperty,
- TimestampProperty, TypeProperty,
+ DictionaryProperty, EmbeddedObjectProperty, ExtensionsProperty,
+ HashesProperty, IDProperty, ListProperty, ReferenceProperty,
+ STIXObjectProperty,
)
from stix2.v20.common import MarkingProperty
from . import constants
-
-def test_property():
- p = Property()
-
- assert p.required is False
- assert p.clean('foo') == 'foo'
- assert p.clean(3) == 3
-
-
-def test_basic_clean():
- class Prop(Property):
-
- def clean(self, value):
- if value == 42:
- return value
- else:
- raise ValueError("Must be 42")
-
- p = Prop()
-
- assert p.clean(42) == 42
- with pytest.raises(ValueError):
- p.clean(41)
-
-
-def test_property_default():
- class Prop(Property):
-
- def default(self):
- return 77
-
- p = Prop()
-
- assert p.default() == 77
-
-
-def test_fixed_property():
- p = Property(fixed="2.0")
-
- assert p.clean("2.0")
- with pytest.raises(ValueError):
- assert p.clean("x") is False
- with pytest.raises(ValueError):
- assert p.clean(2.0) is False
-
- assert p.default() == "2.0"
- assert p.clean(p.default())
-
-
-def test_list_property_property_type():
- p = ListProperty(StringProperty)
-
- assert p.clean(['abc', 'xyz'])
- with pytest.raises(ValueError):
- p.clean([])
-
-
-def test_list_property_property_type_custom():
- class TestObj(stix2.base._STIXBase):
- _type = "test"
- _properties = {
- "foo": StringProperty(),
- }
- p = ListProperty(EmbeddedObjectProperty(type=TestObj))
-
- objs_custom = [
- TestObj(foo="abc", bar=123, allow_custom=True),
- TestObj(foo="xyz"),
- ]
-
- assert p.clean(objs_custom)
-
- dicts_custom = [
- {"foo": "abc", "bar": 123},
- {"foo": "xyz"},
- ]
-
- # no opportunity to set allow_custom=True when using dicts
- with pytest.raises(ExtraPropertiesError):
- p.clean(dicts_custom)
-
-
-def test_list_property_object_type():
- class TestObj(stix2.base._STIXBase):
- _type = "test"
- _properties = {
- "foo": StringProperty(),
- }
- p = ListProperty(TestObj)
-
- objs = [TestObj(foo="abc"), TestObj(foo="xyz")]
- assert p.clean(objs)
-
- dicts = [{"foo": "abc"}, {"foo": "xyz"}]
- assert p.clean(dicts)
-
-
-def test_list_property_object_type_custom():
- class TestObj(stix2.base._STIXBase):
- _type = "test"
- _properties = {
- "foo": StringProperty(),
- }
- p = ListProperty(TestObj)
-
- objs_custom = [
- TestObj(foo="abc", bar=123, allow_custom=True),
- TestObj(foo="xyz"),
- ]
-
- assert p.clean(objs_custom)
-
- dicts_custom = [
- {"foo": "abc", "bar": 123},
- {"foo": "xyz"},
- ]
-
- # no opportunity to set allow_custom=True when using dicts
- with pytest.raises(ExtraPropertiesError):
- p.clean(dicts_custom)
-
-
-def test_list_property_bad_element_type():
- with pytest.raises(TypeError):
- ListProperty(1)
-
-
-def test_list_property_bad_value_type():
- class TestObj(stix2.base._STIXBase):
- _type = "test"
- _properties = {
- "foo": StringProperty(),
- }
-
- list_prop = ListProperty(TestObj)
- with pytest.raises(ValueError):
- list_prop.clean([1])
-
-
-def test_string_property():
- prop = StringProperty()
-
- assert prop.clean('foobar')
- assert prop.clean(1)
- assert prop.clean([1, 2, 3])
-
-
-def test_type_property():
- prop = TypeProperty('my-type')
-
- assert prop.clean('my-type')
- with pytest.raises(ValueError):
- prop.clean('not-my-type')
- assert prop.clean(prop.default())
-
-
ID_PROP = IDProperty('my-type', spec_version="2.0")
MY_ID = 'my-type--232c9d3f-49fc-4440-bb01-607f638778e7'
@@ -242,123 +83,6 @@ def test_id_property_default():
assert ID_PROP.clean(default) == default
-@pytest.mark.parametrize(
- "value", [
- 2,
- -1,
- 3.14,
- False,
- ],
-)
-def test_integer_property_valid(value):
- int_prop = IntegerProperty()
- assert int_prop.clean(value) is not None
-
-
-@pytest.mark.parametrize(
- "value", [
- -1,
- -100,
- -5 * 6,
- ],
-)
-def test_integer_property_invalid_min_with_constraints(value):
- int_prop = IntegerProperty(min=0, max=180)
- with pytest.raises(ValueError) as excinfo:
- int_prop.clean(value)
- assert "minimum value is" in str(excinfo.value)
-
-
-@pytest.mark.parametrize(
- "value", [
- 181,
- 200,
- 50 * 6,
- ],
-)
-def test_integer_property_invalid_max_with_constraints(value):
- int_prop = IntegerProperty(min=0, max=180)
- with pytest.raises(ValueError) as excinfo:
- int_prop.clean(value)
- assert "maximum value is" in str(excinfo.value)
-
-
-@pytest.mark.parametrize(
- "value", [
- "something",
- StringProperty(),
- ],
-)
-def test_integer_property_invalid(value):
- int_prop = IntegerProperty()
- with pytest.raises(ValueError):
- int_prop.clean(value)
-
-
-@pytest.mark.parametrize(
- "value", [
- 2,
- -1,
- 3.14,
- False,
- ],
-)
-def test_float_property_valid(value):
- int_prop = FloatProperty()
- assert int_prop.clean(value) is not None
-
-
-@pytest.mark.parametrize(
- "value", [
- "something",
- StringProperty(),
- ],
-)
-def test_float_property_invalid(value):
- int_prop = FloatProperty()
- with pytest.raises(ValueError):
- int_prop.clean(value)
-
-
-@pytest.mark.parametrize(
- "value", [
- True,
- False,
- 'True',
- 'False',
- 'true',
- 'false',
- 'TRUE',
- 'FALSE',
- 'T',
- 'F',
- 't',
- 'f',
- 1,
- 0,
- ],
-)
-def test_boolean_property_valid(value):
- bool_prop = BooleanProperty()
-
- assert bool_prop.clean(value) is not None
-
-
-@pytest.mark.parametrize(
- "value", [
- 'abc',
- ['false'],
- {'true': 'true'},
- 2,
- -1,
- ],
-)
-def test_boolean_property_invalid(value):
- bool_prop = BooleanProperty()
- with pytest.raises(ValueError):
- bool_prop.clean(value)
-
-
def test_reference_property():
ref_prop = ReferenceProperty(valid_types="my-type", spec_version="2.0")
@@ -381,40 +105,6 @@ def test_reference_property_specific_type():
"my-type--8a8e8758-f92c-4058-ba38-f061cd42a0cf"
-@pytest.mark.parametrize(
- "value", [
- '2017-01-01T12:34:56Z',
- ],
-)
-def test_timestamp_property_valid(value):
- ts_prop = TimestampProperty()
- assert ts_prop.clean(value) == constants.FAKE_TIME
-
-
-def test_timestamp_property_invalid():
- ts_prop = TimestampProperty()
- with pytest.raises(TypeError):
- ts_prop.clean(1)
- with pytest.raises(ValueError):
- ts_prop.clean("someday sometime")
-
-
-def test_binary_property():
- bin_prop = BinaryProperty()
-
- assert bin_prop.clean("TG9yZW0gSXBzdW0=")
- with pytest.raises(ValueError):
- bin_prop.clean("foobar")
-
-
-def test_hex_property():
- hex_prop = HexProperty()
-
- assert hex_prop.clean("4c6f72656d20497073756d")
- with pytest.raises(ValueError):
- hex_prop.clean("foobar")
-
-
@pytest.mark.parametrize(
"d", [
{'description': 'something'},
@@ -522,24 +212,6 @@ def test_embedded_property():
emb_prop.clean("string")
-@pytest.mark.parametrize(
- "value", [
- ['a', 'b', 'c'],
- ('a', 'b', 'c'),
- 'b',
- ],
-)
-def test_enum_property_valid(value):
- enum_prop = EnumProperty(value)
- assert enum_prop.clean('b')
-
-
-def test_enum_property_invalid():
- enum_prop = EnumProperty(['a', 'b', 'c'])
- with pytest.raises(ValueError):
- enum_prop.clean('z')
-
-
def test_extension_property_valid():
ext_prop = ExtensionsProperty(spec_version="2.0", enclosing_type='file')
assert ext_prop({
diff --git a/stix2/test/v21/constants.py b/stix2/test/v21/constants.py
index c3ce3c0..78ee076 100644
--- a/stix2/test/v21/constants.py
+++ b/stix2/test/v21/constants.py
@@ -14,6 +14,7 @@ INFRASTRUCTURE_ID = "infrastructure--3000ae1b-784c-f03d-8abc-0a625b2ff018"
INTRUSION_SET_ID = "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29"
LOCATION_ID = "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64"
MALWARE_ID = "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e"
+MALWARE_ANALYSIS_ID = "malware-analysis--b46ee0ad-9443-41c5-a8e3-0fa053262805"
MARKING_DEFINITION_ID = "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
NOTE_ID = "note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061"
OBSERVED_DATA_ID = "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"
@@ -102,6 +103,10 @@ INTRUSION_SET_KWARGS = dict(
name="Bobcat Breakin",
)
+LOCATION_KWARGS = dict(
+ region="africa",
+)
+
MALWARE_KWARGS = dict(
malware_types=['ransomware'],
name="Cryptolocker",
@@ -119,6 +124,16 @@ MALWARE_MORE_KWARGS = dict(
is_family=False,
)
+MALWARE_ANALYSIS_KWARGS = dict(
+ product="microsoft",
+ result="malicious",
+)
+
+NOTE_KWARGS = dict(
+ content="Heartbleed",
+ object_refs=[CAMPAIGN_ID],
+)
+
OBSERVED_DATA_KWARGS = dict(
first_observed=FAKE_TIME,
last_observed=FAKE_TIME,
@@ -131,6 +146,11 @@ OBSERVED_DATA_KWARGS = dict(
},
)
+OPINION_KWARGS = dict(
+ opinion="agree",
+ object_refs=[CAMPAIGN_ID],
+)
+
REPORT_KWARGS = dict(
report_types=["campaign"],
name="Bad Cybercrime",
diff --git a/stix2/test/v21/test_custom.py b/stix2/test/v21/test_custom.py
index 3646f11..146abcd 100644
--- a/stix2/test/v21/test_custom.py
+++ b/stix2/test/v21/test_custom.py
@@ -397,6 +397,18 @@ def test_custom_marking_invalid_type_name():
pass # pragma: no cover
assert "Invalid type name '7x-new-marking':" in str(excinfo.value)
+
+def test_register_duplicate_marking():
+ with pytest.raises(DuplicateRegistrationError) as excinfo:
+ @stix2.v21.CustomMarking(
+ 'x-new-obj', [
+ ('property1', stix2.properties.StringProperty(required=True)),
+ ],
+ )
+ class NewObj2():
+ pass
+ assert "cannot be registered again" in str(excinfo.value)
+
# Custom Objects
@@ -1326,15 +1338,3 @@ def test_register_duplicate_observable_extension():
class NewExtension2():
pass
assert "cannot be registered again" in str(excinfo.value)
-
-
-def test_register_duplicate_marking():
- with pytest.raises(DuplicateRegistrationError) as excinfo:
- @stix2.v21.CustomMarking(
- 'x-new-obj', [
- ('property1', stix2.properties.StringProperty(required=True)),
- ],
- )
- class NewObj2():
- pass
- assert "cannot be registered again" in str(excinfo.value)
diff --git a/stix2/test/v21/test_datastore_taxii.py b/stix2/test/v21/test_datastore_taxii.py
index 28a7368..92ae6dc 100644
--- a/stix2/test/v21/test_datastore_taxii.py
+++ b/stix2/test/v21/test_datastore_taxii.py
@@ -28,7 +28,7 @@ class MockTAXIICollectionEndpoint(Collection):
def add_objects(self, bundle):
self._verify_can_write()
if isinstance(bundle, six.string_types):
- bundle = json.loads(bundle, encoding='utf-8')
+ bundle = json.loads(bundle)
for object in bundle.get("objects", []):
self.objects.append(object)
self.manifests.append(
diff --git a/stix2/test/v21/test_indicator.py b/stix2/test/v21/test_indicator.py
index 76fe86b..8452f70 100644
--- a/stix2/test/v21/test_indicator.py
+++ b/stix2/test/v21/test_indicator.py
@@ -98,8 +98,8 @@ def test_indicator_required_properties():
stix2.v21.Indicator()
assert excinfo.value.cls == stix2.v21.Indicator
- assert excinfo.value.properties == ["pattern", "pattern_type", "valid_from"]
- assert str(excinfo.value) == "No values for required properties for Indicator: (pattern, pattern_type, valid_from)."
+ assert excinfo.value.properties == ["pattern", "pattern_type"]
+ assert str(excinfo.value) == "No values for required properties for Indicator: (pattern, pattern_type)."
def test_indicator_required_property_pattern():
@@ -107,7 +107,7 @@ def test_indicator_required_property_pattern():
stix2.v21.Indicator(indicator_types=['malicious-activity'])
assert excinfo.value.cls == stix2.v21.Indicator
- assert excinfo.value.properties == ["pattern", "pattern_type", "valid_from"]
+ assert excinfo.value.properties == ["pattern", "pattern_type"]
def test_indicator_created_ref_invalid_format():
diff --git a/stix2/test/v21/test_parsing.py b/stix2/test/v21/test_parsing.py
index 1d930e6..53b53b2 100644
--- a/stix2/test/v21/test_parsing.py
+++ b/stix2/test/v21/test_parsing.py
@@ -1,3 +1,5 @@
+from collections import OrderedDict
+
import pytest
import stix2
@@ -64,7 +66,7 @@ def test_parse_observable_with_version():
@pytest.mark.xfail(reason="The default version is not 2.1", condition=stix2.DEFAULT_VERSION != "2.1")
def test_parse_observable_with_no_version():
- observable = {"type": "file", "name": "foo.exe"}
+ observable = {"type": "file", "name": "foo.exe", "spec_version": "2.1"}
obs_obj = parsing.parse_observable(observable)
v = 'v21'
@@ -72,18 +74,26 @@ def test_parse_observable_with_no_version():
def test_register_marking_with_version():
- parsing._register_marking(stix2.v21.TLP_WHITE.__class__, version='2.1')
+ class NewMarking1:
+ _type = 'x-new-marking1'
+ _properties = OrderedDict()
+
+ parsing._register_marking(NewMarking1, version='2.1')
v = 'v21'
- assert stix2.v21.TLP_WHITE.definition._type in parsing.STIX2_OBJ_MAPS[v]['markings']
- assert v in str(stix2.v21.TLP_WHITE.__class__)
+ assert NewMarking1._type in parsing.STIX2_OBJ_MAPS[v]['markings']
+ assert v in str(parsing.STIX2_OBJ_MAPS[v]['markings'][NewMarking1._type])
@pytest.mark.xfail(reason="The default version is not 2.1", condition=stix2.DEFAULT_VERSION != "2.1")
def test_register_marking_with_no_version():
- # Uses default version (2.0 in this case)
- parsing._register_marking(stix2.v21.TLP_WHITE.__class__)
+ # Uses default version (2.1 in this case)
+ class NewMarking2:
+ _type = 'x-new-marking2'
+ _properties = OrderedDict()
+
+ parsing._register_marking(NewMarking2)
v = 'v21'
- assert stix2.v21.TLP_WHITE.definition._type in parsing.STIX2_OBJ_MAPS[v]['markings']
- assert v in str(stix2.v21.TLP_WHITE.__class__)
+ assert NewMarking2._type in parsing.STIX2_OBJ_MAPS[v]['markings']
+ assert v in str(parsing.STIX2_OBJ_MAPS[v]['markings'][NewMarking2._type])
diff --git a/stix2/test/v21/test_properties.py b/stix2/test/v21/test_properties.py
index 84e87c4..36ff858 100644
--- a/stix2/test/v21/test_properties.py
+++ b/stix2/test/v21/test_properties.py
@@ -5,73 +5,15 @@ from stix2.exceptions import (
AtLeastOnePropertyError, CustomContentError, DictionaryKeyError,
)
from stix2.properties import (
- BinaryProperty, BooleanProperty, DictionaryProperty,
- EmbeddedObjectProperty, EnumProperty, ExtensionsProperty, FloatProperty,
- HashesProperty, HexProperty, IDProperty, IntegerProperty, ListProperty,
- Property, ReferenceProperty, StringProperty, TimestampProperty,
- TypeProperty,
+ DictionaryProperty, EmbeddedObjectProperty, ExtensionsProperty,
+ HashesProperty, IDProperty, ListProperty, ReferenceProperty,
+ StringProperty, TypeProperty,
)
from stix2.v21.common import MarkingProperty
from . import constants
-def test_property():
- p = Property()
-
- assert p.required is False
- assert p.clean('foo') == 'foo'
- assert p.clean(3) == 3
-
-
-def test_basic_clean():
- class Prop(Property):
-
- def clean(self, value):
- if value == 42:
- return value
- else:
- raise ValueError("Must be 42")
-
- p = Prop()
-
- assert p.clean(42) == 42
- with pytest.raises(ValueError):
- p.clean(41)
-
-
-def test_property_default():
- class Prop(Property):
-
- def default(self):
- return 77
-
- p = Prop()
-
- assert p.default() == 77
-
-
-def test_fixed_property():
- p = Property(fixed="2.0")
-
- assert p.clean("2.0")
- with pytest.raises(ValueError):
- assert p.clean("x") is False
- with pytest.raises(ValueError):
- assert p.clean(2.0) is False
-
- assert p.default() == "2.0"
- assert p.clean(p.default())
-
-
-def test_list_property():
- p = ListProperty(StringProperty)
-
- assert p.clean(['abc', 'xyz'])
- with pytest.raises(ValueError):
- p.clean([])
-
-
def test_dictionary_property():
p = DictionaryProperty(StringProperty)
@@ -161,123 +103,6 @@ def test_id_property_default():
assert ID_PROP.clean(default) == default
-@pytest.mark.parametrize(
- "value", [
- 2,
- -1,
- 3.14,
- False,
- ],
-)
-def test_integer_property_valid(value):
- int_prop = IntegerProperty()
- assert int_prop.clean(value) is not None
-
-
-@pytest.mark.parametrize(
- "value", [
- -1,
- -100,
- -50 * 6,
- ],
-)
-def test_integer_property_invalid_min_with_constraints(value):
- int_prop = IntegerProperty(min=0, max=180)
- with pytest.raises(ValueError) as excinfo:
- int_prop.clean(value)
- assert "minimum value is" in str(excinfo.value)
-
-
-@pytest.mark.parametrize(
- "value", [
- 181,
- 200,
- 50 * 6,
- ],
-)
-def test_integer_property_invalid_max_with_constraints(value):
- int_prop = IntegerProperty(min=0, max=180)
- with pytest.raises(ValueError) as excinfo:
- int_prop.clean(value)
- assert "maximum value is" in str(excinfo.value)
-
-
-@pytest.mark.parametrize(
- "value", [
- "something",
- StringProperty(),
- ],
-)
-def test_integer_property_invalid(value):
- int_prop = IntegerProperty()
- with pytest.raises(ValueError):
- int_prop.clean(value)
-
-
-@pytest.mark.parametrize(
- "value", [
- 2,
- -1,
- 3.14,
- False,
- ],
-)
-def test_float_property_valid(value):
- int_prop = FloatProperty()
- assert int_prop.clean(value) is not None
-
-
-@pytest.mark.parametrize(
- "value", [
- "something",
- StringProperty(),
- ],
-)
-def test_float_property_invalid(value):
- int_prop = FloatProperty()
- with pytest.raises(ValueError):
- int_prop.clean(value)
-
-
-@pytest.mark.parametrize(
- "value", [
- True,
- False,
- 'True',
- 'False',
- 'true',
- 'false',
- 'TRUE',
- 'FALSE',
- 'T',
- 'F',
- 't',
- 'f',
- 1,
- 0,
- ],
-)
-def test_boolean_property_valid(value):
- bool_prop = BooleanProperty()
-
- assert bool_prop.clean(value) is not None
-
-
-@pytest.mark.parametrize(
- "value", [
- 'abc',
- ['false'],
- {'true': 'true'},
- 2,
- -1,
- ],
-)
-def test_boolean_property_invalid(value):
- bool_prop = BooleanProperty()
- with pytest.raises(ValueError):
- bool_prop.clean(value)
-
-
def test_reference_property():
ref_prop = ReferenceProperty(valid_types="my-type", spec_version="2.1")
@@ -300,40 +125,6 @@ def test_reference_property_specific_type():
"my-type--8a8e8758-f92c-4058-ba38-f061cd42a0cf"
-@pytest.mark.parametrize(
- "value", [
- '2017-01-01T12:34:56Z',
- ],
-)
-def test_timestamp_property_valid(value):
- ts_prop = TimestampProperty()
- assert ts_prop.clean(value) == constants.FAKE_TIME
-
-
-def test_timestamp_property_invalid():
- ts_prop = TimestampProperty()
- with pytest.raises(TypeError):
- ts_prop.clean(1)
- with pytest.raises(ValueError):
- ts_prop.clean("someday sometime")
-
-
-def test_binary_property():
- bin_prop = BinaryProperty()
-
- assert bin_prop.clean("TG9yZW0gSXBzdW0=")
- with pytest.raises(ValueError):
- bin_prop.clean("foobar")
-
-
-def test_hex_property():
- hex_prop = HexProperty()
-
- assert hex_prop.clean("4c6f72656d20497073756d")
- with pytest.raises(ValueError):
- hex_prop.clean("foobar")
-
-
@pytest.mark.parametrize(
"d", [
{'description': 'something'},
@@ -452,29 +243,6 @@ def test_embedded_property():
emb_prop.clean("string")
-@pytest.mark.parametrize(
- "value", [
- ['a', 'b', 'c'],
- ('a', 'b', 'c'),
- 'b',
- ],
-)
-def test_enum_property_valid(value):
- enum_prop = EnumProperty(value)
- assert enum_prop.clean('b')
-
-
-def test_enum_property_clean():
- enum_prop = EnumProperty(['1'])
- assert enum_prop.clean(1) == '1'
-
-
-def test_enum_property_invalid():
- enum_prop = EnumProperty(['a', 'b', 'c'])
- with pytest.raises(ValueError):
- enum_prop.clean('z')
-
-
def test_extension_property_valid():
ext_prop = ExtensionsProperty(spec_version='2.1', enclosing_type='file')
assert ext_prop({
diff --git a/stix2/v20/common.py b/stix2/v20/common.py
index a92f81d..f2a371e 100644
--- a/stix2/v20/common.py
+++ b/stix2/v20/common.py
@@ -40,7 +40,7 @@ class ExternalReference(_STIXBase20):
('source_name', StringProperty(required=True)),
('description', StringProperty()),
('url', StringProperty()),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
('external_id', StringProperty()),
])
diff --git a/stix2/v20/observables.py b/stix2/v20/observables.py
index 3491c47..79d4e79 100644
--- a/stix2/v20/observables.py
+++ b/stix2/v20/observables.py
@@ -30,7 +30,7 @@ class Artifact(_Observable):
('mime_type', StringProperty()),
('payload_bin', BinaryProperty()),
('url', StringProperty()),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
('extensions', ExtensionsProperty(spec_version="2.0", enclosing_type=_type)),
])
@@ -173,7 +173,7 @@ class AlternateDataStream(_STIXBase20):
_properties = OrderedDict([
('name', StringProperty(required=True)),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
('size', IntegerProperty()),
])
@@ -256,7 +256,7 @@ class WindowsPEOptionalHeaderType(_STIXBase20):
('size_of_heap_commit', IntegerProperty()),
('loader_flags_hex', HexProperty()),
('number_of_rva_and_sizes', IntegerProperty()),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
])
def _check_object_constraints(self):
@@ -273,7 +273,7 @@ class WindowsPESection(_STIXBase20):
('name', StringProperty(required=True)),
('size', IntegerProperty()),
('entropy', FloatProperty()),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
])
@@ -293,7 +293,7 @@ class WindowsPEBinaryExt(_Extension):
('number_of_symbols', IntegerProperty()),
('size_of_optional_header', IntegerProperty()),
('characteristics_hex', HexProperty()),
- ('file_header_hashes', HashesProperty()),
+ ('file_header_hashes', HashesProperty(spec_version='2.0')),
('optional_header', EmbeddedObjectProperty(type=WindowsPEOptionalHeaderType)),
('sections', ListProperty(EmbeddedObjectProperty(type=WindowsPESection))),
])
@@ -307,7 +307,7 @@ class File(_Observable):
_type = 'file'
_properties = OrderedDict([
('type', TypeProperty(_type, spec_version='2.0')),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
('size', IntegerProperty()),
('name', StringProperty()),
('name_enc', StringProperty()),
@@ -759,7 +759,7 @@ class X509Certificate(_Observable):
_properties = OrderedDict([
('type', TypeProperty(_type, spec_version='2.0')),
('is_self_signed', BooleanProperty()),
- ('hashes', HashesProperty()),
+ ('hashes', HashesProperty(spec_version='2.0')),
('version', StringProperty()),
('serial_number', StringProperty()),
('signature_algorithm', StringProperty()),
diff --git a/stix2/v21/sdo.py b/stix2/v21/sdo.py
index 6961423..decbf07 100644
--- a/stix2/v21/sdo.py
+++ b/stix2/v21/sdo.py
@@ -187,7 +187,7 @@ class Indicator(_DomainObject):
('pattern', PatternProperty(required=True)),
('pattern_type', StringProperty(required=True)),
('pattern_version', StringProperty()),
- ('valid_from', TimestampProperty(default=lambda: NOW, required=True)),
+ ('valid_from', TimestampProperty(default=lambda: NOW)),
('valid_until', TimestampProperty()),
('kill_chain_phases', ListProperty(KillChainPhase)),
('revoked', BooleanProperty(default=lambda: False)),
@@ -204,7 +204,7 @@ class Indicator(_DomainObject):
if kwargs.get('pattern') and kwargs.get('pattern_type') == 'stix' and not kwargs.get('pattern_version'):
kwargs['pattern_version'] = '2.1'
- super(_DomainObject, self).__init__(*args, **kwargs)
+ super(Indicator, self).__init__(*args, **kwargs)
def _check_object_constraints(self):
super(Indicator, self)._check_object_constraints()
diff --git a/stix2/versioning.py b/stix2/versioning.py
index 8db8f7a..90d1ac9 100644
--- a/stix2/versioning.py
+++ b/stix2/versioning.py
@@ -1,3 +1,5 @@
+"""STIX2 core versioning methods."""
+
import copy
import datetime as dt
import itertools
diff --git a/stix2/workbench.py b/stix2/workbench.py
index 57474a9..3724bdb 100644
--- a/stix2/workbench.py
+++ b/stix2/workbench.py
@@ -25,11 +25,17 @@ import stix2
from . import AttackPattern as _AttackPattern
from . import Campaign as _Campaign
from . import CourseOfAction as _CourseOfAction
+from . import Grouping as _Grouping
from . import Identity as _Identity
from . import Indicator as _Indicator
+from . import Infrastructure as _Infrastructure
from . import IntrusionSet as _IntrusionSet
+from . import Location as _Location
from . import Malware as _Malware
+from . import MalwareAnalysis as _MalwareAnalysis
+from . import Note as _Note
from . import ObservedData as _ObservedData
+from . import Opinion as _Opinion
from . import Report as _Report
from . import ThreatActor as _ThreatActor
from . import Tool as _Tool
@@ -40,7 +46,7 @@ from . import ( # noqa: F401
Directory, DomainName, EmailAddress, EmailMessage,
EmailMIMEComponent, Environment, ExternalReference, File,
FileSystemSource, Filter, GranularMarking, HTTPRequestExt,
- ICMPExt, IPv4Address, IPv6Address, KillChainPhase, MACAddress,
+ ICMPExt, IPv4Address, IPv6Address, KillChainPhase, LanguageContent, MACAddress,
MarkingDefinition, MemoryStore, Mutex, NetworkTraffic, NTFSExt,
parse_observable, PDFExt, Process, RasterImageExt, Relationship,
Sighting, SocketExt, Software, StatementMarking,
@@ -84,12 +90,13 @@ add_data_sources = _environ.source.add_data_sources
STIX_OBJS = [
- _AttackPattern, _Campaign, _CourseOfAction, _Identity,
- _Indicator, _IntrusionSet, _Malware, _ObservedData, _Report,
+ _AttackPattern, _Campaign, _CourseOfAction, _Identity, _Grouping,
+ _Indicator, _Infrastructure, _IntrusionSet, _Location, _Malware,
+ _MalwareAnalysis, _Note, _ObservedData, _Opinion, _Report,
_ThreatActor, _Tool, _Vulnerability,
]
-STIX_OBJ_DOCS = """
+STIX_OBJ_DOCS = """s
.. method:: created_by(*args, **kwargs)
@@ -202,6 +209,19 @@ def courses_of_action(filters=None):
return query(filter_list)
+def groupings(filters=None):
+ """Retrieve all Grouping objects.
+
+ Args:
+ filters (list, optional): A list of additional filters to apply to
+ the query.
+
+ """
+ filter_list = FilterSet(filters)
+ filter_list.add(Filter('type', '=', 'grouping'))
+ return query(filter_list)
+
+
def identities(filters=None):
"""Retrieve all Identity objects.
@@ -228,6 +248,19 @@ def indicators(filters=None):
return query(filter_list)
+def infrastructures(filters=None):
+ """Retrieve all Infrastructure objects.
+
+ Args:
+ filters (list, optional): A list of additional filters to apply to
+ the query.
+
+ """
+ filter_list = FilterSet(filters)
+ filter_list.add(Filter('type', '=', 'infrastructure'))
+ return query(filter_list)
+
+
def intrusion_sets(filters=None):
"""Retrieve all Intrusion Set objects.
@@ -241,6 +274,19 @@ def intrusion_sets(filters=None):
return query(filter_list)
+def locations(filters=None):
+ """Retrieve all Location objects.
+
+ Args:
+ filters (list, optional): A list of additional filters to apply to
+ the query.
+
+ """
+ filter_list = FilterSet(filters)
+ filter_list.add(Filter('type', '=', 'location'))
+ return query(filter_list)
+
+
def malware(filters=None):
"""Retrieve all Malware objects.
@@ -254,6 +300,32 @@ def malware(filters=None):
return query(filter_list)
+def malware_analyses(filters=None):
+ """Retrieve all Malware Analysis objects.
+
+ Args:
+ filters (list, optional): A list of additional filters to apply to
+ the query.
+
+ """
+ filter_list = FilterSet(filters)
+ filter_list.add(Filter('type', '=', 'malware-analysis'))
+ return query(filter_list)
+
+
+def notes(filters=None):
+ """Retrieve all Note objects.
+
+ Args:
+ filters (list, optional): A list of additional filters to apply to
+ the query.
+
+ """
+ filter_list = FilterSet(filters)
+ filter_list.add(Filter('type', '=', 'note'))
+ return query(filter_list)
+
+
def observed_data(filters=None):
"""Retrieve all Observed Data objects.
@@ -267,6 +339,19 @@ def observed_data(filters=None):
return query(filter_list)
+def opinions(filters=None):
+ """Retrieve all Opinion objects.
+
+ Args:
+ filters (list, optional): A list of additional filters to apply to
+ the query.
+
+ """
+ filter_list = FilterSet(filters)
+ filter_list.add(Filter('type', '=', 'opinion'))
+ return query(filter_list)
+
+
def reports(filters=None):
"""Retrieve all Report objects.