Version: 1.2.0.4.dev0

stix.incident Module

Overview

The stix.incident module implements Incident.

Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation.

Classes

class stix.incident.Incident(id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None)

Bases: stix.base.BaseCoreComponent

Implementation of the STIX Incident.

Parameters:
  • id_ (optional) – An identifier. If None, a value will be generated via mixbox.idgen.create_id(). If set, this will unset the idref property.
  • idref (optional) – An identifier reference. If set this will unset the id_ property.
  • timestamp (optional) – A timestamp value. Can be an instance of datetime.datetime or str.
  • description – A description of the purpose or intent of this object.
  • short_description – A short description of the intent or purpose of this object.
  • title – The title of this object.

add_affected_asset(v)

Adds an AffectedAsset object to the affected_assets collection.

add_category(category)

Adds a VocabString object to the categories collection.

If category is a string, an attempt will be made to convert it into an instance of IncidentCategory.

add_coa_requested(value)

Adds a COARequested object to the coas_requested collection.

add_coa_taken(value)

Adds a COATaken object to the coas_taken collection.

add_coordinator(value)

Adds an InformationSource object to the coordinators collection.

add_description(description)

Adds a description to the descriptions collection.

This is the same as calling “foo.descriptions.add(bar)”.

add_discovery_method(value)

Adds a VocabString object to the discovery_methods collection.

If value is a string, an attempt will be made to convert it to an instance of DiscoveryMethod.

add_external_id(value)

Adds an ExternalID object to the external_ids collection.

add_intended_effect(value)

Adds a Statement object to the intended_effects collection.

If value is a string, an attempt will be made to convert it into an instance of Statement.

Adds a Related Indicator to the related_indicators list property of this Incident.

The indicator parameter must be an instance of RelatedIndicator or Indicator.

If the indicator parameter is None, no item will be added to the related_indicators list property.

Calling this method is the same as calling append() on the related_indicators property.

See also

The RelatedIndicators documentation.

Note

If the indicator parameter is not an instance of RelatedIndicator an attempt will be made to convert it to one.

Parameters: indicator – An instance of Indicator or RelatedIndicator.
Raises: ValueError – If the indicator parameter cannot be converted into an instance of RelatedIndicator.

Adds a Related Observable to the related_observables list property of this Incident.

The observable parameter must be an instance of RelatedObservable or Observable.

If the observable parameter is None, no item will be added to the related_observables list property.

Calling this method is the same as calling append() on the related_observables property.

See also

The RelatedObservables documentation.

Note

If the observable parameter is not an instance of RelatedObservable an attempt will be made to convert it to one.

Parameters: observable – An instance of Observable or RelatedObservable.
Raises: ValueError – If the observable parameter cannot be converted into an instance of RelatedObservable.

add_responder(value)

Adds an InformationSource object to the responders collection.

add_short_description(description)

Adds a description to the short_descriptions collection.

This is the same as calling “foo.short_descriptions.add(bar)”.

add_victim(victim)

Adds an IdentityType value to the victims collection.

description

A single description about the contents or purpose of this object.

Default Value: None

Note

If this object has more than one description set, this will return the description with the lowest ordinality value.

Returns: An instance of StructuredText

find(id_)

Searches the children of an Entity implementation for an object with an id_ property that matches id_.

short_description

A single short description about the contents or purpose of this object.

Default Value: None

Note

If this object has more than one short description set, this will return the description with the lowest ordinality value.

Returns: An instance of StructuredText

to_dict()

Convert to a dict

Subclasses can override this function.

Returns: Python dict with keys set from this Entity.

to_json()

Export an object as a JSON String.

to_obj(ns_info=None)

Convert to a GenerateDS binding object.

Subclasses can override this function.

Returns: An instance of this Entity’s _binding_class with properties set from this Entity.

class stix.incident.AttributedThreatActors(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.LeveragedTTPs(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.RelatedIndicators(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.RelatedObservables(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.RelatedIncidents(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList