Merge branch 'master' of github.com:oasis-open/cti-python-stix2

master
chrisr3d 2019-02-06 08:55:41 +01:00
commit 469d17bcee
99 changed files with 493 additions and 418 deletions


@ -420,7 +420,7 @@ class CompositeDataSource(DataSource):
"""Controller for all the attached DataSources.
A user can have a single CompositeDataSource as an interface
the a set of DataSources. When an API call is made to the
to a set of DataSources. When an API call is made to the
CompositeDataSource, it is delegated to each of the (real)
DataSources that are attached to it.


@ -50,7 +50,7 @@ CAMPAIGN_KWARGS = dict(
CAMPAIGN_MORE_KWARGS = dict(
type='campaign',
id=CAMPAIGN_ID,
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",


@ -2,7 +2,7 @@
"id": "bundle--f68640b4-0cdc-42ae-b176-def1754a1ea0",
"objects": [
{
"created": "2017-05-31T21:30:19.73501Z",
"created": "2017-05-31T21:30:19.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. 
PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs",
"external_references": [
@ -29,7 +29,7 @@
"phase_name": "credential-access"
}
],
"modified": "2017-05-31T21:30:19.73501Z",
"modified": "2017-05-31T21:30:19.735Z",
"name": "Credential Dumping",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5",
"objects": [
{
"created": "2017-05-31T21:30:26.496201Z",
"created": "2017-05-31T21:30:26.496Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls",
"external_references": [
@ -24,7 +24,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:26.496201Z",
"modified": "2017-05-31T21:30:26.496Z",
"name": "Rootkit",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--1a854c96-639e-4771-befb-e7b960a65974",
"objects": [
{
"created": "2017-05-31T21:30:29.45894Z",
"created": "2017-05-31T21:30:29.458Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.\n\nDetection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process use of network",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "exfiltration"
}
],
"modified": "2017-05-31T21:30:29.45894Z",
"modified": "2017-05-31T21:30:29.458Z",
"name": "Automated Exfiltration",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a",
"objects": [
{
"created": "2017-05-31T21:30:45.139269Z",
"created": "2017-05-31T21:30:45.139Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "discovery"
}
],
"modified": "2017-05-31T21:30:45.139269Z",
"modified": "2017-05-31T21:30:45.139Z",
"name": "Local Network Connections Discovery",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--a87938c5-cc1e-4e06-a8a3-b10243ae397d",
"objects": [
{
"created": "2017-05-31T21:30:41.022897Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to cmd may be used to gather information.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "collection"
}
],
"modified": "2017-05-31T21:30:41.022897Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--5ddaeff9-eca7-4094-9e65-4f53da21a444",
"objects": [
{
"created": "2017-05-31T21:30:32.662702Z",
"created": "2017-05-31T21:30:32.662Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:32.662702Z",
"modified": "2017-05-31T21:30:32.662Z",
"name": "Obfuscated Files or Information",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,11 +2,11 @@
"id": "bundle--a42d26fe-c938-4074-a1b3-50d852e6f0bd",
"objects": [
{
"created": "2017-05-31T21:30:26.495974Z",
"created": "2017-05-31T21:30:26.495Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f",
"modified": "2017-05-31T21:30:26.495974Z",
"modified": "2017-05-31T21:30:26.495Z",
"name": "Rootkit Mitigation",
"type": "course-of-action"
}


@ -1,9 +1,9 @@
{
"created": "2017-05-31T21:30:41.022744Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
"modified": "2017-05-31T21:30:41.022744Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive Mitigation",
"type": "course-of-action"
}


@ -2,10 +2,10 @@
"id": "bundle--81884287-2548-47fc-a997-39489ddd5462",
"objects": [
{
"created": "2017-06-01T00:00:00Z",
"created": "2017-06-01T00:00:00.000Z",
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"identity_class": "organization",
"modified": "2017-06-01T00:00:00Z",
"modified": "2017-06-01T00:00:00.000Z",
"name": "The MITRE Corporation",
"type": "identity"
}


@ -10,7 +10,7 @@
"PinkPanther",
"Black Vine"
],
"created": "2017-05-31T21:31:49.412497Z",
"created": "2017-05-31T21:31:49.412Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"external_references": [
@ -41,7 +41,7 @@
}
],
"id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064",
"modified": "2017-05-31T21:31:49.412497Z",
"modified": "2017-05-31T21:31:49.412Z",
"name": "Deep Panda",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -5,7 +5,7 @@
"aliases": [
"DragonOK"
],
"created": "2017-05-31T21:31:53.197755Z",
"created": "2017-05-31T21:31:53.197Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"external_references": [
@ -31,7 +31,7 @@
}
],
"id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"modified": "2017-05-31T21:31:53.197755Z",
"modified": "2017-05-31T21:31:53.197Z",
"name": "DragonOK",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--f64de948-7067-4534-8018-85f03d470625",
"objects": [
{
"created": "2017-05-31T21:32:58.226477Z",
"created": "2017-05-31T21:32:58.226Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:58.226477Z",
"modified": "2017-05-31T21:32:58.226Z",
"name": "Rover",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--c633942b-545c-4c87-91b7-9fe5740365e0",
"objects": [
{
"created": "2017-05-31T21:33:26.565056Z",
"created": "2017-05-31T21:33:26.565Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:33:26.565056Z",
"modified": "2017-05-31T21:33:26.565Z",
"name": "RTM",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--09ce4338-8741-4fcf-9738-d216c8e40974",
"objects": [
{
"created": "2017-05-31T21:32:48.482655Z",
"created": "2017-05-31T21:32:48.482Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:48.482655Z",
"modified": "2017-05-31T21:32:48.482Z",
"name": "Sakula",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--611947ce-ae3b-4fdb-b297-aed8eab22e4f",
"objects": [
{
"created": "2017-05-31T21:32:15.263882Z",
"created": "2017-05-31T21:32:15.263Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:15.263882Z",
"modified": "2017-05-31T21:32:15.263Z",
"name": "PoisonIvy",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,10 +2,10 @@
"id": "bundle--7e715462-dd9d-40b9-968a-10ef0ecf126d",
"objects": [
{
"created": "2017-05-31T21:33:27.182784Z",
"created": "2017-05-31T21:33:27.182Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0d4a7788-7f3b-4df8-a498-31a38003c883",
"modified": "2017-05-31T21:33:27.182784Z",
"modified": "2017-05-31T21:33:27.182Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--a53eef35-abfc-4bcd-b84e-a048f7b4a9bf",
"objects": [
{
"created": "2017-05-31T21:33:27.082801Z",
"created": "2017-05-31T21:33:27.082Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227",
"modified": "2017-05-31T21:33:27.082801Z",
"modified": "2017-05-31T21:33:27.082Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--0b9f6412-314f-44e3-8779-9738c9578ef5",
"objects": [
{
"created": "2017-05-31T21:33:27.018782Z",
"created": "2017-05-31T21:33:27.018Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--1e91cd45-a725-4965-abe3-700694374432",
"modified": "2017-05-31T21:33:27.018782Z",
"modified": "2017-05-31T21:33:27.018Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--6d5b04a8-efb2-4179-990e-74f1dcc76e0c",
"objects": [
{
"created": "2017-05-31T21:33:27.100701Z",
"created": "2017-05-31T21:33:27.100Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e",
"modified": "2017-05-31T21:33:27.100701Z",
"modified": "2017-05-31T21:33:27.100Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--a7efc025-040d-49c7-bf97-e5a1120ecacc",
"objects": [
{
"created": "2017-05-31T21:33:27.143973Z",
"created": "2017-05-31T21:33:27.143Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1",
"modified": "2017-05-31T21:33:27.143973Z",
"modified": "2017-05-31T21:33:27.143Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--9f013d47-7704-41c2-9749-23d0d94af94d",
"objects": [
{
"created": "2017-05-31T21:33:27.021562Z",
"created": "2017-05-31T21:33:27.021Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--592d0c31-e61f-495e-a60e-70d7be59a719",
"modified": "2017-05-31T21:33:27.021562Z",
"modified": "2017-05-31T21:33:27.021Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--15167b24-4cee-4c96-a140-32a6c37df4b4",
"objects": [
{
"created": "2017-05-31T21:33:27.044387Z",
"created": "2017-05-31T21:33:27.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1",
"modified": "2017-05-31T21:33:27.044387Z",
"modified": "2017-05-31T21:33:27.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--ff845dca-7036-416f-aae0-95030994c49f",
"objects": [
{
"created": "2017-05-31T21:33:27.051532Z",
"created": "2017-05-31T21:33:27.051Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--8797579b-e3be-4209-a71b-255a4d08243d",
"modified": "2017-05-31T21:33:27.051532Z",
"modified": "2017-05-31T21:33:27.051Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,7 +2,7 @@
"id": "bundle--d8826afc-1561-4362-a4e3-05a4c2c3ac3c",
"objects": [
{
"created": "2017-05-31T21:32:31.601148Z",
"created": "2017-05-31T21:32:31.601Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"external_references": [
@ -26,7 +26,7 @@
"labels": [
"tool"
],
"modified": "2017-05-31T21:32:31.601148Z",
"modified": "2017-05-31T21:32:31.601Z",
"name": "Net",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--7dbde18f-6f14-4bf0-8389-505c89d6d5a6",
"objects": [
{
"created": "2017-05-31T21:32:12.684914Z",
"created": "2017-05-31T21:32:12.684Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"tool"
],
"modified": "2017-05-31T21:32:12.684914Z",
"modified": "2017-05-31T21:32:12.684Z",
"name": "Windows Credential Editor",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -25,7 +25,7 @@ EXPECTED = """{
def test_attack_pattern_example():
ap = stix2.v20.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="Spear Phishing",
@ -44,7 +44,7 @@ def test_attack_pattern_example():
EXPECTED,
{
"type": "attack-pattern",
"id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": ATTACK_PATTERN_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"description": "...",
@ -74,11 +74,43 @@ def test_parse_attack_pattern(data):
def test_attack_pattern_invalid_labels():
with pytest.raises(stix2.exceptions.InvalidValueError):
stix2.v20.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27Z",
modified="2016-05-12T08:17:27Z",
name="Spear Phishing",
labels=1,
)
def test_overly_precise_timestamps():
ap = stix2.v20.AttackPattern(
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.0000342Z",
modified="2016-05-12T08:17:27.000287Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"external_id": "CAPEC-163",
}],
description="...",
)
assert str(ap) == EXPECTED
def test_less_precise_timestamps():
ap = stix2.v20.AttackPattern(
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.00Z",
modified="2016-05-12T08:17:27.0Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"external_id": "CAPEC-163",
}],
description="...",
)
assert str(ap) == EXPECTED
# TODO: Add other examples
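Review bot: `test_overly_precise_timestamps` cannot tell truncation from rounding, because both inputs (`27.0000342Z` and `27.000287Z`) serialize to `.000Z` either way. The fixture changes elsewhere in this commit (for example `21:30:29.45894Z` becoming `21:30:29.458Z`) suggest the intended behaviour is truncation to milliseconds. An input whose fourth fractional digit is 5 or more, e.g. a constructed `created="2016-05-12T08:17:27.0009Z"`, would pin that down. Since `modified` is what distinguishes versions of a STIX object, a one-line comment above the test such as `# sub-millisecond digits are dropped on serialization, not rounded` would record the contract for consumers who compare or deduplicate on it. `EXPECTED` is defined outside the hunk, so this assumes it carries `.000Z` for both fields.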


@ -4,6 +4,8 @@ import pytest
import stix2
from .constants import IDENTITY_ID
EXPECTED_BUNDLE = """{
"type": "bundle",
"id": "bundle--00000000-0000-4000-8000-000000000007",
@ -185,7 +187,7 @@ def test_parse_unknown_type():
"id": "other--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created": "2016-04-06T20:03:00Z",
"modified": "2016-04-06T20:03:00Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Campaign by Green Group against a series of targets in the financial services sector.",
"name": "Green Group Attacks Against Finance",
}


@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import CAMPAIGN_ID
from .constants import CAMPAIGN_ID, CAMPAIGN_MORE_KWARGS, IDENTITY_ID
EXPECTED = """{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -19,14 +19,7 @@ EXPECTED = """{
def test_campaign_example():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
)
campaign = stix2.v20.Campaign(**CAMPAIGN_MORE_KWARGS)
assert str(campaign) == EXPECTED
@ -36,10 +29,10 @@ def test_campaign_example():
EXPECTED,
{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": CAMPAIGN_ID,
"created": "2016-04-06T20:03:00Z",
"modified": "2016-04-06T20:03:00Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Campaign by Green Group against a series of targets in the financial services sector.",
"name": "Green Group Attacks Against Finance",
},
@ -52,7 +45,7 @@ def test_parse_campaign(data):
assert cmpn.id == CAMPAIGN_ID
assert cmpn.created == dt.datetime(2016, 4, 6, 20, 3, 0, tzinfo=pytz.utc)
assert cmpn.modified == dt.datetime(2016, 4, 6, 20, 3, 0, tzinfo=pytz.utc)
assert cmpn.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert cmpn.created_by_ref == IDENTITY_ID
assert cmpn.description == "Campaign by Green Group against a series of targets in the financial services sector."
assert cmpn.name == "Green Group Attacks Against Finance"
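Review bot: The `EXPECTED` string still hard-codes `"identity--311b2d2d-f010-4473-83ec-1edf84858f4c"` and the campaign id as literals, while the rest of this file now goes through `IDENTITY_ID` and `CAMPAIGN_ID`, so the assertions only hold while the literal and the values in `.constants` stay equal. A comment above `EXPECTED`, e.g. `# created_by_ref and id must match IDENTITY_ID / CAMPAIGN_ID in constants.py`, or building the string from the constants, would make that dependency visible. The same pattern appears in the `EXPECTED` of the course-of-action test section further down. Separately, `test_campaign_example` now appears to take its timestamps from `CAMPAIGN_MORE_KWARGS`, which the constants hunk shows as `.000Z` values, so it no longer covers the second-precision input (`"2016-04-06T20:03:00Z"`) that the replaced call used.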


@ -3,6 +3,8 @@ import pytest
import stix2
from stix2 import core, exceptions
from .constants import IDENTITY_ID
BUNDLE = {
"type": "bundle",
"spec_version": "2.0",
@ -96,7 +98,7 @@ def test_register_marking_with_no_version():
def test_register_observable_with_version():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -134,7 +136,7 @@ def test_register_observable_with_version():
def test_register_observable_extension_with_version():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",


@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import COURSE_OF_ACTION_ID
from .constants import COURSE_OF_ACTION_ID, IDENTITY_ID
EXPECTED = """{
"type": "course-of-action",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
@ -20,8 +20,8 @@ EXPECTED = """{
def test_course_of_action_example():
coa = stix2.v20.CourseOfAction(
id="course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=COURSE_OF_ACTION_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
@ -36,9 +36,9 @@ def test_course_of_action_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ...",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": COURSE_OF_ACTION_ID,
"modified": "2016-04-06T20:03:48.000Z",
"name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
"type": "course-of-action",
@ -52,7 +52,7 @@ def test_parse_course_of_action(data):
assert coa.id == COURSE_OF_ACTION_ID
assert coa.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert coa.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert coa.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert coa.created_by_ref == IDENTITY_ID
assert coa.description == "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ..."
assert coa.name == "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter"


@ -2,7 +2,7 @@ import pytest
import stix2
from .constants import FAKE_TIME, MARKING_DEFINITION_ID
from .constants import FAKE_TIME, IDENTITY_ID, MARKING_DEFINITION_ID
IDENTITY_CUSTOM_PROP = stix2.v20.Identity(
name="John Smith",
@ -15,7 +15,7 @@ IDENTITY_CUSTOM_PROP = stix2.v20.Identity(
def test_identity_custom_property():
with pytest.raises(ValueError) as excinfo:
stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -26,7 +26,7 @@ def test_identity_custom_property():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -39,7 +39,7 @@ def test_identity_custom_property():
assert "Unexpected properties for Identity" in str(excinfo.value)
identity = stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -54,7 +54,7 @@ def test_identity_custom_property():
def test_identity_custom_property_invalid():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -68,7 +68,7 @@ def test_identity_custom_property_invalid():
def test_identity_custom_property_allowed():
identity = stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -127,7 +127,7 @@ def test_custom_properties_object_in_bundled_object():
def test_custom_property_dict_in_bundled_object():
custom_identity = {
'type': 'identity',
'id': 'identity--311b2d2d-f010-4473-83ec-1edf84858f4c',
'id': IDENTITY_ID,
'created': '2015-12-21T19:59:11Z',
'name': 'John Smith',
'identity_class': 'individual',
@ -144,7 +144,7 @@ def test_custom_property_dict_in_bundled_object():
def test_custom_properties_dict_in_bundled_object():
custom_identity = {
'type': 'identity',
'id': 'identity--311b2d2d-f010-4473-83ec-1edf84858f4c',
'id': IDENTITY_ID,
'created': '2015-12-21T19:59:11Z',
'name': 'John Smith',
'identity_class': 'individual',


@ -275,13 +275,13 @@ def test_memory_store_object_creator_of_present(mem_store):
camp = Campaign(
name="Scipio Africanus",
objective="Defeat the Carthaginians",
created_by_ref="identity--e4196283-7420-4277-a7a3-d57f61ef1389",
created_by_ref=IDENTITY_ID,
x_empire="Roman",
allow_custom=True,
)
iden = Identity(
id="identity--e4196283-7420-4277-a7a3-d57f61ef1389",
id=IDENTITY_ID,
name="Foo Corp.",
identity_class="corporation",
)


@ -19,7 +19,7 @@ EXPECTED = """{
def test_identity_example():
identity = stix2.v20.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="John Smith",
@ -34,7 +34,7 @@ def test_identity_example():
EXPECTED,
{
"created": "2015-12-21T19:59:11.000Z",
"id": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"id": IDENTITY_ID,
"identity_class": "individual",
"modified": "2015-12-21T19:59:11.000Z",
"name": "John Smith",


@ -153,7 +153,7 @@ def test_created_modified_time_are_identical_by_default():
EXPECTED_INDICATOR,
{
"type": "indicator",
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"id": INDICATOR_ID,
"created": "2017-01-01T00:00:01Z",
"modified": "2017-01-01T00:00:01Z",
"labels": [


@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import INTRUSION_SET_ID
from .constants import IDENTITY_ID, INTRUSION_SET_ID
EXPECTED = """{
"type": "intrusion-set",
"id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Bobcat Breakin",
@ -28,8 +28,8 @@ EXPECTED = """{
def test_intrusion_set_example():
intrusion_set = stix2.v20.IntrusionSet(
id="intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=INTRUSION_SET_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Bobcat Breakin",
@ -49,14 +49,14 @@ def test_intrusion_set_example():
"Zookeeper",
],
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Incidents usually feature a shared TTP of a bobcat being released...",
"goals": [
"acquisition-theft",
"harassment",
"damage",
],
"id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
"id": INTRUSION_SET_ID,
"modified": "2016-04-06T20:03:48.000Z",
"name": "Bobcat Breakin",
"type": "intrusion-set",


@ -108,7 +108,7 @@ def test_invalid_kwarg_to_malware():
EXPECTED_MALWARE,
{
"type": "malware",
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"id": MALWARE_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"labels": ["ransomware"],


@ -6,7 +6,7 @@ import pytz
import stix2
from stix2.v20 import TLP_WHITE
from .constants import MARKING_DEFINITION_ID
from .constants import CAMPAIGN_ID, IDENTITY_ID, MARKING_DEFINITION_ID
EXPECTED_TLP_MARKING_DEFINITION = """{
"type": "marking-definition",
@ -31,7 +31,7 @@ EXPECTED_STATEMENT_MARKING_DEFINITION = """{
EXPECTED_CAMPAIGN_WITH_OBJECT_MARKING = """{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -54,7 +54,7 @@ EXPECTED_GRANULAR_MARKING = """{
EXPECTED_CAMPAIGN_WITH_GRANULAR_MARKINGS = """{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -76,7 +76,7 @@ def test_marking_def_example_with_tlp():
def test_marking_def_example_with_statement_positional_argument():
marking_definition = stix2.v20.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="statement",
definition=stix2.v20.StatementMarking(statement="Copyright 2016, Example Corp"),
@ -88,7 +88,7 @@ def test_marking_def_example_with_statement_positional_argument():
def test_marking_def_example_with_kwargs_statement():
kwargs = dict(statement="Copyright 2016, Example Corp")
marking_definition = stix2.v20.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="statement",
definition=stix2.v20.StatementMarking(**kwargs),
@ -100,7 +100,7 @@ def test_marking_def_example_with_kwargs_statement():
def test_marking_def_invalid_type():
with pytest.raises(ValueError):
stix2.v20.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="my-definition-type",
definition=stix2.v20.StatementMarking("Copyright 2016, Example Corp"),
@ -109,10 +109,11 @@ def test_marking_def_invalid_type():
def test_campaign_with_markings_example():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
type='campaign',
id=CAMPAIGN_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
object_marking_refs=TLP_WHITE,
@ -122,7 +123,7 @@ def test_campaign_with_markings_example():
def test_granular_example():
granular_marking = stix2.v20.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["abc", "abc.[23]", "abc.def", "abc.[2].efg"],
)
@ -132,7 +133,7 @@ def test_granular_example():
def test_granular_example_with_bad_selector():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["abc[0]"], # missing "."
)
@ -144,15 +145,16 @@ def test_granular_example_with_bad_selector():
def test_campaign_with_granular_markings_example():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
type='campaign',
id=CAMPAIGN_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
granular_markings=[
stix2.v20.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["description"],
),
],
@ -164,7 +166,7 @@ def test_campaign_with_granular_markings_example():
"data", [
EXPECTED_TLP_MARKING_DEFINITION,
{
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"id": MARKING_DEFINITION_ID,
"type": "marking-definition",
"created": "2017-01-20T00:00:00Z",
"definition": {
@ -258,8 +260,8 @@ def test_marking_wrong_type_construction():
def test_campaign_add_markings():
campaign = stix2.v20.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=CAMPAIGN_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
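Review bot: In `test_campaign_with_markings_example` and `test_campaign_with_granular_markings_example` the new lines spell out `type='campaign'`, `id=CAMPAIGN_ID`, `created_by_ref=IDENTITY_ID` and both timestamps by hand, which looks like a copy of the `CAMPAIGN_MORE_KWARGS` dict this commit also touches rather than a use of it. The explicit `type` is presumably redundant on a `Campaign` constructor, and `test_campaign_add_markings` in the last hunk keeps the short `"2016-04-06T20:03:00Z"` form, so the three tests that build the same campaign no longer read alike. If that dict is importable from `.constants` and carries the same name and description, `stix2.v20.Campaign(object_marking_refs=TLP_WHITE, **CAMPAIGN_MORE_KWARGS)` would say it once; otherwise drop `type='campaign',` and use one timestamp spelling in all three. The bodies of these tests continue outside the hunks shown.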


@ -6,7 +6,7 @@ import pytz
import stix2
from .constants import OBSERVED_DATA_ID
from .constants import IDENTITY_ID, OBSERVED_DATA_ID
OBJECTS_REGEX = re.compile('\"objects\": {(?:.*?)(?:(?:[^{]*?)|(?:{[^{]*?}))*}', re.DOTALL)
@ -14,7 +14,7 @@ OBJECTS_REGEX = re.compile('\"objects\": {(?:.*?)(?:(?:[^{]*?)|(?:{[^{]*?}))*}',
EXPECTED = """{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
@ -31,8 +31,8 @@ EXPECTED = """{
def test_observed_data_example():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -52,7 +52,7 @@ def test_observed_data_example():
EXPECTED_WITH_REF = """{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
@ -76,8 +76,8 @@ EXPECTED_WITH_REF = """{
def test_observed_data_example_with_refs():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -102,8 +102,8 @@ def test_observed_data_example_with_refs():
def test_observed_data_example_with_bad_refs():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -130,8 +130,8 @@ def test_observed_data_example_with_bad_refs():
def test_observed_data_example_with_non_dictionary():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -148,8 +148,8 @@ def test_observed_data_example_with_non_dictionary():
def test_observed_data_example_with_empty_dictionary():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -168,9 +168,9 @@ def test_observed_data_example_with_empty_dictionary():
EXPECTED,
{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"id": OBSERVED_DATA_ID,
"created": "2016-04-06T19:58:16.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"first_observed": "2015-12-21T19:00:00Z",
"last_observed": "2015-12-21T19:00:00Z",
"modified": "2016-04-06T19:58:16.000Z",
@ -193,7 +193,7 @@ def test_parse_observed_data(data):
assert odata.modified == dt.datetime(2016, 4, 6, 19, 58, 16, tzinfo=pytz.utc)
assert odata.first_observed == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
assert odata.last_observed == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
assert odata.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert odata.created_by_ref == IDENTITY_ID
assert odata.objects["0"].type == "file"
@ -533,7 +533,7 @@ def test_parse_basic_tcp_traffic_with_error(data):
EXPECTED_PROCESS_OD = """{
"created": "2016-04-06T19:58:16.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"first_observed": "2015-12-21T19:00:00Z",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"last_observed": "2015-12-21T19:00:00Z",
@ -563,8 +563,8 @@ EXPECTED_PROCESS_OD = """{
def test_observed_data_with_process_example():
observed_data = stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
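Review bot: The `EXPECTED`, `EXPECTED_WITH_REF` and `EXPECTED_PROCESS_OD` strings still carry the identity and observed-data ids as literals, apparently edited by hand to the value the constructor calls now take from `IDENTITY_ID`, so the string and the constant have to be changed together and nothing in the file says so. A one-line comment above each string would make the coupling visible, for example `# ids in this literal must match IDENTITY_ID and OBSERVED_DATA_ID in .constants`. The same applies to the expected strings in the intrusion-set, marking-definition, report, sighting, threat-actor and tool sections of this commit. The strings and test bodies continue outside the hunks shown.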


@ -2,13 +2,15 @@ import pickle
import stix2
from .constants import IDENTITY_ID
def test_pickling():
"""
Ensure a pickle/unpickle cycle works okay.
"""
identity = stix2.v20.Identity(
id="identity--d66cb89d-5228-4983-958c-fa84ef75c88c",
id=IDENTITY_ID,
name="alice",
description="this is a pickle test",
identity_class="some_class",
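Review bot: The docstring of `test_pickling` says only that a pickle/unpickle cycle works, and would be clearer if it stated the scope: the object is built inside the test and never comes from outside. Wording such as `Ensure a locally built object survives a pickle/unpickle cycle; pickle is not an interchange format here, since unpickling untrusted bytes can run arbitrary code.` keeps a reader from taking the test as an endorsement of loading pickled STIX objects received from elsewhere, which should arrive as JSON and go through the parser. The test body continues past the end of the hunk.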


@ -142,12 +142,12 @@ def test_create_relationship_with_positional_args(indicator, malware):
EXPECTED_RELATIONSHIP,
{
"created": "2016-04-06T20:06:37Z",
"id": "relationship--df7c87eb-75d2-4948-af81-9d49d246f301",
"id": RELATIONSHIP_ID,
"modified": "2016-04-06T20:06:37Z",
"relationship_type": "indicates",
"source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"type": "relationship",
"relationship_type": "indicates",
"source_ref": INDICATOR_ID,
"target_ref": MALWARE_ID,
},
],
)
@ -159,5 +159,5 @@ def test_parse_relationship(data):
assert rel.created == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert rel.modified == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert rel.relationship_type == "indicates"
assert rel.source_ref == "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"
assert rel.target_ref == "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e"
assert rel.source_ref == INDICATOR_ID
assert rel.target_ref == MALWARE_ID


@ -5,21 +5,24 @@ import pytz
import stix2
from .constants import INDICATOR_KWARGS, REPORT_ID
from .constants import (
CAMPAIGN_ID, IDENTITY_ID, INDICATOR_ID, INDICATOR_KWARGS, RELATIONSHIP_ID,
REPORT_ID,
)
EXPECTED = """{
"type": "report",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2015-12-21T19:59:11.000Z",
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"description": "A simple report with an indicator and campaign",
"published": "2016-01-20T17:00:00Z",
"object_refs": [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
"indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"relationship--df7c87eb-75d2-4948-af81-9d49d246f301"
],
"labels": [
"campaign"
@ -29,8 +32,8 @@ EXPECTED = """{
def test_report_example():
report = stix2.v20.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -38,9 +41,9 @@ def test_report_example():
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
)
@ -49,8 +52,8 @@ def test_report_example():
def test_report_example_objects_in_object_refs():
report = stix2.v20.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -58,9 +61,9 @@ def test_report_example_objects_in_object_refs():
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
stix2.v20.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
stix2.v20.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS),
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
)
@ -70,8 +73,8 @@ def test_report_example_objects_in_object_refs():
def test_report_example_objects_in_object_refs_with_bad_id():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v20.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -79,9 +82,9 @@ def test_report_example_objects_in_object_refs_with_bad_id():
published="2016-01-20T17:00:00Z",
labels=["campaign"],
object_refs=[
stix2.v20.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
stix2.v20.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS),
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
RELATIONSHIP_ID,
],
)
@ -96,18 +99,18 @@ def test_report_example_objects_in_object_refs_with_bad_id():
EXPECTED,
{
"created": "2015-12-21T19:59:11.000Z",
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"created_by_ref": IDENTITY_ID,
"description": "A simple report with an indicator and campaign",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"id": REPORT_ID,
"labels": [
"campaign",
],
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"object_refs": [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
"published": "2016-01-20T17:00:00Z",
"type": "report",
@ -121,11 +124,11 @@ def test_parse_report(data):
assert rept.id == REPORT_ID
assert rept.created == dt.datetime(2015, 12, 21, 19, 59, 11, tzinfo=pytz.utc)
assert rept.modified == dt.datetime(2015, 12, 21, 19, 59, 11, tzinfo=pytz.utc)
assert rept.created_by_ref == "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
assert rept.created_by_ref == IDENTITY_ID
assert rept.object_refs == [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
]
assert rept.description == "A simple report with an indicator and campaign"
assert rept.labels == ["campaign"]
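Review bot: In `test_report_example_objects_in_object_refs_with_bad_id` the malformed entry `"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c"` is the only id left as a literal, and its UUID no longer matches any value used elsewhere in the file, so only the trailing comment tells a reader that the single missing `-` is the defect under test. Deriving it from the constant, `CAMPAIGN_ID.replace("--", "-", 1),  # the "bad" id, missing a "-"`, would keep the separator as the only difference from a valid reference. The assertion on the error message sits outside the hunk and may quote the literal, in which case it needs the same treatment.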


@ -5,7 +5,7 @@ import pytz
import stix2
from .constants import INDICATOR_ID, SIGHTING_ID, SIGHTING_KWARGS
from .constants import IDENTITY_ID, INDICATOR_ID, SIGHTING_ID, SIGHTING_KWARGS
EXPECTED_SIGHTING = """{
"type": "sighting",
@ -14,7 +14,7 @@ EXPECTED_SIGHTING = """{
"modified": "2016-04-06T20:06:37.000Z",
"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"where_sighted_refs": [
"identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"
"identity--311b2d2d-f010-4473-83ec-1edf84858f4c"
]
}"""
@ -39,7 +39,7 @@ def test_sighting_all_required_properties():
created=now,
modified=now,
sighting_of_ref=INDICATOR_ID,
where_sighted_refs=["identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"],
where_sighted_refs=[IDENTITY_ID],
)
assert str(s) == EXPECTED_SIGHTING
@ -94,12 +94,12 @@ def test_create_sighting_from_objects_rather_than_ids(malware): # noqa: F811
EXPECTED_SIGHTING,
{
"created": "2016-04-06T20:06:37Z",
"id": "sighting--bfbc19db-ec35-4e45-beed-f8bde2a772fb",
"id": SIGHTING_ID,
"modified": "2016-04-06T20:06:37Z",
"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"type": "sighting",
"where_sighted_refs": [
"identity--8cc7afd6-5455-4d2b-a736-e614ee631d99",
IDENTITY_ID,
],
},
],
@ -111,5 +111,5 @@ def test_parse_sighting(data):
assert sighting.id == SIGHTING_ID
assert sighting.created == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert sighting.modified == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert sighting.sighting_of_ref == "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"
assert sighting.where_sighted_refs == ["identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"]
assert sighting.sighting_of_ref == INDICATOR_ID
assert sighting.where_sighted_refs == [IDENTITY_ID]
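Review bot: In the parametrized dict for `test_parse_sighting` the line `"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",` was left as a literal while `id` and `where_sighted_refs` beside it became constants, and the assertion in the last hunk now compares against `INDICATOR_ID`. `INDICATOR_ID` is already imported at the top of the file, so the entry can read `"sighting_of_ref": INDICATOR_ID,`.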


@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import THREAT_ACTOR_ID
from .constants import IDENTITY_ID, THREAT_ACTOR_ID
EXPECTED = """{
"type": "threat-actor",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Evil Org",
@ -23,13 +23,13 @@ EXPECTED = """{
def test_threat_actor_example():
threat_actor = stix2.v20.ThreatActor(
id="threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=THREAT_ACTOR_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Evil Org",
description="The Evil Org threat actor group",
labels=["crime-syndicate"],
name="Evil Org",
)
assert str(threat_actor) == EXPECTED
@ -40,13 +40,11 @@ def test_threat_actor_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "The Evil Org threat actor group",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"labels": [
"crime-syndicate",
],
"id": THREAT_ACTOR_ID,
"modified": "2016-04-06T20:03:48.000Z",
"labels": ["crime-syndicate"],
"name": "Evil Org",
"type": "threat-actor",
},
@ -59,7 +57,7 @@ def test_parse_threat_actor(data):
assert actor.id == THREAT_ACTOR_ID
assert actor.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert actor.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert actor.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert actor.created_by_ref == IDENTITY_ID
assert actor.description == "The Evil Org threat actor group"
assert actor.name == "Evil Org"
assert actor.labels == ["crime-syndicate"]


@ -5,12 +5,12 @@ import pytz
import stix2
from .constants import TOOL_ID
from .constants import IDENTITY_ID, TOOL_ID
EXPECTED = """{
"type": "tool",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "VNC",
@ -22,7 +22,7 @@ EXPECTED = """{
EXPECTED_WITH_REVOKED = """{
"type": "tool",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "VNC",
@ -35,12 +35,12 @@ EXPECTED_WITH_REVOKED = """{
def test_tool_example():
tool = stix2.v20.Tool(
id="tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=TOOL_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="VNC",
labels=["remote-access"],
name="VNC",
)
assert str(tool) == EXPECTED
@ -51,12 +51,10 @@ def test_tool_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"labels": [
"remote-access",
],
"created_by_ref": IDENTITY_ID,
"id": TOOL_ID,
"modified": "2016-04-06T20:03:48Z",
"labels": ["remote-access"],
"name": "VNC",
"type": "tool",
},
@ -69,7 +67,7 @@ def test_parse_tool(data):
assert tool.id == TOOL_ID
assert tool.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert tool.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert tool.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert tool.created_by_ref == IDENTITY_ID
assert tool.labels == ["remote-access"]
assert tool.name == "VNC"
@ -82,12 +80,12 @@ def test_tool_no_workbench_wrappers():
def test_tool_serialize_with_defaults():
tool = stix2.v20.Tool(
id="tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=TOOL_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="VNC",
labels=["remote-access"],
name="VNC",
)
assert tool.serialize(pretty=True, include_optional_defaults=True) == EXPECTED_WITH_REVOKED


@ -8,6 +8,8 @@ import pytz
import stix2.utils
from .constants import IDENTITY_ID
amsterdam = pytz.timezone('Europe/Amsterdam')
eastern = pytz.timezone('US/Eastern')
@ -123,7 +125,7 @@ def test_deduplicate(stix_objs1):
(
stix2.v20.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
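Review bot: The `ObservedData` fixture in this parametrize list keeps `id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"` as a literal although `created_by_ref` on the next line now comes from `.constants`. The observed-data tests in this commit use `OBSERVED_DATA_ID` for what appears to be the same value, so the import could become `from .constants import IDENTITY_ID, OBSERVED_DATA_ID` and the argument `id=OBSERVED_DATA_ID,`. The call continues past the end of the hunk.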


@ -24,7 +24,7 @@ EXPECTED = """{
def test_vulnerability_example():
vulnerability = stix2.v20.Vulnerability(
id="vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=VULNERABILITY_ID,
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="CVE-2016-1234",
@ -50,7 +50,7 @@ def test_vulnerability_example():
"source_name": "cve",
},
],
"id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": VULNERABILITY_ID,
"modified": "2016-05-12T08:17:27Z",
"name": "CVE-2016-1234",
"type": "vulnerability",


@ -53,7 +53,7 @@ CAMPAIGN_MORE_KWARGS = dict(
type='campaign',
spec_version='2.1',
id=CAMPAIGN_ID,
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00.000Z",
modified="2016-04-06T20:03:00.000Z",
name="Green Group Attacks Against Finance",


@ -2,7 +2,7 @@
"id": "bundle--f68640b4-0cdc-42ae-b176-def1754a1ea0",
"objects": [
{
"created": "2017-05-31T21:30:19.73501Z",
"created": "2017-05-31T21:30:19.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. 
PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs",
"external_references": [
@ -29,7 +29,7 @@
"phase_name": "credential-access"
}
],
"modified": "2017-05-31T21:30:19.73501Z",
"modified": "2017-05-31T21:30:19.735Z",
"name": "Credential Dumping",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5",
"objects": [
{
"created": "2017-05-31T21:30:26.496201Z",
"created": "2017-05-31T21:30:26.496Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls",
"external_references": [
@ -24,7 +24,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:26.496201Z",
"modified": "2017-05-31T21:30:26.496Z",
"name": "Rootkit",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--1a854c96-639e-4771-befb-e7b960a65974",
"objects": [
{
"created": "2017-05-31T21:30:29.45894Z",
"created": "2017-05-31T21:30:29.458Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.\n\nDetection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process use of network",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "exfiltration"
}
],
"modified": "2017-05-31T21:30:29.45894Z",
"modified": "2017-05-31T21:30:29.458Z",
"name": "Automated Exfiltration",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a",
"objects": [
{
"created": "2017-05-31T21:30:45.139269Z",
"created": "2017-05-31T21:30:45.139Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "discovery"
}
],
"modified": "2017-05-31T21:30:45.139269Z",
"modified": "2017-05-31T21:30:45.139Z",
"name": "Local Network Connections Discovery",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--a87938c5-cc1e-4e06-a8a3-b10243ae397d",
"objects": [
{
"created": "2017-05-31T21:30:41.022897Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to cmd may be used to gather information.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "collection"
}
],
"modified": "2017-05-31T21:30:41.022897Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--5ddaeff9-eca7-4094-9e65-4f53da21a444",
"objects": [
{
"created": "2017-05-31T21:30:32.662702Z",
"created": "2017-05-31T21:30:32.662Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering",
"external_references": [
@ -19,7 +19,7 @@
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:32.662702Z",
"modified": "2017-05-31T21:30:32.662Z",
"name": "Obfuscated Files or Information",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,11 +2,11 @@
"id": "bundle--a42d26fe-c938-4074-a1b3-50d852e6f0bd",
"objects": [
{
"created": "2017-05-31T21:30:26.495974Z",
"created": "2017-05-31T21:30:26.495Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f",
"modified": "2017-05-31T21:30:26.495974Z",
"modified": "2017-05-31T21:30:26.495Z",
"name": "Rootkit Mitigation",
"spec_version": "2.1",
"type": "course-of-action"


@ -1,9 +1,9 @@
{
"created": "2017-05-31T21:30:41.022744Z",
"created": "2017-05-31T21:30:41.022Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
"modified": "2017-05-31T21:30:41.022744Z",
"modified": "2017-05-31T21:30:41.022Z",
"name": "Data from Network Shared Drive Mitigation",
"spec_version": "2.1",
"type": "course-of-action"


@ -2,10 +2,10 @@
"id": "bundle--81884287-2548-47fc-a997-39489ddd5462",
"objects": [
{
"created": "2017-06-01T00:00:00Z",
"created": "2017-06-01T00:00:00.000Z",
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"identity_class": "organization",
"modified": "2017-06-01T00:00:00Z",
"modified": "2017-06-01T00:00:00.000Z",
"name": "The MITRE Corporation",
"spec_version": "2.1",
"type": "identity"


@ -10,7 +10,7 @@
"PinkPanther",
"Black Vine"
],
"created": "2017-05-31T21:31:49.412497Z",
"created": "2017-05-31T21:31:49.412Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"external_references": [
@ -41,7 +41,7 @@
}
],
"id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064",
"modified": "2017-05-31T21:31:49.412497Z",
"modified": "2017-05-31T21:31:49.412Z",
"name": "Deep Panda",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -5,7 +5,7 @@
"aliases": [
"DragonOK"
],
"created": "2017-05-31T21:31:53.197755Z",
"created": "2017-05-31T21:31:53.197Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"external_references": [
@ -31,7 +31,7 @@
}
],
"id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"modified": "2017-05-31T21:31:53.197755Z",
"modified": "2017-05-31T21:31:53.197Z",
"name": "DragonOK",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--f64de948-7067-4534-8018-85f03d470625",
"objects": [
{
"created": "2017-05-31T21:32:58.226477Z",
"created": "2017-05-31T21:32:58.226Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]",
"external_references": [
@ -21,7 +21,7 @@
"malware_types": [
"malware"
],
"modified": "2017-05-31T21:32:58.226477Z",
"modified": "2017-05-31T21:32:58.226Z",
"name": "Rover",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--c633942b-545c-4c87-91b7-9fe5740365e0",
"objects": [
{
"created": "2017-05-31T21:33:26.565056Z",
"created": "2017-05-31T21:33:26.565Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"external_references": [
@ -21,7 +21,7 @@
"malware_types": [
"malware"
],
"modified": "2017-05-31T21:33:26.565056Z",
"modified": "2017-05-31T21:33:26.565Z",
"name": "RTM",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--09ce4338-8741-4fcf-9738-d216c8e40974",
"objects": [
{
"created": "2017-05-31T21:32:48.482655Z",
"created": "2017-05-31T21:32:48.482Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER",
"external_references": [
@ -21,7 +21,7 @@
"malware_types": [
"malware"
],
"modified": "2017-05-31T21:32:48.482655Z",
"modified": "2017-05-31T21:32:48.482Z",
"name": "Sakula",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--611947ce-ae3b-4fdb-b297-aed8eab22e4f",
"objects": [
{
"created": "2017-05-31T21:32:15.263882Z",
"created": "2017-05-31T21:32:15.263Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy",
"external_references": [
@ -21,7 +21,7 @@
"labels": [
"malware"
],
"modified": "2017-05-31T21:32:15.263882Z",
"modified": "2017-05-31T21:32:15.263Z",
"name": "PoisonIvy",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,10 +2,10 @@
"id": "bundle--7e715462-dd9d-40b9-968a-10ef0ecf126d",
"objects": [
{
"created": "2017-05-31T21:33:27.182784Z",
"created": "2017-05-31T21:33:27.182Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0d4a7788-7f3b-4df8-a498-31a38003c883",
"modified": "2017-05-31T21:33:27.182784Z",
"modified": "2017-05-31T21:33:27.182Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--a53eef35-abfc-4bcd-b84e-a048f7b4a9bf",
"objects": [
{
"created": "2017-05-31T21:33:27.082801Z",
"created": "2017-05-31T21:33:27.082Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227",
"modified": "2017-05-31T21:33:27.082801Z",
"modified": "2017-05-31T21:33:27.082Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--0b9f6412-314f-44e3-8779-9738c9578ef5",
"objects": [
{
"created": "2017-05-31T21:33:27.018782Z",
"created": "2017-05-31T21:33:27.018Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--1e91cd45-a725-4965-abe3-700694374432",
"modified": "2017-05-31T21:33:27.018782Z",
"modified": "2017-05-31T21:33:27.018Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--6d5b04a8-efb2-4179-990e-74f1dcc76e0c",
"objects": [
{
"created": "2017-05-31T21:33:27.100701Z",
"created": "2017-05-31T21:33:27.100Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e",
"modified": "2017-05-31T21:33:27.100701Z",
"modified": "2017-05-31T21:33:27.100Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--a7efc025-040d-49c7-bf97-e5a1120ecacc",
"objects": [
{
"created": "2017-05-31T21:33:27.143973Z",
"created": "2017-05-31T21:33:27.143Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1",
"modified": "2017-05-31T21:33:27.143973Z",
"modified": "2017-05-31T21:33:27.143Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--9f013d47-7704-41c2-9749-23d0d94af94d",
"objects": [
{
"created": "2017-05-31T21:33:27.021562Z",
"created": "2017-05-31T21:33:27.021Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--592d0c31-e61f-495e-a60e-70d7be59a719",
"modified": "2017-05-31T21:33:27.021562Z",
"modified": "2017-05-31T21:33:27.021Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--15167b24-4cee-4c96-a140-32a6c37df4b4",
"objects": [
{
"created": "2017-05-31T21:33:27.044387Z",
"created": "2017-05-31T21:33:27.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1",
"modified": "2017-05-31T21:33:27.044387Z",
"modified": "2017-05-31T21:33:27.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,10 +2,10 @@
"id": "bundle--ff845dca-7036-416f-aae0-95030994c49f",
"objects": [
{
"created": "2017-05-31T21:33:27.051532Z",
"created": "2017-05-31T21:33:27.051Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "relationship--8797579b-e3be-4209-a71b-255a4d08243d",
"modified": "2017-05-31T21:33:27.051532Z",
"modified": "2017-05-31T21:33:27.051Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],


@ -2,7 +2,7 @@
"id": "bundle--d8826afc-1561-4362-a4e3-05a4c2c3ac3c",
"objects": [
{
"created": "2017-05-31T21:32:31.601148Z",
"created": "2017-05-31T21:32:31.601Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"external_references": [
@ -26,7 +26,7 @@
"tool_types": [
"tool"
],
"modified": "2017-05-31T21:32:31.601148Z",
"modified": "2017-05-31T21:32:31.601Z",
"name": "Net",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -2,7 +2,7 @@
"id": "bundle--7dbde18f-6f14-4bf0-8389-505c89d6d5a6",
"objects": [
{
"created": "2017-05-31T21:32:12.684914Z",
"created": "2017-05-31T21:32:12.684Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"external_references": [
@ -21,7 +21,7 @@
"tool_types": [
"tool"
],
"modified": "2017-05-31T21:32:12.684914Z",
"modified": "2017-05-31T21:32:12.684Z",
"name": "Windows Credential Editor",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"


@ -26,7 +26,7 @@ EXPECTED = """{
def test_attack_pattern_example():
ap = stix2.v21.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="Spear Phishing",
@ -46,7 +46,7 @@ def test_attack_pattern_example():
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": ATTACK_PATTERN_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"description": "...",
@ -77,11 +77,44 @@ def test_parse_attack_pattern(data):
def test_attack_pattern_invalid_labels():
with pytest.raises(stix2.exceptions.InvalidValueError):
stix2.v21.AttackPattern(
id="attack-pattern--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27Z",
modified="2016-05-12T08:17:27Z",
name="Spear Phishing",
labels=1,
)
def test_overly_precise_timestamps():
ap = stix2.v21.AttackPattern(
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.0000342Z",
modified="2016-05-12T08:17:27.000287Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"external_id": "CAPEC-163",
}],
description="...",
)
assert str(ap) == EXPECTED
def test_less_precise_timestamps():
ap = stix2.v21.AttackPattern(
id=ATTACK_PATTERN_ID,
created="2016-05-12T08:17:27.00Z",
modified="2016-05-12T08:17:27.0Z",
name="Spear Phishing",
external_references=[{
"source_name": "capec",
"external_id": "CAPEC-163",
}],
description="...",
)
assert str(ap) == EXPECTED
# TODO: Add other examples
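Review bot: The inputs in `test_overly_precise_timestamps` cannot tell truncation from rounding, because `27.0000342Z` and `27.000287Z` both serialize to `.000Z` under either rule. The JSON fixtures changed in this commit (for example `29.45894Z` becoming `29.458Z`) suggest the serializer truncates to milliseconds, so a case such as `created="2016-05-12T08:17:27.0009Z"` would pin that rule and should still match `EXPECTED` if truncation is intended. This matters because STIX uses `modified` to identify an object's version, so the direction of normalization decides which inputs collapse onto the same version. Both new tests would also benefit from a one-line docstring saying that `created` and `modified` are normalized to exactly three fractional digits.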


@ -4,6 +4,8 @@ import pytest
import stix2
from .constants import IDENTITY_ID
EXPECTED_BUNDLE = """{
"type": "bundle",
"id": "bundle--00000000-0000-4000-8000-000000000007",
@ -190,7 +192,7 @@ def test_parse_unknown_type():
"id": "other--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created": "2016-04-06T20:03:00Z",
"modified": "2016-04-06T20:03:00Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Campaign by Green Group against a series of targets in the financial services sector.",
"name": "Green Group Attacks Against Finance",
}


@ -5,13 +5,13 @@ import pytz
import stix2
from .constants import CAMPAIGN_ID
from .constants import CAMPAIGN_ID, CAMPAIGN_MORE_KWARGS, IDENTITY_ID
EXPECTED = """{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -21,12 +21,7 @@ EXPECTED = """{
def test_campaign_example():
campaign = stix2.v21.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
**CAMPAIGN_MORE_KWARGS
)
assert str(campaign) == EXPECTED
@ -38,10 +33,10 @@ def test_campaign_example():
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": CAMPAIGN_ID,
"created": "2016-04-06T20:03:00Z",
"modified": "2016-04-06T20:03:00Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Campaign by Green Group against a series of targets in the financial services sector.",
"name": "Green Group Attacks Against Finance",
},
@ -55,7 +50,7 @@ def test_parse_campaign(data):
assert cmpn.id == CAMPAIGN_ID
assert cmpn.created == dt.datetime(2016, 4, 6, 20, 3, 0, tzinfo=pytz.utc)
assert cmpn.modified == dt.datetime(2016, 4, 6, 20, 3, 0, tzinfo=pytz.utc)
assert cmpn.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert cmpn.created_by_ref == IDENTITY_ID
assert cmpn.description == "Campaign by Green Group against a series of targets in the financial services sector."
assert cmpn.name == "Green Group Attacks Against Finance"
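Review bot: `EXPECTED` now hard-codes `identity--311b2d2d-f010-4473-83ec-1edf84858f4c` while the constructor and the parse fixture take the value from `IDENTITY_ID`, so the test only passes while the literal and the constant stay in step. A short comment above `EXPECTED`, such as `# created_by_ref must equal constants.IDENTITY_ID`, would make that coupling visible; the same applies to the `EXPECTED` strings in the course-of-action and intrusion-set sections further down. `test_campaign_example` also switches to `**CAMPAIGN_MORE_KWARGS`, so the values it serializes are no longer readable in the test itself and depend on the shared dict in the constants module.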


@ -3,6 +3,8 @@ import pytest
import stix2
from stix2 import core, exceptions
from .constants import IDENTITY_ID, OBSERVED_DATA_ID
BUNDLE = {
"type": "bundle",
"id": "bundle--00000000-0000-4000-8000-000000000007",
@ -98,8 +100,8 @@ def test_register_marking_with_no_version():
def test_register_observable_with_default_version():
observed_data = stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -136,8 +138,8 @@ def test_register_observable_with_default_version():
def test_register_observable_extension_with_default_version():
observed_data = stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",


@ -5,13 +5,13 @@ import pytz
import stix2
from .constants import COURSE_OF_ACTION_ID
from .constants import COURSE_OF_ACTION_ID, IDENTITY_ID
EXPECTED = """{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
@ -21,8 +21,8 @@ EXPECTED = """{
def test_course_of_action_example():
coa = stix2.v21.CourseOfAction(
id="course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=COURSE_OF_ACTION_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
@ -37,9 +37,9 @@ def test_course_of_action_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ...",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": COURSE_OF_ACTION_ID,
"modified": "2016-04-06T20:03:48.000Z",
"name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
"spec_version": "2.1",
@ -55,7 +55,7 @@ def test_parse_course_of_action(data):
assert coa.id == COURSE_OF_ACTION_ID
assert coa.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert coa.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert coa.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert coa.created_by_ref == IDENTITY_ID
assert coa.description == "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ..."
assert coa.name == "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter"


@ -3,7 +3,7 @@ import pytest
import stix2
import stix2.base
from .constants import FAKE_TIME, MARKING_DEFINITION_ID
from .constants import FAKE_TIME, IDENTITY_ID, MARKING_DEFINITION_ID
IDENTITY_CUSTOM_PROP = stix2.v21.Identity(
name="John Smith",
@ -16,7 +16,7 @@ IDENTITY_CUSTOM_PROP = stix2.v21.Identity(
def test_identity_custom_property():
with pytest.raises(ValueError) as excinfo:
stix2.v21.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -27,7 +27,7 @@ def test_identity_custom_property():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.v21.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -40,7 +40,7 @@ def test_identity_custom_property():
assert "Unexpected properties for Identity" in str(excinfo.value)
identity = stix2.v21.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -55,7 +55,7 @@ def test_identity_custom_property():
def test_identity_custom_property_invalid():
with pytest.raises(stix2.exceptions.ExtraPropertiesError) as excinfo:
stix2.v21.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -69,7 +69,7 @@ def test_identity_custom_property_invalid():
def test_identity_custom_property_allowed():
identity = stix2.v21.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11Z",
modified="2015-12-21T19:59:11Z",
name="John Smith",
@ -130,7 +130,7 @@ def test_custom_property_dict_in_bundled_object():
custom_identity = {
'type': 'identity',
'spec_version': '2.1',
'id': 'identity--311b2d2d-f010-4473-83ec-1edf84858f4c',
'id': IDENTITY_ID,
'created': '2015-12-21T19:59:11Z',
'name': 'John Smith',
'identity_class': 'individual',
@ -148,7 +148,7 @@ def test_custom_properties_dict_in_bundled_object():
custom_identity = {
'type': 'identity',
'spec_version': '2.1',
'id': 'identity--311b2d2d-f010-4473-83ec-1edf84858f4c',
'id': IDENTITY_ID,
'created': '2015-12-21T19:59:11Z',
'name': 'John Smith',
'identity_class': 'individual',


@ -4,6 +4,8 @@ from stix2 import parse
from stix2.datastore.filters import Filter, apply_common_filters
from stix2.utils import STIXdatetime, parse_into_datetime
from .constants import OBSERVED_DATA_ID
stix_objs = [
{
"created": "2017-01-27T13:49:53.997Z",
@ -72,7 +74,7 @@ stix_objs = [
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"id": OBSERVED_DATA_ID,
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
@ -444,7 +446,7 @@ def test_filters7(stix_objs2, real_stix_objs2):
obsvd_data_obj = {
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"id": OBSERVED_DATA_ID,
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
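Review bot: Both observed-data fixtures keep the literal `"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"` although the rest of this commit replaces that value with `IDENTITY_ID`, which other sections suggest is `identity--311b2d2d-f010-4473-83ec-1edf84858f4c`. If the old id is kept on purpose (for example because a filter test matches on it, which cannot be seen from these hunks), a comment such as `# intentionally not IDENTITY_ID` next to it would stop a later cleanup from silently changing what the fixture exercises. `test_filters7` starts and ends outside the second hunk, and the first hunk imports only `OBSERVED_DATA_ID`.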


@ -282,13 +282,13 @@ def test_memory_store_object_creator_of_present(mem_store):
camp = Campaign(
name="Scipio Africanus",
objective="Defeat the Carthaginians",
created_by_ref="identity--e4196283-7420-4277-a7a3-d57f61ef1389",
created_by_ref=IDENTITY_ID,
x_empire="Roman",
allow_custom=True,
)
iden = Identity(
id="identity--e4196283-7420-4277-a7a3-d57f61ef1389",
id=IDENTITY_ID,
name="Foo Corp.",
identity_class="corporation",
)


@ -20,7 +20,7 @@ EXPECTED = """{
def test_identity_example():
identity = stix2.v21.Identity(
id="identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
id=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="John Smith",
@ -35,7 +35,7 @@ def test_identity_example():
EXPECTED,
{
"created": "2015-12-21T19:59:11.000Z",
"id": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"id": IDENTITY_ID,
"identity_class": "individual",
"modified": "2015-12-21T19:59:11.000Z",
"name": "John Smith",


@ -157,7 +157,7 @@ def test_created_modified_time_are_identical_by_default():
EXPECTED_INDICATOR,
{
"type": "indicator",
"id": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"id": INDICATOR_ID,
"created": "2017-01-01T00:00:01Z",
"modified": "2017-01-01T00:00:01Z",
"indicator_types": [


@ -5,13 +5,13 @@ import pytz
import stix2
from .constants import INTRUSION_SET_ID
from .constants import IDENTITY_ID, INTRUSION_SET_ID
EXPECTED = """{
"type": "intrusion-set",
"spec_version": "2.1",
"id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Bobcat Breakin",
@ -29,8 +29,8 @@ EXPECTED = """{
def test_intrusion_set_example():
intrusion_set = stix2.v21.IntrusionSet(
id="intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=INTRUSION_SET_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Bobcat Breakin",
@ -50,14 +50,14 @@ def test_intrusion_set_example():
"Zookeeper",
],
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "Incidents usually feature a shared TTP of a bobcat being released...",
"goals": [
"acquisition-theft",
"harassment",
"damage",
],
"id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
"id": INTRUSION_SET_ID,
"modified": "2016-04-06T20:03:48.000Z",
"name": "Bobcat Breakin",
"spec_version": "2.1",


@ -69,7 +69,7 @@ def test_location_with_some_required_properties():
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"region": "north-america",
@ -94,7 +94,7 @@ def test_parse_location(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 90.01,
@ -103,7 +103,7 @@ def test_parse_location(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": -90.1,
@ -123,7 +123,7 @@ def test_location_bad_latitude(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 80,
@ -132,7 +132,7 @@ def test_location_bad_latitude(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 80,
@ -152,7 +152,7 @@ def test_location_bad_longitude(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"longitude": 175.7,
@ -161,7 +161,7 @@ def test_location_bad_longitude(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 80,
@ -181,7 +181,7 @@ def test_location_properties_missing_when_precision_is_present(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 18.468842,
@ -203,7 +203,7 @@ def test_location_negative_precision(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 18.468842,
@ -215,7 +215,7 @@ def test_location_negative_precision(data):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"longitude": 160.7,
@ -238,7 +238,7 @@ def test_location_latitude_dependency_missing(data, msg):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"latitude": 18.468842,
@ -249,7 +249,7 @@ def test_location_latitude_dependency_missing(data, msg):
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"id": LOCATION_ID,
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"longitude": 160.7,


@ -110,7 +110,7 @@ def test_invalid_kwarg_to_malware():
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"id": MALWARE_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"malware_types": ["ransomware"],


@ -6,7 +6,7 @@ import pytz
import stix2
from stix2.v21 import TLP_WHITE
from .constants import MARKING_DEFINITION_ID
from .constants import IDENTITY_ID, MARKING_DEFINITION_ID
EXPECTED_TLP_MARKING_DEFINITION = """{
"type": "marking-definition",
@ -34,7 +34,7 @@ EXPECTED_CAMPAIGN_WITH_OBJECT_MARKING = """{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -58,7 +58,7 @@ EXPECTED_CAMPAIGN_WITH_GRANULAR_MARKINGS = """{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "Green Group Attacks Against Finance",
@ -80,7 +80,7 @@ def test_marking_def_example_with_tlp():
def test_marking_def_example_with_statement_positional_argument():
marking_definition = stix2.v21.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="statement",
definition=stix2.StatementMarking(statement="Copyright 2016, Example Corp"),
@ -92,7 +92,7 @@ def test_marking_def_example_with_statement_positional_argument():
def test_marking_def_example_with_kwargs_statement():
kwargs = dict(statement="Copyright 2016, Example Corp")
marking_definition = stix2.v21.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="statement",
definition=stix2.StatementMarking(**kwargs),
@ -104,7 +104,7 @@ def test_marking_def_example_with_kwargs_statement():
def test_marking_def_invalid_type():
with pytest.raises(ValueError):
stix2.v21.MarkingDefinition(
id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
id=MARKING_DEFINITION_ID,
created="2017-01-20T00:00:00.000Z",
definition_type="my-definition-type",
definition=stix2.StatementMarking("Copyright 2016, Example Corp"),
@ -114,7 +114,7 @@ def test_marking_def_invalid_type():
def test_campaign_with_markings_example():
campaign = stix2.v21.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
@ -126,7 +126,7 @@ def test_campaign_with_markings_example():
def test_granular_example():
granular_marking = stix2.v21.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["abc", "abc.[23]", "abc.def", "abc.[2].efg"],
)
@ -136,7 +136,7 @@ def test_granular_example():
def test_granular_example_with_bad_selector():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v21.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["abc[0]"], # missing "."
)
@ -149,14 +149,14 @@ def test_granular_example_with_bad_selector():
def test_campaign_with_granular_markings_example():
campaign = stix2.v21.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
description="Campaign by Green Group against a series of targets in the financial services sector.",
granular_markings=[
stix2.v21.GranularMarking(
marking_ref="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
marking_ref=MARKING_DEFINITION_ID,
selectors=["description"],
),
],
@ -168,7 +168,7 @@ def test_campaign_with_granular_markings_example():
"data", [
EXPECTED_TLP_MARKING_DEFINITION,
{
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"id": MARKING_DEFINITION_ID,
"spec_version": "2.1",
"type": "marking-definition",
"created": "2017-01-20T00:00:00Z",
@ -265,7 +265,7 @@ def test_marking_wrong_type_construction():
def test_campaign_add_markings():
campaign = stix2.v21.Campaign(
id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:00Z",
modified="2016-04-06T20:03:00Z",
name="Green Group Attacks Against Finance",
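Review bot: `test_campaign_with_markings_example`, `test_campaign_with_granular_markings_example` and `test_campaign_add_markings` still pass `id="campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"` as a literal next to the converted `created_by_ref=IDENTITY_ID`, so the conversion is only half done in these calls. If `.constants` exports `CAMPAIGN_ID` with this value (the report tests import it, and their expected output suggests it matches), use `id=CAMPAIGN_ID,` and add `CAMPAIGN_ID` to the import line. The same leftover appears in the sighting section, where the parametrized dict keeps `"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"` although the assertion compares against `INDICATOR_ID`, and in the stix2.utils test section, where the `ObservedData` call keeps its `id` literal. These calls continue outside their hunks.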


@ -84,7 +84,7 @@ def test_note_with_required_properties():
{
"type": "note",
"spec_version": "2.1",
"id": "note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": NOTE_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"abstract": "Tracking Team Note#1",
@ -93,7 +93,7 @@ def test_note_with_required_properties():
"John Doe",
],
"object_refs": [
"campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
CAMPAIGN_ID,
],
"external_references": [
{


@ -6,7 +6,7 @@ import pytz
import stix2
from .constants import OBSERVED_DATA_ID
from .constants import IDENTITY_ID, OBSERVED_DATA_ID
OBJECTS_REGEX = re.compile('\"objects\": {(?:.*?)(?:(?:[^{]*?)|(?:{[^{]*?}))*}', re.DOTALL)
@ -15,7 +15,7 @@ EXPECTED = """{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
@ -32,8 +32,8 @@ EXPECTED = """{
def test_observed_data_example():
observed_data = stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -54,7 +54,7 @@ EXPECTED_WITH_REF = """{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
@ -78,8 +78,8 @@ EXPECTED_WITH_REF = """{
def test_observed_data_example_with_refs():
observed_data = stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -104,8 +104,8 @@ def test_observed_data_example_with_refs():
def test_observed_data_example_with_bad_refs():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -132,8 +132,8 @@ def test_observed_data_example_with_bad_refs():
def test_observed_data_example_with_non_dictionary():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -150,8 +150,8 @@ def test_observed_data_example_with_non_dictionary():
def test_observed_data_example_with_empty_dictionary():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",
@ -171,9 +171,9 @@ def test_observed_data_example_with_empty_dictionary():
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"id": OBSERVED_DATA_ID,
"created": "2016-04-06T19:58:16.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"first_observed": "2015-12-21T19:00:00Z",
"last_observed": "2015-12-21T19:00:00Z",
"modified": "2016-04-06T19:58:16.000Z",
@ -197,7 +197,7 @@ def test_parse_observed_data(data):
assert odata.modified == dt.datetime(2016, 4, 6, 19, 58, 16, tzinfo=pytz.utc)
assert odata.first_observed == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
assert odata.last_observed == dt.datetime(2015, 12, 21, 19, 0, 0, tzinfo=pytz.utc)
assert odata.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert odata.created_by_ref == IDENTITY_ID
assert odata.objects["0"].type == "file"
@ -537,7 +537,7 @@ def test_parse_basic_tcp_traffic_with_error(data):
EXPECTED_PROCESS_OD = """{
"created": "2016-04-06T19:58:16.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"first_observed": "2015-12-21T19:00:00Z",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"last_observed": "2015-12-21T19:00:00Z",
@ -565,8 +565,8 @@ EXPECTED_PROCESS_OD = """{
def test_observed_data_with_process_example():
observed_data = stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=OBSERVED_DATA_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",


@ -66,7 +66,7 @@ def test_opinion_with_required_properties():
{
"type": "opinion",
"spec_version": "2.1",
"id": "opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7",
"id": OPINION_ID,
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"explanation": EXPLANATION,


@ -2,13 +2,15 @@ import pickle
import stix2
from .constants import IDENTITY_ID
def test_pickling():
"""
Ensure a pickle/unpickle cycle works okay.
"""
identity = stix2.v21.Identity(
id="identity--d66cb89d-5228-4983-958c-fa84ef75c88c",
id=IDENTITY_ID,
name="alice",
description="this is a pickle test",
identity_class="some_class",
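Review bot: The docstring of `test_pickling` says only that a pickle/unpickle cycle works, and it would help to state the trust assumption behind it. The test round-trips an object it built itself, and unpickling is only safe for data from a trusted source. A wording such as `"""Ensure a pickle/unpickle cycle works for a locally built object; STIX content from outside should be read with stix2.parse, not unpickled."""` makes that explicit. The body of `test_pickling` continues outside the hunk, so the round-trip assertions are not visible here.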


@ -162,11 +162,11 @@ def test_create_relationship_with_positional_args(indicator, malware):
EXPECTED_RELATIONSHIP,
{
"created": "2016-04-06T20:06:37Z",
"id": "relationship--df7c87eb-75d2-4948-af81-9d49d246f301",
"id": RELATIONSHIP_ID,
"modified": "2016-04-06T20:06:37Z",
"relationship_type": "indicates",
"source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"source_ref": INDICATOR_ID,
"target_ref": MALWARE_ID,
"spec_version": "2.1",
"type": "relationship",
},
@ -181,19 +181,19 @@ def test_parse_relationship(data):
assert rel.created == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert rel.modified == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert rel.relationship_type == "indicates"
assert rel.source_ref == "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"
assert rel.target_ref == "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e"
assert rel.source_ref == INDICATOR_ID
assert rel.target_ref == MALWARE_ID
@pytest.mark.parametrize(
"data", [
{
"created": "2016-04-06T20:06:37Z",
"id": "relationship--df7c87eb-75d2-4948-af81-9d49d246f301",
"id": RELATIONSHIP_ID,
"modified": "2016-04-06T20:06:37Z",
"relationship_type": "indicates",
"source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
"source_ref": INDICATOR_ID,
"target_ref": MALWARE_ID,
"start_time": "2018-04-06T20:06:37Z",
"stop_time": "2016-04-06T20:06:37Z",
"spec_version": "2.1",


@ -5,13 +5,16 @@ import pytz
import stix2
from .constants import INDICATOR_KWARGS, REPORT_ID
from .constants import (
CAMPAIGN_ID, IDENTITY_ID, INDICATOR_ID, INDICATOR_KWARGS, RELATIONSHIP_ID,
REPORT_ID,
)
EXPECTED = """{
"type": "report",
"spec_version": "2.1",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2015-12-21T19:59:11.000Z",
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
@ -21,17 +24,17 @@ EXPECTED = """{
],
"published": "2016-01-20T17:00:00Z",
"object_refs": [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
"indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"relationship--df7c87eb-75d2-4948-af81-9d49d246f301"
]
}"""
def test_report_example():
report = stix2.v21.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -39,9 +42,9 @@ def test_report_example():
published="2016-01-20T17:00:00Z",
report_types=["campaign"],
object_refs=[
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
)
@ -50,8 +53,8 @@ def test_report_example():
def test_report_example_objects_in_object_refs():
report = stix2.v21.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -59,9 +62,9 @@ def test_report_example_objects_in_object_refs():
published="2016-01-20T17:00:00Z",
report_types=["campaign"],
object_refs=[
stix2.v21.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
stix2.v21.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS),
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
)
@ -71,8 +74,8 @@ def test_report_example_objects_in_object_refs():
def test_report_example_objects_in_object_refs_with_bad_id():
with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
stix2.v21.Report(
id="report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
created_by_ref="identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
id=REPORT_ID,
created_by_ref=IDENTITY_ID,
created="2015-12-21T19:59:11.000Z",
modified="2015-12-21T19:59:11.000Z",
name="The Black Vine Cyberespionage Group",
@ -80,9 +83,9 @@ def test_report_example_objects_in_object_refs_with_bad_id():
published="2016-01-20T17:00:00Z",
report_types=["campaign"],
object_refs=[
stix2.v21.Indicator(id="indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2", **INDICATOR_KWARGS),
stix2.v21.Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS),
"campaign-83422c77-904c-4dc1-aff5-5c38f3a2c55c", # the "bad" id, missing a "-"
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
RELATIONSHIP_ID,
],
)
@ -97,18 +100,18 @@ def test_report_example_objects_in_object_refs_with_bad_id():
EXPECTED,
{
"created": "2015-12-21T19:59:11.000Z",
"created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
"created_by_ref": IDENTITY_ID,
"description": "A simple report with an indicator and campaign",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"id": REPORT_ID,
"report_types": [
"campaign",
],
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"object_refs": [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
],
"published": "2016-01-20T17:00:00Z",
"spec_version": "2.1",
@ -124,11 +127,11 @@ def test_parse_report(data):
assert rept.id == REPORT_ID
assert rept.created == dt.datetime(2015, 12, 21, 19, 59, 11, tzinfo=pytz.utc)
assert rept.modified == dt.datetime(2015, 12, 21, 19, 59, 11, tzinfo=pytz.utc)
assert rept.created_by_ref == "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
assert rept.created_by_ref == IDENTITY_ID
assert rept.object_refs == [
"indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
"campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
INDICATOR_ID,
CAMPAIGN_ID,
RELATIONSHIP_ID,
]
assert rept.description == "A simple report with an indicator and campaign"
assert rept.report_types == ["campaign"]


@ -5,7 +5,7 @@ import pytz
import stix2
from .constants import INDICATOR_ID, SIGHTING_ID, SIGHTING_KWARGS
from .constants import IDENTITY_ID, INDICATOR_ID, SIGHTING_ID, SIGHTING_KWARGS
EXPECTED_SIGHTING = """{
"type": "sighting",
@ -15,7 +15,7 @@ EXPECTED_SIGHTING = """{
"modified": "2016-04-06T20:06:37.000Z",
"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"where_sighted_refs": [
"identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"
"identity--311b2d2d-f010-4473-83ec-1edf84858f4c"
]
}"""
@ -41,7 +41,7 @@ def test_sighting_all_required_properties():
created=now,
modified=now,
sighting_of_ref=INDICATOR_ID,
where_sighted_refs=["identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"],
where_sighted_refs=[IDENTITY_ID],
)
assert str(s) == EXPECTED_SIGHTING
@ -96,13 +96,13 @@ def test_create_sighting_from_objects_rather_than_ids(malware): # noqa: F811
EXPECTED_SIGHTING,
{
"created": "2016-04-06T20:06:37Z",
"id": "sighting--bfbc19db-ec35-4e45-beed-f8bde2a772fb",
"id": SIGHTING_ID,
"modified": "2016-04-06T20:06:37Z",
"sighting_of_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
"spec_version": "2.1",
"type": "sighting",
"where_sighted_refs": [
"identity--8cc7afd6-5455-4d2b-a736-e614ee631d99",
IDENTITY_ID,
],
},
],
@ -115,5 +115,5 @@ def test_parse_sighting(data):
assert sighting.id == SIGHTING_ID
assert sighting.created == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert sighting.modified == dt.datetime(2016, 4, 6, 20, 6, 37, tzinfo=pytz.utc)
assert sighting.sighting_of_ref == "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7"
assert sighting.where_sighted_refs == ["identity--8cc7afd6-5455-4d2b-a736-e614ee631d99"]
assert sighting.sighting_of_ref == INDICATOR_ID
assert sighting.where_sighted_refs == [IDENTITY_ID]


@ -5,13 +5,13 @@ import pytz
import stix2
from .constants import THREAT_ACTOR_ID
from .constants import IDENTITY_ID, THREAT_ACTOR_ID
EXPECTED = """{
"type": "threat-actor",
"spec_version": "2.1",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Evil Org",
@ -24,8 +24,8 @@ EXPECTED = """{
def test_threat_actor_example():
threat_actor = stix2.v21.ThreatActor(
id="threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=THREAT_ACTOR_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="Evil Org",
@ -41,9 +41,9 @@ def test_threat_actor_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": IDENTITY_ID,
"description": "The Evil Org threat actor group",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": THREAT_ACTOR_ID,
"threat_actor_types": [
"crime-syndicate",
],
@ -62,7 +62,7 @@ def test_parse_threat_actor(data):
assert actor.id == THREAT_ACTOR_ID
assert actor.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert actor.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert actor.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert actor.created_by_ref == IDENTITY_ID
assert actor.description == "The Evil Org threat actor group"
assert actor.name == "Evil Org"
assert actor.threat_actor_types == ["crime-syndicate"]


@ -5,13 +5,13 @@ import pytz
import stix2
from .constants import TOOL_ID
from .constants import IDENTITY_ID, TOOL_ID
EXPECTED = """{
"type": "tool",
"spec_version": "2.1",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "VNC",
@ -24,7 +24,7 @@ EXPECTED_WITH_REVOKED = """{
"type": "tool",
"spec_version": "2.1",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "VNC",
@ -37,8 +37,8 @@ EXPECTED_WITH_REVOKED = """{
def test_tool_example():
tool = stix2.v21.Tool(
id="tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=TOOL_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="VNC",
@ -53,8 +53,8 @@ def test_tool_example():
EXPECTED,
{
"created": "2016-04-06T20:03:48Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": IDENTITY_ID,
"id": TOOL_ID,
"tool_types": [
"remote-access",
],
@ -73,7 +73,7 @@ def test_parse_tool(data):
assert tool.id == TOOL_ID
assert tool.created == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert tool.modified == dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)
assert tool.created_by_ref == "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
assert tool.created_by_ref == IDENTITY_ID
assert tool.tool_types == ["remote-access"]
assert tool.name == "VNC"
@ -86,8 +86,8 @@ def test_tool_no_workbench_wrappers():
def test_tool_serialize_with_defaults():
tool = stix2.v21.Tool(
id="tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
id=TOOL_ID,
created_by_ref=IDENTITY_ID,
created="2016-04-06T20:03:48.000Z",
modified="2016-04-06T20:03:48.000Z",
name="VNC",


@ -8,6 +8,8 @@ import pytz
import stix2.utils
from .constants import IDENTITY_ID
amsterdam = pytz.timezone('Europe/Amsterdam')
eastern = pytz.timezone('US/Eastern')
@ -123,7 +125,7 @@ def test_deduplicate(stix_objs1):
(
stix2.v21.ObservedData(
id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
created_by_ref=IDENTITY_ID,
created="2016-04-06T19:58:16.000Z",
modified="2016-04-06T19:58:16.000Z",
first_observed="2015-12-21T19:00:00Z",


@ -25,7 +25,7 @@ EXPECTED = """{
def test_vulnerability_example():
vulnerability = stix2.v21.Vulnerability(
id="vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
id=VULNERABILITY_ID,
created="2016-05-12T08:17:27.000Z",
modified="2016-05-12T08:17:27.000Z",
name="CVE-2016-1234",
@ -51,7 +51,7 @@ def test_vulnerability_example():
"source_name": "cve",
},
],
"id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"id": VULNERABILITY_ID,
"modified": "2016-05-12T08:17:27Z",
"name": "CVE-2016-1234",
"spec_version": "2.1",