From 5c92db9861a9266a447b1a5199a7256dede22536 Mon Sep 17 00:00:00 2001
From: Michael Chisholm
Date: Wed, 26 Jun 2019 17:06:26 -0400
Subject: [PATCH] Add stix2.1 malware-analysis SDO
---
 stix2/v21/__init__.py | 5 +++--
 stix2/v21/sdo.py | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/stix2/v21/__init__.py b/stix2/v21/__init__.py
index 4a8fe29..f0131d1 100644
--- a/stix2/v21/__init__.py
+++ b/stix2/v21/__init__.py
@@ -21,8 +21,8 @@ from .observables import (
 )
 from .sdo import (
     AttackPattern, Campaign, CourseOfAction, CustomObject, Identity, Indicator,
-    IntrusionSet, Location, Malware, Note, ObservedData, Opinion, Report,
-    ThreatActor, Tool, Vulnerability,
+    IntrusionSet, Location, Malware, MalwareAnalysis, Note, ObservedData,
+    Opinion, Report, ThreatActor, Tool, Vulnerability,
 )
 from .sro import Relationship, Sighting
@@ -37,6 +37,7 @@ OBJ_MAP = {
     'language-content': LanguageContent,
     'location': Location,
     'malware': Malware,
+    'malware-analysis': MalwareAnalysis,
     'note': Note,
     'marking-definition': MarkingDefinition,
     'observed-data': ObservedData,
diff --git a/stix2/v21/sdo.py b/stix2/v21/sdo.py
index ffdc5e1..526c982 100644
--- a/stix2/v21/sdo.py
+++ b/stix2/v21/sdo.py
@@ -304,6 +304,49 @@ class Malware(STIXDomainObject):
     ])
+class MalwareAnalysis(STIXDomainObject):
+    # TODO: Add link
+    """For more detailed information on this object's properties, see
+    `the STIX 2.1 specification `__.
+    """
+
+    _type = 'malware-analysis'
+    _properties = OrderedDict([
+        ('type', TypeProperty(_type)),
+        ('spec_version', StringProperty(fixed='2.1')),
+        ('id', IDProperty(_type, spec_version='2.1')),
+        ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+        ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+        ('created_by_ref', ReferenceProperty(type='identity', spec_version='2.1')),
+        ('revoked', BooleanProperty(default=lambda: False)),
+        ('labels', ListProperty(StringProperty)),
+        ('confidence', IntegerProperty()),
+        ('lang', StringProperty()),
+        ('external_references', ListProperty(ExternalReference)),
+        ('object_marking_refs', ListProperty(ReferenceProperty(type='marking-definition', spec_version='2.1'))),
+        ('granular_markings', ListProperty(GranularMarking)),
+        ('product', StringProperty(required=True)),
+        ('version', StringProperty()),
+        ('host_vm_ref', ReferenceProperty(type='software', spec_version='2.1')),
+        ('operating_system_ref', ReferenceProperty(type='software', spec_version='2.1')),
+        ('installed_software_refs', ListProperty(ReferenceProperty(type='software', spec_version='2.1'))),
+        ('configuration_version', StringProperty()),
+        ('module', StringProperty()),
+        ('analysis_engine_version', StringProperty()),
+        ('analysis_definition_version', StringProperty()),
+        ('submitted', TimestampProperty()),
+        ('analysis_started', TimestampProperty()),
+        ('analysis_ended', TimestampProperty()),
+        ('av_result', StringProperty()),
+        ('analysis_sco_refs', ListProperty(ReferenceProperty(spec_version='2.1'))),
+    ])
+
+    def _check_object_constraints(self):
+        super(MalwareAnalysis, self)._check_object_constraints()
+
+        self._check_at_least_one_property(["av_result", "analysis_sco_refs"])
+
+
 class Note(STIXDomainObject):
     # TODO: Add link
     """For more detailed information on this object's properties, see
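Review bot: `analysis_sco_refs` is declared as `ListProperty(ReferenceProperty(spec_version='2.1'))` with no object-type constraint, so any well-formed STIX identifier — an SDO, a relationship or a marking-definition id — is accepted where the property is meant to carry observable references only, while the neighbouring `host_vm_ref`, `operating_system_ref` and `installed_software_refs` are all pinned to `software`. If `ReferenceProperty` in this version cannot express "any SCO type", the gap can be closed in `_check_object_constraints` by rejecting entries whose id prefix is not one of the registered observable types, so that a malformed or hostile feed cannot smuggle non-observable references into analysis results. The same method checks only that one of `av_result`/`analysis_sco_refs` is present; `analysis_started` and `analysis_ended` are left unordered, and a constraint that `analysis_ended` is not earlier than `analysis_started` would catch a common data-entry error at validation time rather than downstream. The docstring link marked `# TODO: Add link` is still empty, so the class currently documents nothing about the meaning of `av_result` or the `product` requirement for a reader of this file.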