stix2

package module
v0.10.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 5, 2024 License: BSD-2-Clause Imports: 10 Imported by: 2

README

Build Go Report Card GitHub tag (latest SemVer) GitHub go.mod Go version Go Reference codecov

stix2

A pure Go library for working with Structured Threat Information Expression (STIX™) version 2.x data.

Parsing STIX JSON data

The library provides a helper function to parse STIX JSON. It can handle both the bundle object and JSON objects as a JSON array. The function returns a Collection object that holds all the extracted STIX objects.

collection, err := stix2.FromJSON(jsonData)

Creating a STIX Bundle

Creating a STIX Bundle, is as easy as creating a set of STIX objects and add them to the Collection. The Bundle can be created by calling the ToBundle method on the Collection object. The Bundle can be serialized to JSON using the JSON encoder in the standard library.

c := stix2.New()
ip, err := stix2.NewIPv4Address("10.0.0.1")
c.Add(ip)
ip, err = stix2.NewIPv4Address("10.0.0.2")
c.Add(ip)
b, err := c.ToBundle()
data, err := json.Marshal(b)

Example of a malware using an infrastructure

Taken from: https://docs.oasis-open.org/cti/stix/v2.1/csprd02/stix-v2.1-csprd02.html#_Toc26789941

collection := stix2.New()
domain, err := stix2.NewDomainName("example.com")
collection.Add(domain)

mal, err := stix2.NewMalware(
	false,
	stix2.OptionName("IMDDOS"),
	stix2.OptionTypes([]string{stix2.MalwareTypeBot}),
)
collection.Add(mal)

infra, err := stix2.NewInfrastructure(
	"Example Target List Host",
	[]string{stix2.InfrastructureTypeHostingTargetLists},
)
collection.Add(infra)

ref, err := mal.AddUses(infra.ID)
collection.Add(ref)

ref, err = infra.AddConsistsOf(domain.ID)
collection.Add(ref)

b, err := collection.ToBundle()
data, err := json.MarshalIndent(b, "", "\t")

Extensions and Customization

With the release of version 2.1 of the specification custom properties has been deprecated. Instead, property-extension functionality should be used. This library supports parsing objects with old custom properties for backwards compatibility. The fields can be accessed via the GetExtendedTopLevelProperties method.

See the examples in the documentation on how to work with extensions.

Documentation

Overview

Package stix2 is a pure Go library for working with Structured Threat Information Expression (STIX™) version 2.x data.

Parsing STIX JSON data: 

collection, err := stix2.FromJSON(jsonData)

Creating a STIX Bundle, is as easy as creating a set of STIX objects and add them to the Collection. The Bundle can be created by calling the `ToBundle` method on the Collection object. The Bundle can be serialized to `JSON` using the `JSON` encoder in the standard library. 

c := stix2.New()
ip, err := stix2.NewIPv4Address("10.0.0.1")
c.Add(ip)
ip, err = stix2.NewIPv4Address("10.0.0.2")
c.Add(ip)
b, err := c.ToBundle()
data, err := json.Marshal(b)

Example of a malware using an infrastructure. Taken from: https://docs.oasis-open.org/cti/stix/v2.1/csprd02/stix-v2.1-csprd02.html#_Toc26789941 

collection := stix2.New()
domain, err := stix2.NewDomainName("example.com")
collection.Add(domain)

mal, err := stix2.NewMalware(
	false,
	stix2.OptionName("IMDDOS"),
	stix2.OptionTypes([]string{stix2.MalwareTypeBot}),
)
collection.Add(mal)

infra, err := stix2.NewInfrastructure(
	"Example Target List Host",
	[]string{stix2.InfrastructureTypeHostingTargetLists},
)
collection.Add(infra)

ref, err := mal.AddUses(infra.ID)
collection.Add(ref)

ref, err = infra.AddConsistsOf(domain.ID)
collection.Add(ref)

b, err := collection.ToBundle()
data, err := json.MarshalIndent(b, "", "\t")

Extensions and Customization

With the release of version 2.1 of the specification custom properties has been deprecated. Instead, `property-extension` functionality should be used. This library supports parsing objects with old custom properties for backwards compatibility. The fields can be accessed via the `GetExtendedTopLevelProperties` method.

See the examples on how to work with extensions.

Example 
package main

import (
	"encoding/json"
	"fmt"

	"github.com/TcM1911/stix2"
)

func main() {
	// Taken from: https://docs.oasis-open.org/cti/stix/v2.1/csprd02/stix-v2.1-csprd02.html#_Toc26789941
	collection := stix2.New()
	domain, err := stix2.NewDomainName("example.com")
	if err != nil {
		fmt.Println(err)
	}
	collection.Add(domain)

	mal, err := stix2.NewMalware(
		false,
		stix2.OptionName("IMDDOS"),
		stix2.OptionTypes([]string{stix2.MalwareTypeBot}),
	)
	if err != nil {
		fmt.Println(err)
	}
	collection.Add(mal)

	infra, err := stix2.NewInfrastructure(
		"Example Target List Host",
	)
	if err != nil {
		fmt.Println(err)
	}
	collection.Add(infra)

	ref, err := mal.AddUses(infra.ID)
	if err != nil {
		fmt.Println(err)
	}
	collection.Add(ref)

	ref, err = infra.AddConsistsOf(domain.ID)
	if err != nil {
		fmt.Println(err)
	}
	collection.Add(ref)

	b, err := collection.ToBundle()
	if err != nil {
		fmt.Println(err)
		return
	}
	data, err := json.MarshalIndent(b, "", "\t")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(data))
}

Output:

Index

Examples

Constants

View Source 
const (
	// ExtArchive is used as key for archive extension.
	ExtArchive = "archive-ext"
	// ExtNTFS is used as key for ntfs extension.
	ExtNTFS = "ntfs-ext"
	// ExtPDF is used as key for pdf extension.
	ExtPDF = "pdf-ext"
	// ExtRasterImage is used as key for raster image extension.
	ExtRasterImage = "raster-image-ext"
	// ExtWindowsPEBinary is used as key for Windows PE binary extension.
	ExtWindowsPEBinary = "windows-pebinary-ext"
	// ExtHTTPRequest is used for HTTP request extension.
	ExtHTTPRequest = "http-request-ext"
	// ExtICMP is used for ICMP extension.
	ExtICMP = "icmp-ext"
	// ExtSocket is used for socket extension.
	ExtSocket = "socket-ext"
	// ExtTCP is used for TCP extension.
	ExtTCP = "tcp-ext"
	// ExtWindowsProcess is used for Windows process extension.
	ExtWindowsProcess = "windows-process-ext"
	// ExtWindowsService is used for Windows service extension.
	ExtWindowsService = "windows-service-ext"
	// ExtUnixAccount is used for UNIX user account extension.
	ExtUnixAccount = "unix-account-ext"
)
View Source 
const (
	// GroupingContextSuspiciousActivity is a et of STIX content related to a
	// particular suspicious activity event.
	GroupingContextSuspiciousActivity = "suspicious-activity"
	// GroupingContextMalwareAnalysis is a set of STIX content related to a
	// particular malware instance or family.
	GroupingContextMalwareAnalysis = "malware-analysis"
	// GroupingContextUnspecified is a set of STIX content contextually related
	// but without any precise characterization of the contextual relationship
	// between the objects.
	GroupingContextUnspecified = "unspecified"
)
View Source 
const (
	// IdentityClassIndividual represents a single person.
	IdentityClassIndividual = "individual"
	// IdentityClassGroup represents an informal collection of people, without
	// formal governance, such as a distributed hacker group.
	IdentityClassGroup = "group"
	// IdentityClassSystem represents a computer system, such as a SIEM.
	IdentityClassSystem = "system"
	// IdentityClassOrganization represents a formal organization of people,
	// with governance, such as a company or country.
	IdentityClassOrganization = "organization"
	// IdentityClassClass represents a class of entities, such as all
	// hospitals, all Europeans, or the Domain Administrators in a system.
	IdentityClassClass = "class"
	// IdentityClassUnknown is unknown whether the classification is an individual,
	// group, system, organization, or class.
	IdentityClassUnknown = "unknown"
)
View Source 
const (
	// IdentitySectorAgriculture represents the agriculture sector.
	IdentitySectorAgriculture = "agriculture"
	// IdentitySectorAerospace represents the aerospace sector.
	IdentitySectorAerospace = "aerospace"
	// IdentitySectorAutomotive represents the automotive sector.
	IdentitySectorAutomotive = "automotive"
	// IdentitySectorChemical represents the chemical sector.
	IdentitySectorChemical = "chemical"
	// IdentitySectorCommercial represents the commercial sector.
	IdentitySectorCommercial = "commercial"
	// IdentitySectorCommunications represents the communications sector.
	IdentitySectorCommunications = "communications"
	// IdentitySectorConstruction represents the construction sector.
	IdentitySectorConstruction = "construction"
	// IdentitySectorDefence represents the defence sector.
	IdentitySectorDefence = "defence"
	// IdentitySectorEducation represents the education sector.
	IdentitySectorEducation = "education"
	// IdentitySectorEnergy represents the energy sector.
	IdentitySectorEnergy = "energy"
	// IdentitySectorEntertainment represents the entertainment sector.
	IdentitySectorEntertainment = "entertainment"
	// IdentitySectorFinancialServices represents the financial service sector.
	IdentitySectorFinancialServices = "financial-services"
	// IdentitySectorEmergencyServices represents the emergency services.
	IdentitySectorEmergencyServices = "emergency-services"
	// IdentitySectorGovernment represents the government.
	IdentitySectorGovernment = "government"
	// IdentitySectorGovernmentNational represents the national government.
	IdentitySectorGovernmentNational = "government-national"
	// IdentitySectorGovernmentRegional represents the regional government.
	IdentitySectorGovernmentRegional = "government-regional"
	// IdentitySectorGovernmentLocal represents the local government.
	IdentitySectorGovernmentLocal = "government-local"
	// IdentitySectorGovernmentPublicServices represents the public services.
	IdentitySectorGovernmentPublicServices = "government-public-services"
	// IdentitySectorHealthcare represents the healthcare sector.
	IdentitySectorHealthcare = "healthcare"
	// IdentitySectorHospitalityLeisure represents the hospitality sector.
	IdentitySectorHospitalityLeisure = "hospitality-leisure"
	// IdentitySectorInfrastructure represents the infrastructure sector.
	IdentitySectorInfrastructure = "infrastructure"
	// IdentitySectorInfrastructureDams represents the dams infrastructure sector.
	IdentitySectorInfrastructureDams = "dams"
	// IdentitySectorInfrastructureNuclear represents the nuclear infrastructure sector.
	IdentitySectorInfrastructureNuclear = "nuclear"
	// IdentitySectorInfrastructureWater represents the water infrastructure sector.
	IdentitySectorInfrastructureWater = "water"
	// IdentitySectorInsurance represents the insurance sector.
	IdentitySectorInsurance = "insurance"
	// IdentitySectorManufacturing represents the manufacturing sector.
	IdentitySectorManufacturing = "manufacturing"
	// IdentitySectorMining represents the mining sector.
	IdentitySectorMining = "mining"
	// IdentitySectorNonProfit represents the non-profit sector.
	IdentitySectorNonProfit = "non-profit"
	// IdentitySectorPharmaceuticals represents the pharmaceuticals sector.
	IdentitySectorPharmaceuticals = "pharmaceuticals"
	// IdentitySectorRetail represents the retail sector.
	IdentitySectorRetail = "retail"
	// IdentitySectorTechnology represents the technology sector.
	IdentitySectorTechnology = "technology"
	// IdentitySectorTelecommunications represents the telecommunications sector.
	IdentitySectorTelecommunications = "telecommunications"
	//IdentitySectorTransportation represents the transportation sector.
	IdentitySectorTransportation = "transportation"
	// IdentitySectorUtilities represents the utilities sector.
	IdentitySectorUtilities = "utilities"
)
View Source 
const (
	// IndicatorTypeAnomalousActivity is unexpected, or unusual activity that
	// may not necessarily be malicious or indicate compromise. This type of
	// activity may include reconnaissance-like behavior such as port scans or
	// version identification, network behavior anomalies, and asset and/or
	// user behavioral anomalies.
	IndicatorTypeAnomalousActivity = "anomalous-activity"
	// IndicatorTypeAnonymization is a suspected anonymization tools or
	// infrastructure (proxy, TOR, VPN, etc.).
	IndicatorTypeAnonymization = "anonymization"
	// IndicatorTypeBenign is an activity that is not suspicious or malicious
	// in and of itself, but when combined with other activity may indicate
	// suspicious or malicious behavior.
	IndicatorTypeBenign = "benign"
	// IndicatorTypeCompromised is an assets that are suspected to be compromised.
	IndicatorTypeCompromised = "compromised"
	// IndicatorTypeMaliciousActivity is patterns of suspected malicious
	// objects and/or activity.
	IndicatorTypeMaliciousActivity = "malicious-activity"
	// IndicatorTypeAttribution is patterns of behavior that indicate
	// attribution to a particular Threat Actor or Campaign.
	IndicatorTypeAttribution = "attribution"
	// IndicatorTypeUnknown indicates there is not enough information available
	// to determine the type of indicator.
	IndicatorTypeUnknown = "unknown"
)
View Source 
const (
	// PatternTypeSTIX specifies the STIX pattern language.
	PatternTypeSTIX = "stix"
	// PatternTypePCRE specifies the Perl Compatible Regular Expressions
	// language.
	PatternTypePCRE = "pcre"
	// PatternTypeSigma specifies the SIGMA language.
	PatternTypeSigma = "sigma"
	// PatternTypeSnort specifies the SNORT language.
	PatternTypeSnort = "snort"
	// PatternTypeSuricata specifies the SURICATA language.
	PatternTypeSuricata = "suricata"
	// PatternTypeYara specifies the YARA language.
	PatternTypeYara = "yara"
)
View Source 
const (
	// InfrastructureTypeAmplification specifies infrastructure used for
	// conducting amplification attacks.
	InfrastructureTypeAmplification = "amplification"
	// InfrastructureTypeAnonymization specific infrastructure used for
	// anonymization, such as a proxy.
	InfrastructureTypeAnonymization = "anonymization"
	// InfrastructureTypeBotnet specifies the membership/makeup of a botnet, in
	// terms of the network addresses of the hosts that comprise the botnet.
	InfrastructureTypeBotnet = "botnet"
	// InfrastructureTypeCommandAndControl specifies infrastructure used for
	// command and control (C2). This is typically a domain name or IP address.
	InfrastructureTypeCommandAndControl = "command-and-control"
	// InfrastructureTypeExfiltration specifies infrastructure used as an
	// endpoint for data exfiltration.
	InfrastructureTypeExfiltration = "exfiltration"
	// InfrastructureTypeHostingMalware specifies infrastructure used for
	// hosting malware.
	InfrastructureTypeHostingMalware = "hosting-malware"
	// InfrastructureTypeHostingTargetLists specifies infrastructure used for
	// hosting a list of targets for DDOS attacks, phishing, and other
	// malicious activities. This is typically a domain name or IP address.
	InfrastructureTypeHostingTargetLists = "hosting-target-lists"
	// InfrastructureTypePhishing specifies infrastructure used for conducting
	// phishing attacks.
	InfrastructureTypePhishing = "phishing"
	// InfrastructureTypeReconnaissance specifies infrastructure used for
	// conducting reconnaissance activities.
	InfrastructureTypeReconnaissance = "reconnaissance"
	// InfrastructureTypeStaging specifies infrastructure used for staging.
	InfrastructureTypeStaging = "staging"
	// InfrastructureTypeWorkstation specifies an endpoint machine used for
	// work by an organization that needs protection.
	InfrastructureTypeWorkstation = "workstation"
	// InfrastructureTypeUndefined specifies an infrastructure of some
	// undefined type.
	InfrastructureTypeUndefined = "undefined"
)
View Source 
const (
	// AttackResourceLevelIndividual indicates resources limited to the average
	// individual; Threat Actor acts independently.
	AttackResourceLevelIndividual = "individual"
	// AttackResourceLevelClub indicates members interact on a social and
	// volunteer basis, often with little personal interest in the specific
	// target. An example might be a core group of unrelated activists who
	// regularly exchange tips on a particular blog. Group persists long term.
	AttackResourceLevelClub = "club"
	// AttackResourceLevelContest indicates a short-lived and perhaps anonymous
	// interaction that concludes when the participants have achieved a single
	// goal. For example, people who break into systems just for thrills or
	// prestige may hold a contest to see who can break into a specific target
	// first. It also includes announced "operations" to achieve a specific
	// goal, such as the original "OpIsrael" call for volunteers to disrupt all
	// of Israel's Internet functions for a day.
	AttackResourceLevelContest = "contest"
	// AttackResourceLevelTeam indicates a formally organized group with a
	// leader, typically motivated by a specific goal and organized around that
	// goal. Group persists long term and typically operates within a single
	// geography.
	AttackResourceLevelTeam = "team"
	// AttackResourceLevelOrganization indicates a larger and better resourced
	// than a team; typically, a company or crime syndicate. Usually operates
	// in multiple geographic areas and persists long term.
	AttackResourceLevelOrganization = "organization"
	// AttackResourceLevelGovernment indicates controls public assets and
	// functions within a jurisdiction; very well resourced and persists long
	// term.
	AttackResourceLevelGovernment = "government"
)
View Source 
const (
	// AttackMotivationAccidental indicates non-hostile actor whose
	// benevolent or harmless intent inadvertently causes harm.
	AttackMotivationAccidental = "accidental"
	// AttackMotivationCoercion indicates being forced to act on someone else's
	// behalf.
	AttackMotivationCoercion = "coercion"
	// AttackMotivationDominance indicates a desire to assert superiority over
	// someone or something else.
	AttackMotivationDominance = "dominance"
	// AttackMotivationIdeology indicates a passion to express a set of ideas,
	// beliefs, and values that may shape and drive harmful and illegal acts.
	AttackMotivationIdeology = "ideology"
	// AttackMotivationNotoriety indicates seeking prestige or to become well
	// known through some activity.
	AttackMotivationNotoriety = "notoriety"
	// AttackMotivationOrganizationalGain indicates seeking advantage over a
	// competing organization, including a military organization.
	AttackMotivationOrganizationalGain = "organizational-gain"
	// AttackMotivationPersonalGain indicates the desire to improve one’s own
	// financial status.
	AttackMotivationPersonalGain = "personal-gain"
	// AttackMotivationPersonalSatisfaction indicates a desire to satisfy a
	// strictly personal goal, including curiosity, thrill-seeking, amusement,
	// etc.
	AttackMotivationPersonalSatisfaction = "personal-satisfaction"
	// AttackMotivationRevenge indicates a desire to avenge perceived wrongs
	// through harmful actions such as sabotage, violence, theft, fraud, or
	// embarrassing certain individuals or the organization.
	AttackMotivationRevenge = "revenge"
	// AttackMotivationUnpredictable indicates acting without identifiable
	// reason or purpose and creating unpredictable events.
	AttackMotivationUnpredictable = "unpredictable"
)
View Source 
const (
	// RegionAfrica is a region identifier for Africa.
	RegionAfrica = "africa"
	// RegionEasternAfrica is a region identifier for Eastern Africa.
	RegionEasternAfrica = "eastern-africa"
	// RegionMiddleAfrica is a region identifier for Middle Africa.
	RegionMiddleAfrica = "middle-africa"
	// RegionNorthernAfrica is a region identifier for Northern Africa.
	RegionNorthernAfrica = "northern-africa"
	// RegionSouthernAfrica is a region identifier for Southern Africa.
	RegionSouthernAfrica = "southern-africa"
	// RegionWesternAfrica is a region identifier for Western Africa.
	RegionWesternAfrica = "western-africa"
	// RegionAmericas is a region identifier for Americas.
	RegionAmericas = "americas"
	// RegionLatinAmericaCaribbean is a region identifier for Latin America and
	// Caribbean.
	RegionLatinAmericaCaribbean = "latin-america-caribbean"
	// RegionSouthAmerica is a region identifier for South America.
	RegionSouthAmerica = "south-america"
	// RegionCaribbean is a region identifier for Caribbean.
	RegionCaribbean = "caribbean"
	// RegionCentralAmerica is a region identifier for Central America.
	RegionCentralAmerica = "central-america"
	// RegionNorthernAmerica is a region identifier for Northern America.
	RegionNorthernAmerica = "northern-america"
	// RegionAsia is a region identifier for Asia.
	RegionAsia = "asia"
	// RegionCentralAsia is a region identifier for Central Asia.
	RegionCentralAsia = "central-asia"
	// RegionEasternAsia is a region identifier for Eastern Asia.
	RegionEasternAsia = "eastern-asia"
	// RegionSouthernAsia is a region identifier for Southern Asia.
	RegionSouthernAsia = "southern-asia"
	// RegionSouthEasternAsia is a region identifier for South Eastern Asia
	RegionSouthEasternAsia = "south-eastern-asia"
	// RegionWesternAsia is a region identifier for Western Asia.
	RegionWesternAsia = "western-asia"
	// RegionEurope is a region identifier for Europe.
	RegionEurope = "europe"
	// RegionEasternEurope is a region identifier for Eastern Europe.
	RegionEasternEurope = "eastern-europe"
	// RegionNorthernEurope is a region identifier for Northern Europe,
	RegionNorthernEurope = "northern-europe"
	// RegionSouthernEurope is a region identifier for Southern Europe.
	RegionSouthernEurope = "southern-europe"
	// RegionWesternEurope is a region identifier for Western Europe.
	RegionWesternEurope = "western-europe"
	// RegionOceania is a region identifier for Oceania.
	RegionOceania = "oceania"
	// RegionAustraliaNewZealand is a region identifier for Australia and New
	// Zealand.
	RegionAustraliaNewZealand = "australia-new-zealand"
	// RegionMelanesia is a region identifier for Melanesia.
	RegionMelanesia = "melanesia"
	// RegionMicronesia is a region identifier for Micronesia.
	RegionMicronesia = "micronesia"
	// RegionPolynesia is a region identifier for Polynesia.
	RegionPolynesia = "polynesia"
	// RegionAntarctica is a region identifier for Antarctica.
	RegionAntarctica = "antarctica"
)
View Source 
const (
	// MalwareResultMalicious AV tool reported the malware binary as malicious.
	MalwareResultMalicious = "malicious"
	// MalwareResultSuspicious AV tool reported the malware binary as
	// suspicious but not definitively malicious.
	MalwareResultSuspicious = "suspicious"
	// MalwareResultBenign AV tool reported the malware binary as benign.
	MalwareResultBenign = "benign"
	// MalwareResultUnknown AV tool was unable to determine whether the malware
	// binary is malicious.
	MalwareResultUnknown = "unknown"
)
View Source 
const (
	// MalwareTypeAdware is any software that is funded by advertising. Adware
	// may also gather sensitive user information from a system.
	MalwareTypeAdware = "adware"
	// MalwareTypeBackdoor is a malicious program that allows an attacker to
	// perform actions on a remote system, such as transferring files,
	// acquiring passwords, or executing arbitrary commands.
	MalwareTypeBackdoor = "backdoor"
	// MalwareTypeBot is a program that resides on an infected system,
	// communicating with and forming part of a botnet. The bot may be
	// implanted by a worm or Trojan, which opens a backdoor. The bot then
	// monitors the backdoor for further instructions.
	MalwareTypeBot = "bot"
	// MalwareTypeBootkit is a malicious program which targets the Master Boot
	// Record of the target computer.
	MalwareTypeBootkit = "bootkit"
	// MalwareTypeDDoS is a program that is used to perform a distributed
	// denial of service attack.
	MalwareTypeDDoS = "ddos"
	// MalwareTypeDownloader is a small trojan file programmed to download and
	// execute other files, usually more complex malware.
	MalwareTypeDownloader = "downloader"
	// MalwareTypeDropper is a type of trojan that deposits an enclosed payload
	// (generally, other malware) onto the target computer.
	MalwareTypeDropper = "dropper"
	// MalwareTypeExploitKit is a software toolkit to target common
	// vulnerabilities.
	MalwareTypeExploitKit = "exploit-kit"
	// MalwareTypeKeylogger is a type of malware that surreptitiously monitors
	// keystrokes and either records them for later retrieval or sends them
	// back to a central collection point.
	MalwareTypeKeylogger = "keylogger"
	// MalwareTypeRansomware is a type of malware that encrypts files on a
	// victim's system, demanding payment of ransom in return for the access
	// codes required to unlock files.
	MalwareTypeRansomware = "ransomware"
	// MalwareTypeRemoteAccessTrojan is a remote access trojan program (or
	// RAT), is a trojan horse capable of controlling a machine through
	// commands issued by a remote attacker.
	MalwareTypeRemoteAccessTrojan = "remote-access-trojan"
	// MalwareTypeResourceExploitation is a type of malware that steals a
	// system's resources (e.g., CPU cycles), such as a malicious bitcoin
	// miner.
	MalwareTypeResourceExploitation = "resource-exploitation"
	// MalwareTypeRogueSecuritySoftware is a fake security product that demands
	// money to clean phony infections.
	MalwareTypeRogueSecuritySoftware = "rogue-security-software"
	// MalwareTypeRootkit is a type of malware that hides its files or
	// processes from normal methods of monitoring in order to conceal its
	// presence and activities. Rootkits can operate at a number of levels,
	// from the application level — simply replacing or adjusting the settings
	// of system software to prevent the display of certain information —
	// through hooking certain functions or inserting modules or drivers into
	// the operating system kernel, to the deeper level of firmware or
	// virtualization rootkits, which are activated before the operating system
	// and thus even harder to detect while the system is running.
	MalwareTypeRootkit = "rootkit"
	// MalwareTypeScreenCapture is a type of malware used to capture images
	// from the target systems screen, used for exfiltration and command and
	// control.
	MalwareTypeScreenCapture = "screen-capture"
	// MalwareTypeSpyware is a software that gathers information on a user's
	// system without their knowledge and sends it to another party. Spyware is
	// generally used to track activities for the purpose of delivering
	// advertising.
	MalwareTypeSpyware = "spyware"
	// MalwareTypeTrojan is any malicious computer program which is used to
	// hack into a computer by misleading users of its true intent.
	MalwareTypeTrojan = "trojan"
	// MalwareTypeUnknown is used if not enough information available to
	// determine the type of malware.
	MalwareTypeUnknown = "unknown"
	// MalwareTypeVirus is a malicious computer program that replicates by
	// reproducing itself or infecting other programs by modifying them.
	MalwareTypeVirus = "virus"
	// MalwareTypeWebshell is a malicious script used by an attacker with the
	//intent to escalate and maintain persistent access on an already
	//compromised web application.
	MalwareTypeWebshell = "webshell"
	// MalwareTypeWiper is a piece of malware whose primary aim is to delete
	// files or entire disks on a machine.
	MalwareTypeWiper = "wiper"
	// MalwareTypeWorm is a self-replicating, self-contained program that
	// usually executes itself without user intervention.
	MalwareTypeWorm = "worm"
)
View Source 
const (
	// MalwareCapabilitiesAccessesRemoteMachines indicates that the malware
	// instance or family is able to access one or more remote machines.
	MalwareCapabilitiesAccessesRemoteMachines = "accesses-remote-machines"
	// MalwareCapabilitiesAntiDebugging indicates that the malware instance or
	// family is able to prevent itself from being debugged and/or from being
	// run in a debugger or is able to make debugging more difficult.
	MalwareCapabilitiesAntiDebugging = "anti-debugging"
	// MalwareCapabilitiesAntiDisassembly indicates that the malware instance
	// or family is able to prevent itself from being disassembled or make
	// disassembly more difficult.
	MalwareCapabilitiesAntiDisassembly = "anti-disassembly"
	// MalwareCapabilitiesAntiEmulation indicates that the malware instance or
	// family is able to prevent its execution inside of an emulator or is able
	// to make emulation more difficult.
	MalwareCapabilitiesAntiEmulation = "anti-emulation"
	// MalwareCapabilitiesAntiMemoryForensics indicates that the malware
	// instance or family is able to prevent or make memory forensics more
	// difficult.
	MalwareCapabilitiesAntiMemoryForensics = "anti-memory-forensics"
	// MalwareCapabilitiesAntiSandbox indicates that the malware instance or
	// family is able to prevent sandbox-based behavioral analysis or make it
	// more difficult.
	MalwareCapabilitiesAntiSandbox = "anti-sandbox"
	// MalwareCapabilitiesAntiVM indicates that the malware instance or family
	// is able to prevent virtual machine (VM) based behavioral analysis or
	// make it more difficult.
	MalwareCapabilitiesAntiVM = "anti-vm"
	// MalwareCapabilitiesCapturesInputPeripherals indicates that the malware
	// instance or family is able to capture data from a system's input
	// peripheral devices, such as a keyboard or mouse. This includes things
	// like keylogging.
	MalwareCapabilitiesCapturesInputPeripherals = "captures-input-peripherals"
	// MalwareCapabilitiesCapturesOutputPeripherals indicates that the malware
	// instance or family captures data sent to a system's output peripherals,
	// such as a display. Examples include things like screen scraping.
	MalwareCapabilitiesCapturesOutputPeripherals = "captures-output-peripherals"
	// MalwareCapabilitiesCapturesSystemStateData indicates that the malware
	// instance or family is able to capture information about a system's state
	// (e.g., data currently in its RAM).
	MalwareCapabilitiesCapturesSystemStateData = "captures-system-state-data"
	// MalwareCapabilitiesCleansTracesOfInfection indicates that the malware
	// instance or family is able to clean traces of its infection (e.g., file
	// system artifacts) from a system.
	MalwareCapabilitiesCleansTracesOfInfection = "cleans-traces-of-infection"
	// MalwareCapabilitiesCommitsFraud indicates that the malware instance or
	// family commits fraud, such as click fraud (for example).
	MalwareCapabilitiesCommitsFraud = "commits-fraud"
	// MalwareCapabilitiesCommunicatesWithC2 indicates that the malware
	// instance or family is able to communicate (i.e., send or receive data)
	// with a command and control (C2) server.
	MalwareCapabilitiesCommunicatesWithC2 = "communicates-with-c2"
	// MalwareCapabilitiesCompromisesDataAvailability indicates that the
	// malware instance or family is able to compromise the availability of
	// data on the local system on which it is executing and/or one or more
	// remote systems. For example, encrypting data on disk, as done by
	// ransomware.
	MalwareCapabilitiesCompromisesDataAvailability = "compromises-data-availability"
	// MalwareCapabilitiesCompromisesDataIntegrity indicates that the malware
	// instance or family is able to compromise the integrity of some data that
	// resides on (e.g., in the case of files) or is received/transmitted
	// (e.g., in the case of network traffic) by the system on which it is
	// executing.
	MalwareCapabilitiesCompromisesDataIntegrity = "compromises-data-integrity"
	// MalwareCapabilitiesCompromisesSystemAvailability indicates that the
	// malware instance or family is able to consume system resources for its
	// malicious purposes, such as password cracking or participating in a DDoS
	// botnet, thereby compromising the availability of the local system and/or
	// one or more remote systems.
	MalwareCapabilitiesCompromisesSystemAvailability = "compromises-system-availability"
	// MalwareCapabilitiesControlsLocalMachine indicates that the malware
	// instance or family is able to control the machine on which it is
	// executing (e.g., RATs).
	MalwareCapabilitiesControlsLocalMachine = "controls-local-machine"
	// MalwareCapabilitiesDegradesSecuritySoftware indicates that the malware
	// instance or family is able to bypass or disable security programs or
	// operating system security features on a system (including mobile
	// devices), either by stopping them from executing or by making changes to
	// their code or configuration parameters. For example, malware that blocks
	// the local machine from accessing the websites of security vendors.
	MalwareCapabilitiesDegradesSecuritySoftware = "degrades-security-software"
	// MalwareCapabilitiesDegradesSystemUpdates indicates that the malware
	// instance or family is able to disable the downloading and installation
	// of system updates and patches.
	MalwareCapabilitiesDegradesSystemUpdates = "degrades-system-updates"
	// MalwareCapabilitiesDeterminesC2Server indicates that the malware
	// instance or family is able to identify one or more command and control
	// (C2) servers with which to communicate (e.g., DGA).
	MalwareCapabilitiesDeterminesC2Server = "determines-c2-server"
	// MalwareCapabilitiesEmailsSpam indicates that the malware instance or
	// family is able to send spam email messages.
	MalwareCapabilitiesEmailsSpam = "emails-spam"
	// MalwareCapabilitiesEscalatesPrivileges indicates that the malware
	// instance or family is able to escalate the privileges under which it is
	// executing.
	MalwareCapabilitiesEscalatesPrivileges = "escalates-privileges"
	// MalwareCapabilitiesEvadesAV indicates that the malware instance or
	// family is able to evade detection by antivirus tools.
	MalwareCapabilitiesEvadesAV = "evades-av"
	// MalwareCapabilitiesExfiltratesData indicates that the malware instance
	// or family is able to gather, prepare, (possibly obfuscate) data and
	// transmit it to exfiltration points.
	MalwareCapabilitiesExfiltratesData = "exfiltrates-data"
	// MalwareCapabilitiesFingerprintsHost indicates that the malware instance
	// or family is able to fingerprint or probe the configuration of the host
	// system on which it is executing for the purpose of altering its behavior
	// based on this environment.
	MalwareCapabilitiesFingerprintsHost = "fingerprints-host"
	// MalwareCapabilitiesHidesArtifacts indicates that the malware instance or
	// family is able to hide its artifacts, such as files and open ports.
	MalwareCapabilitiesHidesArtifacts = "hides-artifacts"
	// MalwareCapabilitiesHidesExecutingCode indicates that the malware
	// instance or family is able to hide its code by compromising the
	// bootloader, kernel modules, hypervisor, etc.
	MalwareCapabilitiesHidesExecutingCode = "hides-executing-code"
	// MalwareCapabilitiesInfectsFiles indicates that the malware instance or
	// family is able to infect one or more files on the system on which it
	// executes. For example, malware which injects a malicious payload into
	// all PDFs on a host as a means of propagation.
	MalwareCapabilitiesInfectsFiles = "infects-files"
	// MalwareCapabilitiesInfectsRemoteMachines indicates that the malware
	// instance or family is able to self-propagate to a remote machine or
	// infect a remote machine with malware that is different than itself.
	MalwareCapabilitiesInfectsRemoteMachines = "infects-remote-machines"
	// MalwareCapabilitiesInstallsOtherComponents indicates that the malware
	// instance or family is able to install additional components. This
	// encompasses the dropping/downloading of other malicious components such
	// as libraries, other malware, and tools.
	MalwareCapabilitiesInstallsOtherComponents = "installs-other-components"
	// MalwareCapabilitiesPersistsAfterSystemReboot indicates that the malware
	// instance or family is able to continue executing after the reboot of the
	// system on which it is resident.
	MalwareCapabilitiesPersistsAfterSystemReboot = "persists-after-system-reboot"
	// MalwareCapabilitiesPreventsArtifactAccess indicates that the malware
	// instance or family is able to prevent its artifacts (e.g., files,
	// registry keys, etc.) from being accessed.
	MalwareCapabilitiesPreventsArtifactAccess = "prevents-artifact-access"
	// MalwareCapabilitiesPreventsArtifactDeletion indicates that the malware
	// instance or family is able to prevent its artifacts (e.g., files,
	// registry keys, etc.) from being deleted.
	MalwareCapabilitiesPreventsArtifactDeletion = "prevents-artifact-deletion"
	// MalwareCapabilitiesProbesNetworkEnvironment indicates that the malware
	// instance or family is able to probe the properties of its network
	// environment, e.g. to determine whether it funnels traffic through a
	// proxy.
	MalwareCapabilitiesProbesNetworkEnvironment = "probes-network-environment"
	// MalwareCapabilitiesSelfModifies indicates that the malware instance or
	// family is able to modify itself.
	MalwareCapabilitiesSelfModifies = "self-modifies"
	// MalwareCapabilitiesStealsAuthenticationCredentials indicates that the
	// malware instance is able to steal authentication credentials.
	MalwareCapabilitiesStealsAuthenticationCredentials = "steals-authentication-credentials"
	// MalwareCapabilitiesViolatesSystemOperationalIntegrity indicates that the
	// malware instance or family is able to compromise the operational
	// integrity of the system on which it is executing and/or one or more
	// remote systems, e.g., by causing them to operate beyond their set of
	// specified operational parameters. For example, malware that causes the
	// CPU fan on the machine that it is executing to spin at a higher than
	// normal speed.
	MalwareCapabilitiesViolatesSystemOperationalIntegrity = "violates-system-operational-integrity"
)
View Source 
const (
	// ArchitectureAlpha specifies the Alpha architecture.
	ArchitectureAlpha = "alpha"
	// ArchitectureArm specifies the ARM architecture.
	ArchitectureArm = "arm"
	// ArchitectureIA64 specifies the 64-bit IA (Itanium) architecture.
	ArchitectureIA64 = "ia-64"
	// ArchitectureMIPS specifies the MIPS architecture.
	ArchitectureMIPS = "mips"
	// ArchitecturePowerPC specifies the PowerPC architecture.
	ArchitecturePowerPC = "powerpc"
	// ArchitectureSPARC specifies the SPARC architecture.
	ArchitectureSPARC = "sparc"
	// ArchitectureX86 specifies the 32-bit x86 architecture.
	ArchitectureX86 = "x86"
	// ArchitectureX8664 specifies the 64-bit x86 architecture.
	ArchitectureX8664 = "x86-64"
)
View Source 
const (
	// ImplementationLanguageApplescript specifies the AppleScript programming
	// language.
	ImplementationLanguageApplescript = "applescript"
	// ImplementationLanguageBash specifies the Bash programming language.
	ImplementationLanguageBash = "bash"
	// ImplementationLanguageC specifies the C programming language.
	ImplementationLanguageC = "c"
	// ImplementationLanguageCpp specifies the C++ programming language.
	ImplementationLanguageCpp = "c++"
	// ImplementationLanguageCsharp specifies the C# programming language.
	ImplementationLanguageCsharp = "c#"
	// ImplementationLanguageGo specifies the Go (sometimes referred to as
	// golang) programming language.
	ImplementationLanguageGo = "go"
	// ImplementationLanguageJava specifies the JAVA programming language.
	ImplementationLanguageJava = "java"
	// ImplementationLanguageJavascript specifies the JavaScript programming
	// language.
	ImplementationLanguageJavascript = "javascript"
	// ImplementationLanguageLua specifies the Lua programming language.
	ImplementationLanguageLua = "lua"
	// ImplementationLanguageObjectiveC specifies the Objective-C programming
	// language.
	ImplementationLanguageObjectiveC = "objective-c"
	// ImplementationLanguagePerl specifies the Perl programming language.
	ImplementationLanguagePerl = "perl"
	// ImplementationLanguagePHP specifies the PHP programming language.
	ImplementationLanguagePHP = "php"
	// ImplementationLanguagePowershell specifies the Windows Powershell
	// programming language.
	ImplementationLanguagePowershell = "powershell"
	// ImplementationLanguagePython specifies the Python programming language.
	ImplementationLanguagePython = "python"
	// ImplementationLanguageRuby specifies the Ruby programming language.
	ImplementationLanguageRuby = "ruby"
	// ImplementationLanguageScala specifies the Scala programming language.
	ImplementationLanguageScala = "scala"
	// ImplementationLanguageSwift specifies the Swift programming language.
	ImplementationLanguageSwift = "swift"
	// ImplementationLanguageTypeScript specifies the TypeScript programming
	// language.
	ImplementationLanguageTypeScript = "typescript"
	// ImplementationLanguageVisualBasic specifies the Visual Basic programming
	// language.
	ImplementationLanguageVisualBasic = "visual-basic"
	// ImplementationLanguageX8632 specifies the x86 32-bit Assembly
	// programming language.
	ImplementationLanguageX8632 = "x86-32"
	// ImplementationLanguageX8664 specifies the x86 64-bit Assembly
	// programming language.
	ImplementationLanguageX8664 = "x86-64"
)
View Source 
const (
	// SpecVersion20 is the spec_version string for STIX™ 2.0.
	SpecVersion20 = "2.0"
	// SpecVersion21 is the spec_version string for STIX™ 2.1.
	SpecVersion21 = "2.1"
)
View Source 
const (
	// ReportTypeAttackPattern subject is a characterization of one or more
	// attack patterns and related information.
	ReportTypeAttackPattern = "attack-pattern"
	// ReportTypeCampaign subject is a characterization of one or more
	// campaigns and related information.
	ReportTypeCampaign = "campaign"
	// ReportTypeIdentity subject is a characterization of one or more
	// identities and related information.
	ReportTypeIdentity = "identity"
	// ReportTypeIndicator subject is a characterization of one or more
	// indicators and related information.
	ReportTypeIndicator = "indicator"
	// ReportTypeIntrusionSet subject is a characterization of one or more
	// intrusion sets and related information.
	ReportTypeIntrusionSet = "intrusion-set"
	// ReportTypeMalware subject is a characterization of one or more malware
	// instances and related information.
	ReportTypeMalware = "malware"
	// ReportTypeObservedData subject is a characterization of observed data
	// and related information.
	ReportTypeObservedData = "observed-data"
	// ReportTypeThreatActor subject is a characterization of one or more
	// threat actors and related information.
	ReportTypeThreatActor = "threat-actor"
	// ReportTypeThreatReport subject is a broad characterization of a threat
	// across multiple facets.
	ReportTypeThreatReport = "threat-report"
	// ReportTypeTool subject is a characterization of one or more tools and
	// related information.
	ReportTypeTool = "tool"
	// ReportTypeVulnerability subject is a characterization of one or more
	// vulnerabilities and related information.
	ReportTypeVulnerability = "vulnerability"
)
View Source 
const (
	// ThreatActorTypeActivist are highly motivated, potentially destructive
	// supporter of a social or political cause (e.g., trade, labor,
	// environment, etc.) that attempts to disrupt an organization's business
	// model or damage their image. This category includes actors sometimes
	// referred to as anarchists, cyber vandals, extremists, and hacktivists.
	ThreatActorTypeActivist = "activist"
	// ThreatActorTypeCompetitor is an organization that competes in the same
	// economic marketplace. The goal of a competitor is to gain an advantage
	// in business with respect to the rival organization it targets. It
	// usually does this by copying intellectual property, trade secrets,
	// acquisition strategies, or other technical or business data from a rival
	// organization with the intention of using the data to bolster its own
	// assets and market position.
	ThreatActorTypeCompetitor = "competitor"
	// ThreatActorTypeCrimeSyndicate is an enterprise organized to conduct
	// significant, large-scale criminal activity for profit. Crime syndicates,
	// also known as organized crime, are generally large, well-resourced
	// groups that operate to create profit from all types of crime.
	ThreatActorTypeCrimeSyndicate = "crime-syndicate"
	// ThreatActorTypeCriminal is an individual who commits computer crimes,
	// often for personal financial gain and often involves the theft of
	// something valuable. Intellectual property theft, extortion via
	// ransomware, and physical destruction are common examples. A criminal as
	// defined here refers to those acting individually or in very small or
	// informal groups. For sophisticated organized criminal activity, see the
	// crime syndicate descriptor.
	ThreatActorTypeCriminal = "criminal"
	// ThreatActorTypeHacker is an individual that tends to break into networks
	// for the thrill or the challenge of doing so. Hackers may use advanced
	// skills or simple attack scripts they have downloaded.
	ThreatActorTypeHacker = "hacker"
	// ThreatActorTypeInsiderAccidental is a non-hostile insider who
	// unintentionally exposes the organization to harm. “Insider” in this
	// context includes any person extended internal trust, such as regular
	// employees, contractors, consultants, and temporary workers.
	ThreatActorTypeInsiderAccidental = "insider-accidental"
	// ThreatActorTypeInsiderDisgruntled is a current or former insiders who
	// seek revengeful and harmful retaliation for perceived wrongs. “Insider”
	// in this context includes any person extended internal trust, such as
	// regular employees, contractors, consultants, and temporary workers.
	// Disgruntled threat actors may have extensive knowledge that can be
	// leveraged when conducting attacks and can take any number of actions
	// including sabotage, violence, theft, fraud, espionage, or embarrassing
	// individuals or the organization.
	ThreatActorTypeInsiderDisgruntled = "insider-disgruntled"
	// ThreatActorTypeNationState are entities who work for the government or
	// military of a nation state or who work at their direction. These actors
	// typically have access to significant support, resources, training, and
	// tools and are capable of designing and executing very sophisticated and
	// effective Intrusion Sets and Campaigns.
	ThreatActorTypeNationState = "nation-state"
	// ThreatActorTypeSensationalist seeks to cause embarrassment and brand
	// damage by exposing sensitive information in a manner designed to cause a
	// public relations crisis. A sensationalist may be an individual or small
	// group of people motivated primarily by a need for notoriety. Unlike the
	// activist, the sensationalist generally has no political goal, and is not
	// using bad PR to influence the target to change its behavior or business
	// practices.
	ThreatActorTypeSensationalist = "sensationalist"
	// ThreatActorTypeSpy secretly collects sensitive information for use,
	// dissemination, or sale. Traditional spies (governmental and industrial)
	// are part of a well-resourced intelligence organization and are capable
	// of very sophisticated clandestine operations. However, insiders such as
	// employees or consultants acting as spies can be just as effective and
	// damaging, even when their activities are largely opportunistic and not
	// part of an overall campaign.
	ThreatActorTypeSpy = "spy"
	// ThreatActorTypeTerrorist uses extreme violence to advance a social or
	// political agenda as well as monetary crimes to support its activities.
	// In this context a terrorist refers to individuals who target
	// noncombatants with violence to send a message of fear far beyond the
	// actual events. They may act independently or as part of a terrorist
	// organization. Terrorist organizations must typically raise much of their
	// operating budget through criminal activity, which often occurs online.
	// Terrorists are also often adept at using and covertly manipulating
	// social media for both recruitment and impact.
	ThreatActorTypeTerrorist = "terrorist"
	// ThreatActorTypeUnknown is used if there is not enough information
	// available to determine the type of threat actor.
	ThreatActorTypeUnknown = "unknown"
)
View Source 
const (
	// ThreatActorRoleAgent executes attacks either on behalf of themselves or
	// at the direction of someone else.
	ThreatActorRoleAgent = "agent"
	// ThreatActorRoleDirector directs the activities, goals, and objectives of
	// the malicious activities.
	ThreatActorRoleDirector = "director"
	// ThreatActorRoleIndependent s a threat actor acting by themselves.
	ThreatActorRoleIndependent = "independent"
	// ThreatActorRoleInfrastructureArchitect is someone who designs the battle
	// space.
	ThreatActorRoleInfrastructureArchitect = "infrastructure-architect"
	// ThreatActorRoleInfrastructureOperator provides and supports the attack
	// infrastructure that is used to deliver the attack (botnet providers,
	// cloud services, etc.).
	ThreatActorRoleInfrastructureOperator = "infrastructure-operator"
	// ThreatActorRoleMalwareAuthor authors malware or other malicious tools.
	ThreatActorRoleMalwareAuthor = "malware-author"
	// ThreatActorRoleSponsor funds the malicious activities.
	ThreatActorRoleSponsor = "sponsor"
)
View Source 
const (
	// ThreatActorSophisticationNone can carry out random acts of disruption or
	// destruction by running tools they do not understand. Actors in this
	// category have average computer skills.
	//
	// Example Roles: Average User
	//
	// These actors:
	//		* can not launch targeted attacks
	ThreatActorSophisticationNone = "none"
	// ThreatActorSophisticationMinimal can minimally use existing and
	// frequently well known and easy-to-find techniques and programs or
	// scripts to search for and exploit weaknesses in other computers.
	// Commonly referred to as a script-kiddie.
	//
	// These actors rely on others to develop the malicious tools, delivery
	// mechanisms, and execution strategy and often do not fully understand the
	// tool they are using or how they work. They also lack the ability to
	// conduct their own reconnaissance and targeting research.
	//
	// Example Roles: Script-Kiddie
	//
	// These actors:
	//		* attack known weaknesses;
	//		* use well known scripts and tools; and
	//		* have minimal knowledge of the tools.
	ThreatActorSophisticationMinimal = "minimal"
	// ThreatActorSophisticationIntermediate can proficiently use existing
	// attack frameworks and toolkits to search for and exploit vulnerabilities
	// in computers or systems. Actors in this category have computer skills
	// equivalent to an IT professional and typically have a working knowledge
	// of networks, operating systems, and possibly even defensive techniques
	// and will typically exhibit some operational security.
	//
	// These actors rely others to develop the malicious tools and delivery
	// mechanisms but are able to plan their own execution strategy. They are
	// proficient in the tools they are using and how they work and can even
	// make minimal modifications as needed.
	//
	// Example Roles: Toolkit User
	//
	// These actors:
	//		* attack known vulnerabilities;
	//		* use attack frameworks and toolkits; and
	//		* have proficient knowledge of the tools.
	ThreatActorSophisticationIntermediate = "intermediate"
	// ThreatActorSophisticationAdvanced can develop their own tools or scripts
	// from publicly known vulnerabilities to target systems and users. Actors
	// in this category are very adept at IT systems and have a background in
	// software development along with a solid understanding of defensive
	// techniques and operational security.
	//
	// These actors rely on others to find and identify weaknesses and
	// vulnerabilities in systems, but are able to create their own tools,
	// delivery mechanisms, and execution strategies.
	//
	// Example Roles: Toolkit Developer
	//
	// These actors:
	//		* attack known vulnerabilities;
	//		* can create their own tools; and
	//		* have proficient knowledge of the tools.
	ThreatActorSophisticationAdvanced = "advanced"
	// ThreatActorSophisticationExpert can focus on the discovery and use of
	// unknown malicious code, are is adept at installing user and kernel mode
	// rootkits, frequently use data mining tools, target corporate executives
	// and key users (government and industry) for the purpose of stealing
	// personal and corporate data. Actors in this category are very adept at
	// IT systems and software development and are experts with security
	// systems, defensive techniques, attack methods, and operational security.
	//
	// Example Roles: Vulnerability Researcher, Reverse Engineer, Threat
	// Researcher, Malware Creator
	//
	// These actors:
	//		* attack unknown and known vulnerabilities;
	//		* can create  their own tools from scratch; and
	//		* have proficient knowledge of the tools.
	ThreatActorSophisticationExpert = "expert"
	// ThreatActorSophisticationInnovator typically, criminal or state actors who
	// are organized, highly technical, proficient, well-funded professionals
	// working in teams to discover new vulnerabilities and develop exploits.
	//
	// Demonstrates sophisticated capability. An innovator has the ability to
	// create and script unique programs and codes targeting virtually any form
	// of technology. At this level, this actor has a deep knowledge of
	// networks, operating systems, programming languages, firmware, and
	// infrastructure topologies and will demonstrate operational security when
	// conducting his activities. Innovators are largely responsible for the
	// discovery of 0-day vulnerabilities and the development of new attack
	// techniques.
	//
	// Example Roles: Toolkit Innovator, 0-Day Exploit Author
	//
	// These actors:
	//		* attack unknown and known vulnerabilities;
	//		* create attacks against 0-Day exploits from scratch; and
	//		* create new and innovative attacks and toolkits.
	ThreatActorSophisticationInnovator = "innovator"
	// ThreatActorSophisticationStrategic is a state actors who create
	// vulnerabilities through an active program to “influence” commercial
	// products and services during design, development or manufacturing, or
	// with the ability to impact products while in the supply chain to enable
	// exploitation of networks and systems of interest.
	//
	// These actors:
	//		* can create or use entire supply chains to launch an attack;
	//		* can create and design attacks for any systems, software package,
	//		  or device; and
	//		* are responsible for APT-level attacks.
	ThreatActorSophisticationStrategic = "strategic"
)
View Source 
const (
	// ToolTypeDenialOfService is used to perform denial of service attacks or
	// DDoS attacks, such as Low Orbit Ion Cannon (LOIC) and DHCPig.
	ToolTypeDenialOfService = "denial-of-service"
	// ToolTypeExploitation is used to exploit software and systems, such as
	// sqlmap and Metasploit.
	ToolTypeExploitation = "exploitation"
	// ToolTypeInformationGathering is used to enumerate system and network
	// information, e.g., NMAP.
	ToolTypeInformationGathering = "information-gathering"
	// ToolTypeNetworkCapture is used to capture network traffic, such as
	// Wireshark and Kismet
	ToolTypeNetworkCapture = "network-capture"
	// ToolTypeCredentialExploitation is used to crack password databases or
	// otherwise exploit/discover credentials, either locally or remotely, such
	// as John the Ripper and NCrack.
	ToolTypeCredentialExploitation = "credential-exploitation"
	// ToolTypeRemoteAccess is used to access machines remotely, such as VNC
	// and Remote Desktop.
	ToolTypeRemoteAccess = "remote-access"
	// ToolTypeVulnerabilityScanning is used to scan systems and networks for
	// vulnerabilities, e.g., Nessus.
	ToolTypeVulnerabilityScanning = "vulnerability-scanning"
	// ToolTypeUnknown if there is not enough information available to
	// determine the type of tool.
	ToolTypeUnknown = "unknown"
)
View Source 
const (
	// AccountFacebook specifies a Facebook account.
	AccountFacebook string = "facebook"
	// AccountLdap specifies an LDAP account.
	AccountLdap string = "ldap"
	// AccountNis specifies a NIS account
	AccountNis string = "nis"
	// AccountOpenid specifies an OpenID account.
	AccountOpenid string = "openid"
	// AccountRadius specifies a RADIUS account.
	AccountRadius string = "radius"
	// AccountSkype specifies a Skype account.
	AccountSkype string = "skype"
	// AccountTacacs specifies a TACACS account.
	AccountTacacs string = "tacacs"
	// AccountTwitter specifies a Twitter account.
	AccountTwitter string = "twitter"
	// AccountUnix specifies a POSIX account.
	AccountUnix string = "unix"
	// AccountWindowsLocal specifies a Windows local account.
	AccountWindowsLocal string = "windows-local"
	// AccountWindowsDomain specifies a Windows domain account.
	AccountWindowsDomain string = "windows-domain"
)
View Source 
const LockheedMartinCyberKillChain = "lockheed-martin-cyber-kill-chain"

LockheedMartinCyberKillChain is the kill chain name for Lockheed Martin Cyber Kill Chain™.

Variables

View Source 
var (
	// ErrPropertyMissing is returned if not at least one of the required
	// properties are missing
	ErrPropertyMissing = errors.New("at least one of the description, url, or externalID properties MUST be present")
	// ErrInvalidProperty is returned if the value for a property is invalid.
	ErrInvalidProperty = errors.New("invalid value for the property")
	// ErrInvalidParameter is returned if function is called with an invalid
	// function parameter.
	ErrInvalidParameter = errors.New("invalid parameter")
)
View Source 
var AllTypes = []STIXType{
	TypeAutonomousSystem,
	TypeArtifact,
	TypeAttackPattern,
	TypeCampaign,
	TypeCourseOfAction,
	TypeDirectory,
	TypeDomainName,
	TypeEmailAddress,
	TypeEmailMIME,
	TypeEmailMessage,
	TypeExtensionDefinition,
	TypeFile,
	TypeGrouping,
	TypeIPv4Addr,
	TypeIPv6Addr,
	TypeIdentity,
	TypeIncident,
	TypeIndicator,
	TypeInfrastructure,
	TypeIntrusionSet,
	TypeLanguageContent,
	TypeLocation,
	TypeMACAddress,
	TypeMalware,
	TypeMalwareAnalysis,
	TypeMarkingDefinition,
	TypeMutex,
	TypeNetworkTraffic,
	TypeNote,
	TypeObservedData,
	TypeOpinion,
	TypeProcess,
	TypeRegistryKey,
	TypeRelationship,
	TypeReport,
	TypeSighting,
	TypeSoftware,
	TypeThreatActor,
	TypeTool,
	TypeURL,
	TypeUserAccount,
	TypeVulnerability,
	TypeX509Certificate,
}

AllTypes is a list of all STIX types.

View Source 
var CyberObservableNamespace = uuid.MustParse("00abedb4-aa42-466c-9c01-fed23315a9b7")

CyberObservableNamespace is the UUIDv5 namespace for for STIX Cyber-observable Object.

View Source 
var TLPAmber = &MarkingDefinition{}

TLPAmber is the TLP:AMBER marking as defined by STIX 2.1.

View Source 
var TLPGreen = &MarkingDefinition{}

TLPGreen is the TLP:GREEN marking as defined by STIX 2.1.

View Source 
var TLPRed = &MarkingDefinition{}

TLPRed is the TLP:RED marking as defined by STIX 2.1.

View Source 
var TLPWhite = &MarkingDefinition{}

TLPWhite is the TLP:WHITE marking as defined by STIX 2.1.

Functions

func HasValidIdentifier added in v0.5.0 

func HasValidIdentifier(obj STIXObject) bool

HasValidIdentifier checks that the STIXObject has a valid identifer.

func IsValidIdentifier 

func IsValidIdentifier(id Identifier) bool

IsValidIdentifier checks if the Identifier is of valid format.

Types

type AltDataStream 

type AltDataStream struct {
	// Name specifies the name of the alternate data stream.
	Name string `json:"name"`
	// Hashes specifies a dictionary of hashes for the data contained in the
	// alternate data stream.
	Hashes Hashes `json:"hashes,omitempty"`
	// Size specifies the size of the alternate data stream, in bytes.
	Size int64 `json:"size,omitempty"`
}

AltDataStream represents an NTFS alternate data stream.

type ArchiveFileExtension 

type ArchiveFileExtension struct {
	// Contains specifies the files that are contained in the archive. It MUST
	// contain references to one or more File objects.
	Contains []Identifier `json:"contains_refs"`
	// Comment specifies a comment included as part of the archive file.
	Comment string `json:"comment,omitempty"`
}

ArchiveFileExtension specifies a default extension for capturing properties specific to archive files. The key for this extension when used in the extensions dictionary MUST be archive-ext.

type Artifact 

type Artifact struct {
	STIXCyberObservableObject
	// MimeType should, whenever feasible, be one of the values defined in the
	// Template column in the IANA media type registry. Maintaining a
	// comprehensive universal catalog of all extant file types is obviously
	// not possible. When specifying a MIME Type not included in the IANA
	// registry, implementers should use their best judgement so as to
	// facilitate interoperability.
	MimeType string `json:"mime_type,omitempty"`
	// Payload specifies the binary data contained in the artifact. This
	// property MUST NOT be present if url is provided.
	Payload Binary `json:"payload_bin,omitempty"`
	// URL a valid URL that resolves to the unencoded content. This property
	// MUST NOT be present if Payload is provided.
	URL string `json:"url,omitempty"`
	// Hashes are hashes for the contents of the URL or the Payload.
	// This property MUST be present when the url property is present.
	Hashes Hashes `json:"hashes,omitempty"`
	// Encryption is used if the artifact is encrypted, specifies the type of
	// encryption algorithm the binary data is encoded in.
	Encryption EncryptionAlgorithm `json:"encryption_algorithm,omitempty"`
	// Key specifies the decryption key for the encrypted binary data. For
	// example, this may be useful in cases of sharing malware samples, which
	// are often encoded in an encrypted archive.
	Key string `json:"decryption_key,omitempty"`
}

Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers.

func NewArtifact 

func NewArtifact(opts ...STIXOption) (*Artifact, error)

NewArtifact creates a new Artifact object.

func (*Artifact) MarshalJSON added in v0.8.0 

func (o *Artifact) MarshalJSON() ([]byte, error)

type AttackPattern 

type AttackPattern struct {
	STIXDomainObject
	// Name is used to identify the Attack Pattern.
	Name string `json:"name"`
	// Description provides more details and context about the Attack Pattern,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Aliases are alternative names used to identify this Attack Pattern.
	Aliases []string `json:"aliases,omitempty"`
	// KillChainPhase is a list of Kill Chain Phases for which this Attack
	// Pattern is used.
	KillChainPhase []*KillChainPhase `json:"kill_chain_phases,omitempty"`
}

AttackPattern is a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC.

func NewAttackPattern 

func NewAttackPattern(name string, opts ...STIXOption) (*AttackPattern, error)

NewAttackPattern creates a new AttackPattern object.

func (*AttackPattern) AddDelivers 

func (a *AttackPattern) AddDelivers(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDelivers creates a relationship to a malware delivered by this object.

func (*AttackPattern) AddTargets 

func (a *AttackPattern) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error)

AddTargets creates a relationship to either an identity, location, or vulnerability that is targeted by this attack pattern.

func (*AttackPattern) AddUses 

func (a *AttackPattern) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses creates a relationship to either a malware or tool that is used by the attack pattern.

func (*AttackPattern) MarshalJSON added in v0.8.0 

func (o *AttackPattern) MarshalJSON() ([]byte, error)

type AutonomousSystem added in v0.3.0 

type AutonomousSystem struct {
	STIXCyberObservableObject
	// Number specifies the number assigned to the AS. Such assignments are
	// typically performed by a Regional Internet Registry (RIR).
	Number int64 `json:"number"`
	// Name specifies the name of the AS.
	Name string `json:"name,omitempty"`
	// RIR specifies the name of the Regional Internet Registry (RIR) that
	// assigned the number to the AS.
	RIR string `json:"rir,omitempty"`
}

AutonomousSystem object represents the properties of an Autonomous System (AS).

func NewAutonomousSystem added in v0.3.0 

func NewAutonomousSystem(number int64, opts ...STIXOption) (*AutonomousSystem, error)

NewAutonomousSystem creates a new AutonomousSystem object.

func (*AutonomousSystem) MarshalJSON added in v0.8.0 

func (o *AutonomousSystem) MarshalJSON() ([]byte, error)

type Binary 

type Binary []byte

Binary data type represents a sequence of bytes. The JSON MTI serialization represents this as a base64-­encoded string. Other serializations SHOULD use a native binary type, if available.

func (Binary) MarshalJSON 

func (typ Binary) MarshalJSON() ([]byte, error)

MarshalJSON converts the binary data to base64 for JSON serialization.

func (Binary) String 

func (typ Binary) String() string

String turns the Binary data into a base64 encoded string.

func (*Binary) UnmarshalJSON 

func (typ *Binary) UnmarshalJSON(b []byte) error

UnmarshalJSON extracts the binary data from the json data.

type Bundle 

type Bundle struct {
	// Type property identifies the type of object.
	Type STIXType `json:"type"`
	// ID is an identifier for this Bundle. The id property for the Bundle is
	// designed to help tools that may need it for processing, but tools are
	// not required to store or track it. Tools that consume STIX should not
	// rely on the ability to refer to bundles by ID.
	ID Identifier `json:"id"`
	// Objects specifies a set of one or more STIX Objects.
	Objects []json.RawMessage `json:"objects,omitempty"`
}

Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and the objects contained within the Bundle are not considered related by virtue of being in the same Bundle.

func NewBundle added in v0.2.0 

func NewBundle(objs ...STIXObject) (*Bundle, error)

NewBundle creates a new STIX Bundle.

type Campaign 

type Campaign struct {
	STIXDomainObject
	// Name used to identify the Campaign.
	Name string `json:"name"`
	// Description provides more details and context about the Campaign,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Aliases are a lternative names used to identify this Campaign
	Aliases []string `json:"aliases,omitempty"`
	// FirstSeen is the time that this Campaign was first seen.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen is the time that this Campaign was last seen.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
	// Objective defines the Campaign’s primary goal, objective, desired
	// outcome, or intended effect — what the Threat Actor or Intrusion Set
	// hopes to accomplish with this Campaign.
	Objective string `json:"objective,omitempty"`
}

Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.

func NewCampaign 

func NewCampaign(name string, opts ...STIXOption) (*Campaign, error)

NewCampaign creates a new Campaign object.

func (*Campaign) AddAttributedTo 

func (c *Campaign) AddAttributedTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddAttributedTo creates a relationship to either an intrusion set or a threat actor that is attributed to the campaign.

func (*Campaign) AddCompromises 

func (c *Campaign) AddCompromises(id Identifier, opts ...STIXOption) (*Relationship, error)

AddCompromises creates a relationship to an infrastructure that is compromised as part of the campaign.

func (*Campaign) AddOriginatesFrom 

func (c *Campaign) AddOriginatesFrom(id Identifier, opts ...STIXOption) (*Relationship, error)

AddOriginatesFrom creates a relationship to a location that the campaign originates from the related location.

func (*Campaign) AddTargets 

func (c *Campaign) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error)

AddTargets creates a relationship to either an identity, location, or vulnerability that is targeted by this campaign.

func (*Campaign) AddUses 

func (c *Campaign) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses creates a relationship to either a malware or tool that is used by the campaign

func (*Campaign) MarshalJSON added in v0.8.0 

func (o *Campaign) MarshalJSON() ([]byte, error)

type Collection added in v0.7.0 

type Collection struct {
	// contains filtered or unexported fields
}

Collection is a collection of STIX objects. This object is not part of the STIX specification.

func FromJSON 

func FromJSON(data []byte, opts ...CollectionOption) (*Collection, error)

FromJSON parses JSON data and returns a Collection with the extracted objects.

Example 
package main

import (
	"fmt"

	"github.com/TcM1911/stix2"
)

func main() {
	data := []byte(
		`
[
   {
	  "type":"infrastructure",
	  "spec_version":"2.1",
	  "id":"infrastructure--d09c50cf-5bab-465e-9e2d-543912148b73",
	  "created":"2016-11-22T09:22:30.000Z",
	  "modified":"2016-11-22T09:22:30.000Z",
	  "name":"Example Target List Host",
	  "infrastructure_types":[
		 "hosting-target-lists"
	  ]
   },
   {
	  "type":"relationship",
	  "spec_version":"2.1",
	  "id":"relationship--37ac0c8d-f86d-4e56-aee9-914343959a4c",
	  "created":"2016-11-23T08:17:27.000Z",
	  "modified":"2016-11-23T08:17:27.000Z",
	  "relationship_type":"uses",
	  "source_ref":"malware--3a41e552-999b-4ad3-bedc-332b6d9ff80c",
	  "target_ref":"infrastructure--d09c50cf-5bab-465e-9e2d-543912148b73"
   },
   {
	  "type":"malware",
	  "spec_version":"2.1",
	  "id":"malware--3a41e552-999b-4ad3-bedc-332b6d9ff80c",
	  "created":"2016-11-12T14:31:09.000Z",
	  "modified":"2016-11-12T14:31:09.000Z",
	  "is_family":true,
	  "malware_types":[
		 "bot"
	  ],
	  "name":"IMDDOS"
   },
   {
	  "type":"relationship",
	  "spec_version":"2.1",
	  "id":"relationship--81f12913-1372-4c96-85ec-E9034ac98aba",
	  "created":"2016-11-23T10:42:39.000Z",
	  "modified":"2016-11-23T10:42:39.000Z",
	  "relationship_type":"consists-of",
	  "source_ref":"infrastructure--d09c50cf-5bab-465e-9e2d-543912148b73",
	  "target_ref":"domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5"
   },
   {
	  "id":"domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
	  "type":"domain-name",
	  "value":"example.com"
   }
]
`)
	collection, _ := stix2.FromJSON(data)
	fmt.Println(collection.DomainName("domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5").Value)
	fmt.Println(collection.Malware("malware--3a41e552-999b-4ad3-bedc-332b6d9ff80c").Name)
}

Output:

example.com
IMDDOS

func New added in v0.7.0 

func New(opts ...CollectionOption) *Collection

New creates a new Collection.

func (*Collection) AS added in v0.7.0 

func (c *Collection) AS(id Identifier) *AutonomousSystem

AS returns the AS with the identifier id.

func (*Collection) ASs added in v0.7.0 

func (c *Collection) ASs() []*AutonomousSystem

ASs returns all the AS in the collection.

func (*Collection) Add added in v0.7.0 

func (c *Collection) Add(obj STIXObject) error

Add adds or updates an object in the collection.

func (*Collection) AllMalware added in v0.7.0 

func (c *Collection) AllMalware() []*Malware

AllMalware returns all the Malware in the collection.

func (*Collection) AllNetworkTraffic added in v0.7.0 

func (c *Collection) AllNetworkTraffic() []*NetworkTraffic

AllNetworkTraffic returns all the NetworkTraffic in the collection.

func (*Collection) AllObjects added in v0.7.0 

func (c *Collection) AllObjects() []STIXObject

AllObjects returns a slice of all STIXObjects that are in the collection.

func (*Collection) AllObservedData added in v0.7.0 

func (c *Collection) AllObservedData() []*ObservedData

AllObservedData returns all the ObservedData in the collection.

func (*Collection) AllSoftware added in v0.7.0 

func (c *Collection) AllSoftware() []*Software

AllSoftware returns all the Software in the collection.

func (*Collection) Artifact added in v0.7.0 

func (c *Collection) Artifact(id Identifier) *Artifact

Artifact returns the Artifact with the identifier id.

func (*Collection) Artifacts added in v0.7.0 

func (c *Collection) Artifacts() []*Artifact

Artifacts returns all the Artifacts in the collection.

func (*Collection) AttackPattern added in v0.7.0 

func (c *Collection) AttackPattern(id Identifier) *AttackPattern

AttackPattern returns the AttackPattern with the identifier id.

func (*Collection) AttackPatterns added in v0.7.0 

func (c *Collection) AttackPatterns() []*AttackPattern

AttackPatterns returns all the AttackPatterns in the collection.

func (*Collection) Campaign added in v0.7.0 

func (c *Collection) Campaign(id Identifier) *Campaign

Campaign returns the Campaign with the identifier id.

func (*Collection) Campaigns added in v0.7.0 

func (c *Collection) Campaigns() []*Campaign

Campaigns returns all the Campaigns in the collection.

func (*Collection) CourseOfAction added in v0.7.0 

func (c *Collection) CourseOfAction(id Identifier) *CourseOfAction

CourseOfAction returns the CourseOfAction with the identifier id.

func (*Collection) CourseOfActions added in v0.7.0 

func (c *Collection) CourseOfActions() []*CourseOfAction

CourseOfActions returns all the CourseOfActions in the collection.

func (*Collection) Directories added in v0.7.0 

func (c *Collection) Directories() []*Directory

Directories returns all the Directories in the collection.

func (*Collection) Directory added in v0.7.0 

func (c *Collection) Directory(id Identifier) *Directory

Directory returns the Directory with the identifier id.

func (*Collection) DomainName added in v0.7.0 

func (c *Collection) DomainName(id Identifier) *DomainName

DomainName returns the DomainName with the identifier id.

func (*Collection) DomainNames added in v0.7.0 

func (c *Collection) DomainNames() []*DomainName

DomainNames returns all the DomainNames in the collection.

func (*Collection) EmailAddress added in v0.7.0 

func (c *Collection) EmailAddress(id Identifier) *EmailAddress

EmailAddress returns the EmailAddress with the identifier id.

func (*Collection) EmailAddresses added in v0.7.0 

func (c *Collection) EmailAddresses() []*EmailAddress

EmailAddresses returns all the EmailAddresses in the collection.

func (*Collection) EmailMessage added in v0.7.0 

func (c *Collection) EmailMessage(id Identifier) *EmailMessage

EmailMessage returns the EmailMessage with the identifier id.

func (*Collection) EmailMessages added in v0.7.0 

func (c *Collection) EmailMessages() []*EmailMessage

EmailMessages returns all the EmailMessages in the collection.

func (*Collection) ExtensionDefinition added in v0.8.0 

func (c *Collection) ExtensionDefinition(id Identifier) *ExtensionDefinition

ExtensionDefinition returns the ExtensionDefinition with the identifier id.

func (*Collection) ExtensionDefinitions added in v0.8.0 

func (c *Collection) ExtensionDefinitions() []*ExtensionDefinition

ExtensionDefinitions returns all the ExtensionDefinitions in the collection.

func (*Collection) File added in v0.7.0 

func (c *Collection) File(id Identifier) *File

File returns the File with the identifier id.

func (*Collection) Files added in v0.7.0 

func (c *Collection) Files() []*File

Files returns all the Files in the collection.

func (*Collection) Get added in v0.7.0 

func (c *Collection) Get(id Identifier) STIXObject

Get returns the object with matching ID or nil if it does not exist in the collection.

func (*Collection) GetAll added in v0.8.0 

func (c *Collection) GetAll(typ STIXType) []STIXObject

GetAll returns all the items of the STIXType in the collection. This can be used to return for example, custom types. Nil is returned if not types are part of the collection.

func (*Collection) Group added in v0.7.0 

func (c *Collection) Group(id Identifier) *Grouping

Group returns the Group with the identifier id.

func (*Collection) Groups added in v0.7.0 

func (c *Collection) Groups() []*Grouping

Groups returns all the Groups in the collection.

func (*Collection) IPv4Address added in v0.7.0 

func (c *Collection) IPv4Address(id Identifier) *IPv4Address

IPv4Address returns the IPv4Address with the identifier id.

func (*Collection) IPv4Addresses added in v0.7.0 

func (c *Collection) IPv4Addresses() []*IPv4Address

IPv4Addresses returns all the IPv4Addresses in the collection.

func (*Collection) IPv6Address added in v0.7.0 

func (c *Collection) IPv6Address(id Identifier) *IPv6Address

IPv6Address returns the IPv6Address with the identifier id.

func (*Collection) IPv6Addresses added in v0.7.0 

func (c *Collection) IPv6Addresses() []*IPv6Address

IPv6Addresses returns all the IPv6Addresses in the collection.

func (*Collection) Identities added in v0.7.0 

func (c *Collection) Identities() []*Identity

Identities returns all the Identities in the collection.

func (*Collection) Identity added in v0.7.0 

func (c *Collection) Identity(id Identifier) *Identity

Identity returns the Identity with the identifier id.

func (*Collection) Incident added in v0.10.0 

func (c *Collection) Incident(id Identifier) *Incident

Incident returns the Incident with the identifier id.

func (*Collection) Incidents added in v0.10.0 

func (c *Collection) Incidents() []*Incident

Incidents returns all the Incidents in the collection

func (*Collection) Indicator added in v0.7.0 

func (c *Collection) Indicator(id Identifier) *Indicator

Indicator returns the Indicator with the identifier id.

func (*Collection) Indicators added in v0.7.0 

func (c *Collection) Indicators() []*Indicator

Indicators returns all the Indicators in the collection.

func (*Collection) Infrastructure added in v0.7.0 

func (c *Collection) Infrastructure(id Identifier) *Infrastructure

Infrastructure returns the Infrastructure with the identifier id.

func (*Collection) Infrastructures added in v0.7.0 

func (c *Collection) Infrastructures() []*Infrastructure

Infrastructures returns all the Infrastructures in the collection.

func (*Collection) IntrusionSet added in v0.7.0 

func (c *Collection) IntrusionSet(id Identifier) *IntrusionSet

IntrusionSet returns the IntrusionSet with the identifier id.

func (*Collection) IntrusionSets added in v0.7.0 

func (c *Collection) IntrusionSets() []*IntrusionSet

IntrusionSets returns all the IntrusionSets in the collection.

func (*Collection) LanguageContent added in v0.7.0 

func (c *Collection) LanguageContent(id Identifier) *LanguageContent

LanguageContent returns the LanguageContent with the identifier id.

func (*Collection) LanguageContents added in v0.7.0 

func (c *Collection) LanguageContents() []*LanguageContent

LanguageContents returns all the LanguageContents in the collection.

func (*Collection) Location added in v0.7.0 

func (c *Collection) Location(id Identifier) *Location

Location returns the Location with the identifier id.

func (*Collection) Locations added in v0.7.0 

func (c *Collection) Locations() []*Location

Locations returns all the Locations in the collection.

func (*Collection) MAC added in v0.7.0 

func (c *Collection) MAC(id Identifier) *MACAddress

MAC returns the MAC with the identifier id.

func (*Collection) MACs added in v0.7.0 

func (c *Collection) MACs() []*MACAddress

MACs returns all the MACs in the collection.

func (*Collection) Malware added in v0.7.0 

func (c *Collection) Malware(id Identifier) *Malware

Malware returns the Malware with the identifier id.

func (*Collection) MalwareAnalyses added in v0.7.0 

func (c *Collection) MalwareAnalyses() []*MalwareAnalysis

MalwareAnalyses returns all the MalwareAnalyses in the collection.

func (*Collection) MalwareAnalysis added in v0.7.0 

func (c *Collection) MalwareAnalysis(id Identifier) *MalwareAnalysis

MalwareAnalysis returns the MalwareAnalysis with the identifier id.

func (*Collection) MarkingDefinition added in v0.7.0 

func (c *Collection) MarkingDefinition(id Identifier) *MarkingDefinition

MarkingDefinition returns the MarkingDefinition with the identifier id.

func (*Collection) MarkingDefinitions added in v0.7.0 

func (c *Collection) MarkingDefinitions() []*MarkingDefinition

MarkingDefinitions returns all the MarkingDefinitions in the collection.

func (*Collection) Mutex added in v0.7.0 

func (c *Collection) Mutex(id Identifier) *Mutex

Mutex returns the Mutex with the identifier id.

func (*Collection) Mutexes added in v0.7.0 

func (c *Collection) Mutexes() []*Mutex

Mutexes returns all the Mutexes in the collection.

func (*Collection) NetworkTraffic added in v0.7.0 

func (c *Collection) NetworkTraffic(id Identifier) *NetworkTraffic

NetworkTraffic returns the NetworkTraffic with the identifier id.

func (*Collection) Note added in v0.7.0 

func (c *Collection) Note(id Identifier) *Note

Note returns the Note with the identifier id.

func (*Collection) Notes added in v0.7.0 

func (c *Collection) Notes() []*Note

Notes returns all the Notes in the collection.

func (*Collection) ObservedData added in v0.7.0 

func (c *Collection) ObservedData(id Identifier) *ObservedData

ObservedData returns the ObservedData with the identifier id.

func (*Collection) Opinion added in v0.7.0 

func (c *Collection) Opinion(id Identifier) *Opinion

Opinion returns the Opinion with the identifier id.

func (*Collection) Opinions added in v0.7.0 

func (c *Collection) Opinions() []*Opinion

Opinions returns all the Opinions in the collection.

func (*Collection) Process added in v0.7.0 

func (c *Collection) Process(id Identifier) *Process

Process returns the Process with the identifier id.

func (*Collection) Processes added in v0.7.0 

func (c *Collection) Processes() []*Process

Processes returns all the Processes in the collection.

func (*Collection) RegistryKey added in v0.7.0 

func (c *Collection) RegistryKey(id Identifier) *RegistryKey

RegistryKey returns the RegistryKey with the identifier id.

func (*Collection) RegistryKeys added in v0.7.0 

func (c *Collection) RegistryKeys() []*RegistryKey

RegistryKeys returns all the RegistryKeys in the collection.

func (*Collection) Relationship added in v0.7.0 

func (c *Collection) Relationship(id Identifier) *Relationship

Relationship returns the Relationship with the identifier id.

func (*Collection) Relationships added in v0.7.0 

func (c *Collection) Relationships() []*Relationship

Relationships returns all the Relationships in the collection.

func (*Collection) Report added in v0.7.0 

func (c *Collection) Report(id Identifier) *Report

Report returns the Report with the identifier id.

func (*Collection) Reports added in v0.7.0 

func (c *Collection) Reports() []*Report

Reports returns all the Reports in the collection.

func (*Collection) Sighting added in v0.7.0 

func (c *Collection) Sighting(id Identifier) *Sighting

Sighting returns the Sighting with the identifier id.

func (*Collection) Sightings added in v0.7.0 

func (c *Collection) Sightings() []*Sighting

Sightings returns all the Sightings in the collection.

func (*Collection) Software added in v0.7.0 

func (c *Collection) Software(id Identifier) *Software

Software returns the Software with the identifier id.

func (*Collection) ThreatActor added in v0.7.0 

func (c *Collection) ThreatActor(id Identifier) *ThreatActor

ThreatActor returns the ThreatActor with the identifier id.

func (*Collection) ThreatActors added in v0.7.0 

func (c *Collection) ThreatActors() []*ThreatActor

ThreatActors returns all the ThreatActors in the collection.

func (*Collection) ToBundle added in v0.7.0 

func (c *Collection) ToBundle() (*Bundle, error)

ToBundle returns a STIX bundle with all the STIXObjects in the Collection.

Example 
package main

import (
	"bytes"
	"encoding/json"
	"fmt"

	"github.com/TcM1911/stix2"
)

func main() {
	c := stix2.New()
	ip, err := stix2.NewIPv4Address("10.0.0.1")
	if err != nil {
		fmt.Println(err)
	}
	c.Add(ip)
	ip, err = stix2.NewIPv4Address("10.0.0.2")
	if err != nil {
		fmt.Println(err)
	}
	c.Add(ip)
	b, err := c.ToBundle()
	if err != nil {
		fmt.Println(err)
	}
	data, err := json.Marshal(b)
	if err != nil {
		fmt.Println(err)
	}
	if !bytes.Contains(data, []byte("10.0.0.2")) {
		fmt.Println("IP not in bundle")
	}
}

Output:

func (*Collection) Tool added in v0.7.0 

func (c *Collection) Tool(id Identifier) *Tool

Tool returns the Tool with the identifier id.

func (*Collection) Tools added in v0.7.0 

func (c *Collection) Tools() []*Tool

Tools returns all the Tools in the collection.

func (*Collection) URL added in v0.7.0 

func (c *Collection) URL(id Identifier) *URL

URL returns the URL with the identifier id.

func (*Collection) URLs added in v0.7.0 

func (c *Collection) URLs() []*URL

URLs returns all the URLs in the collection.

func (*Collection) UserAccount added in v0.7.0 

func (c *Collection) UserAccount(id Identifier) *UserAccount

UserAccount returns the UserAccount with the identifier id.

func (*Collection) UserAccounts added in v0.7.0 

func (c *Collection) UserAccounts() []*UserAccount

UserAccounts returns all the UserAccounts in the collection.

func (*Collection) Vulnerabilities added in v0.7.0 

func (c *Collection) Vulnerabilities() []*Vulnerability

Vulnerabilities returns all the Vulnerabilities in the collection.

func (*Collection) Vulnerability added in v0.7.0 

func (c *Collection) Vulnerability(id Identifier) *Vulnerability

Vulnerability returns the Vulnerability with the identifier id.

func (*Collection) X509Certificate added in v0.7.0 

func (c *Collection) X509Certificate(id Identifier) *X509Certificate

X509Certificate returns the X509Certificate with the identifier id.

func (*Collection) X509Certificates added in v0.7.0 

func (c *Collection) X509Certificates() []*X509Certificate

X509Certificates returns all the X509Certificates in the collection.

type CollectionOption added in v0.7.0 

type CollectionOption func(c *Collection)

CollectionOption is an optional parameter when constructing a Collection.

func DropCustomOption added in v0.8.0 

func DropCustomOption() CollectionOption

func NoSortOption added in v0.7.0 

func NoSortOption() CollectionOption

NoSortOption instructs the collection to not track the order items have been added. By default, GetAll items returns the objects in the order they were added. If this option is provided, the order returned is non-deterministic.

func UseCustomParser added in v0.9.0 

func UseCustomParser(typ STIXType, handler func(data []byte) (STIXObject, error)) CollectionOption

UseCustomParser allows for providing a parser for Custom objects. This can be used to parse a specific object into a concrete type.

type CourseOfAction 

type CourseOfAction struct {
	STIXDomainObject
	// Name used to identify the Course of Action.
	Name string `json:"name"`
	// Description provides more details and context about the Course of
	// Action, potentially including its purpose and its key characteristics.
	// In some cases, this property may contain the actual course of action in
	// prose text.
	Description string `json:"description,omitempty"`
}

CourseOfAction (CoA) is a recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence. The CoA may be preventative to deter exploitation or corrective to counter its potential impact. The CoA may describe automatable actions (applying patches, configuring firewalls, etc.), manual processes, or a combination of the two. For example, a CoA that describes how to remediate a vulnerability could describe how to apply the patch that removes that vulnerability.

func NewCourseOfAction 

func NewCourseOfAction(name string, opts ...STIXOption) (*CourseOfAction, error)

NewCourseOfAction creates a new CourseOfAction object.

func (*CourseOfAction) AddInvestigates 

func (c *CourseOfAction) AddInvestigates(id Identifier, opts ...STIXOption) (*Relationship, error)

AddInvestigates creates an investigate relationship between the course of action and an indicator.

func (*CourseOfAction) AddMitigates 

func (c *CourseOfAction) AddMitigates(id Identifier, opts ...STIXOption) (*Relationship, error)

AddMitigates creates a relationship to an attack pattern, indicator, malware, tool, or vulnerability that are mitigated by the object.

func (*CourseOfAction) AddRemediates 

func (c *CourseOfAction) AddRemediates(id Identifier, opts ...STIXOption) (*Relationship, error)

AddRemediates creates a relationship to a malware or a vulnerability that are remediated by the object.

func (*CourseOfAction) MarshalJSON added in v0.8.0 

func (o *CourseOfAction) MarshalJSON() ([]byte, error)

type CustomObject added in v0.8.0 

type CustomObject map[string]interface{}

CustomObject is a custom STIX object that allows for extending the specification by creating a new type.

Example 
package main

import (
	"fmt"

	"github.com/TcM1911/stix2"
)

func main() {
	// Define the custom fields
	ext := &stix2.CustomObject{}
	ext.Set("some_new_property", "a string value")

	// The extension definition.
	ed, _ := stix2.NewExtensionDefinition(
		"A custom extension",
		"https://example.com/v1/schema",
		"1.0",
		[]stix2.ExtensionType{stix2.ExtensionTypePropertyExtension},
	)

	// Create a DomainName object with the additional field.
	d, _ := stix2.NewDomainName("example.com", stix2.OptionExtension(string(ed.ID), ext))

	fmt.Println(d.Extensions[string(ed.ID)].(*stix2.CustomObject).GetAsString("some_new_property"))

}

Output:

a string value
Example (Attack) 
package main

import (
	"fmt"

	"github.com/TcM1911/stix2"
)

func main() {
	data := []byte(`[{
		"id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
		"description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
		"name": "Credentials from Password Stores",
		"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
		"object_marking_refs": [
			"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
		],
		"external_references": [
			{
				"source_name": "mitre-attack",
				"external_id": "T1555",
				"url": "https://attack.mitre.org/techniques/T1555"
			}
		],
		"type": "attack-pattern",
		"kill_chain_phases": [
			{
				"kill_chain_name": "mitre-attack",
				"phase_name": "credential-access"
			}
		],
		"modified": "2021-04-29T21:00:19.428Z",
		"created": "2020-02-11T18:48:28.456Z",
		"x_mitre_platforms": [
			"Linux",
			"macOS",
			"Windows"
		],
		"x_mitre_is_subtechnique": false,
		"x_mitre_version": "1.0",
		"x_mitre_detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password  or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.",
		"x_mitre_permissions_required": [
			"Administrator"
		],
		"x_mitre_data_sources": [
			"Process: Process Creation",
			"File: File Access",
			"Command: Command Execution",
			"Process: OS API Execution",
			"Process: Process Access"
		],
		"spec_version": "2.1",
		"x_mitre_domains": [
			"enterprise-attack"
		],
		"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}]`)

	col, err := stix2.FromJSON(data)
	if err != nil {
		fmt.Println(err)
	}

	obj := col.AttackPattern(stix2.Identifier("attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0"))
	fmt.Println(obj.Name)

	// Get the custom properties.
	ext := obj.GetExtendedTopLevelProperties()
	fmt.Println(ext.GetAsString("x_mitre_version"))

}

Output:

Credentials from Password Stores
1.0
Example (CustomAttackType) 
package main

import (
	"encoding/json"
	"fmt"

	"github.com/TcM1911/stix2"
)

func main() {
	data := []byte(`[{
		"id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
		"description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
		"name": "Credentials from Password Stores",
		"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
		"object_marking_refs": [
			"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
		],
		"external_references": [
			{
				"source_name": "mitre-attack",
				"external_id": "T1555",
				"url": "https://attack.mitre.org/techniques/T1555"
			}
		],
		"type": "attack-pattern",
		"kill_chain_phases": [
			{
				"kill_chain_name": "mitre-attack",
				"phase_name": "credential-access"
			}
		],
		"modified": "2021-04-29T21:00:19.428Z",
		"created": "2020-02-11T18:48:28.456Z",
		"x_mitre_platforms": [
			"Linux",
			"macOS",
			"Windows"
		],
		"x_mitre_is_subtechnique": false,
		"x_mitre_version": "1.0",
		"x_mitre_detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password  or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.",
		"x_mitre_permissions_required": [
			"Administrator"
		],
		"x_mitre_data_sources": [
			"Process: Process Creation",
			"File: File Access",
			"Command: Command Execution",
			"Process: OS API Execution",
			"Process: Process Access"
		],
		"spec_version": "2.1",
		"x_mitre_domains": [
			"enterprise-attack"
		],
		"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}]`)

	type mitreAttackPattern struct {
		stix2.AttackPattern
		Platforms      []string `json:"x_mitre_platforms"`
		IsSubTechnique bool     `json:"x_mitre_is_subtechnique"`
		Version        string   `json:"x_mitre_version"`
	}

	col, err := stix2.FromJSON(data, stix2.UseCustomParser(stix2.TypeAttackPattern, func(data []byte) (stix2.STIXObject, error) {
		var obj mitreAttackPattern
		err := json.Unmarshal(data, &obj)
		return &obj, err
	}))

	if err != nil {
		fmt.Println(err)
		return
	}

	obj := col.Get(stix2.Identifier("attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0")).(*mitreAttackPattern)
	fmt.Println(obj.Name)

	// Get the custom properties.
	fmt.Println(obj.Version)

}

Output:

Credentials from Password Stores
1.0

func (*CustomObject) Get added in v0.8.0 

func (c *CustomObject) Get(key string) interface{}

Get retrieves an attribute from the custom object.

func (*CustomObject) GetAsNumber added in v0.8.0 

func (c *CustomObject) GetAsNumber(key string) int64

GetAsNumber returns the requested attribute as a number. The value has to be an expected integer.

func (*CustomObject) GetAsString added in v0.8.0 

func (c *CustomObject) GetAsString(key string) string

GetAsString returns the requested attribute as a string.

func (*CustomObject) GetAsStringSlice added in v0.8.0 

func (c *CustomObject) GetAsStringSlice(key string) []string

GetAsStringSlice returns the requested attribute as a string slice.

func (*CustomObject) GetCreated added in v0.8.0 

func (c *CustomObject) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*CustomObject) GetExtendedTopLevelProperties added in v0.8.0 

func (s *CustomObject) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object. For a CustomObject, this method just returns a pointer to the object itself.

func (*CustomObject) GetID added in v0.8.0 

func (c *CustomObject) GetID() Identifier

GetID returns the identifier for the object.

func (*CustomObject) GetModified added in v0.8.0 

func (c *CustomObject) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*CustomObject) GetType added in v0.8.0 

func (c *CustomObject) GetType() STIXType

GetType returns the object's type.

func (*CustomObject) Set added in v0.8.0 

func (c *CustomObject) Set(key string, val interface{})

Set adds an attribute to the custom object.

type Directory 

type Directory struct {
	STIXCyberObservableObject
	// Path specifies the path, as originally observed, to the directory on the
	// file system.
	Path string `json:"path"`
	// PathEnc specifies the observed encoding for the path. The value MUST be
	// specified if the path is stored in a non-Unicode encoding. This value
	// MUST be specified using the corresponding name from the 2013-12-20
	// revision of the IANA character set registry. If the preferred MIME name
	// for a character set is defined, this value MUST be used; if it is not
	// defined, then the Name value from the registry MUST be used instead.
	PathEnc string `json:"path_enc,omitempty"`
	// Ctime specifies the date/time the directory was created.
	Ctime *Timestamp `json:"ctime,omitempty"`
	// Mtime specifies the date/time the directory was last written
	// to/modified.
	Mtime *Timestamp `json:"mtime,omitempty"`
	// Atime specifies the date/time the directory was last accessed.
	Atime *Timestamp `json:"atime,omitempty"`
	// Contains specifies a list of references to other File and/or Directory
	// objects contained within the directory.
	Contains []Identifier `json:"contains_refs,omitempty"`
}

Directory object represents the properties common to a file system directory.

func NewDirectory 

func NewDirectory(path string, opts ...STIXOption) (*Directory, error)

NewDirectory creates a new Directory object.

func (*Directory) MarshalJSON added in v0.8.0 

func (o *Directory) MarshalJSON() ([]byte, error)

type DomainName added in v0.3.0 

type DomainName struct {
	STIXCyberObservableObject
	// Value specifies the value of the domain name. The value of this property
	// MUST conform to RFC1034, and each domain and sub-domain contained within
	// the domain name MUST conform to RFC5890.
	Value string `json:"value"`
	// ResolvesTo specifies a list of references to one or more IP addresses or
	// domain names that the domain name resolves to. The objects referenced in
	// this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for
	// cases such as CNAME records).
	ResolvesTo []Identifier `json:"resolves_to_refs,omitempty"`
}

DomainName object represents the properties of a network domain name.

func NewDomainName added in v0.3.0 

func NewDomainName(value string, opts ...STIXOption) (*DomainName, error)

NewDomainName creates a new DomainName object.

func (*DomainName) AddResolvesTo added in v0.3.0 

func (c *DomainName) AddResolvesTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddResolvesTo describes that this Domain Name resolves to one or more IP addresses or domain names.

func (*DomainName) MarshalJSON added in v0.8.0 

func (o *DomainName) MarshalJSON() ([]byte, error)

type EmailAddress 

type EmailAddress struct {
	STIXCyberObservableObject
	// Value specifies the value of the email address. This MUST NOT include
	// the display name.
	Value string `json:"value"`
	// DisplayName specifies a single email display name, i.e., the name that
	// is displayed to the human user of a mail application.
	DisplayName string `json:"display_name,omitempty"`
	// BelongsTo specifies the user account that the email address belongs to,
	// as a reference to a User Account object.
	BelongsTo Identifier `json:"belongs_to_ref,omitempty"`
}

EmailAddress object represents a single email address.

func NewEmailAddress 

func NewEmailAddress(value string, opts ...STIXOption) (*EmailAddress, error)

NewEmailAddress creates a new EmailAddress object.

func (*EmailAddress) MarshalJSON added in v0.8.0 

func (o *EmailAddress) MarshalJSON() ([]byte, error)

type EmailMIME 

type EmailMIME struct {
	// Body specifies the contents of the MIME part if the content_type is not
	// provided or starts with text/ (e.g., in the case of plain text or HTML
	// email).
	Body string `json:"body,omitempty"`
	// BodyRaw specifies the contents of non-textual MIME parts, that is those
	// whose content_type does not start with text/, as a reference to an
	// Artifact object or File object.
	BodyRaw Identifier `json:"body_raw_ref,omitempty"`
	// ContentType specifies the value of the “Content-Type” header field of
	// the MIME part.
	ContentType string `json:"content_type,omitempty"`
	// ContentDisposition specifies the value of the “Content-Disposition”
	// header field of the MIME part.
	ContentDisposition string `json:"content_disposition,omitempty"`
}

EmailMIME specifies one component of a multi-part email body.

type EmailMessage 

type EmailMessage struct {
	STIXCyberObservableObject
	// IsMultipart indicates whether the email body contains multiple MIME
	// parts.
	IsMultipart bool `json:"is_multipart"`
	// Date specifies the date/time that the email message was sent.
	Date *Timestamp `json:"date,omitempty"`
	// ContentType specifies the value of the “Content-Type” header of the
	// email message.
	ContentType string `json:"content_type,omitempty"`
	// From specifies the value of the “From:” header of the email message. The
	// "From:" field specifies the author of the message, that is, the
	// mailbox(es) of the person or system responsible for the writing of the
	// message.
	From Identifier `json:"from_ref,omitempty"`
	// Sender specifies the value of the “Sender” field of the email message.
	// The "Sender:" field specifies the mailbox of the agent responsible for
	// the actual transmission of the message.
	Sender Identifier `json:"sender_ref,omitempty"`
	// To pecifies the mailboxes that are “To:” recipients of the email
	// message.
	To []Identifier `json:"to_refs,omitempty"`
	// CC specifies the mailboxes that are “CC:” recipients of the email
	// message.
	CC []Identifier `json:"cc_refs,omitempty"`
	// BCC specifies the mailboxes that are “BCC:” recipients of the email
	// message.
	BCC []Identifier `json:"bcc_refs,omitempty"`
	// MessageID specifies the Message-ID field of the email message.
	MessageID string `json:"message_id,omitempty"`
	// Subject specifies the subject of the email message.
	Subject string `json:"subject,omitempty"`
	// ReceivedLines specifies one or more "Received" header fields that may be
	// included in the email headers.
	ReceivedLines []string `json:"received_lines,omitempty"`
	// AdditionalHeaderFields specifies any other header fields (except for
	// date, received_lines, content_type, from_ref, sender_ref, to_refs,
	// cc_refs, bcc_refs, and subject) found in the email message.
	AdditionalHeaderFields map[string][]string `json:"additional_header_fields,omitempty"`
	// Body specifies a string containing the email body. This property MUST
	// NOT be used if IsMultipart is true.
	Body string `json:"body,omitempty"`
	// BodyMultipart specifies a list of the MIME parts that make up the email
	// body. This property MUST NOT be used if IsMultipart is false.
	BodyMultipart []EmailMIME `json:"body_multipart,omitempty"`
	// RawEmail specifies the raw binary contents of the email message,
	// including both the headers and body, as a reference to an Artifact
	// object.
	RawEmail Identifier `json:"raw_email_ref,omitempty"`
}

EmailMessage rrepresents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs. Header field values that have been encoded as described in section 2 of RFC2047 MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property.

func NewEmailMessage 

func NewEmailMessage(multipart bool, opts ...STIXOption) (*EmailMessage, error)

NewEmailMessage creates a new EmailMessage object.

func (*EmailMessage) MarshalJSON added in v0.8.0 

func (o *EmailMessage) MarshalJSON() ([]byte, error)

type EncryptionAlgorithm 

type EncryptionAlgorithm uint8

EncryptionAlgorithm is the encryption algorithms used for sharing defanged and/or confidential artifacts. 

const (
	// EncryptionAlgorithmNone no encryption is used.
	EncryptionAlgorithmNone EncryptionAlgorithm = iota
	// EncryptionAlgorithmAES256GCM the AES-256-GCM cipher.
	EncryptionAlgorithmAES256GCM
	// EncryptionAlgorithmChaCha20Poly1305 the ChaCha20-Poly1305 stream
	// cipher.
	EncryptionAlgorithmChaCha20Poly1305
	// EncryptionAlgorithmMimeTypeIndicated mean encryption algorithm is
	// self-defined by the artifact's data. The specified mime-type tells you
	// which format it is, e.g., Word Doc or GPG. This is intended for formats
	// like Zip files and Word files which take a simple password, or GPG
	// armored files that contain the key blob along with the file.
	EncryptionAlgorithmMimeTypeIndicated
)

func (EncryptionAlgorithm) MarshalJSON added in v0.8.2 

func (typ EncryptionAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON converts the enum type to the JSON string.

func (EncryptionAlgorithm) String 

func (typ EncryptionAlgorithm) String() string

String returns the string representation of the type.

func (*EncryptionAlgorithm) UnmarshalJSON 

func (typ *EncryptionAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON extracts the encryption algorithm from the json data.

type ExtensionDefinition added in v0.8.0 

type ExtensionDefinition struct {
	// The type property identifies the type of STIX Object. The value of the
	// type property MUST be the name of one of the types of STIX Objects
	Type STIXType `json:"type"`
	// The id property uniquely identifies this object. For objects that
	// support versioning, all objects with the same id are considered
	// different versions of the same object and the version of the object is
	// identified by its modified property.
	ID Identifier `json:"id"`
	// The version of the STIX specification used to represent this object.
	SpecVersion string `json:"spec_version"`
	// The created_by_ref property specifies the id property of the identity
	// object that describes the entity that created this object. If this
	// attribute is omitted, the source of this information is undefined. This
	// may be used by object creators who wish to remain anonymous.
	CreatedBy Identifier `json:"created_by_ref"`
	// The created property represents the time at which the object was
	// originally created. The object creator can use the time it deems most
	// appropriate as the time the object was created, but it MUST be precise
	// to the nearest millisecond (exactly three digits after the decimal place
	// in seconds). The created property MUST NOT be changed when creating a
	// new version of the object.
	Created *Timestamp `json:"created"`
	// The modified property is only used by STIX Objects that support
	// versioning and represents the time that this particular version of the
	// object was last modified. The object creator can use the time it deems
	// most appropriate as the time this version of the object was modified,
	// but it must be precise to the nearest millisecond (exactly three digits
	// after the decimal place in seconds). If the created property is defined,
	// then the value of the modified property for a given object version MUST
	// be later than or equal to the value of the created property. Object
	// creators MUST set the modified property when creating a new version of
	// an object if the created property was set.
	Modified *Timestamp `json:"modified"`
	// The revoked property is only used by STIX Objects that support
	// versioning and indicates whether the object has been revoked. Revoked
	// objects are no longer considered valid by the object creator. Revoking
	// an object is permanent; future versions of the object with this id MUST
	// NOT be created.
	Revoked bool `json:"revoked,omitempty"`
	// The labels property specifies a set of terms used to describe this
	// object. The terms are user-defined or trust-group defined and their
	// meaning is outside the scope of this specification and MAY be ignored.
	// Where an object has a specific property defined in the specification for
	// characterizing subtypes of that object, the labels property MUST NOT be
	// used for that purpose. For example, the Malware SDO has a property
	// malware_types that contains a list of Malware subtypes (dropper, RAT,
	// etc.). In this example, the labels property cannot be used to describe
	// these Malware subtypes.
	Labels []string `json:"labels,omitempty"`
	// The ExternalReferences property specifies a list of external references
	// which refers to non-STIX information. This property is used to provide
	// one or more URLs, descriptions, or IDs to records in other systems.
	ExternalReferences []*ExternalReference `json:"external_references,omitempty"`
	// The object_marking_refs property specifies a list of id properties of
	// marking-definition objects that apply to this object. In some cases,
	// though uncommon, marking definitions themselves may be marked with
	// sharing or handling guidance. In this case, this property MUST NOT
	// contain any references to the same Marking Definition object (i.e., it
	// cannot contain any circular references).
	ObjectMarking []Identifier `json:"object_marking_refs,omitempty"`
	// The granular_markings property specifies a list of granular markings
	// applied to this object. In some cases, though uncommon, marking
	// definitions themselves may be marked with sharing or handling guidance.
	// In this case, this property MUST NOT contain any references to the same
	// Marking Definition object (i.e., it cannot contain any circular
	// references).
	GranularMarking []*GranularMarking `json:"granular_markings,omitempty"`
	// Name used for display purposes during execution, development, or debugging.
	Name string `json:"name"`
	// Description is a detailed explanation of what data the extension conveys and
	// how it is intended to be used.
	// While the description property is optional this property SHOULD be populated.
	// Note that the schema property is the normative definition of the extension,
	// and this property, if present, is for documentation purposes only.
	Description string `json:"description,omitempty"`
	// Schema is the normative definition of the extension, either as a URL or as
	// plain text explaining the definition.
	// A URL SHOULD point to a JSON schema or a location that contains information
	// about the schema.
	// NOTE: It is recommended that an external reference be provided to the
	// comprehensive documentation of the extension-definition.
	Schema string `json:"schema"`
	// Version of this extension. Producers of STIX extensions are encouraged to
	// follow standard semantic versioning procedures where the version number
	// follows the pattern, MAJOR.MINOR.PATCH. This will allow consumers to
	// distinguish between the three different levels of compatibility typically
	// identified by such versioning strings.
	Version string `json:"version"`
	// ExtensionTypes property specifies one or more extension types contained
	// within this extension.
	// When this property includes toplevel-property- extension then the
	// extension_properties property SHOULD include one or more property names.
	ExtensionTypes []ExtensionType `json:"extension_types"`
	// ExtensionProperties contains the list of new property names that are added
	// to an object by an extension.
	// This property MUST only be used when the extension_types property includes
	// a value of toplevel- property-extension. In other words, when new properties
	// are being added at the top-level of an existing object.
	ExtensionProperties []string `json:"extension_properties,omitempty"`
}

func NewExtensionDefinition added in v0.8.0 

func NewExtensionDefinition(name string, schema string, version string, extTypes []ExtensionType, opts ...STIXOption) (*ExtensionDefinition, error)

NewExtensionDefinition creates a new ExtensionDefinition object.

func (*ExtensionDefinition) GetCreated added in v0.8.0 

func (e *ExtensionDefinition) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*ExtensionDefinition) GetExtendedTopLevelProperties added in v0.8.0 

func (s *ExtensionDefinition) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object.

func (*ExtensionDefinition) GetID added in v0.8.0 

func (e *ExtensionDefinition) GetID() Identifier

GetID returns the identifier for the object.

func (*ExtensionDefinition) GetModified added in v0.8.0 

func (e *ExtensionDefinition) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*ExtensionDefinition) GetType added in v0.8.0 

func (e *ExtensionDefinition) GetType() STIXType

GetType returns the object's type.

type ExtensionType added in v0.8.0 

type ExtensionType uint8

ExtensionType describes what type of extension it is. 

const (
	// ExtensionTypeInvalid indicates that the extension type used is invalid.
	ExtensionTypeInvalid ExtensionType = iota
	// ExtensionTypeNewSDO specifies that the Extension includes a new SDO.
	ExtensionTypeNewSDO
	// ExtensionTypeNewSCO specifies that the Extension includes a new SCO.
	ExtensionTypeNewSCO
	// ExtensionTypeNewSRO specifies that the Extension includes a new SDO.
	ExtensionTypeNewSRO
	// ExtensionTypePropertyExtension specifies that the extension includes
	// additional properties for a given STIX object.
	ExtensionTypePropertyExtension
	// ExtensionTypeToplevelPropertyExtension specifies that the Extension includes
	// additional properties for a given STIX Object at the top-level.
	// Organizations are encouraged to use the property-extension instead of
	// this extension type.
	ExtensionTypeToplevelPropertyExtension
)

func (ExtensionType) MarshalJSON added in v0.10.3 

func (o ExtensionType) MarshalJSON() ([]byte, error)

MarshalJSON converts the uint8 to string for JSON serialization.

func (ExtensionType) String added in v0.8.0 

func (typ ExtensionType) String() string

String returns the string representation of the type.

func (*ExtensionType) UnmarshalJSON added in v0.8.0 

func (typ *ExtensionType) UnmarshalJSON(b []byte) error

UnmarshalJSON extracts the encryption algorithm from the json data.

type Extensions added in v0.8.0 

type Extensions map[string]interface{}

func (*Extensions) UnmarshalJSON added in v0.8.0 

func (o *Extensions) UnmarshalJSON(b []byte) error

type ExternalReference 

type ExternalReference struct {
	// Name of the source that the external-reference is defined within
	// (system, registry, organization, etc.).
	Name string `json:"source_name"`
	// Description is a human readable description.
	Description string `json:"description,omitempty"`
	// URL is a reference to an external resource.
	URL string `json:"url,omitempty"`
	// Hashes specifies a dictionary of hashes for the contents of the url.
	// This SHOULD be provided when the url property is present.
	Hashes Hashes `json:"hashes,omitempty"`
	// ExternalID is an identifier for the external reference content.
	ExternalID string `json:"external_id,omitempty"`
}

ExternalReference is used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

func NewExternalReference 

func NewExternalReference(name, description, url, externalID string, hashes map[HashAlgorithm]string) (*ExternalReference, error)

NewExternalReference creates a new external reference.

func ParseExternalReference 

func ParseExternalReference(data []byte) (*ExternalReference, error)

ParseExternalReference parses external reference JSON data to *ExternalReference struct

type File 

type File struct {
	STIXCyberObservableObject
	// Hashes specifies a dictionary of hashes for the file.
	Hashes Hashes `json:"hashes,omitempty"`
	// Size specifies the size of the file, in bytes. The value of this
	// property MUST NOT be negative.
	Size int64 `json:"size,omitempty"`
	// Name specifies the name of the file.
	Name string `json:"name,omitempty"`
	// NameEnc specifies the observed encoding for the name of the file. This
	// value MUST be specified using the corresponding name from the 2013-12-20
	// revision of the IANA character set registry. If the value from the
	// Preferred MIME Name column for a character set is defined, this value
	// MUST be used; if it is not defined, then the value from the Name column
	// in the registry MUST be used instead.
	NameEnc string `json:"name_enc,omitempty"`
	// MagicNumber specifies the hexadecimal constant (“magic number”)
	// associated with a specific file format that corresponds to the file, if
	// applicable.
	MagicNumber Hex `json:"magic_number_hex,omitempty"`
	// MimeType specifies the MIME type name specified for the file, e.g.,
	// application/msword.
	MimeType string `json:"mime_type,omitempty"`
	// Ctime specifies the date/time the file was created.
	Ctime *Timestamp `json:"ctime,omitempty"`
	// Mtime specifies the date/time the file was last written to/modified.
	Mtime *Timestamp `json:"mtime,omitempty"`
	// Atime specifies the date/time the file was last accessed.
	Atime *Timestamp `json:"atime,omitempty"`
	// ParentDirectory specifies the parent directory of the file, as a
	// reference to a Directory object.
	ParentDirectory Identifier `json:"parent_directory_ref,omitempty"`
	// Contains specifies a list of references to other Cyber-observable
	// Objects contained within the file, such as another file that is appended
	// to the end of the file, or an IP address that is contained somewhere in
	// the file.
	Contains []Identifier `json:"contains_refs,omitempty"`
	// Content specifies the content of the file, represented as an Artifact
	// object.
	Content Identifier `json:"content_ref,omitempty"`
}

File object represents the properties of a file. A File object MUST contain at least one of hashes or name.

func NewFile 

func NewFile(name string, hashes Hashes, opts ...STIXOption) (*File, error)

NewFile creates a new File object. A File object MUST contain at least one of hashes or name.

func (*File) ArchiveExtension 

func (f *File) ArchiveExtension() *ArchiveFileExtension

ArchiveExtension returns the archive extension for the object or nil.

func (*File) MarshalJSON added in v0.8.0 

func (o *File) MarshalJSON() ([]byte, error)

func (*File) NTFSExtension 

func (f *File) NTFSExtension() *NTFSFileExtension

NTFSExtension returns the NTFS extension for the object or nil.

func (*File) PDFExtension 

func (f *File) PDFExtension() *PDFExtension

PDFExtension returns the PDF extension for the object or nil.

func (*File) RasterImageExtension 

func (f *File) RasterImageExtension() *RasterImageExtension

RasterImageExtension returns the raster image extension for the object or nil.

func (*File) WindowsPEBinaryExtension 

func (f *File) WindowsPEBinaryExtension() *WindowsPEBinaryExtension

WindowsPEBinaryExtension returns the Windows PE binary extension for the object or nil.

type GranularMarking 

type GranularMarking struct {
	// Lang property identifies the language of the text identified by this
	// marking. The value of the lang property, if present, MUST be an RFC5646
	// language code.
	Lang string `json:"lang,omitempty"`
	// Marking  property specifies the ID of the marking-definition object that
	// describes the marking.
	Marking Identifier `json:"marking_ref,omitempty"`
	// Selectors property specifies a list of selectors for content contained
	// within the STIX Object in which this property appears.
	Selectors []string `json:"selectors"`
}

GranularMarking defines how the marking-definition object referenced by the Marking property or a language specified by the Lang property applies to a set of content identified by the list of selectors in the Selectors property.

type Grouping 

type Grouping struct {
	STIXDomainObject
	// Name is used to identify the Grouping.
	Name string `json:"name,omitempty"`
	// Description provides more details and context about the Grouping,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Context provides a short descriptor of the particular context shared by
	// the content referenced by the Grouping. This is an open vocabulary and
	// values SHOULD come from the GroupingContext constants.
	Context string `json:"context"`
	// Objects specifies the STIX Objects that are referred to by this
	// Grouping.
	Objects []Identifier `json:"object_refs"`
}

Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report.

A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, and SROs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping.

func NewGrouping 

func NewGrouping(context string, objects []Identifier, opts ...STIXOption) (*Grouping, error)

NewGrouping creates a new Grouping object.

func (*Grouping) MarshalJSON added in v0.8.0 

func (o *Grouping) MarshalJSON() ([]byte, error)

type HTTPRequestExtension 

type HTTPRequestExtension struct {
	// Method specifies the HTTP method portion of the HTTP request line, as a
	// lowercase string.
	Method string `json:"request_method"`
	// Value specifies the value (typically a resource path) portion of the
	// HTTP request line.
	Value string `json:"request_value"`
	// HTTPVersion specifies the HTTP version portion of the HTTP request line,
	// as a lowercase string.
	HTTPVersion string `json:"request_version,omitempty"`
	// Header specifies all of the HTTP header fields that may be found in the
	// HTTP client request, as a dictionary.
	Header map[string][]string `json:"request_header,omitempty"`
	// BodyLength specifies the length of the HTTP message body, if included,
	// in bytes.
	BodyLength int64 `json:"message_body_length,omitempty"`
	// Body specifies the data contained in the HTTP message body, if included.
	Body Identifier `json:"message_body_data_ref,omitempty"`
}

HTTPRequestExtension specifies a default extension for capturing network traffic properties specific to HTTP requests.

type HashAlgorithm 

type HashAlgorithm string

HashAlgorithm is a vocabulary of hashing algorithms. 

const (
	// MD5 is the MD5 message digest algorithm. The corresponding hash string
	// for this value MUST be a valid MD5 message digest as defined in
	// [RFC1321].
	MD5 HashAlgorithm = "MD5"
	// SHA1 is the SHA­-1 (secure-­hash algorithm 1) cryptographic hash
	// function. The corresponding hash string for this value MUST be a valid
	// SHA-1 message digest as defined in [RFC3174].
	SHA1 HashAlgorithm = "SHA-1"
	// SHA256 is the SHA-­256 cryptographic hash function (part of the SHA­2
	// family). The corresponding hash string for this value MUST be a valid
	// SHA-256 message digest as defined in [RFC6234].
	SHA256 HashAlgorithm = "SHA-256"
	// SHA512 is the SHA-­512 cryptographic hash function (part of the SHA­2
	// family). The corresponding hash string for this value MUST be a valid
	// SHA-512 message digest as defined in [RFC6234].
	SHA512 HashAlgorithm = "SHA-512"
	// SHA3256 is the SHA3-256 cryptographic hash function. The corresponding
	// hash string for this value MUST be a valid SHA3-256 message digest as
	// defined in [FIPS202].
	SHA3256 HashAlgorithm = "SHA3-256"
	// SHA3512 is the SHA3-512 cryptographic hash function. The corresponding
	// hash string for this value MUST be a valid SHA3-512 message digest as
	// defined in [FIPS202].
	SHA3512 HashAlgorithm = "SHA3-512"
	// SSDEEP is the ssdeep fuzzy hashing algorithm. The corresponding hash
	// string for this value MUST be a valid piecewise hash as defined in the
	// [SSDEEP] specification.
	SSDEEP HashAlgorithm = "SSDEEP"
	// TLSH is the TLSH fuzzy hashing algorithm. The corresponding hash string
	// for this value MUST be a valid 35 byte long hash as defined in the [TLSH]
	// specification.
	TLSH HashAlgorithm = "TLSH"
)

type Hashes 

type Hashes map[HashAlgorithm]string

Hashes represents one or more cryptographic hashes, as a special set of key/value pairs. Accordingly, the name of each hashing algorithm MUST be specified as a key in the dictionary and MUST identify the name of the hashing algorithm used to generate the corresponding value. This name SHOULD come from one of the values defined in the hash-algorithm-ov.

Dictionary keys MUST be unique in each hashes property, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST have a minimum length of 3 ASCII characters and MUST be no longer than 250 ASCII characters in length.

To enhance compatibility, the SHA-256 hash SHOULD be used whenever possible.

type Hex 

type Hex string

Hex type encodes an array of octets (8-bit bytes) as hexadecimal. The string MUST consist of an even number of hexadecimal characters, which are the digits '0' through '9' and the lower-case letters 'a' through 'f'. In order to allow pattern matching on custom objects.

type ICMPExtension 

type ICMPExtension struct {
	// Type specifies the ICMP type byte.
	Type Hex `json:"icmp_type_hex"`
	// Code specifies the ICMP code byte.
	Code Hex `json:"icmp_code_hex"`
}

ICMPExtension specifies a default extension for capturing network traffic properties specific to ICMP.

type IPv4Address 

type IPv4Address struct {
	STIXCyberObservableObject
	// Value specifies the values of one or more IPv4 addresses expressed using
	// CIDR notation. If a given IPv4Address object represents a single IPv4
	// address, the CIDR /32 suffix MAY be omitted. Example: 10.2.4.5/24
	Value string `json:"value"`
	// ResolvesTo specifies a list of references to one or more Layer 2 Media
	// Access Control (MAC) addresses that the IPv4 address resolves to.
	ResolvesTo []Identifier `json:"resolves_to_refs,omitempty"`
	// BelongsTo specifies a list of references to one or more autonomous
	// systems (AS) that the IPv4 address belongs to.
	BelongsTo []Identifier `json:"belongs_to_refs,omitempty"`
}

IPv4Address represents one or more IPv4 addresses expressed using CIDR notation.

func NewIPv4Address 

func NewIPv4Address(value string, opts ...STIXOption) (*IPv4Address, error)

NewIPv4Address creates a new IPv4Address object.

func (*IPv4Address) AddBelongsTo 

func (c *IPv4Address) AddBelongsTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddBelongsTo describes that this IPv4 Address belongs to one or more autonomous systems (AS).

func (*IPv4Address) AddResolvesTo 

func (c *IPv4Address) AddResolvesTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddResolvesTo describes that this IPv4Address resolves to one or more Layer 2 Media Access Control (MAC) addresses.

func (*IPv4Address) MarshalJSON added in v0.8.0 

func (o *IPv4Address) MarshalJSON() ([]byte, error)

type IPv6Address 

type IPv6Address struct {
	STIXCyberObservableObject
	// Value specifies the values of one or more IPv6 addresses expressed using
	// CIDR notation. If a given IPv6Address object represents a single IPv6
	// address, the CIDR /128 suffix MAY be omitted.
	Value string `json:"value"`
	// ResolvesTo specifies a list of references to one or more Layer 2 Media
	// Access Control (MAC) addresses that the IPv6 address resolves to.
	ResolvesTo []Identifier `json:"resolves_to_refs,omitempty"`
	// BelongsTo specifies a list of references to one or more autonomous
	// systems (AS) that the IPv6 address belongs to.
	BelongsTo []Identifier `json:"belongs_to_refs,omitempty"`
}

IPv6Address represents one or more IPv6 addresses expressed using CIDR notation.

func NewIPv6Address 

func NewIPv6Address(value string, opts ...STIXOption) (*IPv6Address, error)

NewIPv6Address creates a new IPv6Address object.

func (*IPv6Address) AddBelongsTo 

func (c *IPv6Address) AddBelongsTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddBelongsTo describes that this IPv6 Address belongs to one or more autonomous systems (AS).

func (*IPv6Address) AddResolvesTo 

func (c *IPv6Address) AddResolvesTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddResolvesTo describes that this IPv6Address resolves to one or more Layer 2 Media Access Control (MAC) addresses.

func (*IPv6Address) MarshalJSON added in v0.8.0 

func (o *IPv6Address) MarshalJSON() ([]byte, error)

type Identifier 

type Identifier string

Identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value.

func NewIdentifier 

func NewIdentifier(typ STIXType) Identifier

NewIdentifier creates a new Identifier. The Identifier uses the STIXType and a UUIDv4 to produce a random ID. This function should be used when generating identifiers for TIX Domain Objects, STIX Relationship Objects, STIX Meta Objects, and STIX Bundle Object.

func NewObservableIdentifier added in v0.8.0 

func NewObservableIdentifier(value string, typ STIXType) Identifier

NewObservableIdentifier creates a new STIX Cyber-observable Object identifier.

func (Identifier) ForType 

func (i Identifier) ForType(typ STIXType) bool

ForType checks if the identifier is for the STIXType.

func (Identifier) ForTypes 

func (i Identifier) ForTypes(typ ...STIXType) bool

ForTypes checks if the Identifier is for any of the types given. True is returned if one of the types matches.

type Identity 

type Identity struct {
	STIXDomainObject
	// Name is the name of this Identity. When referring to a specific entity
	// (e.g., an individual or organization), this property SHOULD contain the
	// canonical name of the specific entity.
	Name string `json:"name"`
	// Description provides more details and context about the Identity,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Roles is a list of roles that this Identity performs (e.g., CEO, Domain
	// Administrators, Doctors, Hospital, or Retailer). No open vocabulary is
	// yet defined for this property.
	Roles []string `json:"roles,omitempty"`
	// Class is the type of entity that this Identity describes, e.g.,
	// an individual or organization.
	Class string `json:"identity_class"`
	// Sectors is a list of industry sectors that this Identity belongs to.
	Sectors []string `json:"sectors,omitempty"`
	// ContactInformation is the contact information (e-mail, phone number,
	// etc.) for this Identity. No format for this information is currently
	// defined by this specification.
	ContactInformation string `json:"contact_information,omitempty"`
}

Identity can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities.

func NewIdentity 

func NewIdentity(name string, opts ...STIXOption) (*Identity, error)

NewIdentity creates a new Identity object.

func (*Identity) AddLocatedAt 

func (c *Identity) AddLocatedAt(id Identifier, opts ...STIXOption) (*Relationship, error)

AddLocatedAt creates a relationship to a location hat the Identity is located at or in the related Location.

func (*Identity) MarshalJSON added in v0.8.0 

func (o *Identity) MarshalJSON() ([]byte, error)

type Incident added in v0.10.0 

type Incident struct {
	STIXDomainObject
	// Name used to identify the Incident.
	Name string `json:"name"`
	// A description that provides more details and context about the Incident,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
}

The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3.

func NewIncident added in v0.10.0 

func NewIncident(name string, opts ...STIXOption) (*Incident, error)

NewCampaign creates a new Campaign object.

func (*Incident) MarshalJSON added in v0.10.0 

func (o *Incident) MarshalJSON() ([]byte, error)

type Indicator 

type Indicator struct {
	STIXDomainObject
	// Name is used to identify the Indicator. Producers SHOULD provide this
	// property to help products and analysts understand what this Indicator
	// actually does.
	Name string `json:"name,omitempty"`
	// Description provides more details and context about the Indicator,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Types is an open vocabulary that specifies a set of
	// categorizations for this indicator.
	Types []string `json:"indicator_types,omitempty"`
	// Pattern is the detection pattern for this Indicator.
	Pattern string `json:"pattern"`
	// PatternType is the type of pattern used in this indicator. The property
	// is an open vocabulary and currently has the values of stix, snort, and
	// yara.
	PatternType string `json:"pattern_type"`
	// PatternVersion is the version of the pattern that is used. For patterns
	// that do not have a formal specification, the build or code version that
	// the pattern is known to work with SHOULD be used.
	PatternVersion string `json:"pattern_version,omitempty"`
	// ValidFrom is the time from which this Indicator is considered a valid
	// indicator of the behaviors it is related or represents.
	ValidFrom *Timestamp `json:"valid_from"`
	// ValidUntil is the time at which this Indicator should no longer
	// considered a valid indicator of the behaviors it is related to or
	// represents.
	ValidUntil *Timestamp `json:"valid_until,omitempty"`
	// KillChainPhases is the kill chain phase(s) to which this Indicator
	// corresponds.
	KillChainPhase []*KillChainPhase `json:"kill_chain_phases,omitempty"`
}

Indicator contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc.

func NewIndicator 

func NewIndicator(pattern, patternType string, validFrom *Timestamp, opts ...STIXOption) (*Indicator, error)

NewIndicator creates a new Indicator object.

func (*Indicator) AddBasedOn 

func (c *Indicator) AddBasedOn(id Identifier, opts ...STIXOption) (*Relationship, error)

AddBasedOn creates a relationship that describes hat the indicator was created based on information from an observed-data object.

func (*Indicator) AddIndicates 

func (c *Indicator) AddIndicates(id Identifier, opts ...STIXOption) (*Relationship, error)

AddIndicates creates a relationship that describes that the Indicator can detect evidence of the related Attack Pattern, Campaign, Infrastructure, Intrusion Set, Malware, Threat Actor, or Tool. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.

func (*Indicator) MarshalJSON added in v0.8.0 

func (o *Indicator) MarshalJSON() ([]byte, error)

type Infrastructure 

type Infrastructure struct {
	STIXDomainObject
	// Name is the name or characterizing text used to identify the
	// Infrastructure.
	Name string `json:"name"`
	// Description provides more details and context about the Infrastructure,
	// potentially including its purpose, how it is being used, how it relates
	// to other intelligence activities captured in related objects, and its
	// key characteristics.
	Description string `json:"description,omitempty"`
	// Types is the type of infrastructure being described.
	Types []string `json:"infrastructure_types,omitempty"`
	// Aliases are alternative names used to identify this Infrastructure.
	Aliases []string `json:"aliases,omitempty"`
	// KillChainPhase is a list of Kill Chain Phases for which this
	// Infrastructure is used.
	KillChainPhase []*KillChainPhase `json:"kill_chain_phases,omitempty"`
	// FirstSeen is the time that this Infrastructure was first seen performing
	// malicious activities.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen is the time that this Infrastructure was last seen performing
	// malicious activities.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
}

Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defence, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure.

func NewInfrastructure 

func NewInfrastructure(name string, opts ...STIXOption) (*Infrastructure, error)

NewInfrastructure creates a new Infrastructure object.

func (*Infrastructure) AddCommunicatesWith 

func (c *Infrastructure) AddCommunicatesWith(id Identifier, opts ...STIXOption) (*Relationship, error)

AddCommunicatesWith documents that this infrastructure instance communicates with the defined network addressable resource.

func (*Infrastructure) AddConsistsOf 

func (c *Infrastructure) AddConsistsOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddConsistsOf documents the objects that are used to make up an infrastructure instance, such as ipv4-addr, ipv6-addr, domain-name, url. An infrastructure instance consists of zero or more objects.

func (*Infrastructure) AddControls 

func (c *Infrastructure) AddControls(id Identifier, opts ...STIXOption) (*Relationship, error)

AddControls describes that this infrastructure controls some other infrastructure or a malware instance (or family).

func (*Infrastructure) AddDelivers 

func (c *Infrastructure) AddDelivers(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDelivers describes that this infrastructure controls some other infrastructure or a malware instance (or family).

func (*Infrastructure) AddHas 

func (c *Infrastructure) AddHas(id Identifier, opts ...STIXOption) (*Relationship, error)

AddHas describes that this specific Infrastructure has this specific Vulnerability.

func (*Infrastructure) AddHosts 

func (c *Infrastructure) AddHosts(id Identifier, opts ...STIXOption) (*Relationship, error)

AddHosts describes that this infrastructure has a tool running on it or is used to passively host the tool / malware.

func (*Infrastructure) AddLocatedAt 

func (c *Infrastructure) AddLocatedAt(id Identifier, opts ...STIXOption) (*Relationship, error)

AddLocatedAt describes that the infrastructure originates from the related location.

func (*Infrastructure) AddUses 

func (c *Infrastructure) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses describes that this infrastructure uses this other infrastructure to achieve its objectives.

func (*Infrastructure) MarshalJSON added in v0.8.0 

func (o *Infrastructure) MarshalJSON() ([]byte, error)

type IntrusionSet 

type IntrusionSet struct {
	STIXDomainObject
	// Name is used to identify this IntrusionSet.
	Name string `json:"name"`
	// Description provides more details and context about the Intrusion Set,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Aliases are alternative names used to identify this IntrusionSet.
	Aliases []string `json:"aliases,omitempty"`
	// FirstSeen is the time that this Intrusion Set was first seen. This
	// property is a summary property of data from sightings and other data
	// that may or may not be available in STIX. If new sightings are received
	// that are earlier than the first seen timestamp, the object may be
	// updated to account for the new data.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen is the time that this Intrusion Set was last seen. This
	// property is a summary property of data from sightings and other data
	// that may or may not be available in STIX. If new sightings are received
	// that are later than the last seen timestamp, the object may be updated
	// to account for the new data.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
	// Goals is the high-level goals of this Intrusion Set, namely, what are
	// they trying to do. For example, they may be motivated by personal gain,
	// but their goal is to steal credit card numbers. To do this, they may
	// execute specific Campaigns that have detailed objectives like
	// compromising point of sale systems at a large retailer. Another example:
	// to gain information about latest merger and IPO information from ACME
	// Bank.
	Goals []string `json:"goals,omitempty"`
	// ResourceLevel defines the organizational level at which this Intrusion
	// Set typically works, which in turn determines the resources available to
	// this Intrusion Set for use in an attack. This is an open vocabulary and
	// values SHOULD come from the AttackResourceLevel vocabulary.
	ResourceLevel string `json:"resource_level,omitempty"`
	// PrimaryMotivation is the primary reason, motivation, or purpose behind
	// this Intrusion Set. The motivation is why the Intrusion Set wishes to
	// achieve the goal (what they are trying to achieve). For example, an
	// Intrusion Set with a goal to disrupt the finance sector in a country
	// might be motivated by ideological hatred of capitalism. This is an open
	// vocabulary and values SHOULD come from the AttackMotivation vocabulary.
	PrimaryMotivation string `json:"primary_motivation,omitempty"`
	// SecondaryMotivation is the secondary reasons, motivations, or purposes
	// behind this Intrusion Set. These motivations can exist as an equal or
	// near-equal cause to the primary motivation. However, it does not replace
	// or necessarily magnify the primary motivation, but it might indicate
	// additional context. The position in the list has no significance. This
	// is an open vocabulary and values SHOULD come from the AttackMotivation
	// vocabulary.
	SecondaryMotivations []string `json:"secondary_motivations,omitempty"`
}

IntrusionSet is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An IntrusionSet may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor. New activity can be attributed to an IntrusionSet even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one IntrusionSet to supporting another, or they may support multiple IntrusionSets.

Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an IntrusionSet is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes.

While sometimes an IntrusionSet is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.

func NewIntrusionSet 

func NewIntrusionSet(name string, opts ...STIXOption) (*IntrusionSet, error)

NewIntrusionSet creates a new IntrusionSet object.

func (*IntrusionSet) AddAttributedTo 

func (c *IntrusionSet) AddAttributedTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddAttributedTo describes that the related Threat Actor is involved in carrying out the Intrusion Set.

func (*IntrusionSet) AddCompromises 

func (c *IntrusionSet) AddCompromises(id Identifier, opts ...STIXOption) (*Relationship, error)

AddCompromises describes that the Intrusion Set compromises the related Infrastructure.

func (*IntrusionSet) AddHosts 

func (c *IntrusionSet) AddHosts(id Identifier, opts ...STIXOption) (*Relationship, error)

AddHosts describes that the Intrusion Set hosts the related Infrastructure (e.g. an actor that rents botnets to other threat actors).

func (*IntrusionSet) AddOriginatesFrom 

func (c *IntrusionSet) AddOriginatesFrom(id Identifier, opts ...STIXOption) (*Relationship, error)

AddOriginatesFrom describes that the Intrusion Set originates from the related location and SHOULD NOT be used to define attribution.

func (*IntrusionSet) AddOwns 

func (c *IntrusionSet) AddOwns(id Identifier, opts ...STIXOption) (*Relationship, error)

AddOwns describes that the Intrusion Set owns the related Infrastructure (e.g. an actor that rents botnets to other threat actors).

func (*IntrusionSet) AddTargets 

func (c *IntrusionSet) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error)

AddTargets describes that the Intrusion Set uses exploits of the related Vulnerability or targets the type of victims described by the related Identity or Location.

func (*IntrusionSet) AddUses 

func (c *IntrusionSet) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses describes that attacks carried out as part of the Intrusion Set typically use the related Attack Pattern, Infrastructure, Malware, or Tool.

func (*IntrusionSet) MarshalJSON added in v0.8.0 

func (o *IntrusionSet) MarshalJSON() ([]byte, error)

type KillChainPhase 

type KillChainPhase struct {
	// Name is the name of the kill chain. The value of this property SHOULD be
	// all lowercase and SHOULD use hyphens instead of spaces or underscores as
	// word separators.
	Name string `json:"kill_chain_name"`
	// Phase is the name of the phase in the kill chain. The value of this
	// property SHOULD be all lowercase and SHOULD use hyphens instead of
	// spaces or underscores as word separators.
	Phase string `json:"phase_name"`
}

KillChainPhase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. When referencing the Lockheed Martin Cyber Kill Chain™, the kill_chain_name property MUST be LockheedMartinCyberKillChain.

func NewKillChainPhase 

func NewKillChainPhase(name, phase string) (*KillChainPhase, error)

NewKillChainPhase creates a new KillChainPhase, both arguments are required.

func ParseKillChainPhase 

func ParseKillChainPhase(data []byte) (*KillChainPhase, error)

ParseKillChainPhase parses a KillChainPhase object from the JSON data.

type LanguageContent 

type LanguageContent struct {
	// The type property identifies the type of STIX Object. The value of the
	// type property MUST be the name of one of the types of STIX Objects
	Type STIXType `json:"type"`
	// The id property uniquely identifies this object. For objects that
	// support versioning, all objects with the same id are considered
	// different versions of the same object and the version of the object is
	// identified by its modified property.
	ID Identifier `json:"id"`
	// The version of the STIX specification used to represent this object.
	SpecVersion string `json:"spec_version"`
	// The created_by_ref property specifies the id property of the identity
	// object that describes the entity that created this object. If this
	// attribute is omitted, the source of this information is undefined. This
	// may be used by object creators who wish to remain anonymous.
	CreatedBy Identifier `json:"created_by_ref,omitempty"`
	// The created property represents the time at which the object was
	// originally created. The object creator can use the time it deems most
	// appropriate as the time the object was created, but it MUST be precise
	// to the nearest millisecond (exactly three digits after the decimal place
	// in seconds). The created property MUST NOT be changed when creating a
	// new version of the object.
	Created *Timestamp `json:"created"`
	// The modified property is only used by STIX Objects that support
	// versioning and represents the time that this particular version of the
	// object was last modified. The object creator can use the time it deems
	// most appropriate as the time this version of the object was modified,
	// but it must be precise to the nearest millisecond (exactly three digits
	// after the decimal place in seconds). If the created property is defined,
	// then the value of the modified property for a given object version MUST
	// be later than or equal to the value of the created property. Object
	// creators MUST set the modified property when creating a new version of
	// an object if the created property was set.
	Modified *Timestamp `json:"modified"`
	// The revoked property is only used by STIX Objects that support
	// versioning and indicates whether the object has been revoked. Revoked
	// objects are no longer considered valid by the object creator. Revoking
	// an object is permanent; future versions of the object with this id MUST
	// NOT be created.
	Revoked bool `json:"revoked,omitempty"`
	// The labels property specifies a set of terms used to describe this
	// object. The terms are user-defined or trust-group defined and their
	// meaning is outside the scope of this specification and MAY be ignored.
	// Where an object has a specific property defined in the specification for
	// characterizing subtypes of that object, the labels property MUST NOT be
	// used for that purpose. For example, the Malware SDO has a property
	// malware_types that contains a list of Malware subtypes (dropper, RAT,
	// etc.). In this example, the labels property cannot be used to describe
	// these Malware subtypes.
	Labels []string `json:"labels,omitempty"`
	// The confidence property identifies the confidence that the creator has
	// in the correctness of their data. The confidence value MUST be a number
	// in the range of 0-100.
	Confidence int `json:"confidence,omitempty"`
	// The ExternalReferences property specifies a list of external references
	// which refers to non-STIX information. This property is used to provide
	// one or more URLs, descriptions, or IDs to records in other systems.
	ExternalReferences []*ExternalReference `json:"external_references,omitempty"`
	// The object_marking_refs property specifies a list of id properties of
	// marking-definition objects that apply to this object. In some cases,
	// though uncommon, marking definitions themselves may be marked with
	// sharing or handling guidance. In this case, this property MUST NOT
	// contain any references to the same Marking Definition object (i.e., it
	// cannot contain any circular references).
	ObjectMarking []Identifier `json:"object_marking_refs,omitempty"`
	// The granular_markings property specifies a list of granular markings
	// applied to this object. In some cases, though uncommon, marking
	// definitions themselves may be marked with sharing or handling guidance.
	// In this case, this property MUST NOT contain any references to the same
	// Marking Definition object (i.e., it cannot contain any circular
	// references).
	GranularMarking []*GranularMarking `json:"granular_markings,omitempty"`
	// Specifies any extensions of the object, as a dictionary.
	Extensions Extensions `json:"extensions,omitempty"`
	// Object identifies the id of the object that this Language Content
	// applies to. It MUST be the identifier for a STIX Object.
	Object Identifier `json:"object_ref"`
	// ObjectModified identifies the modified time of the object that this
	// Language Content applies to. It MUST be an exact match for the modified
	// time of the STIX Object being referenced.
	ObjectModified *Timestamp `json:"object_modified,omitempty"`
	// Contents contains the actual Language Content (translation).
	//
	// The keys in the dictionary MUST be RFC 5646 language codes for which
	// language content is being provided [RFC5646]. The values each consist of
	// a dictionary that mirrors the properties in the target object
	// (identified by object_ref and object_modified). For example, to provide
	// a translation of the name property on the target object the key in the
	// dictionary would be name.
	// For each key in the nested dictionary:
	//	* If the original property is a string, the corresponding property
	//	in the language content object MUST contain a string with the
	//	content for that property in the language of the top-level key.
	//	* If the original property is a list, the corresponding property in
	//	the translation object must also be a list. Each item in this list
	//	recursively maps to the item at the same position in the list
	//	contained in the target object. The lists MUST have the same
	//	length.
	//	* In the event that translations are only provided for some list
	//	items, the untranslated list items MUST be represented by an empty
	//	string (""). This indicates to a consumer of the Language Content
	//	object that they should interpolate the translated list items in
	//	the Language Content object with the corresponding (untranslated)
	//	list items from the original object as indicated by the object_ref
	//	property.
	//	* If the original property is an object (including dictionaries),
	//	the corresponding location in the translation object must also be
	//	an object. Each key/value field in this object recursively maps to
	//	the object with the same key in the original.
	//
	// The translation object MAY contain only a subset of the translatable
	// fields of the original. Keys that point to non-translatable properties
	// in the target or to properties that do not exist in the target object
	// MUST be ignored.
	Contents map[string]map[string]interface{} `json:"contents"`
	// contains filtered or unexported fields
}

LanguageContent represents text content for STIX Objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation.

func NewLanguageContent 

func NewLanguageContent(object Identifier, content map[string]map[string]interface{}, opts ...STIXOption) (*LanguageContent, error)

NewLanguageContent creates a new LanguageContent object.

func (*LanguageContent) GetCreated added in v0.4.0 

func (l *LanguageContent) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*LanguageContent) GetExtendedTopLevelProperties added in v0.8.0 

func (s *LanguageContent) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object.

func (*LanguageContent) GetID added in v0.2.0 

func (l *LanguageContent) GetID() Identifier

GetID returns the identifier for the object.

func (*LanguageContent) GetModified added in v0.4.0 

func (l *LanguageContent) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*LanguageContent) GetType added in v0.2.0 

func (l *LanguageContent) GetType() STIXType

GetType returns the object's type.

func (*LanguageContent) MarshalJSON added in v0.8.0 

func (o *LanguageContent) MarshalJSON() ([]byte, error)

type Location 

type Location struct {
	STIXDomainObject
	// Name is used to identify the Location.
	Name string `json:"name,omitempty"`
	// Description is a textual description of the Location.
	Description string `json:"description,omitempty"`
	// Latitude of the Location in decimal degrees. Positive numbers describe
	// latitudes north of the equator, and negative numbers describe latitudes
	// south of the equator. The value of this property MUST be between -90.0
	// and 90.0, inclusive.
	Latitude float64 `json:"latitude,omitempty"`
	// Longitude of the Location in decimal degrees. Positive numbers describe
	// longitudes east of the prime meridian and negative numbers describe
	// longitudes west of the prime meridian. The value of this property MUST
	// be between -180.0 and 180.0, inclusive.
	Longitude float64 `json:"longitude,omitempty"`
	// Precision of the coordinates specified by the latitude and longitude
	// properties. This is measured in meters. The actual Location may be
	// anywhere up to precision meters from the defined point. If this property
	// is not present, then the precision is unspecified. If this property is
	// present, the latitude and longitude properties MUST be present.
	Precision float64 `json:"precision,omitempty"`
	// Region that this Location describes.
	Region string `json:"region,omitempty"`
	// Country  that this Location describes. This property SHOULD contain a
	// valid ISO 3166-1 ALPHA-2 Code.
	Country string `json:"country,omitempty"`
	// AdminstrativeArea is the state, province, or other sub-national
	// administrative area that this Location describes.
	AdministrativeArea string `json:"administrative_area,omitempty"`
	// City that this Location describes.
	City string `json:"city,omitempty"`
	// StreetAddress that this Location describes. This property includes all
	// aspects or parts of the street address. For example, some addresses may
	// have multiple lines including a mailstop or apartment number.
	StreetAddress string `json:"street_address,omitempty"`
	// PostalCode for this Location.
	PostalCode string `json:"postal_code,omitempty"`
}

Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude.

Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe.

The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States.

At least one of the following properties/sets of properties MUST be provided:

  • region
  • country
  • latitude and longitude

When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value.

If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates.

func NewLocation 

func NewLocation(region, country string, lat, long float64, opts ...STIXOption) (*Location, error)

NewLocation creates a new Location object.

func (*Location) MarshalJSON added in v0.8.0 

func (o *Location) MarshalJSON() ([]byte, error)

type MACAddress 

type MACAddress struct {
	STIXCyberObservableObject
	// Value specifies the value of a single MAC address.
	Value string `json:"value"`
}

MACAddress represents a single Media Access Control (MAC) address.

func NewMACAddress 

func NewMACAddress(value string, opts ...STIXOption) (*MACAddress, error)

NewMACAddress creates a new MACAddress object.

func (*MACAddress) MarshalJSON added in v0.8.0 

func (o *MACAddress) MarshalJSON() ([]byte, error)

type Malware 

type Malware struct {
	STIXDomainObject
	// Name is used to identify the malware instance or family, as specified by
	// the producer of the SDO. For a malware family the name MUST be defined.
	// If a name for a malware instance is not available, the SHA-256 hash
	// value or sample’s filename MAY be used instead.
	Name string `json:"name,omitempty"`
	// Description provides more details and context about the malware instance
	// or family, potentially including its purpose and its key
	// characteristics.
	Description string `json:"description,omitempty"`
	// Types is an open vocabulary that specifies a set of
	// categorizations for the malware being described.
	Types []string `json:"malware_types,omitempty"`
	// IsFamily tells whether the object represents a malware family (if true)
	// or a malware instance (if false).
	IsFamily bool `json:"is_family"`
	// Aliases are alternative names used to identify this malware or malware
	// family.
	Aliases []string `json:"aliases,omitempty"`
	// KillChainPhashe is a list of Kill Chain Phases for which this malware
	// can be used.
	KillChainPhase []*KillChainPhase `json:"kill_chain_phases,omitempty"`
	// FirstSeen is the time that the malware instance or family was first
	// seen.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen is the time that the malware family or malware instance was
	// last seen.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
	// OperatingSystems is operating system the malware family or malware instance is
	// executable on. This applies to virtualized operating systems as well
	// as those running on bare metal.
	//
	// The value of this property MUST be the identifier for a SCO software object.
	OperatingSystems []Identifier `json:"operating_system_refs,omitempty"`
	// Architecture is the processor architectures (e.g., x86, ARM, etc.) that
	// the malware instance or family is executable on.
	Architecture []string `json:"architecture_execution_envs,omitempty"`
	// Languages is the programming language(s) used to implement the malware
	// instance or family.
	Languages []string `json:"implementation_languages,omitempty"`
	// Capabilities specifies any capabilities identified for the malware
	// instance or family.
	Capabilities []string `json:"capabilities,omitempty"`
	// Samples pecifies a list of identifiers of the SCO file or artifact
	// objects associated with this malware instance(s) or family. If is_family
	// is false, then all samples listed in sample_refs MUST refer to the same
	// binary data.
	Samples []Identifier `json:"sample_refs,omitempty"`
}

Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.

The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO.

The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides.

func NewMalware 

func NewMalware(family bool, opts ...STIXOption) (*Malware, error)

NewMalware creates a new Malware object.

func (*Malware) AddAuthoredBy 

func (c *Malware) AddAuthoredBy(id Identifier, opts ...STIXOption) (*Relationship, error)

AddAuthoredBy describes that the malware instance or family was developed by the related threat actor or intrusion set.

func (*Malware) AddBeaconsTo 

func (c *Malware) AddBeaconsTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddBeaconsTo describes that the malware instance or family beacons to data to the related Infrastructure.

func (*Malware) AddCommunicatesWith 

func (c *Malware) AddCommunicatesWith(id Identifier, opts ...STIXOption) (*Relationship, error)

AddCommunicatesWith documents that this malware instance (or family) communicates with (beacons to, connects to, or exfiltrated data to) the defined network addressable resource.

func (*Malware) AddControls 

func (c *Malware) AddControls(id Identifier, opts ...STIXOption) (*Relationship, error)

AddControls documents hat this malware instance (or family) can control other malware which may be resident on the same system on which it is executing. Note that this is not meant to imply or state that the malware instance or family drops other malware (which is covered by the drops relationship). Rather, it is meant to state that the malware instance or family is able to subvert or control other malware to achieve its goals.

func (*Malware) AddDownloads 

func (c *Malware) AddDownloads(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDownloads documents that this malware instance (or family) downloads another malware instance, tool or file. This is especially common with “first-stage” malware instances such as downloaders and droppers.

func (*Malware) AddDrops 

func (c *Malware) AddDrops(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDrops documents that this malware instance (or family) drops another malware instance, tool or file. This is especially common with “first-stage” malware instances such as downloaders and droppers.

func (*Malware) AddExfiltratesTo 

func (c *Malware) AddExfiltratesTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddExfiltratesTo describes that the malware instance or family exfiltrates data to the related Infrastructure.

func (*Malware) AddExploits 

func (c *Malware) AddExploits(id Identifier, opts ...STIXOption) (*Relationship, error)

AddExploits documents hat this malware instance or family exploits or attempts to exploit a particular vulnerability.

func (*Malware) AddOriginatesFrom 

func (c *Malware) AddOriginatesFrom(id Identifier, opts ...STIXOption) (*Relationship, error)

AddOriginatesFrom documents that this malware instance or family originates from a particular location.

func (*Malware) AddTargets 

func (c *Malware) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error)

AddTargets documents that a malware instance or family is being used to target an Identity, Infrastructure, or Location. For malware families, this can be used to capture the full set of identities, infrastructures, or locations targeted by the family.

func (*Malware) AddUses 

func (c *Malware) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses documents that this malware instance or family uses the attack pattern, infrastructure, malware, or tool to achieve its objectives.

func (*Malware) AddVariantOf 

func (c *Malware) AddVariantOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddVariantOf documents that one malware instance or family is a variant of another malware instance or family. Only the following uses of this relationship are valid: Malware instance → Malware family: a Malware instance is a variant of a Malware family. For example, a particular Zeus version 2 sample is a variant of the broader Zeus family. Malware family → Malware family: a Malware family is a variant of another Malware family. For example, the Gameover Zeus family is a variant of the broader Zeus family. Malware instance → Malware instance: a Malware instance is a variant of another Malware instance. For example, a particular Cryptolocker instance that is based on an another Cryptolocker instance with minor changes. Malware family → Malware instance: this relationship MUST NOT be used as it is not semantically valid.

func (*Malware) MarshalJSON added in v0.8.0 

func (o *Malware) MarshalJSON() ([]byte, error)

type MalwareAnalysis 

type MalwareAnalysis struct {
	STIXDomainObject
	// Product is the name of the analysis engine or product that was used.
	// Product names SHOULD be all lowercase with words separated by a dash
	// "-". For cases where the name of a product cannot be specified, a value
	// of "anonymized" MUST be used.
	Product string `json:"product"`
	// Version of the analysis product that was used to perform the analysis.
	Version string `json:"version,omitempty"`
	// HostVM is a description of the virtual machine environment used to host
	// the guest operating system (if applicable) that was used for the dynamic
	// analysis of the malware instance or family. If this value is not
	// included in conjunction with the operating_system_ref property, this
	// means that the dynamic analysis may have been performed on bare metal
	// (i.e. without virtualization) or the information was redacted. The value
	// of this property MUST be the identifier for a SCO software object.
	HostVM Identifier `json:"host_vm_ref,omitempty"`
	// OS is the operating system used for the dynamic analysis of the malware
	// instance or family. This applies to virtualized operating systems as
	// well as those running on bare metal. The value of this property MUST be
	// the identifier for a SCO software object.
	OperatingSystem Identifier `json:"operating_system_ref,omitempty"`
	// InstalledSoftware is a list of any non-standard software installed on
	// the operating system (specified through the operating-system value) used
	// for the dynamic analysis of the malware instance or family. The value of
	// this property MUST be the identifier for a SCO software object.
	InstalledSoftware []Identifier `json:"installed_software_refs,omitempty"`
	// ConfigurationVersion captures the named configuration of additional product
	// configuration parameters for this analysis run. For example, when a
	// product is configured to do full depth analysis of Window™ PE files.
	// This configuration may have a named version and that named version can
	// be captured in this property. This will ensure additional runs can be
	// configured in the same way.
	ConfigurationVersion string `json:"configuration_version,omitempty"`
	// Modules aptures the specific analysis modules that were used and
	// configured in the product during this analysis run. For example,
	// configuring a product to support analysis of Dridex.
	Modules []string `json:"modules,omitempty"`
	// AnalysisEngineVersion is the version of the analysis engine or product
	// (including AV engines) that was used to perform the analysis.
	AnalysisEngineVersion string `json:"analysis_engine_version,omitempty"`
	// AnalysisDefinitionVersion is the version of the analysis definitions
	// used by the analysis tool (including AV tools).
	AnalysisDefinitionVersion string `json:"analysis_definition_version,omitempty"`
	// Submitted is the date and time that the malware was first submitted for
	// scanning or analysis. This value will stay constant while the scanned
	// date can change. For example, when MalwareAnalysis was submitted to a virus
	// analysis tool.
	Submitted *Timestamp `json:"submitted,omitempty"`
	// AnalysisStarted is the date and time that the malware analysis was
	// initiated.
	AnalysisStarted *Timestamp `json:"analysis_started,omitempty"`
	// AnalysisEnded is the date and time that the malware analysis ended.
	AnalysisEnded *Timestamp `json:"analysis_ended,omitempty"`
	// ResultName is the classification result or name assigned to the malware
	// instance by the AV scanner tool.
	ResultName string `json:"result_name,omitempty"`
	// Result is the classification result as determined by the scanner or tool
	// analysis process.
	Result string `json:"result,omitempty"`
	// AnalysisSCOs contains the references to the STIX Cyber-observable
	// Objects that were captured during the analysis process.
	AnalysisSCOs []Identifier `json:"analysis_sco_refs,omitempty"`
	// Sample contains the reference to the SCO file, network traffic or
	// artifact object that this malware analysis was performed against.
	// Caution should be observed when creating an SRO between Malware and
	// Malware Analysis objects when the Malware sample_refs property does not
	// contain the SCO that is included in the Malware Analysis sample_ref
	// property.  Note, this property can also contain a reference to an SCO
	// which is not associated with Malware (i.e., some SCO which was scanned
	// and found to be benign.)
	Sample Identifier `json:"sample_ref,omitempty"`
}

MalwareAnalysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.

func NewMalwareAnalysis 

func NewMalwareAnalysis(product, result string, analysisSCOs []Identifier, opts ...STIXOption) (*MalwareAnalysis, error)

NewMalwareAnalysis creates a new MalwareAnalysis object. One of result or analysisSCOs must be provided.

func (*MalwareAnalysis) AddAnalysisOf added in v0.8.0 

func (c *MalwareAnalysis) AddAnalysisOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddAnalysisOf describes that the malware analysis is results for the related malware.

func (*MalwareAnalysis) AddCharacterizes 

func (c *MalwareAnalysis) AddCharacterizes(id Identifier, opts ...STIXOption) (*Relationship, error)

AddCharacterizes describes that the malware analysis is describes the related malware.

func (*MalwareAnalysis) AddDynamicAnalysisOf 

func (c *MalwareAnalysis) AddDynamicAnalysisOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDynamicAnalysisOf describes hat the malware analysis is dynamic analysis results for the related malware.

func (*MalwareAnalysis) AddStaticAnalysisOf 

func (c *MalwareAnalysis) AddStaticAnalysisOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddStaticAnalysisOf describes that the malware analysis is static analysis results for the related malware.

func (*MalwareAnalysis) MarshalJSON added in v0.8.0 

func (o *MalwareAnalysis) MarshalJSON() ([]byte, error)

type MarkingDefinition 

type MarkingDefinition struct {
	// The type property identifies the type of STIX Object. The value of the
	// type property MUST be the name of one of the types of STIX Objects
	Type STIXType `json:"type"`
	// The id property uniquely identifies this object. For objects that
	// support versioning, all objects with the same id are considered
	// different versions of the same object and the version of the object is
	// identified by its modified property.
	ID Identifier `json:"id"`
	// The version of the STIX specification used to represent this object.
	SpecVersion string `json:"spec_version"`
	// The created_by_ref property specifies the id property of the identity
	// object that describes the entity that created this object. If this
	// attribute is omitted, the source of this information is undefined. This
	// may be used by object creators who wish to remain anonymous.
	CreatedBy Identifier `json:"created_by_ref,omitempty"`
	// The created property represents the time at which the object was
	// originally created. The object creator can use the time it deems most
	// appropriate as the time the object was created, but it MUST be precise
	// to the nearest millisecond (exactly three digits after the decimal place
	// in seconds). The created property MUST NOT be changed when creating a
	// new version of the object.
	Created *Timestamp `json:"created"`
	// The ExternalReferences property specifies a list of external references
	// which refers to non-STIX information. This property is used to provide
	// one or more URLs, descriptions, or IDs to records in other systems.
	ExternalReferences []*ExternalReference `json:"external_references,omitempty"`
	// The object_marking_refs property specifies a list of id properties of
	// marking-definition objects that apply to this object. In some cases,
	// though uncommon, marking definitions themselves may be marked with
	// sharing or handling guidance. In this case, this property MUST NOT
	// contain any references to the same Marking Definition object (i.e., it
	// cannot contain any circular references).
	ObjectMarking []Identifier `json:"object_marking_refs,omitempty"`
	// The granular_markings property specifies a list of granular markings
	// applied to this object. In some cases, though uncommon, marking
	// definitions themselves may be marked with sharing or handling guidance.
	// In this case, this property MUST NOT contain any references to the same
	// Marking Definition object (i.e., it cannot contain any circular
	// references).
	GranularMarking []*GranularMarking `json:"granular_markings,omitempty"`
	// Specifies any extensions of the object, as a dictionary.
	Extensions Extensions `json:"extensions,omitempty"`
	// Name is used to identify the Marking Definition.
	Name string `json:"name,omitempty"`
	// DefinitionType identifies the type of Marking Definition. The value of
	// the definition_type property SHOULD be one of statement or tlp.
	DefinitionType string `json:"definition_type"`
	// Definition contains the marking object itself (e.g., the TLP marking,
	// the Statement, or some other marking definition defined).
	Definition interface{} `json:"definition"`
	// contains filtered or unexported fields
}

MarkingDefinition represents a specific marking. Data markings typically represent handling or sharing requirements for data and are applied in the object_marking_refs and granular_markings properties on STIX Objects, which reference a list of IDs for marking-definition objects.

Two marking definition types are defined in this specification: TLP, to capture TLP markings, and Statement, to capture text marking statements. In addition, it is expected that the FIRST Information Exchange Policy (IEP) will be included in a future version once a machine-usable specification for it has been defined.

Unlike other STIX Objects, Marking Definition objects cannot be versioned because it would allow for indirect changes to the markings on a STIX Object. For example, if a Statement marking is changed from "Reuse Allowed" to "Reuse Prohibited", all STIX Objects marked with that Statement marking would effectively have an updated marking without being updated themselves. Instead, a new Statement marking with the new text should be created and the marked objects updated to point to the new marking.

func NewMarkingDefinition 

func NewMarkingDefinition(typ string, definition interface{}, opts ...STIXOption) (*MarkingDefinition, error)

NewMarkingDefinition creates a new MarkingDefinition object.

func (*MarkingDefinition) GetCreated added in v0.4.0 

func (m *MarkingDefinition) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*MarkingDefinition) GetExtendedTopLevelProperties added in v0.8.0 

func (s *MarkingDefinition) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object.

func (*MarkingDefinition) GetID added in v0.2.0 

func (m *MarkingDefinition) GetID() Identifier

GetID returns the identifier for the object.

func (*MarkingDefinition) GetModified added in v0.4.0 

func (m *MarkingDefinition) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*MarkingDefinition) GetType added in v0.2.0 

func (m *MarkingDefinition) GetType() STIXType

GetType returns the object's type.

func (*MarkingDefinition) MarshalJSON added in v0.8.0 

func (o *MarkingDefinition) MarshalJSON() ([]byte, error)

type Mutex 

type Mutex struct {
	STIXCyberObservableObject
	// Name specifies the name of the mutex object.
	Name string `json:"name"`
}

Mutex represents the properties of a mutual exclusion (mutex) object.

func NewMutex 

func NewMutex(value string, opts ...STIXOption) (*Mutex, error)

NewMutex creates a new Mutex object.

func (*Mutex) MarshalJSON added in v0.8.0 

func (o *Mutex) MarshalJSON() ([]byte, error)

type NTFSFileExtension 

type NTFSFileExtension struct {
	// SID specifies the security ID (SID) value assigned to the file.
	SID string `json:"sid,omitempty"`
	// AltDataStreams specifies a list of NTFS alternate data streams that
	// exist for the file.
	AltDataStreams []AltDataStream `json:"alternate_data_streams,omitempty"`
}

NTFSFileExtension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system. The key for this extension when used in the extensions dictionary MUST be ntfs-ext. An object using the NTFS File Extension MUST contain at least one property from this extension.

type NetworkTraffic 

type NetworkTraffic struct {
	STIXCyberObservableObject
	// Start specifies the date/time the network traffic was initiated, if
	// known.
	Start *Timestamp `json:"start,omitempty"`
	// End specifies the date/time the network traffic ended, if known.
	End *Timestamp `json:"end,omitempty"`
	// IsActive indicates whether the network traffic is still ongoing.
	IsActive bool `json:"is_active,omitempty"`
	// Src specifies the source of the network traffic, as a reference to a
	// Cyber-observable Object.
	Src Identifier `json:"src_ref,omitempty"`
	// Dst specifies the destination of the network traffic, as a reference to
	// a Cyber-observable Object.
	Dst Identifier `json:"dst_ref,omitempty"`
	// SrcPort specifies the source port used in the network traffic, as an
	// integer. The port value MUST be in the range of 0 - 65535.
	SrcPort int64 `json:"src_port,omitempty"`
	// DstPort specifies the destination port used in the network traffic, as
	// an integer. The port value MUST be in the range of 0 - 65535.
	DstPort int64 `json:"dst_port,omitempty"`
	// Protocols specifies the protocols observed in the network traffic, along
	// with their corresponding state. Protocols MUST be listed in low to high
	// order, from outer to inner in terms of packet encapsulation. That is,
	// the protocols in the outer level of the packet, such as IP, MUST be
	// listed first. The protocol names SHOULD come from the service names
	// defined in the Service Name column of the IANA Service Name and Port
	// Number Registry. In cases where there is variance in the name of a
	// network protocol not included in the IANA Registry, content producers
	// should exercise their best judgement, and it is recommended that
	// lowercase names be used for consistency with the IANA registry.
	//		Examples:
	// 		ipv4, tcp, http
	// 		ipv4, udp
	// 		ipv6, tcp, http
	// 		ipv6, tcp, ssl, https
	Protocols []string `json:"protocols"`
	// SrcByteCount specifies the number of bytes, as a positive integer, sent
	// from the source to the destination.
	SrcByteCount int64 `json:"src_byte_count,omitempty"`
	// DstByteCount specifies the number of bytes, as a positive integer, sent
	// from the destination to the source.
	DstByteCount int64 `json:"dst_byte_count,omitempty"`
	// SrcPackets specifies the number of packets, as a positive integer, sent
	// from the source to the destination.
	SrcPackets int64 `json:"src_packets,omitempty"`
	// DstPackets specifies the number of packets, as a positive integer, sent
	// from the destination to the source.
	DstPackets int64 `json:"dst_packets,omitempty"`
	// IPFIX specifies any IP Flow Information Export data for the traffic, as
	// a dictionary. Each key/value pair in the dictionary represents the
	// name/value of a single IPFIX element. Accordingly, each dictionary key
	// SHOULD be a case-preserved version of the IPFIX element name, e.g.,
	// octetDeltaCount. Each dictionary value MUST be either an integer or a
	// string, as well as a valid IPFIX property.
	IPFIX map[string]interface{} `json:"ipfix,omitempty"`
	// SrcPayload specifies the bytes sent from the source to the destination.
	SrcPayload Identifier `json:"src_payload_ref,omitempty"`
	// DstPayload specifies the bytes sent from the destination to the source.
	DstPayload Identifier `json:"dst_payload_ref,omitempty"`
	// Encapsulates links to other network-traffic objects encapsulated by this
	// network-traffic object.
	Encapsulates []Identifier `json:"encapsulates_refs,omitempty"`
	// Encapsulated links to another network-traffic object which encapsulates
	// this object.
	Encapsulated Identifier `json:"encapsulated_by_ref,omitempty"`
}

NetworkTraffic represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.

To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (Src and Dst, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the Src or Dst properties and SHOULD contain the SrcPort and DstPort properties.

func NewNetworkTraffic 

func NewNetworkTraffic(proto []string, opts ...STIXOption) (*NetworkTraffic, error)

NewNetworkTraffic creates a new NetworkTraffic object. A NetworkTraffic object MUST contain at least one of hashes or name.

func (*NetworkTraffic) HTTPRequestExtension 

func (n *NetworkTraffic) HTTPRequestExtension() *HTTPRequestExtension

HTTPRequestExtension returns the HTTP request extension for the object or nil.

func (*NetworkTraffic) ICMPExtension 

func (n *NetworkTraffic) ICMPExtension() *ICMPExtension

ICMPExtension returns the ICMP extension for the object or nil.

func (*NetworkTraffic) MarshalJSON added in v0.8.0 

func (o *NetworkTraffic) MarshalJSON() ([]byte, error)

func (*NetworkTraffic) SocketExtension 

func (n *NetworkTraffic) SocketExtension() *SocketExtension

SocketExtension returns the socket extension for the object or nil.

func (*NetworkTraffic) TCPExtension 

func (n *NetworkTraffic) TCPExtension() *TCPExtension

TCPExtension returns the tcp extension for the object or nil.

type Note 

type Note struct {
	STIXDomainObject
	// Abstract is a brief summary of the note content.
	Abstract string `json:"abstract,omitempty"`
	// Content is the content of the note.
	Content string `json:"content"`
	// Authors is/are the name of the author(s) of this note (e.g., the
	// analyst(s) that created it).
	Authors []string `json:"authors,omitempty"`
	// Objects are the STIX Objects that the note is being applied to.
	Objects []Identifier `json:"object_refs"`
}

Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object.

func NewNote 

func NewNote(content string, objects []Identifier, opts ...STIXOption) (*Note, error)

NewNote creates a new Note object.

func (*Note) MarshalJSON added in v0.8.0 

func (o *Note) MarshalJSON() ([]byte, error)

type ObservedData 

type ObservedData struct {
	STIXDomainObject
	// FirstObserved is the beginning of the time window during which the data
	// was seen.
	FirstObserved *Timestamp `json:"first_observed"`
	// LastObserved is the end of the time window during which the data was
	// seen.
	LastObserved *Timestamp `json:"last_observed"`
	// NumberObserved is the number of times that each Cyber-observable object
	// represented in the objects or object_ref property was seen. If present,
	// this MUST be an integer between 1 and 999,999,999 inclusive.
	NumberObserved int64 `json:"number_observed"`
	// Objects is a map of SCO representing the observation. The dictionary
	// MUST contain at least one object. The cyber observable content MAY
	// include multiple objects if those objects are related as part of a
	// single observation. Multiple objects not related to each other via cyber
	// observable Relationships MUST NOT be contained within the same
	// ObservedData instance. This property MUST NOT be present if ObjectRefs
	// is provided. For example, a Network Traffic object and two IPv4 Address
	// objects related via the src_ref and dst_ref properties can be contained
	// in the same Observed Data because they are all related and used to
	// characterize that single entity.
	//
	// NOTE: this property is now deprecated in favor of ObjectRefs and will be
	// removed in a future version.
	Objects map[string]*STIXCyberObservableObject `json:"objects,omitempty"`
	// ObjectRefs is a list of SCOs and SROs representing the observation. The
	// ObjectRefs MUST contain at least one SCO reference if defined.
	ObjectRefs []Identifier `json:"object_refs,omitempty"`
}

ObservedData conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, ObservedData can capture information about an IP address, a network connection, a file, or a registry key. ObservedData is not an intelligence assertion, it is simply the raw information without any context for what it means.

ObservedData can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the NumberObserved property is 1 the ObservedData represents a single entity. When the NumberObserved property is greater than 1, the ObservedData represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the FirstObserved and LastObserved properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations.

ObservedData may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying ObservedData SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the ObservedData for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the ObservedData object. For example, a firewall could emit a single ObservedData instance containing a single Network Traffic object for each connection it sees. The firewall could also aggregate data and instead send out an ObservedData instance every ten minutes with an IP address and an appropriate NumberObserved value to indicate the number of times that IP address was observed in that window. A sandbox could emit an ObservedData instance containing a file hash that it discovered.

ObservedData may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific ObservedData to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).

To support backwards compatibility, related SCOs can still be specified using the Objects properties, Either the objects property or the ObjectRefs property MUST be provided, but both MUST NOT be present at the same time.

func NewObservedData 

func NewObservedData(firstObserved, lastObserved *Timestamp, numberObserved int64, objectsRef []Identifier, opts ...STIXOption) (*ObservedData, error)

NewObservedData creates a new ObservedData object.

func (*ObservedData) MarshalJSON added in v0.8.0 

func (o *ObservedData) MarshalJSON() ([]byte, error)

type Opinion 

type Opinion struct {
	STIXDomainObject
	// Explanation is an explanation of why the producer has this Opinion. For
	// example, if an Opinion of strongly-disagree is given, the explanation
	// can contain an explanation of why the Opinion producer disagrees and
	// what evidence they have for their disagreement.
	Explanation string `json:"explanation,omitempty"`
	// Authors is the name of the author(s) of this Opinion (e.g., the
	// analyst(s) that created it).
	Authors []string `json:"authors,omitempty"`
	// Value is the opinion that the producer has about all of the STIX
	// Object(s) listed in the Objects property.
	Value OpinionValue `json:"opinion"`
	// Objects is the STIX Objects that the Opinion is being applied to.
	Objects []Identifier `json:"object_refs"`
}

Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions.

For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community.

Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the CreatedBy property, which is meant to capture the organization that created the object.

func NewOpinion 

func NewOpinion(val OpinionValue, objects []Identifier, opts ...STIXOption) (*Opinion, error)

NewOpinion creates a new Opinion object.

func (*Opinion) MarshalJSON added in v0.8.0 

func (o *Opinion) MarshalJSON() ([]byte, error)

type OpinionValue 

type OpinionValue byte

OpinionValue aptures a degree of agreement with the information in a STIX Object. It is an ordered enumeration, with the earlier terms representing disagreement, the middle term neutral, and the later terms representing agreement. 

const (
	// OpinionStronglyDisagree means the creator strongly disagrees with the
	// information and believes it is inaccurate or incorrect.
	OpinionStronglyDisagree OpinionValue = iota + 1
	// OpinionDisagree means the creator disagrees with the information and
	// believes it is inaccurate or incorrect.
	OpinionDisagree
	// OpinionNeutral means the creator is neutral about the accuracy or
	// correctness of the information.
	OpinionNeutral
	// OpinionAgree means the creator agrees with the information and believes
	// that it is accurate and correct.
	OpinionAgree
	// OpinionStronglyAgree means the creator strongly agrees with the
	// information and believes that it is accurate and correct.
	OpinionStronglyAgree
)

func (OpinionValue) MarshalJSON added in v0.10.2 

func (typ OpinionValue) MarshalJSON() ([]byte, error)

func (OpinionValue) String 

func (typ OpinionValue) String() string

String returns the string representation of the OpinionValue.

func (*OpinionValue) UnmarshalJSON 

func (typ *OpinionValue) UnmarshalJSON(b []byte) error

UnmarshalJSON extracts the OpinionValue from the json data.

type PDFExtension 

type PDFExtension struct {
	// Version specifies the decimal version number of the string from the PDF
	// header that specifies the version of the PDF specification to which the
	// PDF file conforms. E.g., 1.4.
	Version string `json:"version,omitempty"`
	// IsOptimized specifies whether the PDF file has been optimized.
	IsOptimized bool `json:"is_optimized,omitempty"`
	// DocumentInfo specifies details of the PDF document information dictionary
	// (DID), which includes properties like the document creation data and
	// producer, as a dictionary. Each key in the dictionary SHOULD be a
	// case-preserved version of the corresponding entry in the document
	// information dictionary without the prepended forward slash, e.g., Title.
	// The corresponding value for the key MUST be the value specified for the
	// document information dictionary entry, as a string.
	DocumentInfo map[string]string `json:"document_info_dict,omitempty"`
	// PDFid0 specifies the first file identifier found for the PDF file.
	PDFid0 string `json:"pdfid0,omitempty"`
	// PDFid1 specifies the second file identifier found for the PDF file.
	PDFid1 string `json:"pdfid1,omitempty"`
}

PDFExtension specifies a default extension for capturing properties specific to PDF files. The key for this extension when used in the extensions dictionary MUST be pdf-ext. An object using the PDF File Extension MUST contain at least one property from this extension.

type Process 

type Process struct {
	STIXCyberObservableObject
	// IsHidden specifies whether the process is hidden.
	IsHidden bool `json:"is_hidden,omitempty"`
	// PID specifies the Process ID, or PID, of the process.
	PID int64 `json:"pid,omitempty"`
	// CreatedTime specifies the date/time at which the process was created.
	CreatedTime *Timestamp `json:"created_time,omitempty"`
	// Cwd specifies the current working directory of the process.
	Cwd string `json:"cwd,omitempty"`
	// CommandLine specifies the full command line used in executing the
	// process, including the process name (which may be specified individually
	// via the image_ref.name property) and any arguments.
	CommandLine string `json:"command_line,omitempty"`
	// EnvVars sSpecifies the list of environment variables associated with the
	// process as a dictionary.
	EnvVars map[string]string `json:"environment_variables,omitempty"`
	// OpenedConnections specifies the list of network connections opened by
	// the process, as a reference to one or more Network Traffic objects.
	OpenedConnections []Identifier `json:"opened_connection_refs,omitempty"`
	// CreatorUser specifies the user that created the process, as a reference
	// to a User Account object.
	CreatorUser Identifier `json:"creator_user_ref,omitempty"`
	// Image specifies the executable binary that was executed as the process
	// image, as a reference to a File object.
	Image Identifier `json:"image_ref,omitempty"`
	// Parent specifies the other process that spawned (i.e. is the parent of)
	// this one, as a reference to a Process object.
	Parent Identifier `json:"parent_ref,omitempty"`
	// Child specifies the other processes that were spawned by (i.e. children
	// of) this process, as a reference to one or more other Process objects.
	Child []Identifier `json:"child_refs,omitempty"`
}

Process represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions).

func NewProcess 

func NewProcess(opts ...STIXOption) (*Process, error)

NewProcess creates a new Process object.

func (*Process) MarshalJSON added in v0.8.0 

func (o *Process) MarshalJSON() ([]byte, error)

func (*Process) WindowsProcessExtension 

func (n *Process) WindowsProcessExtension() *WindowsProcessExtension

WindowsProcessExtension returns the Windows process extension for the object or nil.

func (*Process) WindowsServiceExtension 

func (n *Process) WindowsServiceExtension() *WindowsServiceExtension

WindowsServiceExtension returns the Windows service extension for the object or nil.

type RasterImageExtension 

type RasterImageExtension struct {
	// Height specifies the height of the image in the image file, in pixels.
	Height int64 `json:"image_height,omitempty"`
	// Width specifies the width of the image in the image file, in pixels.
	Width int64 `json:"image_width,omitempty"`
	// BitsPerPixel specifies the sum of bits used for each color channel in
	// the image file, and thus the total number of pixels used for expressing
	// the color depth of the image.
	BitsPerPixel int64 `json:"bits_per_pixel,omitempty"`
	// ExifTags specifies the set of EXIF tags found in the image file, as a
	// dictionary. Each key/value pair in the dictionary represents the
	// name/value of a single EXIF tag. Accordingly, each dictionary key MUST
	// be a case-preserved version of the EXIF tag name, e.g., XResolution.
	// Each dictionary value MUST be either an integer (for int* EXIF
	// datatypes) or a string (for all other EXIF datatypes).
	ExifTags map[string]interface{} `json:"exif_tags,omitempty"`
}

RasterImageExtension specifies a default extension for capturing properties specific to raster image files. The key for this extension when used in the extensions dictionary MUST be raster-image-ext. An object using the Raster Image File Extension MUST contain at least one property from this extension.

type RegistryDataType 

type RegistryDataType byte

RegistryDataType is a type of registry data type. 

const (
	// RegUnknownValue is used for unknown type values.
	RegUnknownValue RegistryDataType = iota
	// RegNone is a no defined value type.
	RegNone
	// RegSz is a null-terminated string. This will be either a Unicode or an
	// ANSI string, depending on whether you use the Unicode or ANSI functions.
	RegSz
	// RegExpandSz is a null-terminated string that contains unexpanded
	// references to environment variables (for example, "%PATH%"). It will be
	// a Unicode or ANSI string depending on whether you use the Unicode or
	// ANSI functions.
	RegExpandSz
	// RegBinary is binary data in any form.
	RegBinary
	// RegDword is a 32-bit number.
	RegDword
	// RegDwordBigEndian is a 32-bit number in big-endian format.
	RegDwordBigEndian
	// RegDwordLittleEndian is a 32-bit number in little-endian format.
	RegDwordLittleEndian
	// RegLink is a null-terminated Unicode string that contains the target
	// path of a symbolic link.
	RegLink
	// RegMultiSz is a sequence of null-terminated strings, terminated by an
	// empty string (\0).
	RegMultiSz
	// RegResourceList is a series of nested lists designed to store a resource
	// list used by a hardware device driver or one of the physical devices it
	// controls. This data is detected and written into the ResourceMap tree by
	// the system and is displayed in Registry Editor in hexadecimal format as
	// a Binary Value.
	RegResourceList
	// RegFullResourceDescription is a series of nested lists designed to store
	// a resource list used by a physical hardware device. This data is
	// detected and written into the HardwareDescription tree by the system and
	// is displayed in Registry Editor in hexadecimal format as a Binary Value.
	RegFullResourceDescription
	// RegResourceRequirementsList is a device driver list of hardware resource
	// requirements in Resource Map tree.
	RegResourceRequirementsList
	// RegQword is a 64-bit number.
	RegQword
	// RegInvalidType specifies an invalid key.
	RegInvalidType
)

func (RegistryDataType) MarshalJSON 

func (r RegistryDataType) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (RegistryDataType) String 

func (r RegistryDataType) String() string

String returns the string representation of the type.

func (*RegistryDataType) UnmarshalJSON 

func (r *RegistryDataType) UnmarshalJSON(b []byte) error

UnmarshalJSON deserializes the type from the json data.

type RegistryKey 

type RegistryKey struct {
	STIXCyberObservableObject
	// Key specifies the full registry key including the hive. The value of the
	// key, including the hive portion, SHOULD be case-preserved. The hive
	// portion of the key MUST be fully expanded and not truncated; e.g.,
	// HKEY_LOCAL_MACHINE must be used instead of HKLM.
	Key string `json:"key,omitempty"`
	// Values specifies the values found under the registry key.
	Values []*RegistryValue `json:"values,omitempty"`
	// ModifiedTime specifies the last date/time that the registry key was
	// modified.
	ModifiedTime *Timestamp `json:"modified_time,omitempty"`
	// CreatorUser specifies a reference to the user account that created the
	// registry key.
	CreatorUser Identifier `json:"creator_user_ref,omitempty"`
	// NumberOfSubkeys specifies the number of subkeys contained under the
	// registry key.
	NumberOfSubkeys int64 `json:"number_of_subkeys,omitempty"`
}

RegistryKey object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object.

func NewRegistryKey 

func NewRegistryKey(opts ...STIXOption) (*RegistryKey, error)

NewRegistryKey creates a new RegistryKey object.

func (*RegistryKey) MarshalJSON added in v0.8.0 

func (o *RegistryKey) MarshalJSON() ([]byte, error)

type RegistryValue 

type RegistryValue struct {
	// Name specifies the name of the registry value. For specifying the
	// default value in a registry key, an empty string MUST be used.
	Name string `json:"name,omitempty"`
	// Data specifies the data contained in the registry value.
	Data string `json:"data,omitempty"`
	// DataType specifies the registry (REG_*) data type used in the registry
	// value.
	DataType RegistryDataType `json:"data_type,omitempty"`
}

RegistryValue captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type.

type Relationship 

type Relationship struct {
	STIXRelationshipObject
	// The name used to identify the type of Relationship. This value SHOULD be
	// an exact value listed in the relationships for the source and target
	// SDO, but MAY be any string. The value of this property MUST be in ASCII
	// and is limited to characters a–z (lowercase ASCII), 0–9, and hyphen (-).
	RelationshipType RelationshipType `json:"relationship_type"`
	// A description that provides more details and context about the
	// Relationship, potentially including its purpose and its key
	// characteristics.
	Description string `json:"description,omitempty"`
	// The id of the source (from) object. The value MUST be an ID reference to
	// an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language
	// Content,or Marking Definition).
	Source Identifier `json:"source_ref"`
	// The id of the target (to) object. The value MUST be an ID reference to
	// an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language
	// Content, or Marking Definition).
	Target Identifier `json:"target_ref"`
	// This optional timestamp represents the earliest time at which the
	// Relationship between the objects exists. If this property is a future
	// timestamp, at the time the start_time property is defined, then this
	// represents an estimate by the producer of the intelligence of the
	// earliest time at which relationship will be asserted to be true. If it
	// is not specified, then the earliest time at which the relationship
	// between the objects exists is not defined.
	StartTime *Timestamp `json:"start_time,omitempty"`
	// The latest time at which the Relationship between the objects exists. If
	// this property is a future timestamp, at the time the stop_time property
	// is defined, then this represents an estimate by the producer of the
	// intelligence of the latest time at which relationship will be asserted
	// to be true. If start_time and stop_time are both defined, then stop_time
	// MUST be later than the start_time value. If stop_time is not specified,
	// then the latest time at which the relationship between the objects
	// exists is either not known, not disclosed, or has no defined stop time.
	StopTime *Timestamp `json:"stop_time,omitempty"`
}

Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges".

STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition.

STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail.

func NewRelationship 

func NewRelationship(relType RelationshipType, source, target Identifier, opts ...STIXOption) (*Relationship, error)

NewRelationship creates a new Relationship object.

func (*Relationship) MarshalJSON added in v0.8.0 

func (o *Relationship) MarshalJSON() ([]byte, error)

type RelationshipType 

type RelationshipType string

RelationshipType describes how the source and the target are related. 

const (
	// RelationshipTypeAnalysisOf is an analysis of relationship.
	RelationshipTypeAnalysisOf RelationshipType = "analysis-of"
	// RelationshipTypeAttributedTo is an attributed to relationship.
	RelationshipTypeAttributedTo RelationshipType = "attributed-to"
	// RelationshipTypeAuthoredBy is an authored by relationship.
	RelationshipTypeAuthoredBy RelationshipType = "authored-by"
	// RelationshipTypeBasedOn is a based on relationship.
	RelationshipTypeBasedOn RelationshipType = "based-on"
	// RelationshipTypeBeaconsTo is a beacons to relationship.
	RelationshipTypeBeaconsTo RelationshipType = "beacons-to"
	// RelationshipTypeBelongsTo is a belongs to relationship.
	RelationshipTypeBelongsTo RelationshipType = "belongs-to"
	// RelationshipTypeCharacterizes is a characterizes relationship.
	RelationshipTypeCharacterizes RelationshipType = "characterizes"
	// RelationshipTypeCommunicatesWith is a communicates with relationship.
	RelationshipTypeCommunicatesWith RelationshipType = "communicates-with"
	// RelationshipTypeCompromises is a compromises relationship.
	RelationshipTypeCompromises RelationshipType = "compromises"
	// RelationshipTypeConsistsOf is a consists of relationship.
	RelationshipTypeConsistsOf RelationshipType = "consists-of"
	// RelationshipTypeControls is a controls relationship.
	RelationshipTypeControls RelationshipType = "controls"
	// RelationshipTypeDelivers is a delivers relationship.
	RelationshipTypeDelivers RelationshipType = "delivers"
	// RelationshipTypeDerivedFrom is a derived from relationship.
	RelationshipTypeDerivedFrom RelationshipType = "derived-from"
	// RelationshipTypeDownloads is a downloads relationship.
	RelationshipTypeDownloads RelationshipType = "downloads"
	// RelationshipTypeDrops is a drops relationship.
	RelationshipTypeDrops RelationshipType = "drops"
	// RelationshipTypeDuplicateOf is a duplicate of relationship.
	RelationshipTypeDuplicateOf RelationshipType = "duplicate-of"
	// RelationshipTypeDynamicAnalysisOf is a dynamic analysis of relationship.
	RelationshipTypeDynamicAnalysisOf RelationshipType = "dynamic-analysis-of"
	// RelationshipTypeExfiltratesTo is an exfiltrates to relationship.
	RelationshipTypeExfiltratesTo RelationshipType = "exfiltrates-to"
	// RelationshipTypeExploits is a exploits relationship.
	RelationshipTypeExploits RelationshipType = "exploits"
	// RelationshipTypeHas is a has relationship.
	RelationshipTypeHas RelationshipType = "has"
	// RelationshipTypeHosts is a hosts relationship.
	RelationshipTypeHosts RelationshipType = "hosts"
	// RelationshipTypeImpersonates is an impersonates relationship.
	RelationshipTypeImpersonates RelationshipType = "impersonates"
	// RelationshipTypeIndicates is an indicates relationship.
	RelationshipTypeIndicates RelationshipType = "indicates"
	// RelationshipTypeInvestigates is an indicates relationship.
	RelationshipTypeInvestigates RelationshipType = "investigates"
	// RelationshipTypeLocatedAt is a located at relationship.
	RelationshipTypeLocatedAt RelationshipType = "located-at"
	// RelationshipTypeMitigates is a mitigates relationship.
	RelationshipTypeMitigates RelationshipType = "mitigates"
	// RelationshipTypeOriginatesFrom is an originates from relationship.
	RelationshipTypeOriginatesFrom RelationshipType = "originates-from"
	// RelationshipTypeOwns is an owns relationship.
	RelationshipTypeOwns RelationshipType = "owns"
	// RelationshipTypeRelatedTo is a related to relationship.
	RelationshipTypeRelatedTo RelationshipType = "related-to"
	// RelationshipTypeRemediates is a related to relationship.
	RelationshipTypeRemediates RelationshipType = "remediates"
	// RelationshipTypeResolvesTo is a resolves to relationship.
	RelationshipTypeResolvesTo RelationshipType = "resolves-to"
	// RelationshipTypeStaticAnalysisOf is a static analysis of relationship.
	RelationshipTypeStaticAnalysisOf RelationshipType = "static-analysis-of"
	// RelationshipTypeTargets is a targets relationship.
	RelationshipTypeTargets RelationshipType = "targets"
	// RelationshipTypeUses is a uses relationship.
	RelationshipTypeUses RelationshipType = "uses"
	// RelationshipTypeVariantOf is a variant of relationship.
	RelationshipTypeVariantOf RelationshipType = "variant-of"
)

type Report 

type Report struct {
	STIXDomainObject
	// Name is used to identify the Report.
	Name string `json:"name"`
	// Description that provides more details and context about the Report,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Types is an open vocabulary that specifies the primary subject(s) of
	// this report.
	Types []string `json:"report_types,omitempty"`
	// Published is the date that this Report object was officially published
	// by the creator of this report.
	Published *Timestamp `json:"published"`
	// Objects specifies the STIX Objects that are referred to by this Report.
	Objects []Identifier `json:"object_refs"`
}

Report is a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.

The Report SDO contains a list of references to STIX Objects (the CTI objects included in the report) along with a textual description and the name of the report.

For example, a threat report produced by ACME Defense Corp. discussing the Glass Gazelle campaign should be represented using Report. The Report itself would contain the narrative of the report while the Campaign SDO and any related SDOs (e.g., Indicators for the Campaign, Malware it uses, and the associated Relationships) would be referenced in the report contents.

func NewReport 

func NewReport(name string, published *Timestamp, objects []Identifier, opts ...STIXOption) (*Report, error)

NewReport creates a new Report object.

func (*Report) MarshalJSON added in v0.8.0 

func (o *Report) MarshalJSON() ([]byte, error)

type STIXCyberObservableObject 

type STIXCyberObservableObject struct {
	// The type property identifies the type of STIX Object. The value of the
	// type property MUST be the name of one of the types of STIX Objects
	Type STIXType `json:"type"`
	// The id property uniquely identifies this object. For objects that
	// support versioning, all objects with the same id are considered
	// different versions of the same object and the version of the object is
	// identified by its modified property.
	ID Identifier `json:"id"`
	// The version of the STIX specification used to represent this object.
	SpecVersion string `json:"spec_version,omitempty"`
	// The object_marking_refs property specifies a list of id properties of
	// marking-definition objects that apply to this object. In some cases,
	// though uncommon, marking definitions themselves may be marked with
	// sharing or handling guidance. In this case, this property MUST NOT
	// contain any references to the same Marking Definition object (i.e., it
	// cannot contain any circular references).
	ObjectMarking []Identifier `json:"object_marking_refs,omitempty"`
	// The granular_markings property specifies a list of granular markings
	// applied to this object. In some cases, though uncommon, marking
	// definitions themselves may be marked with sharing or handling guidance.
	// In this case, this property MUST NOT contain any references to the same
	// Marking Definition object (i.e., it cannot contain any circular
	// references).
	GranularMarking []*GranularMarking `json:"granular_markings,omitempty"`
	// This property defines whether or not the data contained within the
	// object has been defanged.
	Defanged bool `json:"defanged,omitempty"`
	// Specifies any extensions of the object, as a dictionary.
	Extensions Extensions `json:"extensions,omitempty"`
	// contains filtered or unexported fields
}

STIXCyberObservableObject represent observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape.

func (*STIXCyberObservableObject) AddDerivedFrom added in v0.4.0 

func (o *STIXCyberObservableObject) AddDerivedFrom(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDerivedFrom adds a relationship to an object that this object is derived from.

func (*STIXCyberObservableObject) AddDuplicateOf added in v0.4.0 

func (o *STIXCyberObservableObject) AddDuplicateOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDuplicateOf adds a relationship to an object that this object is a duplicate of.

func (*STIXCyberObservableObject) AddRelatedTo added in v0.4.0 

func (o *STIXCyberObservableObject) AddRelatedTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddRelatedTo adds a relationship to an object that this object is related to.

func (*STIXCyberObservableObject) GetCreated added in v0.4.0 

func (o *STIXCyberObservableObject) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*STIXCyberObservableObject) GetExtendedTopLevelProperties added in v0.8.0 

func (s *STIXCyberObservableObject) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object.

func (*STIXCyberObservableObject) GetID added in v0.2.0 

func (o *STIXCyberObservableObject) GetID() Identifier

GetID returns the identifier for the object.

func (*STIXCyberObservableObject) GetModified added in v0.4.0 

func (o *STIXCyberObservableObject) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*STIXCyberObservableObject) GetType added in v0.2.0 

func (o *STIXCyberObservableObject) GetType() STIXType

GetType returns the object's type.

type STIXDomainObject 

type STIXDomainObject struct {
	// The type property identifies the type of STIX Object. The value of the
	// type property MUST be the name of one of the types of STIX Objects
	Type STIXType `json:"type"`
	// The id property uniquely identifies this object. For objects that
	// support versioning, all objects with the same id are considered
	// different versions of the same object and the version of the object is
	// identified by its modified property.
	ID Identifier `json:"id"`
	// The version of the STIX specification used to represent this object.
	SpecVersion string `json:"spec_version"`
	// The created_by_ref property specifies the id property of the identity
	// object that describes the entity that created this object. If this
	// attribute is omitted, the source of this information is undefined. This
	// may be used by object creators who wish to remain anonymous.
	CreatedBy Identifier `json:"created_by_ref,omitempty"`
	// The created property represents the time at which the object was
	// originally created. The object creator can use the time it deems most
	// appropriate as the time the object was created, but it MUST be precise
	// to the nearest millisecond (exactly three digits after the decimal place
	// in seconds). The created property MUST NOT be changed when creating a
	// new version of the object.
	Created *Timestamp `json:"created"`
	// The modified property is only used by STIX Objects that support
	// versioning and represents the time that this particular version of the
	// object was last modified. The object creator can use the time it deems
	// most appropriate as the time this version of the object was modified,
	// but it must be precise to the nearest millisecond (exactly three digits
	// after the decimal place in seconds). If the created property is defined,
	// then the value of the modified property for a given object version MUST
	// be later than or equal to the value of the created property. Object
	// creators MUST set the modified property when creating a new version of
	// an object if the created property was set.
	Modified *Timestamp `json:"modified"`
	// The revoked property is only used by STIX Objects that support
	// versioning and indicates whether the object has been revoked. Revoked
	// objects are no longer considered valid by the object creator. Revoking
	// an object is permanent; future versions of the object with this id MUST
	// NOT be created.
	Revoked bool `json:"revoked,omitempty"`
	// The labels property specifies a set of terms used to describe this
	// object. The terms are user-defined or trust-group defined and their
	// meaning is outside the scope of this specification and MAY be ignored.
	// Where an object has a specific property defined in the specification for
	// characterizing subtypes of that object, the labels property MUST NOT be
	// used for that purpose. For example, the Malware SDO has a property
	// malware_types that contains a list of Malware subtypes (dropper, RAT,
	// etc.). In this example, the labels property cannot be used to describe
	// these Malware subtypes.
	Labels []string `json:"labels,omitempty"`
	// The confidence property identifies the confidence that the creator has
	// in the correctness of their data. The confidence value MUST be a number
	// in the range of 0-100.
	Confidence int `json:"confidence,omitempty"`
	// The lang property identifies the language of the text content in this
	// object. When present, it MUST be a language code conformant to
	// [RFC5646]. If the property is not present, then the language of the
	// content is en (English). This property SHOULD be present if the object
	// type contains translatable text properties (e.g. name, description).
	Lang string `json:"lang,omitempty"`
	// The ExternalReferences property specifies a list of external references
	// which refers to non-STIX information. This property is used to provide
	// one or more URLs, descriptions, or IDs to records in other systems.
	ExternalReferences []*ExternalReference `json:"external_references,omitempty"`
	// The object_marking_refs property specifies a list of id properties of
	// marking-definition objects that apply to this object. In some cases,
	// though uncommon, marking definitions themselves may be marked with
	// sharing or handling guidance. In this case, this property MUST NOT
	// contain any references to the same Marking Definition object (i.e., it
	// cannot contain any circular references).
	ObjectMarking []Identifier `json:"object_marking_refs,omitempty"`
	// The granular_markings property specifies a list of granular markings
	// applied to this object. In some cases, though uncommon, marking
	// definitions themselves may be marked with sharing or handling guidance.
	// In this case, this property MUST NOT contain any references to the same
	// Marking Definition object (i.e., it cannot contain any circular
	// references).
	GranularMarking []*GranularMarking `json:"granular_markings,omitempty"`
	// Specifies any extensions of the object, as a dictionary. The values of
	// the dictionary is either one of the extension types defined by the STIX
	// specification or a *CustomObject.
	Extensions Extensions `json:"extensions,omitempty"`
	// contains filtered or unexported fields
}

STIXDomainObject are higher Level Intelligence Objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape.

func (*STIXDomainObject) AddDerivedFrom added in v0.4.0 

func (s *STIXDomainObject) AddDerivedFrom(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDerivedFrom adds a relationship to an object that this object is derived from.

func (*STIXDomainObject) AddDuplicateOf added in v0.4.0 

func (s *STIXDomainObject) AddDuplicateOf(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDuplicateOf adds a relationship to an object that this object is a duplicate of.

func (*STIXDomainObject) AddRelatedTo added in v0.4.0 

func (s *STIXDomainObject) AddRelatedTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddRelatedTo adds a relationship to an object that this object is related to.

func (*STIXDomainObject) GetCreated added in v0.4.0 

func (s *STIXDomainObject) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*STIXDomainObject) GetExtendedTopLevelProperties added in v0.8.0 

func (s *STIXDomainObject) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object.

func (*STIXDomainObject) GetID added in v0.2.0 

func (s *STIXDomainObject) GetID() Identifier

GetID returns the identifier for the object.

func (*STIXDomainObject) GetModified added in v0.4.0 

func (s *STIXDomainObject) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*STIXDomainObject) GetType added in v0.2.0 

func (s *STIXDomainObject) GetType() STIXType

GetType returns the object's type.

type STIXObject added in v0.7.0 

type STIXObject interface {
	// GetID returns the identifier for the object.
	GetID() Identifier
	// GetType returns the object's type.
	GetType() STIXType
	// GetCreated returns the created time for the STIX object. If the object
	// does not have a time defined, nil is returned.
	GetCreated() *time.Time
	// GetModified returns the modified time for the STIX object. If the object
	// does not have a time defined, nil is returned.
	GetModified() *time.Time
	// GetExtendedTopLevelProperties returns the extra top level properties or
	// nil for the object.
	GetExtendedTopLevelProperties() *CustomObject
}

STIXObject is a generic representation of a STIX object.

type STIXOption added in v0.7.0 

type STIXOption func(a STIXObject) error

STIXOption is an optional parameter when constructing an STIX object.

func OptionAbstract added in v0.7.0 

func OptionAbstract(s string) STIXOption

OptionAbstract sets the abstract attribute. This option is valid for the types:

  • Note

func OptionAccountCreated added in v0.7.0 

func OptionAccountCreated(s *Timestamp) STIXOption

OptionAccountCreated sets the account created attribute. This option is valid for the types:

  • UserAccount

func OptionAccountExpires added in v0.7.0 

func OptionAccountExpires(s *Timestamp) STIXOption

OptionAccountExpires sets the account expires attribute. This option is valid for the types:

  • UserAccount

func OptionAccountFirstLogin added in v0.7.0 

func OptionAccountFirstLogin(s *Timestamp) STIXOption

OptionAccountFirstLogin sets the account first login attribute. This option is valid for the types:

  • UserAccount

func OptionAccountLastLogin added in v0.7.0 

func OptionAccountLastLogin(s *Timestamp) STIXOption

OptionAccountLastLogin sets the account last login attribute. This option is valid for the types:

  • UserAccount

func OptionAccountLogin added in v0.7.0 

func OptionAccountLogin(s string) STIXOption

OptionAccountLogin sets the account login attribute. This option is valid for the types:

  • UserAccount

func OptionAccountType added in v0.7.0 

func OptionAccountType(s string) STIXOption

OptionAccountType sets the account type attribute. This option is valid for the types:

  • UserAccount

func OptionAdditionalHeaderFields added in v0.7.0 

func OptionAdditionalHeaderFields(s map[string][]string) STIXOption

OptionAdditionalHeaderFields sets the additional header fields attribute. This option is valid for the types:

  • EmailMessage

func OptionAdministrativeArea added in v0.7.0 

func OptionAdministrativeArea(a string) STIXOption

OptionAdministrativeArea sets the administrative area attribute. This option is valid for the types:

  • Location

func OptionAliases added in v0.7.0 

func OptionAliases(a []string) STIXOption

OptionAliases sets the aliases attribute. This option is valid for the types:

  • AttackPattern
  • Campaign
  • Infrastructure
  • IntrusionSet
  • Malware
  • ThreatActor
  • Tool

func OptionAnalysisDefinitionVersion added in v0.7.0 

func OptionAnalysisDefinitionVersion(s string) STIXOption

OptionAnalysisDefinitionVersion sets the analysis definition version attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionAnalysisEnded added in v0.7.0 

func OptionAnalysisEnded(s *Timestamp) STIXOption

OptionAnalysisEnded sets the analysis ended attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionAnalysisEngineVersion added in v0.7.0 

func OptionAnalysisEngineVersion(s string) STIXOption

OptionAnalysisEngineVersion sets the analysis engine version attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionAnalysisStarted added in v0.7.0 

func OptionAnalysisStarted(s *Timestamp) STIXOption

OptionAnalysisStarted sets the analysis started attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionArchitecture added in v0.7.0 

func OptionArchitecture(s []string) STIXOption

OptionArchitecture sets the architecture attribute. This option is valid for the types:

  • Malware

func OptionAtime added in v0.7.0 

func OptionAtime(s *Timestamp) STIXOption

OptionAtime sets the atime attribute. This option is valid for the types:

  • Directory
  • File

func OptionAuthors added in v0.7.0 

func OptionAuthors(s []string) STIXOption

OptionAuthors sets the authors attribute. This option is valid for the types:

  • Note
  • Opinion

func OptionBCC added in v0.7.0 

func OptionBCC(s []Identifier) STIXOption

OptionBCC sets the BCC attribute. This option is valid for the types:

  • EmailMessage

func OptionBelongsTo added in v0.7.0 

func OptionBelongsTo(s Identifier) STIXOption

OptionBelongsTo sets the belongs to attribute. This option is valid for the types:

  • EmailAddress
  • IPv4Address
  • IPv6Address

func OptionBody added in v0.7.0 

func OptionBody(s string) STIXOption

OptionBody sets the body attribute. This option is valid for the types:

  • EmailMessage

func OptionBodyMultipart added in v0.7.0 

func OptionBodyMultipart(s []EmailMIME) STIXOption

OptionBodyMultipart sets the body multipart attribute. This option is valid for the types:

  • EmailMessage

func OptionCC added in v0.7.0 

func OptionCC(s []Identifier) STIXOption

OptionCC sets the CC attribute. This option is valid for the types:

  • EmailMessage

func OptionCPE added in v0.7.0 

func OptionCPE(s string) STIXOption

OptionCPE sets the CPE attribute. This option is valid for the types:

  • Software

func OptionCanEscalatePrivs added in v0.7.0 

func OptionCanEscalatePrivs(s bool) STIXOption

OptionCanEscalatePrivs sets the can escalate privs attribute. This option is valid for the types:

  • UserAccount

func OptionCapabilities added in v0.7.0 

func OptionCapabilities(s []string) STIXOption

OptionCapabilities sets the capabilities attribute. This option is valid for the types:

  • Malware

func OptionChild added in v0.7.0 

func OptionChild(s []Identifier) STIXOption

OptionChild sets the child attribute. This option is valid for the types:

  • Process

func OptionCity added in v0.7.0 

func OptionCity(c string) STIXOption

OptionCity sets the city attribute. This option is valid for the types:

  • Location

func OptionClass added in v0.7.0 

func OptionClass(s string) STIXOption

OptionClass sets the identity class attribute. This option is valid for the types:

  • Identity

func OptionCommandLine added in v0.7.0 

func OptionCommandLine(s string) STIXOption

OptionCommandLine sets the command line attribute. This option is valid for the types:

  • Process

func OptionConfidence added in v0.7.0 

func OptionConfidence(confidence int) STIXOption

OptionConfidence sets the confidence attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent

func OptionConfigurationVersion added in v0.7.0 

func OptionConfigurationVersion(s string) STIXOption

OptionConfigurationVersion sets the configuration version This option is valid for the types:

  • MalwareAnalysis

attribute. This option is valid for the types:

func OptionContactInformation added in v0.7.0 

func OptionContactInformation(s string) STIXOption

OptionContactInformation sets the contact information attribute. This option is valid for the types:

  • Identity

func OptionContains added in v0.7.0 

func OptionContains(s []Identifier) STIXOption

OptionContains sets the contains attribute. This option is valid for the types:

  • Directory
  • File

func OptionContent added in v0.7.0 

func OptionContent(s Identifier) STIXOption

OptionContent sets the content attribute. This option is valid for the types:

  • File

func OptionContentType added in v0.7.0 

func OptionContentType(s string) STIXOption

OptionContentType sets the content type attribute. This option is valid for the types:

  • EmailMessage

func OptionCount added in v0.7.0 

func OptionCount(c int64) STIXOption

OptionCount sets the count attribute. This option is valid for the types:

  • Sighting

func OptionCreated added in v0.7.0 

func OptionCreated(t *Timestamp) STIXOption

OptionCreated sets the created attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent
  • MarkingDefinition

func OptionCreatedBy added in v0.7.0 

func OptionCreatedBy(id Identifier) STIXOption

OptionCreatedBy sets the created by by attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent
  • MarkingDefinition

func OptionCreatedTime added in v0.7.0 

func OptionCreatedTime(s *Timestamp) STIXOption

OptionCreatedTime sets the created time attribute. This option is valid for the types:

  • Process

func OptionCreatorUser added in v0.7.0 

func OptionCreatorUser(s Identifier) STIXOption

OptionCreatorUser sets the creator user attribute. This option is valid for the types:

  • Process
  • RegistryKey

func OptionCredential added in v0.7.0 

func OptionCredential(s string) STIXOption

OptionCredential sets the credential attribute. This option is valid for the types:

func OptionCredentialLastChanged added in v0.7.0 

func OptionCredentialLastChanged(s *Timestamp) STIXOption

OptionCredentialLastChanged sets the credential last changed attribute. This option is valid for the types:

  • UserAccount

func OptionCtime added in v0.7.0 

func OptionCtime(s *Timestamp) STIXOption

OptionCtime sets the ctime attribute. This option is valid for the types:

  • Directory
  • File

func OptionCwd added in v0.7.0 

func OptionCwd(s string) STIXOption

OptionCwd sets the cwd attribute. This option is valid for the types:

  • Process

func OptionDate added in v0.7.0 

func OptionDate(s *Timestamp) STIXOption

OptionDate sets the date attribute. This option is valid for the types:

  • EmailMessage

func OptionDefanged added in v0.7.0 

func OptionDefanged(b bool) STIXOption

OptionDefanged sets the defanged attribute. This option is valid for the types:

  • STIX Cyber-observable Objects

func OptionDescription added in v0.7.0 

func OptionDescription(des string) STIXOption

OptionDescription sets the description attribute. This option is valid for the types:

  • AttackPattern
  • Campaign
  • CourseOfAction
  • Grouping
  • Identity
  • Indicator
  • Infrastructure
  • IntrusionSet
  • Location
  • Malware
  • Report
  • ThreatActor
  • Tool
  • Vulnerability
  • Relationship
  • Sighting

func OptionDisplayName added in v0.7.0 

func OptionDisplayName(s string) STIXOption

OptionDisplayName sets the display name attribute. This option is valid for the types:

  • EmailAddress
  • UserAccount

func OptionDst added in v0.7.0 

func OptionDst(s Identifier) STIXOption

OptionDst sets the dst attribute. This option is valid for the types:

  • NetworkTraffic

func OptionDstByteCount added in v0.7.0 

func OptionDstByteCount(s int64) STIXOption

OptionDstByteCount sets the dst byte count attribute. This option is valid for the types:

  • NetworkTraffic

func OptionDstPackets added in v0.7.0 

func OptionDstPackets(s int64) STIXOption

OptionDstPackets sets the dst packets attribute. This option is valid for the types:

  • NetworkTraffic

func OptionDstPayload added in v0.7.0 

func OptionDstPayload(s Identifier) STIXOption

OptionDstPayload sets the src payload attribute. This option is valid for the types:

  • NetworkTraffic

func OptionDstPort added in v0.7.0 

func OptionDstPort(s int64) STIXOption

OptionDstPort sets the dst port attribute. This option is valid for the types:

  • NetworkTraffic

func OptionEncapsulated added in v0.7.0 

func OptionEncapsulated(s Identifier) STIXOption

OptionEncapsulated sets the encapsulated attribute. This option is valid for the types:

  • NetworkTraffic

func OptionEncapsulates added in v0.7.0 

func OptionEncapsulates(s []Identifier) STIXOption

OptionEncapsulates sets the encapsulates attribute. This option is valid for the types:

  • NetworkTraffic

func OptionEncryption added in v0.7.0 

func OptionEncryption(s EncryptionAlgorithm) STIXOption

OptionEncryption sets the encryption algorithm attribute. This option is valid for the types:

  • Artifact

func OptionEnd added in v0.7.0 

func OptionEnd(s *Timestamp) STIXOption

OptionEnd sets the end attribute. This option is valid for the types:

  • NetworkTraffic

func OptionEnvVars added in v0.7.0 

func OptionEnvVars(s map[string]string) STIXOption

OptionEnvVars sets the environment variables attribute. This option is valid for the types:

  • Process

func OptionExplanation added in v0.7.0 

func OptionExplanation(s string) STIXOption

OptionExplanation sets the explanation attribute. This option is valid for the types:

  • Opinion

func OptionExtension added in v0.7.0 

func OptionExtension(name string, value interface{}) STIXOption

OptionExtension adds an extension. This option is valid for the types:

  • All types execpt Bundle and Extension.

func OptionExtensionProperties added in v0.8.0 

func OptionExtensionProperties(value []string) STIXOption

OptionExtensionProperties adds an extension. This option is valid for the types:

  • STIX ExtensionDefinition

func OptionExternalReferences added in v0.7.0 

func OptionExternalReferences(refs []*ExternalReference) STIXOption

OptionExternalReferences sets the external references attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent
  • MarkingDefinition

func OptionFirstSeen added in v0.7.0 

func OptionFirstSeen(t *Timestamp) STIXOption

OptionFirstSeen sets the first seen attribute. This option is valid for the types:

  • Campaign
  • Infrastructure
  • IntrusionSet
  • Malware
  • ThreatActor
  • Sighting

func OptionFrom added in v0.7.0 

func OptionFrom(s Identifier) STIXOption

OptionFrom sets the from attribute. This option is valid for the types:

  • EmailMessage

func OptionGoals added in v0.7.0 

func OptionGoals(s []string) STIXOption

OptionGoals sets the goals attribute. This option is valid for the types:

  • IntrusionSet
  • ThreatActor

func OptionGranularMarking added in v0.7.0 

func OptionGranularMarking(gm []*GranularMarking) STIXOption

OptionGranularMarking sets the granular marking attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Cyber-observable Objects
  • STIX Relationships Objects
  • LanguageContent
  • MarkingDefinition

func OptionHashes added in v0.7.0 

func OptionHashes(s Hashes) STIXOption

OptionHashes sets the hashes attribute. This option is valid for the types:

  • Artifact
  • File
  • X509Certificate

func OptionHostVM added in v0.7.0 

func OptionHostVM(s Identifier) STIXOption

OptionHostVM sets the host VM attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionIPFIX added in v0.7.0 

func OptionIPFIX(s map[string]interface{}) STIXOption

OptionIPFIX sets the IPFIX attribute. This option is valid for the types:

  • NetworkTraffic

func OptionImage added in v0.7.0 

func OptionImage(s Identifier) STIXOption

OptionImage sets the image attribute. This option is valid for the types:

  • Process

func OptionInstalledSoftware added in v0.7.0 

func OptionInstalledSoftware(s []Identifier) STIXOption

OptionInstalledSoftware sets the installed software attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionIsActive added in v0.7.0 

func OptionIsActive(s bool) STIXOption

OptionIsActive sets the is active attribute. This option is valid for the types:

  • NetworkTraffic

func OptionIsDisabled added in v0.7.0 

func OptionIsDisabled(s bool) STIXOption

OptionIsDisabled sets the is disabled attribute. This option is valid for the types:

  • UserAccount

func OptionIsHidden added in v0.7.0 

func OptionIsHidden(s bool) STIXOption

OptionIsHidden sets the is hidden attribute. This option is valid for the types:

  • Process

func OptionIsPrivileged added in v0.7.0 

func OptionIsPrivileged(s bool) STIXOption

OptionIsPrivileged sets the is privileged attribute. This option is valid for the types:

  • UserAccount

func OptionIsServiceAccount added in v0.7.0 

func OptionIsServiceAccount(s bool) STIXOption

OptionIsServiceAccount sets the is service account attribute. This option is valid for the types:

  • UserAccount

func OptionIssuer added in v0.7.0 

func OptionIssuer(s string) STIXOption

OptionIssuer sets the issuer attribute. This option is valid for the types:

  • X509Certificate

func OptionKey added in v0.7.0 

func OptionKey(s string) STIXOption

OptionKey sets the decryption key attribute. This option is valid for the types:

  • Artifact
  • RegistryKey

func OptionKillChainPhase added in v0.7.0 

func OptionKillChainPhase(k []*KillChainPhase) STIXOption

OptionKillChainPhase sets the kill chain phase attribute. This option is valid for the types:

  • AttackPattern
  • Indicator
  • Infrastructure
  • Malware
  • Tool

func OptionLabels added in v0.7.0 

func OptionLabels(labels []string) STIXOption

OptionLabels sets the labels attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent

func OptionLang added in v0.7.0 

func OptionLang(lang string) STIXOption

OptionLang sets the lang attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects

func OptionLanguages added in v0.7.0 

func OptionLanguages(s []string) STIXOption

OptionLanguages sets the languages attribute. This option is valid for the types:

  • Malware
  • Software

func OptionLastSeen added in v0.7.0 

func OptionLastSeen(t *Timestamp) STIXOption

OptionLastSeen sets the last seen attribute. This option is valid for the types:

  • Campaign
  • Infrastructure
  • IntrusionSet
  • Malware
  • ThreatActor
  • Sighting

func OptionMagicNumber added in v0.7.0 

func OptionMagicNumber(s Hex) STIXOption

OptionMagicNumber sets the magic number attribute. This option is valid for the types:

  • File

func OptionMessageID added in v0.7.0 

func OptionMessageID(s string) STIXOption

OptionMessageID sets the message ID attribute. This option is valid for the types:

  • EmailMessage

func OptionMimeType added in v0.7.0 

func OptionMimeType(s string) STIXOption

OptionMimeType sets the mime type attribute. This option is valid for the types:

  • Artifact
  • File

func OptionModified added in v0.7.0 

func OptionModified(t *Timestamp) STIXOption

OptionModified sets the modified attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent

func OptionModifiedTime added in v0.7.0 

func OptionModifiedTime(s *Timestamp) STIXOption

OptionModifiedTime sets the modified time attribute. This option is valid for the types:

  • RegistryKey

func OptionModules added in v0.7.0 

func OptionModules(s []string) STIXOption

OptionModules sets the modules attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionMtime added in v0.7.0 

func OptionMtime(s *Timestamp) STIXOption

OptionMtime sets the mtime attribute. This option is valid for the types:

  • Directory
  • File

func OptionName added in v0.7.0 

func OptionName(n string) STIXOption

OptionName sets the name attribute. This option is valid for the types:

  • Grouping
  • Indicator
  • Location
  • Malware
  • AutonomousSystem
  • MarkingDefinition

func OptionNameEnc added in v0.7.0 

func OptionNameEnc(s string) STIXOption

OptionNameEnc sets the name encoding attribute. This option is valid for the types:

  • File

func OptionNumberOfSubkeys added in v0.7.0 

func OptionNumberOfSubkeys(s int64) STIXOption

OptionNumberOfSubkeys sets the number of subkeys attribute. This option is valid for the types:

  • RegistryKey

func OptionObjectMarking added in v0.7.0 

func OptionObjectMarking(om []Identifier) STIXOption

OptionObjectMarking sets the object marking attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Cyber-observable Objects
  • STIX Relationships Objects
  • LanguageContent
  • MarkingDefinition

func OptionObjectModified added in v0.7.0 

func OptionObjectModified(s *Timestamp) STIXOption

OptionObjectModified sets the object modified attribute. This option is valid for the types:

  • LanguageContent

func OptionObjective added in v0.7.0 

func OptionObjective(o string) STIXOption

OptionObjective sets the objective attribute. This option is valid for the types:

  • Campaign

func OptionObservedData added in v0.7.0 

func OptionObservedData(d []Identifier) STIXOption

OptionObservedData sets the ObservedData attribute. This option is valid for the types:

  • Sighting

func OptionOpenedConnections added in v0.7.0 

func OptionOpenedConnections(s []Identifier) STIXOption

OptionOpenedConnections sets the opened connections attribute. This option is valid for the types:

  • Process

func OptionOperatingSystem added in v0.7.0 

func OptionOperatingSystem(s Identifier) STIXOption

OptionOperatingSystem sets the OS attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionOperatingSystems added in v0.7.0 

func OptionOperatingSystems(s []Identifier) STIXOption

OptionOperatingSystems sets the OS attribute. This option is valid for the types:

  • Malware

func OptionPID added in v0.7.0 

func OptionPID(s int64) STIXOption

OptionPID sets the PID attribute. This option is valid for the types:

  • Process

func OptionParent added in v0.7.0 

func OptionParent(s Identifier) STIXOption

OptionParent sets the parent attribute. This option is valid for the types:

  • Process

func OptionParentDirectory added in v0.7.0 

func OptionParentDirectory(s Identifier) STIXOption

OptionParentDirectory sets the parent directory attribute. This option is valid for the types:

  • File

func OptionPathEncoding added in v0.7.0 

func OptionPathEncoding(s string) STIXOption

OptionPathEncoding sets the path encoding attribute. This option is valid for the types:

  • Directory

func OptionPatternVersion added in v0.7.0 

func OptionPatternVersion(s string) STIXOption

OptionPatternVersion sets the pattern version attribute. This option is valid for the types:

  • Indicator

func OptionPayload added in v0.7.0 

func OptionPayload(s Binary) STIXOption

OptionPayload sets the payload attribute. This option is valid for the types:

  • Artifact

func OptionPersonalMotivations added in v0.7.0 

func OptionPersonalMotivations(s []string) STIXOption

OptionPersonalMotivations sets the personal motivations attribute. This option is valid for the types:

  • ThreatActor

func OptionPostalCode added in v0.7.0 

func OptionPostalCode(s string) STIXOption

OptionPostalCode sets the postal code attribute. This option is valid for the types:

  • Location

func OptionPrecision added in v0.7.0 

func OptionPrecision(p float64) STIXOption

OptionPrecision sets the precision attribute. This option is valid for the types:

  • Location

func OptionPrimaryMotivation added in v0.7.0 

func OptionPrimaryMotivation(s string) STIXOption

OptionPrimaryMotivation sets the primary motivation attribute. This option is valid for the types:

  • IntrusionSet
  • ThreatActor

func OptionRIR added in v0.7.0 

func OptionRIR(s string) STIXOption

OptionRIR sets the rir attribute. This option is valid for the types:

  • AutonomousSystem

func OptionRawEmail added in v0.7.0 

func OptionRawEmail(s Identifier) STIXOption

OptionRawEmail sets the raw email attribute. This option is valid for the types:

  • EmailMessage

func OptionReceivedLines added in v0.7.0 

func OptionReceivedLines(s []string) STIXOption

OptionReceivedLines sets the received lines attribute. This option is valid for the types:

  • EmailMessage

func OptionResolvesTo added in v0.7.0 

func OptionResolvesTo(s []Identifier) STIXOption

OptionResolvesTo sets the resolves to attribute. This option is valid for the types:

  • DomainName
  • IPv4Address
  • IPv6Address

func OptionResourceLevel added in v0.7.0 

func OptionResourceLevel(s string) STIXOption

OptionResourceLevel sets the resource level attribute. This option is valid for the types:

  • IntrusionSet
  • ThreatActor

func OptionResultName added in v0.7.0 

func OptionResultName(s string) STIXOption

OptionResultName sets the analysis result name attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionRevoked added in v0.7.0 

func OptionRevoked(rev bool) STIXOption

OptionRevoked sets the revoked attribute. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent

func OptionRoles added in v0.7.0 

func OptionRoles(s []string) STIXOption

OptionRoles sets the roles attribute. This option is valid for the types:

  • Identity
  • ThreatActor

func OptionSWID added in v0.7.0 

func OptionSWID(s string) STIXOption

OptionSWID sets the SWID attribute. This option is valid for the types:

  • Software

func OptionSample added in v0.7.0 

func OptionSample(s Identifier) STIXOption

OptionSample sets the analysis sample attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionSamples added in v0.7.0 

func OptionSamples(s []Identifier) STIXOption

OptionSamples sets the samples attribute. This option is valid for the types:

  • Malware

func OptionSecondaryMotivations added in v0.7.0 

func OptionSecondaryMotivations(s []string) STIXOption

OptionSecondaryMotivations sets the secondary motivation attribute. This option is valid for the types:

  • IntrusionSet
  • ThreatActor

func OptionSectors added in v0.7.0 

func OptionSectors(s []string) STIXOption

OptionSectors sets the sectors attribute. This option is valid for the types:

  • Identity

func OptionSelfSigned added in v0.7.0 

func OptionSelfSigned(s bool) STIXOption

OptionSelfSigned sets the self-signed attribute. This option is valid for the types:

  • X509Certificate

func OptionSender added in v0.7.0 

func OptionSender(s Identifier) STIXOption

OptionSender sets the sender attribute. This option is valid for the types:

  • EmailMessage

func OptionSerialNumber added in v0.7.0 

func OptionSerialNumber(s string) STIXOption

OptionSerialNumber sets the serial number attribute. This option is valid for the types:

  • X509Certificate

func OptionSignatureAlgorithm added in v0.7.0 

func OptionSignatureAlgorithm(s string) STIXOption

OptionSignatureAlgorithm sets the signature algorithm attribute. This option is valid for the types:

  • X509Certificate

func OptionSize added in v0.7.0 

func OptionSize(s int64) STIXOption

OptionSize sets the size attribute. This option is valid for the types:

  • File

func OptionSophistication added in v0.7.0 

func OptionSophistication(s string) STIXOption

OptionSophistication sets the sophistication attribute. This option is valid for the types:

  • ThreatActor

func OptionSpecVersion added in v0.7.0 

func OptionSpecVersion(ver string) STIXOption

OptionSpecVersion sets the STIX spec version. This option is valid for the types:

  • STIX Domain Objects
  • STIX Relationships Objects
  • LanguageContent
  • MarkingDefinition
  • Bundle

func OptionSrc added in v0.7.0 

func OptionSrc(s Identifier) STIXOption

OptionSrc sets the src attribute. This option is valid for the types:

  • NetworkTraffic

func OptionSrcByteCount added in v0.7.0 

func OptionSrcByteCount(s int64) STIXOption

OptionSrcByteCount sets the src byte count attribute. This option is valid for the types:

  • NetworkTraffic

func OptionSrcPackets added in v0.7.0 

func OptionSrcPackets(s int64) STIXOption

OptionSrcPackets sets the src packets attribute. This option is valid for the types:

  • NetworkTraffic

func OptionSrcPayload added in v0.7.0 

func OptionSrcPayload(s Identifier) STIXOption

OptionSrcPayload sets the src payload attribute. This option is valid for the types:

  • NetworkTraffic

func OptionSrcPort added in v0.7.0 

func OptionSrcPort(s int64) STIXOption

OptionSrcPort sets the src port attribute. This option is valid for the types:

  • NetworkTraffic

func OptionStart added in v0.7.0 

func OptionStart(s *Timestamp) STIXOption

OptionStart sets the start attribute. This option is valid for the types:

  • NetworkTraffic

func OptionStartTime added in v0.7.0 

func OptionStartTime(t *Timestamp) STIXOption

OptionStartTime sets the start time attribute. This option is valid for the types:

  • Relationship

func OptionStopTime added in v0.7.0 

func OptionStopTime(t *Timestamp) STIXOption

OptionStopTime sets the stop time attribute. This option is valid for the types:

  • Relationship

func OptionStreetAddress added in v0.7.0 

func OptionStreetAddress(s string) STIXOption

OptionStreetAddress sets the street address attribute. This option is valid for the types:

  • Location

func OptionSubject added in v0.7.0 

func OptionSubject(s string) STIXOption

OptionSubject sets the subject attribute. This option is valid for the types:

  • EmailMessage

func OptionSubjectPublicKeyAlgorithm added in v0.7.0 

func OptionSubjectPublicKeyAlgorithm(s string) STIXOption

OptionSubjectPublicKeyAlgorithm sets the subject public key algorithm attribute. This option is valid for the types:

  • X509Certificate

func OptionSubjectPublicKeyExponent added in v0.7.0 

func OptionSubjectPublicKeyExponent(s int64) STIXOption

OptionSubjectPublicKeyExponent sets the subject public key exponent attribute. This option is valid for the types:

  • X509Certificate

func OptionSubjectPublicKeyModulus added in v0.7.0 

func OptionSubjectPublicKeyModulus(s string) STIXOption

OptionSubjectPublicKeyModulus sets the subject public key modulus attribute. This option is valid for the types:

  • X509Certificate

func OptionSubmitted added in v0.7.0 

func OptionSubmitted(s *Timestamp) STIXOption

OptionSubmitted sets the submitted attribute. This option is valid for the types:

  • MalwareAnalysis

func OptionSummary added in v0.7.0 

func OptionSummary(b bool) STIXOption

OptionSummary sets the summary attribute. This option is valid for the types:

  • Sighting

func OptionTo added in v0.7.0 

func OptionTo(s []Identifier) STIXOption

OptionTo sets the to attribute. This option is valid for the types:

  • EmailMessage

func OptionTypes added in v0.7.0 

func OptionTypes(s []string) STIXOption

OptionTypes sets the indicator types attribute. This option is valid for the types:

  • Indicator
  • Infrastructure
  • Malware
  • Report
  • ThreatActor
  • Tool

func OptionURL added in v0.7.0 

func OptionURL(s string) STIXOption

OptionURL sets the URL attribute. This option is valid for the types:

  • Artifact

func OptionUserID added in v0.7.0 

func OptionUserID(s string) STIXOption

OptionUserID sets the user id attribute. This option is valid for the types:

  • Software

func OptionV3Extensions added in v0.7.0 

func OptionV3Extensions(s X509v3Extension) STIXOption

OptionV3Extensions sets the x.509v3 extensions attribute. This option is valid for the types:

  • X509Certificate

func OptionValidUntil added in v0.7.0 

func OptionValidUntil(t *Timestamp) STIXOption

OptionValidUntil sets the valid until attribute. This option is valid for the types:

  • Indicator

func OptionValidityNotAfter added in v0.7.0 

func OptionValidityNotAfter(s *Timestamp) STIXOption

OptionValidityNotAfter sets the validity not after attribute. This option is valid for the types:

  • X509Certificate

func OptionValidityNotBefore added in v0.7.0 

func OptionValidityNotBefore(s *Timestamp) STIXOption

OptionValidityNotBefore sets the validity not before attribute. This option is valid for the types:

  • X509Certificate

func OptionValues added in v0.7.0 

func OptionValues(s []*RegistryValue) STIXOption

OptionValues sets the values attribute. This option is valid for the types:

  • RegistryKey

func OptionVendor added in v0.7.0 

func OptionVendor(s string) STIXOption

OptionVendor sets the vendor attribute. This option is valid for the types:

  • Software

func OptionVersion added in v0.7.0 

func OptionVersion(s string) STIXOption

OptionVersion sets the version attribute. This option is valid for the types:

  • MalwareAnalysis
  • Tool
  • Software
  • X509Certificate

func OptionWhereSighted added in v0.7.0 

func OptionWhereSighted(i []Identifier) STIXOption

OptionWhereSighted sets the WhereSighted attribute. This option is valid for the types:

  • Sighting

type STIXRelationshipObject 

type STIXRelationshipObject struct {
	// The type property identifies the type of STIX Object. The value of the
	// type property MUST be the name of one of the types of STIX Objects
	Type STIXType `json:"type"`
	// The id property uniquely identifies this object. For objects that
	// support versioning, all objects with the same id are considered
	// different versions of the same object and the version of the object is
	// identified by its modified property.
	ID Identifier `json:"id"`
	// The version of the STIX specification used to represent this object.
	SpecVersion string `json:"spec_version"`
	// The created_by_ref property specifies the id property of the identity
	// object that describes the entity that created this object. If this
	// attribute is omitted, the source of this information is undefined. This
	// may be used by object creators who wish to remain anonymous.
	CreatedBy Identifier `json:"created_by_ref,omitempty"`
	// The created property represents the time at which the object was
	// originally created. The object creator can use the time it deems most
	// appropriate as the time the object was created, but it MUST be precise
	// to the nearest millisecond (exactly three digits after the decimal place
	// in seconds). The created property MUST NOT be changed when creating a
	// new version of the object.
	Created *Timestamp `json:"created"`
	// The modified property is only used by STIX Objects that support
	// versioning and represents the time that this particular version of the
	// object was last modified. The object creator can use the time it deems
	// most appropriate as the time this version of the object was modified,
	// but it must be precise to the nearest millisecond (exactly three digits
	// after the decimal place in seconds). If the created property is defined,
	// then the value of the modified property for a given object version MUST
	// be later than or equal to the value of the created property. Object
	// creators MUST set the modified property when creating a new version of
	// an object if the created property was set.
	Modified *Timestamp `json:"modified"`
	// The revoked property is only used by STIX Objects that support
	// versioning and indicates whether the object has been revoked. Revoked
	// objects are no longer considered valid by the object creator. Revoking
	// an object is permanent; future versions of the object with this id MUST
	// NOT be created.
	Revoked bool `json:"revoked,omitempty"`
	// The labels property specifies a set of terms used to describe this
	// object. The terms are user-defined or trust-group defined and their
	// meaning is outside the scope of this specification and MAY be ignored.
	// Where an object has a specific property defined in the specification for
	// characterizing subtypes of that object, the labels property MUST NOT be
	// used for that purpose. For example, the Malware SDO has a property
	// malware_types that contains a list of Malware subtypes (dropper, RAT,
	// etc.). In this example, the labels property cannot be used to describe
	// these Malware subtypes.
	Labels []string `json:"labels,omitempty"`
	// The confidence property identifies the confidence that the creator has
	// in the correctness of their data. The confidence value MUST be a number
	// in the range of 0-100.
	Confidence int `json:"confidence,omitempty"`
	// The lang property identifies the language of the text content in this
	// object. When present, it MUST be a language code conformant to
	// [RFC5646]. If the property is not present, then the language of the
	// content is en (English). This property SHOULD be present if the object
	// type contains translatable text properties (e.g. name, description).
	Lang string `json:"lang,omitempty"`
	// The ExternalReferences property specifies a list of external references
	// which refers to non-STIX information. This property is used to provide
	// one or more URLs, descriptions, or IDs to records in other systems.
	ExternalReferences []*ExternalReference `json:"external_references,omitempty"`
	// The object_marking_refs property specifies a list of id properties of
	// marking-definition objects that apply to this object. In some cases,
	// though uncommon, marking definitions themselves may be marked with
	// sharing or handling guidance. In this case, this property MUST NOT
	// contain any references to the same Marking Definition object (i.e., it
	// cannot contain any circular references).
	ObjectMarking []Identifier `json:"object_marking_refs,omitempty"`
	// The granular_markings property specifies a list of granular markings
	// applied to this object. In some cases, though uncommon, marking
	// definitions themselves may be marked with sharing or handling guidance.
	// In this case, this property MUST NOT contain any references to the same
	// Marking Definition object (i.e., it cannot contain any circular
	// references).
	GranularMarking []*GranularMarking `json:"granular_markings,omitempty"`
	// Specifies any extensions of the object, as a dictionary.
	Extensions Extensions `json:"extensions,omitempty"`
	// contains filtered or unexported fields
}

STIXRelationshipObject is objects that connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape.

func (*STIXRelationshipObject) GetCreated added in v0.4.0 

func (s *STIXRelationshipObject) GetCreated() *time.Time

GetCreated returns the created time for the STIX object. If the object does not have a time defined, nil is returned.

func (*STIXRelationshipObject) GetExtendedTopLevelProperties added in v0.8.0 

func (s *STIXRelationshipObject) GetExtendedTopLevelProperties() *CustomObject

GetExtendedTopLevelProperties returns the extra top level properties or nil for the object.

func (*STIXRelationshipObject) GetID added in v0.2.0 

func (s *STIXRelationshipObject) GetID() Identifier

GetID returns the identifier for the object.

func (*STIXRelationshipObject) GetModified added in v0.4.0 

func (s *STIXRelationshipObject) GetModified() *time.Time

GetModified returns the modified time for the STIX object. If the object does not have a time defined, nil is returned.

func (*STIXRelationshipObject) GetType added in v0.2.0 

func (s *STIXRelationshipObject) GetType() STIXType

GetType returns the object's type.

type STIXType added in v0.7.0 

type STIXType string

STIXType is type strings used in STIX objects. 

const (
	// TypeAutonomousSystem is used for AS type.
	TypeAutonomousSystem STIXType = "autonomous-system"
	// TypeArtifact is used for artifact type.
	TypeArtifact STIXType = "artifact"
	// TypeAttackPattern is used for attack-pattern type.
	TypeAttackPattern STIXType = "attack-pattern"
	// TypeBundle is used for the bundle type.
	TypeBundle STIXType = "bundle"
	// TypeCampaign is used for campaign type.
	TypeCampaign STIXType = "campaign"
	// TypeCourseOfAction is used for course of action type.
	TypeCourseOfAction STIXType = "course-of-action"
	// TypeDirectory is used for directory type.
	TypeDirectory STIXType = "directory"
	// TypeDomainName is used for domain name types.
	TypeDomainName STIXType = "domain-name"
	// TypeEmailAddress is used for email address type.
	TypeEmailAddress STIXType = "email-addr"
	// TypeEmailMIME is used for email Mime type.
	TypeEmailMIME STIXType = "mime-part-type"
	// TypeEmailMessage is used for email message type.
	TypeEmailMessage STIXType = "email-message"
	// TypeExtensionDefinition is used for extension definition type.
	TypeExtensionDefinition STIXType = "extension-definition"
	// TypeFile is used for file types.
	TypeFile STIXType = "file"
	// TypeGrouping is used for grouping type.
	TypeGrouping STIXType = "grouping"
	// TypeIncident is used for incident type.
	TypeIncident STIXType = "incident"
	// TypeIPv4Addr is used for IPv4 address types.
	TypeIPv4Addr STIXType = "ipv4-addr"
	// TypeIPv6Addr is used for IPv6 address types.
	TypeIPv6Addr STIXType = "ipv6-addr"
	// TypeIdentity is used for identity types.
	TypeIdentity STIXType = "identity"
	// TypeIndicator is used for indicator types.
	TypeIndicator STIXType = "indicator"
	// TypeInfrastructure is used for infrastructure type.
	TypeInfrastructure STIXType = "infrastructure"
	// TypeIntrusionSet is used for intrusion set type.
	TypeIntrusionSet STIXType = "intrusion-set"
	// TypeLanguageContent is used for language content type.
	TypeLanguageContent STIXType = "language-content"
	// TypeLocation is used for location type.
	TypeLocation STIXType = "location"
	// TypeMACAddress is used for MAC address type.
	TypeMACAddress STIXType = "mac-addr"
	// TypeMalware is used for malware type.
	TypeMalware STIXType = "malware"
	// TypeMalwareAnalysis is used for file types.
	TypeMalwareAnalysis STIXType = "malware-analysis"
	// TypeMarkingDefinition is used for marking definition type.
	TypeMarkingDefinition STIXType = "marking-definition"
	// TypeMutex is used for mutex type.
	TypeMutex STIXType = "mutex"
	// TypeNetworkTraffic is used for network traffic type.
	TypeNetworkTraffic STIXType = "network-traffic"
	// TypeNote is used for the note type.
	TypeNote STIXType = "note"
	// TypeObservedData is used for observed data type.
	TypeObservedData STIXType = "observed-data"
	// TypeOpinion is used for the opinion type.
	TypeOpinion STIXType = "opinion"
	// TypeProcess is used for process type.
	TypeProcess STIXType = "process"
	// TypeRegistryKey is used for registry key type.
	TypeRegistryKey STIXType = "windows-registry-key"
	// TypeRelationship is used for relationship types.
	TypeRelationship STIXType = "relationship"
	// TypeReport is used for the report type.
	TypeReport STIXType = "report"
	// TypeSighting is used for sighting types.
	TypeSighting STIXType = "sighting"
	// TypeSoftware is used for software type.
	TypeSoftware STIXType = "software"
	// TypeThreatActor is used for threat actor type.
	TypeThreatActor STIXType = "threat-actor"
	// TypeTool is used for tool type.
	TypeTool STIXType = "tool"
	// TypeURL is used for URL types.
	TypeURL STIXType = "url"
	// TypeUserAccount is used for user account type.
	TypeUserAccount STIXType = "user-account"
	// TypeVulnerability is used for vulnerability type.
	TypeVulnerability STIXType = "vulnerability"
	// TypeX509Certificate is used for X.509 certificate type.
	TypeX509Certificate STIXType = "x509-certificate"
)

type Sighting 

type Sighting struct {
	STIXRelationshipObject
	// Description that provides more details and context about the Sighting.
	Description string `json:"description,omitempty"`
	// FirstSeen indicates the beginning the time window during which the SDO
	// referenced by the SightingOf property was sighted.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen indicates the end of the time window during which the SDO
	// referenced by the SightingOf property was sighted. If FirstSeen and
	// LastSeen are both defined, then LastSeen MUST be later than the
	// FirstSeen value.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
	// Count if present, this MUST be an integer between 0 and 999,999,999
	// inclusive and represents the number of times the SDO referenced by the
	// SightingOf property was sighted. Observed Data has a similar property
	// called NumberObserved, which refers to the number of times the data was
	// observed. These counts refer to different concepts and are distinct. For
	// example, a single sighting of a DDoS bot might have many millions of
	// observations of the network traffic that it generates. Thus, the
	// Sighting count would be 1 (the bot was observed once) but the Observed
	// Data NumberObserved would be much higher. As another example, a sighting
	// with a count of 0 can be used to express that an indicator was not seen
	// at all.
	Count int64 `json:"count,omitempty"`
	// SightingOf is an  ID reference to the SDO that was sighted (e.g.,
	// Indicator or Malware). For example, if this is a Sighting of an
	// Indicator, that Indicator’s ID would be the value of this property. This
	// property MUST reference only an SDO or a Custom Object.  ObservedData
	// (optional) list of type identifier. A list of ID references to the
	// Observed Data objects that contain the raw cyber data for this Sighting.
	// For example, a Sighting of an Indicator with an IP address could include
	// the Observed Data for the network connection that the Indicator was used
	// to detect. This property MUST reference only Observed Data SDOs.
	SightingOf Identifier `json:"sighting_of_ref"`
	// ObservedData is a list of ID references to the Observed Data objects
	// that contain the raw cyber data for this Sighting. For example, a
	// Sighting of an Indicator with an IP address could include the Observed
	// Data for the network connection that the Indicator was used to detect.
	// This property MUST reference only Observed Data SDOs.
	ObservedData []Identifier `json:"observed_data_refs,omitempty"`
	// WhereSighted is a list of ID references to the Identity or Location
	// objects describing the entities or types of entities that saw the
	// sighting. Omitting the WhereSighted property does not imply that the
	// sighting was seen by the object creator. To indicate that the sighting
	// was seen by the object creator, an Identity representing the object
	// creator should be listed in WhereSighted. This property MUST reference
	// only Identity or Location SDOs.
	WhereSighted []Identifier `json:"where_sighted_refs,omitempty"`
	// Summary indicates whether the Sighting should be considered summary
	// data. Summary data is an aggregation of previous Sightings reports and
	// should not be considered primary source data. Default value is false.
	Summary bool `json:"summary,omitempty"`
}

Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior.

The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted.

Sighting relationships relate three aspects of the sighting:

  • What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref)
  • Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs) and
  • What was actually seen on systems and networks, represented as Observed Data (observed_data_refs)

What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value.

Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious.

func NewSighting 

func NewSighting(s Identifier, opts ...STIXOption) (*Sighting, error)

NewSighting creates a new Sighting of seen (s) Identifier. Function returns a wrapped error if ErrInvalidProperty if an optional property's value is invalid according to the spec.

func (*Sighting) MarshalJSON added in v0.8.0 

func (o *Sighting) MarshalJSON() ([]byte, error)

type SocketAddressFamily 

type SocketAddressFamily byte

SocketAddressFamily is a network socket address family type. 

const (
	// SocketFamilyUnknownValue is an unknown socket family value.
	SocketFamilyUnknownValue SocketAddressFamily = iota
	// SocketFamilyUNSPEC specifies an unspecified address family.
	SocketFamilyUNSPEC
	// SocketFamilyINET specifies the IPv4 address family.
	SocketFamilyINET
	// SocketFamilyIPX specifies the IPX (Novell Internet Protocol) address
	// family.
	SocketFamilyIPX
	// SocketFamilyAPPLETALK specifies the APPLETALK DDP address family.
	SocketFamilyAPPLETALK
	// SocketFamilyNETBIOS specifies the NETBIOS address family.
	SocketFamilyNETBIOS
	// SocketFamilyINET6 specifies the IPv6 address family.
	SocketFamilyINET6
	// SocketFamilyIRDA specifies IRDA sockets.
	SocketFamilyIRDA
	// SocketFamilyBTH specifies BTH sockets.
	SocketFamilyBTH
)

func (SocketAddressFamily) MarshalJSON 

func (s SocketAddressFamily) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (SocketAddressFamily) String 

func (s SocketAddressFamily) String() string

String returns the string representation of the type.

func (*SocketAddressFamily) UnmarshalJSON 

func (s *SocketAddressFamily) UnmarshalJSON(b []byte) error

UnmarshalJSON extracts the Socket family from the json data.

type SocketExtension 

type SocketExtension struct {
	// AddressFamily specifies the address family (AF_*) that the socket is
	// configured for.
	AddressFamily SocketAddressFamily `json:"address_family"`
	// IsBlocking specifies whether the socket is in blocking mode.
	IsBlocking bool `json:"is_blocking,omitempty"`
	// IsListening specifies whether the socket is in listening mode.
	IsListening bool `json:"is_listening"`
	// Options specifies any options (SO_*) that may be used by the socket, as
	// a dictionary. Each key in the dictionary SHOULD be a case-preserved
	// version of the option name, e.g., SO_ACCEPTCONN. Each key value in the
	// dictionary MUST be the value for the corresponding options key.  Each
	// dictionary value MUST be an integer.  For SO_RCVTIMEO, SO_SNDTIMEO and
	// SO_LINGER the value represents the number of milliseconds.  If the
	// SO_LINGER key is present, it indicates that the SO_LINGER option is
	// active.
	Options map[string]int64 `json:"options,omitempty"`
	// SocketType specifies the type of the socket.
	SocketType SocketType `json:"socket_type,omitempty"`
	// SocketDescriptor specifies the socket file descriptor value associated
	// with the socket, as a non-negative integer.
	SocketDescriptor int64 `json:"socket_descriptor,omitempty"`
	// SocketHandle specifies the handle or inode value associated with the
	// socket.
	SocketHandle int64 `json:"socket_handle,omitempty"`
}

SocketExtension sp

type SocketType 

type SocketType byte

SocketType is a network socket type. 

const (
	// SocketTypeUnknown is an unknown socket type value.
	SocketTypeUnknown SocketType = iota
	// SocketTypeStream specifies a pipe-like socket which operates over a
	// connection with a particular remote socket and transmits data reliably
	// as a stream of bytes.
	SocketTypeStream
	// SocketTypeDgram specifies a socket in which individually-addressed
	// packets are sent (datagram).
	SocketTypeDgram
	// SocketTypeRaw specifies raw sockets which allow new IP protocols to be
	// implemented in user space. A raw socket receives or sends the raw
	// datagram not including link level headers.
	SocketTypeRaw
	// SocketTypeRdm specifies a socket indicating a reliably-delivered
	// message.
	SocketTypeRdm
	// SocketTypeSeqpacket specifies a datagram congestion control protocol
	// socket.
	SocketTypeSeqpacket
)

func (SocketType) MarshalJSON 

func (s SocketType) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (SocketType) String 

func (s SocketType) String() string

String returns the string representation of the type.

func (*SocketType) UnmarshalJSON 

func (s *SocketType) UnmarshalJSON(b []byte) error

UnmarshalJSON extracts the Socket type from the json data.

type Software 

type Software struct {
	STIXCyberObservableObject
	// Name specifies the name of the software.
	Name string `json:"name"`
	// CPE specifies the Common Platform Enumeration (CPE) entry for the
	// software, if available. The value for this property MUST be a CPE v2.3
	// entry from the official NVD CPE Dictionary.
	CPE string `json:"cpe,omitempty"`
	// SWID specifies the Software Identification (SWID) Tags entry for the
	// software, if available. The tag attribute, tagId, a globally unique
	// identifier, SHOULD be used as a proxy identifier of the tagged product.
	SWID string `json:"swid,omitempty"`
	// Languages specifies the languages supported by the software. The value
	// of each list member MUST be an ISO 639-2 language code.
	Languages []string `json:"languages,omitempty"`
	// Vendor specifies the name of the vendor of the software.
	Vendor string `json:"vendor,omitempty"`
	// Version specifies the version of the software.
	Version string `json:"version,omitempty"`
}

Software object represents high-level properties associated with software, including software products.

func NewSoftware 

func NewSoftware(name string, opts ...STIXOption) (*Software, error)

NewSoftware creates a new Software object. A Software object MUST contain at least one of hashes or name.

func (*Software) MarshalJSON added in v0.8.0 

func (o *Software) MarshalJSON() ([]byte, error)

type StatementMarking 

type StatementMarking struct {
	// Statement  (e.g., copyright, terms of use) applied to the content marked
	// by this marking definition.
	Statement string `json:"statement"`
}

StatementMarking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition. The value of the DefinitionType property MUST be statement when using this marking type. Statement markings are generally not machine-readable, and this specification does not define any behavior or actions based on their values.

type TCPExtension 

type TCPExtension struct {
	// SrcFlags specifies the source TCP flags, as the union of all TCP flags
	// observed between the start of the traffic (as defined by the start
	// property) and the end of the traffic (as defined by the end property).
	SrcFlags Hex `json:"src_flags_hex,omitempty"`
	// DstFlags specifies the destination TCP flags, as the union of all TCP
	// flags observed between the start of the traffic (as defined by the start
	// property) and the end of the traffic (as defined by the end property).
	DstFlags Hex `json:"dst_flags_hex,omitempty"`
}

TCPExtension specifies a default extension for capturing network traffic properties specific to TCP.

type TLPMarking 

type TLPMarking struct {
	// TLP level of the content marked by this marking definition, as defined
	// in this section.
	TLP string `json:"tlp"`
}

TLPMarking marking type defines how you would represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the DefinitionType property MUST be tlp when using this marking type.

type ThreatActor 

type ThreatActor struct {
	STIXDomainObject
	// Name is used to identify this Threat Actor or Threat Actor group.
	Name string `json:"name"`
	// Description provides more details and context about the Threat Actor,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Types specifies the type(s) of this threat actor.
	Types []string `json:"threat_actor_types,omitempty"`
	// Aliases is a list of other names that this Threat Actor is believed to
	// use.
	Aliases []string `json:"aliases,omitempty"`
	// FirstSeen is the time that this Threat Actor was first seen.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen is the time that this Threat Actor was last seen.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
	// Roles is a list of roles the ThreatActor plays.
	Roles []string `json:"roles,omitempty"`
	// Goals are high-level goals of this ThreatActor, namely, what are they
	// trying to do. For example, they may be motivated by personal gain, but
	// their goal is to steal credit card numbers. To do this, they may execute
	// specific Campaigns that have detailed objectives like compromising point
	// of sale systems at a large retailer.
	Goals []string `json:"goals,omitempty"`
	// Sophistication is the skill, specific knowledge, special training, or
	// expertise a Threat Actor must have to perform the attack.
	Sophistication string `json:"sophistication,omitempty"`
	// ResourceLevel defines the organizational level at which this Threat
	// Actor typically works, which in turn determines the resources available
	// to this Threat Actor for use in an attack. This attribute is linked to
	// the sophistication property — a specific resource level implies that the
	// Threat Actor has access to at least a specific sophistication level.
	ResourceLevel string `json:"resource_level,omitempty"`
	// PrimaryMotivation is the primary reason, motivation, or purpose behind
	// this Threat Actor. The motivation is why the Threat Actor wishes to
	// achieve the goal (what they are trying to achieve).
	PrimaryMotivation string `json:"primary_motivation,omitempty"`
	// SecondaryMotivations are the secondary reasons, motivations, or purposes
	// behind this ThreatActor. These motivations can exist as an equal or
	// near-equal cause to the primary motivation. However, it does not replace
	// or necessarily magnify the primary motivation, but it might indicate
	// additional context. The position in the list has no significance.
	SecondaryMotivations []string `json:"secondary_motivations,omitempty"`
	// PersonalMotivations are the personal reasons, motivations, or purposes
	// of the ThreatActor regardless of organizational goals. Personal
	// motivation, which is independent of the organization’s goals, describes
	// what impels an individual to carry out an attack. Personal motivation
	// may align with the organization’s motivation—as is common with
	// activists—but more often it supports personal goals. For example, an
	// individual analyst may join a Data Miner corporation because his or her
	// skills may align with the corporation’s objectives. But the analyst most
	// likely performs his or her daily work toward those objectives for
	// personal reward in the form of a paycheck. The motivation of personal
	// reward may be even stronger for Threat Actors who commit illegal acts,
	// as it is more difficult for someone to cross that line purely for
	// altruistic reasons. The position in the list has no significance.
	PersonalMotivations []string `json:"personal_motivations,omitempty"`
}

ThreatActor is an actual individuals, groups, or organizations believed to be operating with malicious intent. A ThreatActor is not an IntrusionSet but may support or be affiliated with various IntrusionSets, groups, or organizations over time.

Threat actors leverage their resources, and possibly the resources of an IntrusionSet, to conduct attacks and run Campaigns against targets.

Threat actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization.

func NewThreatActor 

func NewThreatActor(name string, opts ...STIXOption) (*ThreatActor, error)

NewThreatActor creates a new ThreatActor object.

func (*ThreatActor) AddAttributedTo 

func (a *ThreatActor) AddAttributedTo(id Identifier, opts ...STIXOption) (*Relationship, error)

AddAttributedTo creates a relationship to the ThreatActor's real identity.

func (*ThreatActor) AddCompromises 

func (a *ThreatActor) AddCompromises(id Identifier, opts ...STIXOption) (*Relationship, error)

AddCompromises creates a relationship that describes that the Threat Actor compromises the related Infrastructure.

func (*ThreatActor) AddHosts 

func (a *ThreatActor) AddHosts(id Identifier, opts ...STIXOption) (*Relationship, error)

AddHosts creates a relationship that describes that the Threat Actor hosts the related Infrastructure (e.g. an actor that rents botnets to other threat actors).

func (*ThreatActor) AddImpersonates 

func (a *ThreatActor) AddImpersonates(id Identifier, opts ...STIXOption) (*Relationship, error)

AddImpersonates creates a relationship that describes that the Threat Actor impersonates the related Identity.

func (*ThreatActor) AddLocatedAt 

func (a *ThreatActor) AddLocatedAt(id Identifier, opts ...STIXOption) (*Relationship, error)

AddLocatedAt creates a relationship that describes that the Threat Actor is located at or in the related Location.

func (*ThreatActor) AddOwns 

func (a *ThreatActor) AddOwns(id Identifier, opts ...STIXOption) (*Relationship, error)

AddOwns creates a relationship that describes that the Threat Actor owns the related Infrastructure (e.g. an actor that rents botnets to other threat actors).

func (*ThreatActor) AddTargets 

func (a *ThreatActor) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error)

AddTargets creates a relationship that describes that the Threat Actor uses exploits of the related Vulnerability or targets the type of victims described by the related Identity or Location.

func (*ThreatActor) AddUses 

func (a *ThreatActor) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses creates a relationship that describes that attacks carried out as part of the Threat Actor typically use the related Attack Pattern, Infrastructure, Malware, or Tool.

func (*ThreatActor) MarshalJSON added in v0.8.0 

func (o *ThreatActor) MarshalJSON() ([]byte, error)

type Timestamp 

type Timestamp struct {
	time.Time
}

Timestamp is a RFC 3339-formatted timestamp.

func (*Timestamp) MarshalJSON 

func (t *Timestamp) MarshalJSON() ([]byte, error)

MarshalJSON creates a RFC 3339-formatted timestamp.

func (*Timestamp) String 

func (t *Timestamp) String() string

String returns a string representation of the timestamp.

func (*Timestamp) UnmarshalJSON 

func (t *Timestamp) UnmarshalJSON(b []byte) error

UnmarshalJSON is extracting the timestamp form json.

type Tool 

type Tool struct {
	STIXDomainObject
	// Name is used to identify the Tool.
	Name string `json:"name"`
	// Description provides more details and context about the Tool,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Types is the kind(s) of tool(s) being described.
	Types []string `json:"tool_types,omitempty"`
	// Aliases are alternative names used to identify this Tool.
	Aliases []string `json:"aliases,omitempty"`
	// KillChainPhase is the list of kill chain phases for which this Tool can
	// be used.
	KillChainPhase []*KillChainPhase `json:"kill_chain_phases,omitempty"`
	// Version is the version identifier associated with the Tool.
	Version string `json:"tool_version,omitempty"`
}

Tool is a legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.

The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool.

This SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterise tools used as part of a course of action in response to an attack.

func NewTool 

func NewTool(name string, opts ...STIXOption) (*Tool, error)

NewTool creates a new Tool object.

func (*Tool) AddDelivers 

func (a *Tool) AddDelivers(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDelivers creates a relationship that describes that this Tool is used to deliver a malware instance (or family).

func (*Tool) AddDrops 

func (a *Tool) AddDrops(id Identifier, opts ...STIXOption) (*Relationship, error)

AddDrops creates a relationship that documents that this Tool drops a malware instance (or family).

func (*Tool) AddHas 

func (a *Tool) AddHas(id Identifier, opts ...STIXOption) (*Relationship, error)

AddHas creates a relationship that describes that this specific Tool has this specific Vulnerability.

func (*Tool) AddTargets 

func (a *Tool) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error)

AddTargets creates a relationship that documents that this Tool is being used to target this Identity, Infrastructure, Location, or exploit the Vulnerability.

func (*Tool) AddUses 

func (a *Tool) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error)

AddUses creates a relationship that describes that this Tool uses the related Infrastructure.

func (*Tool) MarshalJSON added in v0.8.0 

func (o *Tool) MarshalJSON() ([]byte, error)

type UNIXAccountExtension 

type UNIXAccountExtension struct {
	// GID specifies the primary group ID of the account.
	GID int64 `json:"gid,omitempty"`
	// Groups specifies a list of names of groups that the account is a member
	// of.
	Groups []string `json:"groups,omitempty"`
	// Home specifies the home directory of the account.
	Home string `json:"home_dir,omitempty"`
	// Shell specifies the account’s command shell.
	Shell string `json:"shell,omitempty"`
}

UNIXAccountExtension specifies a default extension for capturing the additional information for an account on a UNIX system.

type URL 

type URL struct {
	STIXCyberObservableObject
	// Value specifies the value of the URL. The value of this property MUST
	// conform to RFC3986, more specifically section 1.1.3 with reference to
	// the definition for "Uniform Resource Locator".
	Value string `json:"value"`
}

URL object represents the properties of a uniform resource locator (URL).

func NewURL 

func NewURL(value string, opts ...STIXOption) (*URL, error)

NewURL creates a new URL object.

func (*URL) MarshalJSON added in v0.8.0 

func (o *URL) MarshalJSON() ([]byte, error)

type UserAccount 

type UserAccount struct {
	STIXCyberObservableObject
	// UserID specifies the identifier of the account. The format of the
	// identifier depends on the system the user account is maintained in, and
	// may be a numeric ID, a GUID, an account name, an email address, etc. The
	// UserID property should be populated with whatever field is the unique
	// identifier for the system the account is a member of. For example, on
	// UNIX systems it would be populated with the UID.
	UserID string `json:"user_id,omitempty"`
	// Credential specifies a cleartext credential. This is only intended to be
	// used in capturing metadata from malware analysis (e.g., a hard-coded
	// domain administrator password that the malware attempts to use for
	// lateral movement) and SHOULD NOT be used for sharing of PII.
	Credential string `json:"credential,omitempty"`
	// AccountLogin specifies the account login string, used in cases where the
	// UserID property specifies something other than what a user would type
	// when they login.
	//
	// For example, in the case of a Unix account with UserID 0, the account_login
	// might be “root”.
	AccountLogin string `json:"account_login,omitempty"`
	// AccountType specifies the type of the account.
	AccountType string `json:"account_type,omitempty"`
	// DisplayName specifies the display name of the account, to be shown in
	// user interfaces, if applicable.
	DisplayName string `json:"display_name,omitempty"`
	// IsServiceAccount indicates that the account is associated with a network
	// service or system process (daemon), not a specific individual.
	IsServiceAccount bool `json:"is_service_account,omitempty"`
	// IsPrivileged specifies that the account has elevated privileges (i.e.,
	// in the case of root on Unix or the Windows Administrator account).
	IsPrivileged bool `json:"is_privileged,omitempty"`
	// CanEscalatePrivs specifies that the account has the ability to escalate
	// privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin
	// account)
	CanEscalatePrivs bool `json:"can_escalate_privs,omitempty"`
	// IsDisabled specifies if the account is disabled.
	IsDisabled bool `json:"is_disabled,omitempty"`
	// AccountCreated specifies when the account was created.
	AccountCreated *Timestamp `json:"account_created,omitempty"`
	// AccountExpires specifies the expiration date of the account.
	AccountExpires *Timestamp `json:"account_expires,omitempty"`
	// CredentialLastChanged specifies when the account credential was last
	// changed.
	CredentialLastChanged *Timestamp `json:"credential_last_changed,omitempty"`
	// AccountFirstLogin specifies when the account was first accessed.
	AccountFirstLogin *Timestamp `json:"account_first_login,omitempty"`
	// AccountLastLogin specifies when the account was last accessed.
	AccountLastLogin *Timestamp `json:"account_last_login,omitempty"`
}

UserAccount object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object.

func NewUserAccount 

func NewUserAccount(opts ...STIXOption) (*UserAccount, error)

NewUserAccount creates a new UserAccount object.

func (*UserAccount) MarshalJSON added in v0.8.0 

func (o *UserAccount) MarshalJSON() ([]byte, error)

func (*UserAccount) UNIXAccountExtension 

func (n *UserAccount) UNIXAccountExtension() *UNIXAccountExtension

UNIXAccountExtension returns the Unix account extension for the object or nil.

type Vulnerability 

type Vulnerability struct {
	STIXDomainObject
	// Name is used to identify the Vulnerability.
	Name string `json:"name"`
	// Description provides more details and context about the Vulnerability,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
}

Vulnerability is "a mistake in software that can be directly used by a hacker to gain access to a system or network". For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. CVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems.

The Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process.

func NewVulnerability 

func NewVulnerability(name string, opts ...STIXOption) (*Vulnerability, error)

NewVulnerability creates a new Vulnerability object.

func (*Vulnerability) MarshalJSON added in v0.8.0 

func (o *Vulnerability) MarshalJSON() ([]byte, error)

type WindowsIntegrityLevel 

type WindowsIntegrityLevel byte

WindowsIntegrityLevel is a security feature and represent the trustworthiness of an object. 

const (
	// IntegrityLevelUnknown is an unknown integrity value
	IntegrityLevelUnknown WindowsIntegrityLevel = iota
	// IntegrityLevelLow represents a low level of integrity.
	IntegrityLevelLow
	// IntegrityLevelMedium represents a medium level of integrity.
	IntegrityLevelMedium
	// IntegrityLevelHigh represents a high level of integrity.
	IntegrityLevelHigh
	// IntegrityLevelSystem represents a system level of integrity.
	IntegrityLevelSystem
)

func (WindowsIntegrityLevel) MarshalJSON 

func (s WindowsIntegrityLevel) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (WindowsIntegrityLevel) String 

func (s WindowsIntegrityLevel) String() string

String returns the string representation of the type.

func (*WindowsIntegrityLevel) UnmarshalJSON 

func (s *WindowsIntegrityLevel) UnmarshalJSON(b []byte) error

UnmarshalJSON deserializes the type from the json data.

type WindowsPEBinaryExtension 

type WindowsPEBinaryExtension struct {
	// PEType specifies the type of the PE binary.
	PEType WindowsPEBinaryType `json:"pe_type"`
	// ImpHash specifies the special import hash, or ‘imphash’, calculated for
	// the PE Binary based on its imported libraries and functions.
	ImpHash string `json:"imphash,omitempty"`
	// Machine specifies the type of target machine.
	Machine Hex `json:"machine_hex,omitempty"`
	// NumberOfSections specifies the number of sections in the PE binary, as a
	// non-negative integer.
	NumberOfSections int64 `json:"number_of_sections,omitempty"`
	// TimeDateStamp specifies the time when the PE binary was created. The
	// timestamp value MUST be precise to the second.
	TimeDateStamp *Timestamp `json:"time_date_stamp,omitempty"`
	// PointerToSymbolTable specifies the file offset of the COFF symbol table.
	PointerToSymbolTable Hex `json:"pointer_to_symbol_table_hex,omitempty"`
	// NumberOfSymbols specifies the number of entries in the symbol table of
	// the PE binary, as a non-negative integer.
	NumberOfSymbols int64 `json:"number_of_symbols,omitempty"`
	// SizeOfOptionalHeader specifies the size of the optional header of the PE
	// binary. The value of this property MUST NOT be negative.
	SizeOfOptionalHeader int64 `json:"size_of_optional_header,omitempty"`
	// Characteristics specifies the flags that indicate the file’s
	// characteristics.
	Characteristics Hex `json:"characteristics_hex,omitempty"`
	// FileHeaderHash specifies any hashes that were computed for the file
	// header.
	FileHeaderHash Hashes `json:"file_header_hashes,omitempty"`
	// OptionalHeader specifies the PE optional header of the PE binary.
	OptionalHeader WindowsPEOptionalHeader `json:"optional_header,omitempty"`
	// Sections specifies metadata about the sections in the PE file.
	Sections []WindowsPESection `json:"sections,omitempty"`
}

WindowsPEBinaryExtension specifies a default extension for capturing properties specific to Windows portable executable (PE) files. The key for this extension when used in the extensions dictionary MUST be windows-pebinary-ext. An object using the Windows™ PE Binary File Extension MUST contain at least one property other than the required PEType property from this extension.

type WindowsPEBinaryType 

type WindowsPEBinaryType string

WindowsPEBinaryType is a PE binary type. 

const (
	// WindowsPEDLL specifies that the PE binary is a dynamically linked
	// library (DLL).
	WindowsPEDLL WindowsPEBinaryType = "dll"
	// WindowsPEExe specifies that the PE binary is an executable image (i.e.,
	// not an OBJ or DLL).
	WindowsPEExe WindowsPEBinaryType = "exe"
	// WindowsPESys specifies that the PE binary is a device driver (SYS).
	WindowsPESys WindowsPEBinaryType = "sys"
)

type WindowsPEOptionalHeader 

type WindowsPEOptionalHeader struct {
	// Magic specifies the hex value that indicates the type of the PE binary.
	Magic Hex `json:"magic_hex,omitempty"`
	// MajorLinkerVersion specifies the linker major version number.
	MajorLinkerVersion int64 `json:"major_linker_version,omitempty"`
	// MinorLinkerVersion specifies the linker minor version number.
	MinorLinkerVersion int64 `json:"minor_linker_version,omitempty"`
	// SizeOfCode specifies the size of the code (text) section. If there are
	// multiple such sections, this refers to the sum of the sizes of each
	// section. The value of this property MUST NOT be negative.
	SizeOfCode int64 `json:"size_of_code,omitempty"`
	// SizeOfInitializedData specifies the size of the initialized data section.
	// If there are multiple such sections, this refers to the sum of the sizes
	// of each section. The value of this property MUST NOT be negative.
	SizeOfInitializedData int64 `json:"size_of_initialized_data,omitempty"`
	// SizeOfUninitializedData specifies the size of the uninitialized data
	// section. If there are multiple such sections, this refers to the sum of
	// the sizes of each section. The value of this property MUST NOT be
	// negative.
	SizeOfUninitializedData int64 `json:"size_of_uninitialized_data,omitempty"`
	// AddressOfEntryPoint specifies the address of the entry point relative to
	// the image base when the executable is loaded into memory.
	AddressOfEntryPoint int64 `json:"address_of_entry_point,omitempty"`
	// BaseOfCode specifies the address that is relative to the image base of
	// the beginning-of-code section when it is loaded into memory.
	BaseOfCode int64 `json:"base_of_code,omitempty"`
	// BaseOfData specifies the address that is relative to the image base of
	// the beginning-of-data section when it is loaded into memory.
	BaseOfData int64 `json:"base_of_data,omitempty"`
	// ImageBase specifies the preferred address of the first byte of the image
	// when loaded into memory.
	ImageBase int64 `json:"image_base,omitempty"`
	// SectionAlignment specifies the alignment (in bytes) of PE sections when
	// they are loaded into memory.
	SectionAlignment int64 `json:"section_alignment,omitempty"`
	// FileAlignment specifies the factor (in bytes) that is used to align the
	// raw data of sections in the image file.
	FileAlignment int64 `json:"file_alignment,omitempty"`
	// MajorOSVersion specifies the major version number of the required
	// operating system.
	MajorOSVersion int64 `json:"major_os_version,omitempty"`
	// MinorOSVersion specifies the minor version number of the required
	// operating system.
	MinorOSVersion int64 `json:"minor_os_version,omitempty"`
	// MajorImageVersion specifies the major version number of the image.
	MajorImageVersion int64 `json:"major_image_version,omitempty"`
	// MinorImageVersion specifies the minor version number of the image.
	MinorImageVersion int64 `json:"minor_image_version,omitempty"`
	// MajorSubsystemVersion specifies the major version number of the
	// subsystem.
	MajorSubsystemVersion int64 `json:"major_subsystem_version,omitempty"`
	// MinorSubsystemVersion specifies the minor version number of the
	// subsystem.
	MinorSubsystemVersion int64 `json:"minor_subsystem_version,omitempty"`
	// Win32VersionValue specifies the reserved win32 version value.
	Win32VersionValue Hex `json:"win32_version_value_hex,omitempty"`
	// SizeOfImage specifies the size of the image in bytes, including all
	// headers, as the image is loaded in memory. The value of this property
	// MUST NOT be negative.
	SizeOfImage int64 `json:"size_of_image,omitempty"`
	// SizeOfHeaders specifies the combined size of the MS-DOS, PE header, and
	// section headers, rounded up to a multiple of the value specified in the
	// file_alignment header. The value of this property MUST NOT be negative.
	SizeOfHeaders int64 `json:"size_of_headers"`
	// Checksum specifies the checksum of the PE binary.
	Checksum Hex `json:"checksum_hex,omitempty"`
	// Subsystem specifies the subsystem (e.g., GUI, device driver, etc.) that
	// is required to run this image.
	Subsystem Hex `json:"subsystem_hex,omitempty"`
	// DLLCharacteristics specifies the flags that characterize the PE binary.
	DLLCharacteristics Hex `json:"dll_characteristics_hex,omitempty"`
	// SizeOfStackReserve specifies the size of the stack to reserve, in bytes.
	// The value of this property MUST NOT be negative.
	SizeOfStackReserve int64 `json:"size_of_stack_reserve,omitempty"`
	// SizeOfStackCommit specifies the size of the stack to commit, in bytes.
	// The value of this property MUST NOT be negative.
	SizeOfStackCommit int64 `json:"size_of_stack_commit,omitempty"`
	// SizeOfHeapReserve specifies the size of the local heap space to reserve,
	// in bytes. The value of this property MUST NOT be negative.
	SizeOfHeapReserve int64 `json:"size_of_heap_reserve,omitempty"`
	// SizeOfHeapCommit specifies the size of the local heap space to commit,
	// in bytes. The value of this property MUST NOT be negative.
	SizeOfHeapCommit int64 `json:"size_of_heap_commit,omitempty"`
	// LoaderFlags specifies the reserved loader flags.
	LoaderFlags Hex `json:"loader_flags_hex,omitempty"`
	// NumberOfRVAAndSizes specifies the number of data-directory entries in
	// the remainder of the optional header.
	NumberOfRVAAndSizes int64 `json:"number_of_rva_and_sizes,omitempty"`
	// Hashes specifies any hashes that were computed for the optional header.
	Hashes Hashes `json:"hashes,omitempty"`
}

WindowsPEOptionalHeader represents the properties of the PE optional header. An object using the Windows PE Optional Header Type MUST contain at least one property from this type.

type WindowsPESection 

type WindowsPESection struct {
	// Name specifies the name of the section.
	Name string `json:"name"`
	// Size specifies the size of the section, in bytes. The value of this
	// property MUST NOT be negative.
	Size int64 `json:"size,omitempty"`
	// Entropy specifies the calculated entropy for the section, as calculated
	// using the Shannon algorithm
	// (https://en.wiktionary.org/wiki/Shannon_entropy). The size of each input
	// character is defined as a byte, resulting in a possible range of 0
	// through 8.
	Entropy float64 `json:"entropy,omitempty"`
	// Hashes specifies any hashes computed over the section.
	Hashes Hashes `json:"hashes,omitempty"`
}

WindowsPESection specifies metadata about a PE file section.

type WindowsProcessExtension 

type WindowsProcessExtension struct {
	// ASLR specifies whether Address Space Layout Randomization (ASLR) is
	// enabled for the process.
	ASLR bool `json:"aslr_enabled,omitempty"`
	// DEP specifies whether Data Execution Prevention (DEP) is enabled for the
	// process.
	DEP bool `json:"dep_enabled,omitempty"`
	// Priority specifies the current priority class of the process in Windows.
	// This value SHOULD be a string that ends in _CLASS.
	Priority string `json:"priority,omitempty"`
	// OwnerSID specifies the Security ID (SID) value of the owner of the
	// process.
	OwnerSID string `json:"owner_sid,omitempty"`
	// WindowTitle specifies the title of the main window of the process.
	WindowTitle string `json:"window_title,omitempty"`
	// StartupInfo specifies the STARTUP_INFO struct used by the process, as a
	// dictionary. Each name/value pair in the struct MUST be represented as a
	// key/value pair in the dictionary, where each key MUST be a
	// case-preserved version of the original name. For example, given a name
	// of "lpDesktop" the corresponding key would be lpDesktop.
	StartupInfo map[string]interface{} `json:"startup_info,omitempty"`
	// IntegrityLevel specifies the Windows integrity level, or trustworthiness,
	// of the process.
	IntegrityLevel WindowsIntegrityLevel `json:"integrity_level,omitempty"`
}

WindowsProcessExtension specifies a default extension for capturing properties specific to Windows processes.

type WindowsServiceExtension 

type WindowsServiceExtension struct {
	// Name specifies the name of the service.
	Name string `json:"service_name,omitempty"`
	// Descriptions specifies the descriptions defined for the service.
	Descriptions []string `json:"descriptions,omitempty"`
	// DisplayName specifies the display name of the service in Windows GUI
	// controls.
	DisplayName string `json:"display_name,omitempty"`
	// GroupName specifies the name of the load ordering group of which the
	// service is a member.
	GroupName string `json:"group_name,omitempty"`
	// StartType specifies the start options defined for the service.
	StartType WindowsServiceStartType `json:"start_type,omitempty"`
	// ServiceDLL specifies the DLLs loaded by the service, as a reference to
	// one or more File objects.
	ServiceDLL []Identifier `json:"service_dll_refs,omitempty"`
	// ServiceType specifies the type of the service.
	ServiceType WindowsServiceType `json:"service_type,omitempty"`
	// ServiceStatus specifies the current status of the service.
	ServiceStatus WindowsServiceStatusType `json:"service_status,omitempty"`
}

WindowsServiceExtension specifies a default extension for capturing properties specific to Windows services.

type WindowsServiceStartType 

type WindowsServiceStartType byte

WindowsServiceStartType is a Windows service start type. 

const (
	// ServiceStartUnknown is an unknown service start value.
	ServiceStartUnknown WindowsServiceStartType = iota
	// ServiceStartAuto is a service started automatically by the service
	// control manager during system startup.
	ServiceStartAuto
	// ServiceStartBoot is a device driver started by the system loader. This
	// value is valid only for driver services.
	ServiceStartBoot
	// ServiceStartDemand is a service started by the service control manager
	// when a process calls the StartService function.
	ServiceStartDemand
	// ServiceStartDisabled is a service that cannot be started. Attempts to
	// start the service result in the error code ERROR_SERVICE_DISABLED.
	ServiceStartDisabled
	// ServiceStartSystem is a device driver started by the IoInitSystem
	// function. This value is valid only for driver services.
	ServiceStartSystem
)

func (WindowsServiceStartType) MarshalJSON 

func (s WindowsServiceStartType) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (WindowsServiceStartType) String 

func (s WindowsServiceStartType) String() string

String returns the string representation of the type.

func (*WindowsServiceStartType) UnmarshalJSON 

func (s *WindowsServiceStartType) UnmarshalJSON(b []byte) error

UnmarshalJSON deserializes the type from the json data.

type WindowsServiceStatusType 

type WindowsServiceStatusType byte

WindowsServiceStatusType is a Windows service status type. 

const (
	// ServiceStatusUnknown is an unknown service status value.
	ServiceStatusUnknown WindowsServiceStatusType = iota
	// ServiceStatusContinuePending represents service continue is pending.
	ServiceStatusContinuePending
	// ServiceStatusPausePending represents service pause is pending.
	ServiceStatusPausePending
	// ServiceStatusPaused represents service is paused.
	ServiceStatusPaused
	// ServiceStatusRunning represents service is running.
	ServiceStatusRunning
	// ServiceStatusStartPending represents service is starting.
	ServiceStatusStartPending
	// ServiceStatusStopPending represents service is stopping.
	ServiceStatusStopPending
	// ServiceStatusStopped represents service is not running.
	ServiceStatusStopped
)

func (WindowsServiceStatusType) MarshalJSON 

func (s WindowsServiceStatusType) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (WindowsServiceStatusType) String 

func (s WindowsServiceStatusType) String() string

String returns the string representation of the type.

func (*WindowsServiceStatusType) UnmarshalJSON 

func (s *WindowsServiceStatusType) UnmarshalJSON(b []byte) error

UnmarshalJSON deserializes the type from the json data.

type WindowsServiceType 

type WindowsServiceType byte

WindowsServiceType is a Windows service type. 

const (
	// ServiceUnknown is an unknown service value.
	ServiceUnknown WindowsServiceType = iota
	// ServiceKernelDriver is a device driver.
	ServiceKernelDriver
	// ServiceFileSystemDriver is a file system driver.
	ServiceFileSystemDriver
	// ServiceWin32OwnProcess runs in its own process.
	ServiceWin32OwnProcess
	// ServiceWin32ShareProcess shares a process with other services.
	ServiceWin32ShareProcess
)

func (WindowsServiceType) MarshalJSON 

func (s WindowsServiceType) MarshalJSON() ([]byte, error)

MarshalJSON serializes the value to JSON.

func (WindowsServiceType) String 

func (s WindowsServiceType) String() string

String returns the string representation of the type.

func (*WindowsServiceType) UnmarshalJSON 

func (s *WindowsServiceType) UnmarshalJSON(b []byte) error

UnmarshalJSON deserializes the type from the json data.

type X509Certificate 

type X509Certificate struct {
	STIXCyberObservableObject
	// SelfSigned specifies whether the certificate is self-signed, i.e.,
	// whether it is signed by the same entity whose identity it certifies.
	SelfSigned bool `json:"is_self_signed,omitempty"`
	// Hashes specifies any hashes that were calculated for the entire contents
	// of the certificate.
	Hashes Hashes `json:"hashes,omitempty"`
	// Version specifies the version of the encoded certificate.
	Version string `json:"version,omitempty"`
	// SerialNumber specifies the unique identifier for the certificate, as
	// issued by a specific Certificate Authority.
	SerialNumber string `json:"serial_number,omitempty"`
	// SignatureAlgorithm specifies the name of the algorithm used to sign the
	// certificate.
	SignatureAlgorithm string `json:"signature_algorithm,omitempty"`
	// Issuer specifies the name of the Certificate Authority that issued the
	// certificate.
	Issuer string `json:"issuer,omitempty"`
	// ValidityNotBefore specifies the date on which the certificate validity
	// period begins.
	ValidityNotBefore *Timestamp `json:"validity_not_before,omitempty"`
	// ValidityNotAfter specifies the date on which the certificate validity
	// period ends.
	ValidityNotAfter *Timestamp `json:"validity_not_after,omitempty"`
	// Subject specifies the name of the entity associated with the public key
	// stored in the subject public key field of the certificate.
	Subject string `json:"subject,omitempty"`
	// SubjectPublicKeyAlgorithm specifies the name of the algorithm with
	// which to encrypt data being sent to the subject.
	SubjectPublicKeyAlgorithm string `json:"subject_public_key_algorithm,omitempty"`
	// SubjectPublicKeyModulus specifies the modulus portion of the subject’s
	// public RSA key.
	SubjectPublicKeyModulus string `json:"subject_public_key_modulus,omitempty"`
	// SubjectPublicKeyExponent specifies the exponent portion of the subject’s
	// public RSA key, as an integer.
	SubjectPublicKeyExponent int64 `json:"subject_public_key_exponent,omitempty"`
	// X509v3Extensions specifies any standard X.509 v3 extensions that may be
	// used in the certificate.
	X509v3Extensions X509v3Extension `json:"x509_v3_extensions,omitempty"`
}

X509Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509]. An X.509 Certificate object MUST contain at least one object specific property (other than type) from this object.

func NewX509Certificate 

func NewX509Certificate(opts ...STIXOption) (*X509Certificate, error)

NewX509Certificate creates a new X509Certificate object.

func (*X509Certificate) MarshalJSON added in v0.8.0 

func (o *X509Certificate) MarshalJSON() ([]byte, error)

type X509v3Extension 

type X509v3Extension struct {
	// BasicConstraints specifies a multi-valued extension which indicates
	// whether a certificate is a CA certificate. The first (mandatory) name is
	// CA followed by TRUE or FALSE. If CA is TRUE, then an optional pathlen
	// name followed by a non-negative value can be included. Also equivalent
	// to the object ID (OID) value of 2.5.29.19.
	BasicConstraints string `json:"basic_constraints,omitempty"`
	// NameConstraints specifies a namespace within which all subject names in
	// subsequent certificates in a certification path MUST be located. Also
	// equivalent to the object ID (OID) value of 2.5.29.30.
	NameConstraints string `json:"name_constraints,omitempty"`
	// PolicyConstraints specifies any constraints on path validation for
	// certificates issued to CAs. Also equivalent to the object ID (OID) value
	// of 2.5.29.36.
	PolicyConstraints string `json:"policy_constraints,omitempty"`
	// KeyUsage specifies a multi-valued extension consisting of a list of
	// names of the permitted key usages. Also equivalent to the object ID
	// (OID) value of 2.5.29.15.
	KeyUsage string `json:"key_usage,omitempty"`
	// ExtendedKeyUsage specifies a list of usages indicating purposes for
	// which the certificate public key can be used for. Also equivalent to the
	// object ID (OID) value of 2.5.29.37.
	ExtendedKeyUsage string `json:"extended_key_usage,omitempty"`
	// SubjectKeyIdentifier specifies the identifier that provides a means of
	// identifying certificates that contain a particular public key. Also
	// equivalent to the object ID (OID) value of 2.5.29.14.
	SubjectKeyIdentifier string `json:"subject_key_identifier,omitempty"`
	// AuthorityKeyIdentifier specifies the identifier that provides a means of
	// identifying the public key corresponding to the private key used to sign
	// a certificate. Also equivalent to the object ID (OID) value of
	// 2.5.29.35.
	AuthorityKeyIdentifier string `json:"authority_key_identifier,omitempty"`
	// SubjectAltName specifies the additional identities to be bound to the
	// subject of the certificate. Also equivalent to the object ID (OID) value
	// of 2.5.29.17.
	SubjectAltName string `json:"subject_alternative_name,omitempty"`
	// IssuerAltName specifies the additional identities to be bound to the
	// issuer of the certificate. Also equivalent to the object ID (OID) value
	// of 2.5.29.18.
	IssuerAltName string `json:"issuer_alternative_name,omitempty"`
	// SubjectDirectoryAttributes specifies the identification attributes
	// (e.g., nationality) of the subject. Also equivalent to the object ID
	// (OID) value of 2.5.29.9.
	SubjectDirectoryAttributes string `json:"subject_directory_attributes,omitempty"`
	// CRLDistributionPoints specifies how CRL information is obtained. Also
	// equivalent to the object ID (OID) value of 2.5.29.31.
	CRLDistributionPoints string `json:"crl_distribution_points,omitempty"`
	// InhibitAnyPolicy specifies the number of additional certificates that
	// may appear in the path before anyPolicy is no longer permitted. Also
	// equivalent to the object ID (OID) value of 2.5.29.54.
	InhibitAnyPolicy string `json:"inhibit_any_policy,omitempty"`
	// PrivateKeyUsagePeriodNotBefore specifies the date on which the validity
	// period begins for the private key, if it is different from the validity
	// period of the certificate.
	PrivateKeyUsagePeriodNotBefore *Timestamp `json:"private_key_usage_period_not_before,omitempty"`
	// PrivateKeyUsagePeriodNotAfter specifies the date on which the validity
	// period ends for the private key, if it is different from the validity
	// period of the certificate.
	PrivateKeyUsagePeriodNotAfter *Timestamp `json:"private_key_usage_period_not_after,omitempty"`
	// CertificatePolicies specifies a sequence of one or more policy
	// information terms, each of which consists of an object identifier (OID)
	// and optional qualifiers. Also equivalent to the object ID (OID) value of
	// 2.5.29.32.
	CertificatePolicies string `json:"certificate_policies,omitempty"`
	// PolicyMappings specifies one or more pairs of OIDs; each pair includes
	// an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates
	// whether the issuing CA considers its issuerDomainPolicy equivalent to
	// the subject CA's subjectDomainPolicy. Also equivalent to the object ID
	// (OID) value of 2.5.29.33.
	PolicyMappings string `json:"policy_mappings,omitempty"`
}

X509v3Extension captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.