Version: 1.2.0.0

stix.core.stix_package Module

Overview

The stix.core.stix_package module implements STIXPackage.

STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.

Classes

class stix.core.stix_package.STIXPackage(id_=None, idref=None, timestamp=None, stix_header=None, courses_of_action=None, exploit_targets=None, indicators=None, observables=None, incidents=None, threat_actors=None, ttps=None, campaigns=None, related_packages=None, reports=None)

Bases: stix.base.Entity

A STIX Package object.

Parameters:
  • id_ (optional) – An identifier. If None, a value will be generated via stix.utils.create_id(). If set, this will unset the idref property.
  • idref – DEPRECATED. An identifier reference. If set, this will unset the id_ property.
  • timestamp – DEPRECATED. A timestamp value. Can be an instance of datetime.datetime or str.
  • stix_header – A Report Header object.
  • campaigns – A collection of Campaign objects.
  • courses_of_action – A collection of CourseOfAction objects.
  • exploit_targets – A collection of ExploitTarget objects.
  • incidents – A collection of Incident objects.
  • indicators – A collection of Indicator objects.
  • threat_actors – A collection of ThreatActor objects.
  • ttps – A collection of TTP objects.
  • related_packages – DEPRECATED. A collection of RelatedPackage objects.
  • reports – A collection of Report objects.
add(entity)

Adds entity to a top-level collection. For example, if entity is an Indicator object, the entity will be added to the indicators top-level collection.

add_campaign(campaign)

Adds a Campaign object to the campaigns collection.

add_course_of_action(course_of_action)

Adds a CourseOfAction object to the courses_of_action collection.

add_exploit_target(exploit_target)

Adds an ExploitTarget object to the exploit_targets collection.

add_incident(incident)

Adds an Incident object to the incidents collection.

add_indicator(indicator)

Adds an Indicator object to the indicators collection.

add_observable(observable)

Adds an Observable object to the observables collection.

If observable is not an Observable instance, an effort will be made to convert it to one.

add_related_package(related_package)

Adds a RelatedPackage object to the related_packages collection.

add_report(report)

Adds a Report object to the reports collection.

add_threat_actor(threat_actor)

Adds a ThreatActor object to the threat_actors collection.

add_ttp(ttp)

Adds a TTP object to the ttps collection.

campaigns

The top-level Campaign collection. This behaves like a MutableSequence type.

courses_of_action

The top-level CourseOfAction collection. This behaves like a MutableSequence type.

exploit_targets

The top-level ExploitTarget collection. This behaves like a MutableSequence type.

find(id_)

Searches the children of an Entity implementation for an object with an id_ property that matches id_.

classmethod from_xml(xml_file, encoding=None)

Parses the xml_file file-like object and returns a STIXPackage instance.

Parameters:
  • xml_file – A file, file-like object, etree._Element, or etree._ElementTree instance.
  • encoding – The character encoding of the xml_file input. If None, an attempt will be made to determine the input character encoding. Default is None.
Returns:

An instance of STIXPackage.

id_

A globally unique identifier for this Report. By default, one will be generated automatically.

idref

A reference to another Report identifier. Setting this will unset any previous id values.

incidents

The top-level Incident collection. This behaves like a MutableSequence type.

indicators

The top-level Indicator collection. This behaves like a MutableSequence type.

observables

The top-level Observable collection. This behaves like a MutableSequence type.

related_packages

DEPRECATED. A collection of RelatedPackage objects.

reports

A collection of Report objects. This behaves like a MutableSequence object.

stix_header

The STIXHeader section of the STIX Package.

threat_actors

The top-level ThreatActor collection. This behaves like a MutableSequence type.

timestamp

Specifies a timestamp for the definition of this specific Report object.

to_xml(include_namespaces=True, include_schemalocs=False, ns_dict=None, schemaloc_dict=None, pretty=True, auto_namespace=True, encoding='utf-8')

Serializes an Entity instance to an XML string.

The default character encoding is utf-8 and can be set via the encoding parameter. If encoding is None, a unicode string is returned.

Parameters:
  • auto_namespace – Automatically discover and export XML namespaces for a STIX Entity instance.
  • include_namespaces – Export namespace definitions in the output XML. Default is True.
  • include_schemalocs – Export xsi:schemaLocation attribute in the output document. This will attempt to associate namespaces declared in the STIX document with schema locations. If a namespace cannot be resolved to a schemaLocation, a Python warning will be raised. Schemalocations will only be exported if include_namespaces is also True.
  • ns_dict – Dictionary of XML definitions (namespace is key, alias is value) to include in the exported document. This must be passed in if auto_namespace is False.
  • schemaloc_dict – Dictionary of XML namespace: schema location mappings to include in the exported document. These will only be included if auto_namespace is False.
  • pretty – Pretty-print the XML.
  • encoding – The output character encoding. Default is utf-8. If encoding is set to None, a unicode string is returned.
Returns:

An XML string for this Entity instance. Default character encoding is utf-8.

ttps

The top-level TTP collection. This behaves like a MutableSequence type.

version

The schematic version of this component.

Note

This property refers to the version of the schema component type and should not be used for the purpose of content versioning.

Default Value: ‘1.2’

class stix.core.stix_package.RelatedPackages(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList