Produce and consume STIX 2 JSON content for cyber threat intelligence
STIX Cyber Observable Objects represent observable cyber artifacts such as files, network addresses, processes, registry keys, and other technical indicators that can be observed in cyber operations. These objects capture the technical details of cyber activities and form the foundation for technical threat intelligence.
Objects representing files, directories, and file system artifacts.
```python
class File:
    """
    File objects represent properties of files.
    Optional Properties:
    - hashes (dict): Cryptographic hashes of the file
    - size (int): Size of the file in bytes
    - name (str): Name of the file
    - name_enc (str): Character encoding of the name
    - magic_number_hex (str): Magic number in hexadecimal
    - mime_type (str): MIME type of the file
    - ctime (timestamp): Creation time
    - mtime (timestamp): Modification time
    - atime (timestamp): Access time
    - parent_directory_ref (str): Reference to parent directory
    - contains_refs (list): References to contained objects
    - content_ref (str): Reference to file content artifact
    - extensions (dict): File extensions
    """


class Directory:
    """
    Directory objects represent properties of file system directories.
    Required Properties:
    - path (str): Path of the directory
    Optional Properties:
    - path_enc (str): Character encoding of the path
    - ctime (timestamp): Creation time
    - mtime (timestamp): Modification time
    - atime (timestamp): Access time
    - contains_refs (list): References to contained objects
    """


class Artifact:
    """
    Artifact objects represent collections of bytes or payloads.
    Optional Properties:
    - mime_type (str): MIME type of the artifact
    - payload_bin (str): Base64-encoded payload
    - url (str): URL to download the payload
    - hashes (dict): Cryptographic hashes
    - encryption_algorithm (str): Encryption algorithm used
    - decryption_key (str): Key for decryption
    """
```

Usage examples:

```python
from stix2 import File, Directory, Artifact

# Create file object (the hashes below are those of an empty file;
# STIX 2.1 requires at least one of hashes or name)
file_obj = File(
    hashes={
        "MD5": "d41d8cd98f00b204e9800998ecf8427e",
        "SHA-1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "SHA-256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    },
    size=0,
    name="empty.txt",
    mime_type="text/plain"
)

# Create directory object
directory = Directory(
    path="/home/user/documents",
    ctime="2021-04-23T10:30:00.000Z",
    mtime="2021-04-23T11:15:00.000Z"
)

# Create artifact object: url and payload_bin are mutually exclusive,
# and a url must be accompanied by hashes of the payload it points to
artifact = Artifact(
    mime_type="application/pdf",
    hashes={
        # constructed sample digest, 64 hex digits as SHA-256 requires
        "SHA-256": "b5b2bc5a6e4c7e5a8c6b9a0f3e2d1c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4e3d2c"
    },
    url="https://example.com/document.pdf"
)
```

Objects representing network addresses, traffic, and communications.
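An added example, not from the page or the stix2 library, showing where the `.id` values used as references above (and by the address objects that follow) come from: STIX 2.1 gives SCOs a UUIDv5 over the canonical JSON of their id-contributing properties under the OASIS namespace, and a random UUIDv4 for types with no contributing properties. The bundle id and sample values are constructed; the `file_in_directory_bundle` helper is hypothetical.

```python
import json
import uuid

# Namespace fixed by the STIX 2.1 specification for deterministic SCO ids.
SCO_DET_ID_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# ID-contributing properties (STIX 2.1) for the object types used here.
ID_CONTRIBUTING = {
    "file": ["hashes", "name", "extensions", "parent_directory_ref"],
    "directory": ["path"],
    "ipv4-addr": ["value"],
    "domain-name": ["value"],
    "process": [],  # nothing contributes: process ids are random UUIDv4
}
# When hashes contribute, only the first algorithm found in this order is used.
HASH_PREFERENCE = ["MD5", "SHA-1", "SHA-256", "SHA-512"]


def sco_id(obj_type, props):
    """Compute the STIX 2.1 identifier for an SCO from its property dict."""
    contributing = ID_CONTRIBUTING[obj_type]
    chosen = {p: props[p] for p in contributing if p in props and p != "hashes"}
    if "hashes" in contributing and "hashes" in props:
        first = next((a for a in HASH_PREFERENCE if a in props["hashes"]), None)
        if first:
            chosen["hashes"] = {first: props["hashes"][first]}
    if not chosen:
        return f"{obj_type}--{uuid.uuid4()}"
    # RFC 8785 canonical JSON; for the strings and integers used here that is
    # exactly sorted keys with no whitespace, so json.dumps is sufficient.
    data = json.dumps(chosen, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{obj_type}--{uuid.uuid5(SCO_DET_ID_NAMESPACE, data)}"


def make_sco(obj_type, **props):
    """Build the JSON-ready dict for one SCO with its id computed from props."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": sco_id(obj_type, props)}
    obj.update(props)
    return obj


def file_in_directory_bundle():
    """Constructed bundle: the page's empty file placed inside its directory."""
    directory = make_sco("directory", path="/home/user/documents")
    empty = make_sco("file", name="empty.txt", size=0,
                     hashes={"MD5": "d41d8cd98f00b204e9800998ecf8427e"},
                     parent_directory_ref=directory["id"])
    directory["contains_refs"] = [empty["id"]]  # contains_refs does not feed the id
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [directory, empty]}
```

Because the MD5 digest is the one that contributes, a consumer that later adds a SHA-256 to the same file object keeps the same id, while a record carrying only the SHA-256 gets a different one.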
```python
class IPv4Address:
    """
    IPv4 address objects represent IPv4 addresses.
    Required Properties:
    - value (str): IPv4 address value
    Optional Properties:
    - resolves_to_refs (list): References to resolved MAC addresses
    - belongs_to_refs (list): References to AS objects
    """


class IPv6Address:
    """
    IPv6 address objects represent IPv6 addresses.
    Required Properties:
    - value (str): IPv6 address value
    Optional Properties:
    - resolves_to_refs (list): References to resolved MAC addresses
    - belongs_to_refs (list): References to AS objects
    """


class DomainName:
    """
    Domain name objects represent domain names.
    Required Properties:
    - value (str): Domain name value
    Optional Properties:
    - resolves_to_refs (list): References to resolved IP addresses
    """


class URL:
    """
    URL objects represent Uniform Resource Locators.
    Required Properties:
    - value (str): URL value
    """


class MACAddress:
    """
    MAC address objects represent Media Access Control addresses.
    Required Properties:
    - value (str): MAC address value
    """


class NetworkTraffic:
    """
    Network traffic objects represent network connections and traffic.
    Required Properties:
    - protocols (list): Network protocols used
    Optional Properties:
    - start (timestamp): Start time of traffic
    - end (timestamp): End time of traffic
    - is_active (bool): Whether traffic is active
    - src_ref (str): Reference to source address
    - dst_ref (str): Reference to destination address
    - src_port (int): Source port number
    - dst_port (int): Destination port number
    - src_byte_count (int): Source byte count
    - dst_byte_count (int): Destination byte count
    - src_packets (int): Source packet count
    - dst_packets (int): Destination packet count
    - ipfix (dict): IPFIX data
    - src_payload_ref (str): Reference to source payload
    - dst_payload_ref (str): Reference to destination payload
    - encapsulates_refs (list): References to encapsulated traffic
    - encapsulated_by_ref (str): Reference to encapsulating traffic
    - extensions (dict): Network traffic extensions
    """


class AutonomousSystem:
    """
    Autonomous System objects represent autonomous systems.
    Required Properties:
    - number (int): AS number
    Optional Properties:
    - name (str): AS name
    - rir (str): Regional Internet Registry
    """
```

Usage examples:

```python
from stix2 import IPv4Address, DomainName, NetworkTraffic, URL

# Create IP address
ip_addr = IPv4Address(value="192.168.1.1")

# Create domain name that resolves to IP
domain = DomainName(
    value="example.com",
    resolves_to_refs=[ip_addr.id]
)

# Create network traffic (at least one of src_ref or dst_ref must be present)
traffic = NetworkTraffic(
    protocols=["tcp", "http"],
    src_ref=ip_addr.id,
    src_port=54321,
    dst_port=80,
    start="2021-04-23T10:30:00.000Z"
)

# Create URL
url = URL(value="https://example.com/malicious-page")
```

Objects representing email addresses and email messages.
```python
class EmailAddress:
    """
    Email address objects represent email addresses.
    Required Properties:
    - value (str): Email address value
    Optional Properties:
    - display_name (str): Display name associated with address
    - belongs_to_ref (str): Reference to user account
    """


class EmailMessage:
    """
    Email message objects represent email messages.
    Required Properties:
    - is_multipart (bool): Whether message has multiple parts
      (body is only valid when False, body_multipart only when True)
    Optional Properties:
    - date (timestamp): Date header value
    - content_type (str): Content-Type header value
    - from_ref (str): Reference to sender email address
    - sender_ref (str): Reference to Sender header address
    - to_refs (list): References to To header addresses
    - cc_refs (list): References to CC header addresses
    - bcc_refs (list): References to BCC header addresses
    - message_id (str): Message-ID header value
    - subject (str): Subject header value
    - received_lines (list): Received header lines
    - additional_header_fields (dict): Additional header fields
    - body (str): Email body content
    - body_multipart (list): Multipart body components
    - raw_email_ref (str): Reference to raw email artifact
    """


class EmailMIMEComponent:
    """
    Email MIME component objects represent MIME parts of email messages.
    Optional Properties:
    - body (str): Body content of MIME part
    - body_raw_ref (str): Reference to raw body artifact
    - content_type (str): Content-Type of MIME part
    - content_disposition (str): Content-Disposition header
    """
```

Usage examples:

```python
from stix2 import EmailAddress, EmailMessage

# Create email addresses (display_name records the name shown to the recipient,
# which need not match the address)
sender = EmailAddress(
    value="attacker@malicious.com",
    display_name="Legitimate Company"
)
recipient = EmailAddress(value="victim@company.com")

# Create email message
email = EmailMessage(
    is_multipart=False,  # required; a single-part message may carry body
    from_ref=sender.id,
    to_refs=[recipient.id],
    subject="Urgent: Account Verification Required",
    date="2021-04-23T10:30:00.000Z",
    body="Click the link below to verify your account...",
    additional_header_fields={
        "X-Mailer": "Malicious Mailer 1.0"
    }
)
```

Objects representing running processes and installed software.
```python
class Process:
    """
    Process objects represent running processes.
    Optional Properties:
    - is_hidden (bool): Whether process is hidden
    - pid (int): Process identifier
    - created_time (timestamp): Process creation time
    - cwd (str): Current working directory
    - command_line (str): Command line used to launch
    - environment_variables (dict): Environment variables
    - opened_connection_refs (list): References to network connections
    - creator_user_ref (str): Reference to creator user account
    - image_ref (str): Reference to process image file (STIX 2.1 has no
      process name property; the image name lives on the referenced File)
    - parent_ref (str): Reference to parent process
    - child_refs (list): References to child processes
    - extensions (dict): Process extensions
    """


class Software:
    """
    Software objects represent software applications.
    Required Properties:
    - name (str): Software name
    Optional Properties:
    - cpe (str): Common Platform Enumeration identifier
    - swid (str): Software Identification tag
    - languages (list): Programming languages used
    - vendor (str): Software vendor
    - version (str): Software version
    """


class UserAccount:
    """
    User account objects represent user accounts.
    Required Properties:
    - user_id (str): User identifier
    Optional Properties:
    - credential (str): Account credential
    - account_login (str): Account login name
    - account_type (str): Type of account
    - display_name (str): Display name
    - is_service_account (bool): Whether it's a service account
    - is_privileged (bool): Whether account is privileged
    - can_escalate_privs (bool): Whether can escalate privileges
    - is_disabled (bool): Whether account is disabled
    - account_created (timestamp): Account creation time
    - account_expires (timestamp): Account expiration time
    - credential_last_changed (timestamp): Last credential change
    - account_first_login (timestamp): First login time
    - account_last_login (timestamp): Last login time
    - extensions (dict): User account extensions
    """
```

Usage examples:

```python
from stix2 import Process, Software, UserAccount

# Create process (STIX 2.1 Process has no name property; the executable
# name is carried by a File object referenced through image_ref)
process = Process(
    pid=1234,
    command_line="malware.exe -hidden -connect 192.168.1.100",
    created_time="2021-04-23T10:30:00.000Z",
    is_hidden=True
)

# Create software
software = Software(
    name="Microsoft Office",
    vendor="Microsoft Corporation",
    version="2019",
    cpe="cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
)

# Create user account
user_account = UserAccount(
    user_id="john.doe",
    account_login="jdoe",
    display_name="John Doe",
    is_privileged=False,
    account_type="windows-local"
)
```

Objects specific to Windows operating systems.
```python
class WindowsRegistryKey:
    """
    Windows registry key objects represent Windows registry keys.
    Required Properties:
    - key (str): Registry key name
    Optional Properties:
    - values (list): Registry key values
    - modified_time (timestamp): Last modification time
    - creator_user_ref (str): Reference to creator user
    - number_of_subkeys (int): Number of subkeys
    """


class WindowsRegistryValueType:
    """
    Windows registry value type objects represent registry value types.
    Required Properties:
    - name (str): Value name
    - data (str): Value data
    Optional Properties:
    - data_type (str): Data type (REG_SZ, REG_DWORD, etc.)
    """


class Mutex:
    """
    Mutex objects represent mutual exclusion objects.
    Required Properties:
    - name (str): Mutex name
    """
```

Objects representing X.509 digital certificates.
```python
class X509Certificate:
    """
    X.509 certificate objects represent X.509 digital certificates.
    Optional Properties:
    - is_self_signed (bool): Whether certificate is self-signed
    - hashes (dict): Cryptographic hashes of certificate
    - version (str): Certificate version
    - serial_number (str): Certificate serial number
    - signature_algorithm (str): Signature algorithm
    - issuer (str): Certificate issuer
    - validity_not_before (timestamp): Validity start time
    - validity_not_after (timestamp): Validity end time
    - subject (str): Certificate subject
    - subject_public_key_algorithm (str): Subject public key algorithm
    - subject_public_key_modulus (str): Subject public key modulus
    - subject_public_key_exponent (int): Subject public key exponent
    - x509_v3_extensions (dict): X.509 v3 extensions
    """


class X509V3ExtensionsType:
    """
    X.509 v3 extensions type for certificates.
    Optional Properties:
    - basic_constraints (str): Basic constraints extension
    - name_constraints (str): Name constraints extension
    - policy_constraints (str): Policy constraints extension
    - key_usage (str): Key usage extension
    - extended_key_usage (str): Extended key usage extension
    - subject_key_identifier (str): Subject key identifier
    - authority_key_identifier (str): Authority key identifier
    - subject_alternative_name (str): Subject alternative name
    - issuer_alternative_name (str): Issuer alternative name
    - subject_directory_attributes (str): Subject directory attributes
    - crl_distribution_points (str): CRL distribution points
    - inhibit_any_policy (int): Inhibit any policy
    - private_key_usage_period_not_before (timestamp): Private key usage start
    - private_key_usage_period_not_after (timestamp): Private key usage end
    - certificate_policies (str): Certificate policies
    - policy_mappings (str): Policy mappings
    """
```

STIX Cyber Observable Objects support extensions for additional properties:
```python
from stix2 import File, NTFSExt, WindowsPEBinaryExt

# File with NTFS extension (the digest is a well-formed 32-hex-digit placeholder,
# the MD5 of an empty file; short strings like "abc123" are rejected as hashes)
file_with_ntfs = File(
    name="system.exe",
    hashes={"MD5": "d41d8cd98f00b204e9800998ecf8427e"},
    extensions={
        "ntfs-ext": NTFSExt(
            alternate_data_streams=[
                {
                    "name": "Zone.Identifier",
                    "size": 26
                }
            ]
        )
    }
)

# File with Windows PE extension (SHA-256 placeholder is again the empty-file digest)
pe_file = File(
    name="malware.exe",
    hashes={"SHA-256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    extensions={
        "windows-pebinary-ext": WindowsPEBinaryExt(
            pe_type="exe",
            machine_hex="014c",
            number_of_sections=3
        )
    }
)
```

Create custom observable objects for specific needs:
```python
from stix2 import CustomObservable
from stix2.properties import StringProperty, IntegerProperty


# Define custom observable
@CustomObservable('x-custom-log-entry', [
    ('log_level', StringProperty(required=True)),
    ('message', StringProperty(required=True)),
    ('source_ip', StringProperty()),
    ('event_count', IntegerProperty()),
])
class CustomLogEntry:
    pass


# Create instance
log_entry = CustomLogEntry(
    log_level="ERROR",
    message="Authentication failed",
    source_ip="192.168.1.100",
    event_count=5
)
```

Install with Tessl CLI

```shell
npx tessl i tessl/pypi-stix2
```
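The consuming side of the page, as an added example that is not from the page or the stix2 project: a stdlib-only pass over a parsed bundle of the object types documented above that checks id/type agreement, that every `*_ref`/`*_refs` resolves inside the bundle to a target type STIX 2.1 allows for that property (a subset of the rules, covering the properties used on this page), and that digests under `hashes` have the right length. The bundle and its ids are constructed placeholders, and `check_bundle` is a hypothetical helper.

```python
import json
import re

# Allowed target types for reference properties of the object types above (STIX 2.1 subset).
ADDR = {"ipv4-addr", "ipv6-addr", "mac-addr", "domain-name"}
REF_TARGETS = {
    ("domain-name", "resolves_to_refs"): {"ipv4-addr", "ipv6-addr", "domain-name"},
    ("network-traffic", "src_ref"): ADDR,
    ("network-traffic", "dst_ref"): ADDR,
    ("file", "parent_directory_ref"): {"directory"},
    ("email-message", "from_ref"): {"email-addr"},
    ("email-message", "to_refs"): {"email-addr"},
    ("process", "image_ref"): {"file"},
}
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}


def check_bundle(bundle_json):
    """Return (object id, problem) findings for a STIX 2.1 bundle; an empty list means clean."""
    objects = {o["id"]: o for o in json.loads(bundle_json).get("objects", [])}
    findings = []
    for oid, obj in objects.items():
        if oid.split("--")[0] != obj.get("type"):
            findings.append((oid, "id prefix does not match type"))
        for prop, value in obj.items():
            if not prop.endswith(("_ref", "_refs")):
                continue
            for ref in (value if isinstance(value, list) else [value]):
                target = objects.get(ref)
                if target is None:  # dangling reference: the graph cannot be followed
                    findings.append((oid, f"{prop} -> {ref} is not in the bundle"))
                    continue
                allowed = REF_TARGETS.get((obj["type"], prop))
                if allowed and target["type"] not in allowed:
                    findings.append((oid, f"{prop} must not point at a {target['type']}"))
        for alg, digest in obj.get("hashes", {}).items():  # malformed digests never match anything
            need = HASH_HEX_LEN.get(alg)
            if need and not re.fullmatch("[0-9a-fA-F]{%d}" % need, str(digest)):
                findings.append((oid, f"{alg} hash is not {need} hex digits"))
    return findings


# Constructed sample bundle (not from the page) carrying three deliberate defects.
IP, DOM, FILE, NT = ("ipv4-addr--aaaa0001-0000-4000-8000-000000000001", "domain-name--aaaa0002-0000-4000-8000-000000000002",
                     "file--aaaa0004-0000-4000-8000-000000000004", "network-traffic--aaaa0003-0000-4000-8000-000000000003")
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--1b6e1b1a-0d26-4c9e-9c5b-7c3c2a1f0e01", "objects": [
    {"type": "ipv4-addr", "id": IP, "value": "192.168.1.1"},
    {"type": "file", "id": FILE, "name": "empty.txt", "hashes": {"MD5": "abc123"}},  # not 32 hex digits
    {"type": "domain-name", "id": DOM, "value": "example.com", "resolves_to_refs": [IP, FILE]},  # a file is not allowed
    {"type": "network-traffic", "id": NT, "protocols": ["tcp", "http"], "src_ref": DOM,
     "dst_ref": "ipv4-addr--aaaa0009-0000-4000-8000-000000000009"},  # dangling reference
]})
```

Running `check_bundle(SAMPLE_BUNDLE)` yields exactly the three planted findings; feeding a bundle through such a check before loading it into a store keeps unresolvable or mistyped relationships from silently disappearing in later pivots.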