tessl/pypi-stix2

Produce and consume STIX 2 JSON content for cyber threat intelligence

Workspace: tessl
Visibility: Public
Describes: pkg:pypi/stix2@3.0.x

To install, run

npx @tessl/cli install tessl/pypi-stix2@3.0.0


STIX2

Python APIs for serializing and de-serializing STIX 2 JSON content, along with higher-level APIs for common tasks including data markings, versioning, and resolving STIX IDs across multiple data sources. STIX (Structured Threat Information Expression) is a standardized language for cyber threat intelligence enabling organizations to share, store, and analyze cyber threat information in a consistent manner.

Package Information

  • Package Name: stix2
  • Language: Python
  • Installation: pip install stix2
  • Requirements: Python 3.6+
  • Documentation: https://stix2.readthedocs.io/

Core Imports

import stix2

Common imports for specific functionality:

from stix2 import parse, Indicator, Malware, AttackPattern
from stix2 import FileSystemStore, MemoryStore
from stix2 import add_markings, get_markings

Basic Usage

Creating STIX Objects

from stix2 import Indicator, Malware, AttackPattern

# Create an indicator
indicator = Indicator(
    name="File hash for malware variant",
    indicator_types=["malicious-activity"],
    pattern_type="stix",
    pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']"
)

# Create a malware object (STIX 2.1 requires is_family: True for a family,
# False for a single instance)
malware = Malware(
    name="Poison Ivy",
    is_family=False,
    malware_types=["remote-access-trojan"]
)

# Create an attack pattern
attack_pattern = AttackPattern(
    name="Spear Phishing",
    external_references=[
        {
            "source_name": "mitre-attack",
            "external_id": "T1566.001"
        }
    ]
)

Parsing and Serializing STIX Content

from stix2 import parse

# Parse STIX JSON into Python objects
stix_json = '''
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--01234567-89ab-cdef-0123-456789abcdef",
    "created": "2018-04-23T18:07:56.000Z",
    "modified": "2018-04-23T18:07:56.000Z",
    "name": "File hash for malware variant",
    "indicator_types": ["malicious-activity"],
    "pattern_type": "stix",
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']"
}
'''

indicator = parse(stix_json)
print(indicator.name)  # "File hash for malware variant"

# Serialize STIX object to JSON
json_output = indicator.serialize(pretty=True)

Data Storage and Retrieval

from stix2 import MemoryStore, FileSystemStore, Indicator, Filter

# Create in-memory data store
memory_store = MemoryStore()

# Add objects to store
indicator = Indicator(
    name="Example Indicator",
    indicator_types=["malicious-activity"],
    pattern_type="stix",
    pattern="[file:hashes.md5 = 'abc123']"
)
memory_store.add(indicator)

# Query objects: Filter(property, operator, value); query() returns a list of matches
results = memory_store.query([Filter('type', '=', 'indicator')])

# File system store (the directory must already exist)
fs_store = FileSystemStore("/path/to/stix/data")
fs_store.add(indicator)

Architecture

The STIX2 library is organized around several key concepts:

  • STIX Domain Objects (SDOs): Core cyber threat intelligence objects like Indicator, Malware, AttackPattern, ThreatActor
  • STIX Relationship Objects (SROs): Relationship and Sighting objects that connect SDOs
  • STIX Cyber Observable Objects (SCOs): Observable cyber artifacts like File, IPv4Address, DomainName
  • Data Stores: Pluggable backends for storing and retrieving STIX objects (Memory, FileSystem, TAXII)
  • Environment: Configurable context for object creation and parsing
  • Markings: Data marking and classification system for access control

Capabilities

STIX Object Creation and Parsing

Core functionality for creating STIX objects from scratch and parsing existing STIX JSON content into Python objects. Supports all STIX 2.0 and 2.1 specification objects including validation and automatic property generation.

def parse(data, allow_custom=False, version=None):
    """Parse STIX JSON data into Python objects."""

def parse_observable(data, _valid_refs=None, allow_custom=False, version=None):
    """Parse STIX Cyber Observable Objects."""

Object Creation and Parsing

STIX Domain Objects (SDOs)

STIX Domain Objects represent higher-level cyber threat intelligence concepts including threat actors, attack patterns, malware, indicators, campaigns, and other strategic threat intelligence.

class AttackPattern: ...
class Campaign: ...
class CourseOfAction: ...
class Identity: ...
class Indicator: ...
class IntrusionSet: ...
class Malware: ...
class ObservedData: ...
class Report: ...
class ThreatActor: ...
class Tool: ...
class Vulnerability: ...

STIX Domain Objects

STIX Cyber Observable Objects (SCOs)

STIX Cyber Observable Objects represent observable cyber artifacts such as files, network addresses, processes, registry keys, and other technical indicators that can be observed in cyber operations.

class File: ...
class IPv4Address: ...
class IPv6Address: ...
class DomainName: ...
class URL: ...
class EmailAddress: ...
class NetworkTraffic: ...
class Process: ...
class Software: ...
class UserAccount: ...

STIX Cyber Observable Objects

Data Storage and Retrieval

Flexible data store backends for persisting and querying STIX objects including in-memory storage, file system storage, and TAXII server integration with comprehensive filtering and search capabilities.

class MemoryStore: ...
class FileSystemStore: ...
class TAXIICollectionStore: ...
class CompositeDataSource: ...
class Filter: ...

Data Storage

Object Relationships and Links

STIX Relationship Objects and utilities for creating and managing connections between STIX objects, including relationships, sightings, and reference resolution across multiple data sources.

class Relationship: ...
class Sighting: ...

Relationships

Data Markings and Access Control

Comprehensive data marking system for applying access control, handling restrictions, and managing classification levels on STIX objects using both object-level and granular markings.

def add_markings(obj, marking, selectors=None): ...
def clear_markings(obj, selectors=None, marking_ref=True, lang=True): ...
def get_markings(obj, selectors=None, inherited=False, descendants=False, marking_ref=True, lang=True): ...
def is_marked(obj, marking=None, selectors=None, inherited=False, descendants=False): ...
def remove_markings(obj, marking, selectors=None): ...
def set_markings(obj, marking, selectors=None, marking_ref=True, lang=True): ...

Data Markings

Object Versioning and Evolution

Version management system for creating new versions of STIX objects, tracking changes over time, and handling object revocation with proper timestamp and identifier management.

def new_version(stix_obj, **kwargs): ...
def revoke(stix_obj): ...

Versioning

Pattern Matching and Expressions

Comprehensive pattern expression system for STIX indicator patterns including observation expressions, boolean logic, comparison operations, and temporal qualifiers for complex threat detection rules.

class ObservationExpression: ...
class AndBooleanExpression: ...
class OrBooleanExpression: ...
class EqualityComparisonExpression: ...
class ObjectPath: ...

Pattern Matching

Utilities and Type Checking

Utility functions for working with STIX objects including type checking, timestamp handling, object deduplication, confidence scale conversions, and specification version detection.

def is_sdo(value, stix_version="2.1"): ...
def is_sco(value, stix_version="2.1"): ...
def is_sro(value, stix_version="2.1"): ...
def get_timestamp(): ...
def deduplicate(stix_obj_list): ...
def none_low_med_high_to_value(scale_value): ...
def value_to_none_low_medium_high(confidence_value): ...

Utilities

STIX Equivalence and Similarity

Semantic equivalence and similarity algorithms for STIX objects, graphs, and patterns implementing the STIX Semantic Equivalence Committee Note specifications for intelligent content comparison.

def object_equivalence(obj1, obj2, threshold=70, **kwargs): ...
def object_similarity(obj1, obj2, **kwargs): ...
def graph_equivalence(ds1, ds2, threshold=70, **kwargs): ...
def graph_similarity(ds1, ds2, **kwargs): ...
def equivalent_patterns(pattern1, pattern2, stix_version="2.1"): ...

STIX Equivalence