Version: 1.2.0.0

stix.incident Module

Overview

The stix.incident module implements Incident.

Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation.

Documentation Resources

Classes

class stix.incident.Incident(id_=None, idref=None, timestamp=None, title=None, description=None, short_description=None)

Bases: stix.base.BaseCoreComponent

Implementation of the STIX Incident.

Parameters:
  • id_ (optional) – An identifier. If None, a value will be generated via stix.utils.create_id(). If set, this will unset the idref property.
  • idref (optional) – An identifier reference. If set this will unset the id_ property.
  • timestamp (optional) – A timestamp value. Can be an instance of datetime.datetime or str.
  • description – A description of the purpose or intent of this object.
  • short_description – A short description of the intent or purpose of this object.
  • title – The title of this object.
add_affected_asset(v)

Adds an AffectedAsset object to the affected_assets collection.

add_category(category)

Adds a VocabString object to the categories collection.

If category is a string, an attempt will be made to convert it into an instance of IncidentCategory.

add_coa_requested(value)

Adds a COARequested object to the coas_requested collection.

add_coa_taken(value)

Adds a COATaken object to the coas_taken collection.

add_coordinator(value)

Adds an InformationSource object to the coordinators collection.

add_description(description)

Adds a description to the descriptions collection.

This is the same as calling “foo.descriptions.add(bar)”.

add_discovery_method(value)

Adds a VocabString object to the discovery_methods collection.

If value is a string, an attempt will be made to convert it to an instance of DiscoveryMethod.

add_external_id(value)

Adds an ExternalID object to the external_ids collection.

add_intended_effect(value)

Adds a Statement object to the intended_effects collection.

If value is a string, an attempt will be made to convert it into an instance of Statement.

add_related_indicator(indicator)

Adds a Related Indicator to the related_indicators list property of this Incident.

The indicator parameter must be an instance of RelatedIndicator or Indicator.

If the indicator parameter is None, no item will be added to the related_indicators list property.

Calling this method is the same as calling append() on the related_indicators property.

See also

The RelatedIndicators documentation.

Note

If the indicator parameter is not an instance of RelatedIndicator an attempt will be made to convert it to one.

Parameters: indicator – An instance of Indicator or RelatedIndicator.
Raises: ValueError – If the indicator parameter cannot be converted into an instance of RelatedIndicator.


add_related_observable(observable)

Adds a Related Observable to the related_observables list property of this Incident.

The observable parameter must be an instance of RelatedObservable or Observable.

If the observable parameter is None, no item will be added to the related_observables list property.

Calling this method is the same as calling append() on the related_observables property.

See also

The RelatedObservables documentation.

Note

If the observable parameter is not an instance of RelatedObservable an attempt will be made to convert it to one.

Parameters: observable – An instance of Observable or RelatedObservable.
Raises: ValueError – If the observable parameter cannot be converted into an instance of RelatedObservable.

add_responder(value)

Adds an InformationSource object to the responders collection.

add_short_description(description)

Adds a description to the short_descriptions collection.

This is the same as calling “foo.short_descriptions.add(bar)”.

add_victim(victim)

Adds an IdentityType value to the victims collection.

affected_assets

A collection of AffectedAsset objects. This behaves like a MutableSequence type.

categories

A collection of VocabString objects. This behaves like a MutableSequence type.

coa_requested

A collection of COARequested objects which characterize courses of action requested for response to this incident.

This behaves like a MutableSequence type.

coa_taken

A collection of COATaken objects which characterize courses of action taken during the incident.

This behaves like a MutableSequence type.

confidence

A Confidence field.

coordinators

A collection of InformationSource objects. This behaves like a MutableSequence type.

description

A single description about the contents or purpose of this object.

Default Value: None

Note

If this object has more than one description set, this will return the description with the lowest ordinality value.

Returns: An instance of StructuredText

descriptions

A StructuredTextList object, containing descriptions about the purpose or intent of this object.

This is typically used for the purpose of providing multiple descriptions with different classification markings.

Iterating over this object will yield its contents sorted by their ordinality value.

Default Value: Empty StructuredTextList object.

Note

If this is set to a value that is not an instance of StructuredText, an effort will be made to convert it. If this is set to an iterable, any contained values that are not instances of StructuredText will be converted.

Returns: An instance of StructuredTextList

discovery_methods

A VocabString collection. This behaves like a MutableSequence type.

find(id_)

Searches the children of an Entity implementation for an object with an id_ property that matches id_.

id_

The id_ property serves as an identifier. This is automatically set during __init__().

Default Value: None

Note

Both the id_ and idref properties cannot be set at the same time. Setting one will unset the other!

Returns: A string id.

idref

The idref property must be set to the id_ value of another object instance of the same type. An idref does not need to resolve to a local object instance.

Default Value: None.

Note

Both the id_ and idref properties cannot be set at the same time. Setting one will unset the other!

Returns: The value of the idref property

impact_assessment

An ImpactAssessment field.

information_source

Contains information about the source of this object.

Default Value: None

Returns: An instance of InformationSource
Raises: ValueError – If set to a value that is not None and not an instance of InformationSource

intended_effects

The intended effects of this Incident. This is a collection of Statement objects and behaves like a MutableSequence type.

If set to a string, an attempt will be made to convert it into a Statement object with its value set to an instance of IntendedEffect.

related_indicators

A collection of RelatedIndicator objects characterizing indicators related to this incident.

reporter

An InformationSource field.

responders

A collection of InformationSource objects which contain information about incident responders.

This behaves like a MutableSequence type.

security_compromise

A VocabString field. If set to a string, an attempt will be made to convert it into an instance of SecurityCompromise.

short_description

A single short description about the contents or purpose of this object.

Default Value: None

Note

If this object has more than one short description set, this will return the description with the lowest ordinality value.

Returns: An instance of StructuredText

short_descriptions

A StructuredTextList object, containing short descriptions about the purpose or intent of this object.

This is typically used for the purpose of providing multiple short descriptions with different classification markings.

Iterating over this object will yield its contents sorted by their ordinality value.

Default Value: Empty StructuredTextList object.

Note

If this is set to a value that is not an instance of StructuredText, an effort will be made to convert it. If this is set to an iterable, any contained values that are not instances of StructuredText will be converted.

Returns: An instance of StructuredTextList

status

A VocabString property. If set to a string, an attempt will be made to convert it to an instance of IncidentStatus.

time

Time section of the Incident. This is a time.Time field.

timestamp

The timestamp property declares the time of creation and is automatically set in __init__().

This property can accept datetime.datetime or str values. If an str value is supplied, a best-effort attempt is made to parse it into an instance of datetime.datetime.

Default Value: A datetime.datetime instance with a value of the date/time when __init__() was called.

Note

If an idref is set during __init__(), the value of timestamp will not be automatically generated and will instead default to the timestamp parameter, which has a default value of None.

Returns: An instance of datetime.datetime.

version

The schematic version of this component. This property will always return None unless it is set to a value different than self.__class__._version.

Note

This property refers to the version of the schema component type and should not be used for the purpose of content versioning.

Default Value: None

Returns: The value of the version property if set to a value different than self.__class__._version

victims

A collection of victim Identity objects. This behaves like a MutableSequence type.

class stix.incident.AttributedThreatActors(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.LeveragedTTPs(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.RelatedIndicators(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.RelatedObservables(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList

class stix.incident.RelatedIncidents(scope=None, *args)

Bases: stix.common.related.GenericRelationshipList