class DateTimeWithPrecision(stix.Entity): _binding = common_binding _binding_class = _binding.DateTimeWithPrecisionType _namespace = 'http://stix.mitre.org/common-1' value = fields.DateTimeField("valueOf_", key_name="value") precision = fields.TypedField("precision", preset_hook=validate_precision) def __init__(self, value=None, precision='second'): super(DateTimeWithPrecision, self).__init__() self.value = value self.precision = precision def to_dict(self): if self.precision == 'second': return utils.dates.serialize_value(self.value) return super(DateTimeWithPrecision, self).to_dict() @classmethod def from_dict(cls, cls_dict): if not cls_dict: return None elif not isinstance(cls_dict, dict): obj = cls() obj.value = cls_dict else: obj = super(DateTimeWithPrecision, cls).from_dict(cls_dict) return obj
class Confidence(stix.Entity): _namespace = 'http://stix.mitre.org/common-1' _binding = common_binding _binding_class = common_binding.ConfidenceType value = VocabField("Value") descriptions = fields.TypedField("Description", StructuredTextList) timestamp = fields.DateTimeField("timestamp") timestamp_precision = fields.TypedField("timestamp_precision", preset_hook=validate_precision) source = fields.TypedField("Source", type_="stix.common.InformationSource") def __init__(self, value=None, timestamp=None, description=None, source=None): super(Confidence, self).__init__() self.timestamp = timestamp or utils.dates.now() self.timestamp_precision = "second" self.value = value self.description = StructuredTextList(description) self.source = source # TODO: support confidence_assertion_chain # self.confidence_assertion_chain = None @property def description(self): """A single description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ return next(iter(self.descriptions), None) @description.setter def description(self, value): from stix.common.structured_text import StructuredTextList if value is None: self.descriptions = StructuredTextList() else: self.descriptions = StructuredTextList(value) def add_description(self, description): """Adds a description to the ``descriptions`` collection. This is the same as calling "foo.descriptions.add(bar)". """ self.descriptions.add(description)
class Sighting(stix.Entity): _namespace = "http://stix.mitre.org/Indicator-2" _binding = indicator_binding _binding_class = _binding.SightingType timestamp = fields.DateTimeField("timestamp") timestamp_precision = fields.TypedField("timestamp_precision", preset_hook=validate_precision) descriptions = fields.TypedField("Description", StructuredTextList) source = fields.TypedField("Source", InformationSource) reference = fields.TypedField("Reference") confidence = fields.TypedField("Confidence", Confidence) related_observables = fields.TypedField( "Related_Observables", type_="stix.indicator.sightings.RelatedObservables") def __init__(self, timestamp=None, timestamp_precision=None, description=None): super(Sighting, self).__init__() self.timestamp = timestamp or utils.dates.now() self.timestamp_precision = timestamp_precision self.descriptions = description self.source = None self.reference = None self.confidence = None @property def description(self): """A single description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ return next(iter(self.descriptions or []), None) @description.setter def description(self, value): self.descriptions = StructuredTextList(value) def add_description(self, description): """Adds a description to the ``descriptions`` collection. This is the same as calling "foo.descriptions.add(bar)". """ self.descriptions.add(description)
class JournalEntry(stix.Entity): _namespace = "http://stix.mitre.org/Incident-1" _binding = incident_binding _binding_class = incident_binding.JournalEntryType value = fields.TypedField("valueOf_", key_name="value") author = fields.TypedField("author") time = fields.DateTimeField("time") time_precision = fields.TypedField("time_precision", preset_hook=validate_precision) def __init__(self, value=None): super(JournalEntry, self).__init__() self.value = value self.time_precision = 'second'
class CampaignRef(stix.Entity): _namespace = "http://stix.mitre.org/common-1" _binding = common_binding _binding_class = common_binding.CampaignReferenceType idref = fields.TypedField("idref") timestamp = fields.DateTimeField("timestamp") names = fields.TypedField("Names", Names) def __init__(self, idref=None, timestamp=None): super(CampaignRef, self).__init__() self.idref = idref self.timestamp = timestamp def add_name(self, name): self.names.append(name)
class DateTimeWithPrecision(entities.Entity): _binding = common_binding _binding_class = common_binding.DateTimeWithPrecisionType _namespace = 'http://cybox.mitre.org/common-2' value = fields.DateTimeField("valueOf_", key_name="value") precision = fields.TypedField("precision", preset_hook=validate_datetime_precision) def __init__(self, value=None, precision='second'): super(DateTimeWithPrecision, self).__init__() self.value = value self.precision = precision def to_dict(self): if self.precision == 'second': return dates.serialize_datetime(self.value) return super(DateTimeWithPrecision, self).to_dict()
class ISAMarkings(dm.MarkingStructure): _binding = isa_markings _binding_class = _binding.ISAMarkingsType _namespace = 'http://www.us-cert.gov/sites/default/files/STIX_Namespace/ISAMarkingsType.v2.xsd' _XSI_TYPE = 'isam-v2:ISAMarkingsType' isam_version = fields.TypedField("isam_version") identifier = fields.TypedField("Identifier", key_name="identifier") create_date_time = fields.DateTimeField("CreateDateTime", key_name="create_date_time") responsible_entity = fields.TypedField("ResponsibleEntity", type_="stix_edh.common.NMTokens", key_name="responsible_entity") auth_ref = fields.TypedField("AuthRef", key_name="auth_ref") def __init__(self): super(ISAMarkings, self).__init__() self.isam_version = '2.0'
class RelatedPackageRef(GenericRelationship): _namespace = "http://stix.mitre.org/common-1" _binding = common_binding _binding_class = common_binding.RelatedPackageRefType idref = fields.IdrefField("idref") timestamp = fields.DateTimeField("timestamp") def __init__(self, idref=None, timestamp=None, confidence=None, information_source=None, relationship=None): super(RelatedPackageRef, self).__init__( confidence=confidence, information_source=information_source, relationship=relationship ) self.idref = idref self.timestamp = timestamp
class Action(entities.Entity): _binding = core_binding _binding_class = core_binding.ActionType _namespace = 'http://cybox.mitre.org/cybox-2' id_ = fields.TypedField("id") idref = fields.TypedField("idref") ordinal_position = fields.TypedField("ordinal_position") action_status = fields.TypedField("action_status") context = fields.TypedField("context") timestamp = fields.DateTimeField("timestamp") type_ = VocabField("Type", ActionType) name = VocabField("Name", ActionName) description = fields.TypedField("Description", StructuredText) action_aliases = fields.TypedField("Action_Aliases", ActionAliases) action_arguments = fields.TypedField("Action_Arguments", ActionArguments) discovery_method = fields.TypedField("Discovery_Method", MeasureSource) associated_objects = fields.TypedField("Associated_Objects", AssociatedObjects) relationships = fields.TypedField("Relationships", ActionRelationships) frequency = fields.TypedField("Frequency", Frequency)
class BaseCoreComponent(Entity): _ALL_VERSIONS = () _ID_PREFIX = None title = fields.TypedField("Title") id_ = fields.IdField("id") idref = fields.IdrefField("idref") descriptions = fields.TypedField( "Description", type_="stix.common.StructuredTextList", ) short_descriptions = fields.TypedField( "Short_Description", type_="stix.common.StructuredTextList") version = fields.TypedField("version", preset_hook=_validate_version) timestamp = fields.DateTimeField("timestamp") handling = fields.TypedField("Handling", type_="stix.data_marking.Marking") def __init__(self, id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None): from stix.common import StructuredTextList super(BaseCoreComponent, self).__init__() self.id_ = id_ or idgen.create_id(self._ID_PREFIX) self.idref = idref self.title = title self.descriptions = StructuredTextList(description) self.short_descriptions = StructuredTextList(short_description) if timestamp: self.timestamp = timestamp else: self.timestamp = utils.dates.now() if not idref else None @property def description(self): """A single description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ return next(iter(self.descriptions), None) @description.setter def description(self, value): self.descriptions = value def add_description(self, description): """Adds a description to the ``descriptions`` collection. This is the same as calling "foo.descriptions.add(bar)". """ self.descriptions.add(description) @property def short_description(self): """A single short description about the contents or purpose of this object. Default Value: ``None`` Note: If this object has more than one short description set, this will return the description with the lowest ordinality value. Returns: An instance of :class:`.StructuredText` """ return next(iter(self.short_descriptions), None) @short_description.setter def short_description(self, value): self.short_descriptions = value def add_short_description(self, description): """Adds a description to the ``short_descriptions`` collection. This is the same as calling "foo.short_descriptions.add(bar)". """ self.short_descriptions.add(description)
class STIXPackage(stix.Entity): """A STIX Package object. Args: id_ (optional): An identifier. If ``None``, a value will be generated via ``mixbox.idgen.create_id()``. If set, this will unset the ``idref`` property. idref: **DEPRECATED** An identifier reference. If set this will unset the ``id_`` property. timestamp: **DEPRECATED** A timestamp value. Can be an instance of ``datetime.datetime`` or ``str``. header: A Report :class:`.Header` object. campaigns: A collection of :class:`.Campaign` objects. course_of_action: A collection of :class:`.CourseOfAction` objects. exploit_targets: A collection of :class:`.ExploitTarget` objects. incidents: A collection of :class:`.Incident` objects. indicators: A collection of :class:`.Indicator` objects. threat_actors: A collection of :class:`.ThreatActor` objects. ttps: A collection of :class:`.TTP` objects. related_packages: **DEPRECATED**. A collection of :class:`.RelatedPackage` objects. reports: A collection of :class:`.Report` objects. """ _binding = stix_core_binding _binding_class = _binding.STIXType _namespace = 'http://stix.mitre.org/stix-1' _version = "1.2" _ALL_VERSIONS = ("1.0", "1.0.1", "1.1", "1.1.1", "1.2") id_ = fields.IdField("id") idref = fields.IdrefField("idref", preset_hook=deprecated.field) version = fields.TypedField("version") timestamp = fields.DateTimeField("timestamp", preset_hook=deprecated.field) stix_header = fields.TypedField("STIX_Header", STIXHeader) campaigns = fields.TypedField("Campaigns", Campaigns) courses_of_action = fields.TypedField("Courses_Of_Action", CoursesOfAction) exploit_targets = fields.TypedField("Exploit_Targets", ExploitTargets) observables = fields.TypedField("Observables", Observables) indicators = fields.TypedField("Indicators", Indicators) incidents = fields.TypedField("Incidents", Incidents) threat_actors = fields.TypedField("Threat_Actors", ThreatActors) ttps = fields.TypedField("TTPs", TTPs) related_packages = fields.TypedField("Related_Packages", RelatedPackages) reports = fields.TypedField("Reports", Reports) def __init__(self, id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None, related_packages=None, reports=None): super(STIXPackage, self).__init__() self.id_ = id_ or idgen.create_id("Package") self.idref = idref self.version = STIXPackage._version self.stix_header = stix_header self.campaigns = campaigns or Campaigns() self.courses_of_action = courses_of_action or CoursesOfAction() self.exploit_targets = exploit_targets or ExploitTargets() self.observables = observables or Observables() self.indicators = indicators or Indicators() self.incidents = incidents or Incidents() self.threat_actors = threat_actors or ThreatActors() self.ttps = ttps or TTPs() self.related_packages = related_packages self.reports = reports or Reports() self.timestamp = timestamp def add_indicator(self, indicator): """Adds an :class:`.Indicator` object to the :attr:`indicators` collection. """ if self.indicators is None: self.indicators = Indicators() self.indicators.append(indicator) def add_campaign(self, campaign): """Adds a :class:`Campaign` object to the :attr:`campaigns` collection. """ if self.campaigns is None: self.campaigns = Campaigns() self.campaigns.append(campaign) def add_observable(self, observable): """Adds an ``Observable`` object to the :attr:`observables` collection. If `observable` is not an ``Observable`` instance, an effort will be made to convert it to one. """ if not self.observables: self.observables = Observables(observables=observable) else: self.observables.add(observable) def add_incident(self, incident): """Adds an :class:`.Incident` object to the :attr:`incidents` collection. """ if self.incidents is None: self.incidents = Incidents() self.incidents.append(incident) def add_threat_actor(self, threat_actor): """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors` collection. """ if self.threat_actors is None: self.threat_actors = ThreatActors() self.threat_actors.append(threat_actor) def add_course_of_action(self, course_of_action): """Adds an :class:`.CourseOfAction` object to the :attr:`courses_of_action` collection. """ if self.courses_of_action is None: self.courses_of_action = CoursesOfAction() self.courses_of_action.append(course_of_action) def add_exploit_target(self, exploit_target): """Adds an :class:`.ExploitTarget` object to the :attr:`exploit_targets` collection. """ if self.exploit_targets is None: self.exploit_targets = ExploitTargets() self.exploit_targets.append(exploit_target) def add_ttp(self, ttp): """Adds an :class:`.TTP` object to the :attr:`ttps` collection. """ if self.ttps is None: self.ttps = TTPs() self.ttps.ttp.append(ttp) def add_report(self, report): """Adds a :class:`.Report` object to the :attr:`reports` collection. """ if self.reports is None: self.reports = Reports() self.reports.append(report) def add_related_package(self, related_package): """Adds a :class:`.RelatedPackage` object to the :attr:`related_packages` collection. """ if self.related_packages is None: self.related_packages = RelatedPackages() self.related_packages.append(related_package) def add(self, entity): """Adds `entity` to a top-level collection. For example, if `entity` is an Indicator object, the `entity` will be added to the ``indicators`` top-level collection. """ if utils.is_cybox(entity): self.add_observable(entity) return tlo_adds = { Campaign: self.add_campaign, CourseOfAction: self.add_course_of_action, ExploitTarget: self.add_exploit_target, Incident: self.add_incident, Indicator: self.add_indicator, ThreatActor: self.add_threat_actor, TTP: self.add_ttp, Report: self.add_report, Observable: self.add_observable, } try: add = tlo_adds[entity.__class__] add(entity) except KeyError: error = "Cannot add type '{0}' to a top-level collection" error = error.format(type(entity)) raise TypeError(error) @classmethod def from_xml(cls, xml_file, encoding=None): """Parses the `xml_file` file-like object and returns a :class:`STIXPackage` instance. Args: xml_file: A file, file-like object, etree._Element, or etree._ElementTree instance. encoding: The character encoding of the `xml_file` input. If ``None``, an attempt will be made to determine the input character encoding. Default is ``None``. Returns: An instance of :class:`STIXPackage`. """ entity_parser = parser.EntityParser() return entity_parser.parse_xml(xml_file, encoding=encoding)
class Report(stix.Entity): """A STIX Report Object. Args: id_ (optional): An identifier. If ``None``, a value will be generated via ``mixbox.idgen.create_id()``. If set, this will unset the ``idref`` property. idref (optional): An identifier reference. If set this will unset the ``id_`` property. timestamp (optional): A timestamp value. Can be an instance of ``datetime.datetime`` or ``str``. header: A Report :class:`.Header` object. campaigns: A collection of :class:`.Campaign` objects. courses_of_action: A collection of :class:`.CourseOfAction` objects. exploit_targets: A collection of :class:`.ExploitTarget` objects. incidents: A collection of :class:`.Incident` objects. indicators: A collection of :class:`.Indicator` objects. threat_actors: A collection of :class:`.ThreatActor` objects. ttps: A collection of :class:`.TTP` objects. related_reports: A collection of :class:`.RelatedReport` objects. """ _binding = report_binding _binding_class = _binding.ReportType _namespace = 'http://stix.mitre.org/Report-1' _version = "1.0" id_ = fields.IdField("id") idref = fields.IdrefField("idref") timestamp = fields.DateTimeField("timestamp") version = fields.TypedField("version") header = fields.TypedField("Header", Header) campaigns = fields.TypedField("Campaigns", type_="stix.report.Campaigns") courses_of_action = fields.TypedField("Courses_Of_Action", type_="stix.report.CoursesOfAction") exploit_targets = fields.TypedField("Exploit_Targets", type_="stix.report.ExploitTargets") observables = fields.TypedField("Observables", Observables) indicators = fields.TypedField("Indicators", type_="stix.report.Indicators") incidents = fields.TypedField("Incidents", type_="stix.report.Incidents") threat_actors = fields.TypedField("Threat_Actors", type_="stix.report.ThreatActors") ttps = fields.TypedField("TTPs", type_="stix.report.TTPs") related_reports = fields.TypedField("Related_Reports", type_="stix.report.RelatedReports") def __init__(self, id_=None, idref=None, timestamp=None, header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None, related_reports=None): super(Report, self).__init__() self.id_ = id_ or idgen.create_id("Report") self.idref = idref self.version = self._version self.header = header self.campaigns = campaigns self.courses_of_action = courses_of_action self.exploit_targets = exploit_targets self.observables = observables self.indicators = indicators self.incidents = incidents self.threat_actors = threat_actors self.ttps = ttps self.related_reports = related_reports if timestamp: self.timestamp = timestamp else: self.timestamp = utils.dates.now() if not idref else None def add_indicator(self, indicator): """Adds an :class:`.Indicator` object to the :attr:`indicators` collection. """ if self.indicators is None: self.indicators = Indicators() self.indicators.append(indicator) def add_campaign(self, campaign): """Adds a :class:`Campaign` object to the :attr:`campaigns` collection. """ if self.campaigns is None: self.campaigns = Campaigns() self.campaigns.append(campaign) def add_observable(self, observable): """Adds an ``Observable`` object to the :attr:`observables` collection. If `observable` is not an ``Observable`` instance, an effort will be made to convert it to one. """ if not self.observables: self.observables = Observables(observables=observable) else: self.observables.add(observable) def add_incident(self, incident): """Adds an :class:`.Incident` object to the :attr:`incidents` collection. """ if self.incidents is None: self.incidents = Incidents() self.incidents.append(incident) def add_threat_actor(self, threat_actor): """Adds an :class:`.ThreatActor` object to the :attr:`threat_actors` collection. """ if self.threat_actors is None: self.threat_actors = ThreatActors() self.threat_actors.append(threat_actor) def add_course_of_action(self, course_of_action): """Adds an :class:`.CourseOfAction` object to the :attr:`courses_of_action` collection. """ if self.courses_of_action is None: self.courses_of_action = CoursesOfAction() self.courses_of_action.append(course_of_action) def add_exploit_target(self, exploit_target): """Adds an :class:`.ExploitTarget` object to the :attr:`exploit_targets` collection. """ if self.exploit_targets is None: self.exploit_targets = ExploitTargets() self.exploit_targets.append(exploit_target) def add_ttp(self, ttp): """Adds an :class:`.TTP` object to the :attr:`ttps` collection. """ if self.ttps is None: self.ttps = TTPs() self.ttps.append(ttp) def add_related_report(self, related_report): """Adds an :class:`.RelatedReport` object to the :attr:`related_reports` collection. """ if self.related_reports is None: self.related_reports = RelatedReports() self.related_reports.append(related_report) def add(self, entity): """Adds `entity` to a top-level collection. For example, if `entity` is an Indicator object, the `entity` will be added to the ``indicators`` top-level collection. """ if utils.is_cybox(entity): self.add_observable(entity) return tlo_adds = { Campaign: self.add_campaign, CourseOfAction: self.add_course_of_action, ExploitTarget: self.add_exploit_target, Incident: self.add_incident, Indicator: self.add_indicator, ThreatActor: self.add_threat_actor, TTP: self.add_ttp, Observable: self.add_observable, } try: add = tlo_adds[entity.__class__] add(entity) except KeyError: error = "Cannot add type '{0}' to a top-level collection" error = error.format(type(entity)) raise TypeError(error)