objects

package
v0.6.1
Warning

This package is not in the latest version of its module.

Published: Jan 15, 2020 | License: Apache-2.0 | Imports: 5 | Imported by: 26

Documentation

Overview

Package objects implements the STIX 2.1 object model.

The following information comes directly from the STIX 2.1 specification.

This specification defines the set of STIX Domain Objects (SDOs), each of which corresponds to a unique concept commonly represented in CTI. Using SDOs, STIX Cyber-observable Objects (SCOs), and STIX Relationship Objects (SROs) as building blocks, individuals can create and share broad and comprehensive cyber threat intelligence.

Property information, relationship information, and examples are provided for each SDO defined below. Property information includes common properties as well as properties that are specific to each SDO. Relationship information includes embedded relationships (e.g., created_by_ref), common relationships (e.g., related-to), and SDO-specific relationships. Forward relationships (i.e., relationships from the SDO to other SDOs or SCOs) are fully defined, while reverse relationships (i.e., relationships to the SDO from other SDOs or SCOs) are duplicated for convenience.

Some SDOs are similar and can be grouped together into categories. Attack Pattern, Malware, and Tool can all be considered types of tactics, techniques, and procedures (TTPs): they describe behaviors and resources that attackers use to carry out their attacks. Similarly, Campaign, Intrusion Set, and Threat Actor all describe information about why adversaries carry out attacks and how they organize themselves.

Functions

func Compare added in v0.6.1

func Compare(obj1, obj2 *CommonObjectProperties) (bool, int, []string)
Compare - This function will compare two objects to make sure they are the same and will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.

func DecodeType

func DecodeType(data []byte) (string, error)
DecodeType - This function will take in a slice of bytes representing an arbitrary STIX object encoded as JSON and return the STIX object type as a string. This is called from the Bundle Decode() to determine which type of STIX object the data represents, so that the data can be dispatched to the right object decoder.

func ValidObjectType added in v0.6.1

func ValidObjectType(t string) bool
ValidObjectType - This function will take in a STIX object type and return true if the string represents an actual STIX object type. This is used for determining if input from an outside source is actually a defined STIX object or not.
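The type-peek, validate, and dispatch flow that DecodeType and ValidObjectType describe, as an added standalone example using only the Go standard library; it is not this package's code. The names peekType, route and knownTypes are hypothetical, and the allow-list is a constructed one covering only the object packages listed under Directories on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// knownTypes is an illustrative allow-list (assumption): STIX 2.1 type names
// for the object packages listed under Directories on this page.
var knownTypes = map[string]bool{
	"attack-pattern": true, "bundle": true, "campaign": true, "course-of-action": true, "grouping": true,
	"identity": true, "indicator": true, "infrastructure": true, "intrusion-set": true, "location": true,
	"malware": true, "malware-analysis": true, "observed-data": true, "opinion": true, "relationship": true,
	"report": true, "sighting": true, "threat-actor": true, "tool": true, "vulnerability": true, "domain-name": true, "url": true,
}

// peekType (hypothetical name) extracts only the "type" property. Decoding
// into a map keeps the key match exact; struct tags match case-insensitively.
func peekType(data []byte) (string, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(data, &obj); err != nil {
		return "", fmt.Errorf("not a JSON object: %w", err)
	}
	raw, ok := obj["type"]
	var t string
	if !ok || json.Unmarshal(raw, &t) != nil || t == "" {
		return "", fmt.Errorf("type must be present as a non-empty string")
	}
	return t, nil
}

// route (hypothetical name) picks a decoder; unknown types get a common-properties-only decode.
func route(data []byte) (string, error) {
	t, err := peekType(data)
	if err != nil {
		return "reject", err
	}
	if !knownTypes[t] {
		return "common-properties-only", nil
	}
	return "decoder:" + t, nil
}

func main() {
	for _, in := range []string{`{"type":"indicator"}`, `{"type":"x-acme-widget"}`, `{"TYPE":"indicator"}`} { // constructed inputs
		d, err := route([]byte(in))
		fmt.Println(d, err)
	}
}
```

Routing unknown types to a common-properties-only decode mirrors what the page says Decode does for custom objects; malformed input is rejected before any object decoder sees it.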

Types

type CommonObjectProperties added in v0.6.1

CommonObjectProperties - This type defines the properties that are common to most STIX objects. If an object does not use all of these properties, then the Encode() function for that object will clean up and remove the properties that might get populated by mistake. Also, there will be Init() functions for each type of STIX object to help with populating the right properties for that type of object. This was done so that we would only need one type that could be used by all objects, to simplify the code.

func Decode

func Decode(data []byte) (*CommonObjectProperties, error)
Decode - This function is a simple wrapper for decoding JSON data. It will decode a slice of bytes into an actual struct and return a pointer to that object along with any errors. This is called from the Bundle Decode() if the object type cannot be determined. So for custom objects, it will at least decode any of the common object properties that might be found.

func (*CommonObjectProperties) Compare added in v0.6.1

Compare - This method will compare the common properties from two objects to make sure they are the same. The common properties receiver is object 1 and the common properties passed in is object 2. This method will return an integer that tracks the number of problems and a slice of strings that contain the detailed results, whether good or bad.

func (*CommonObjectProperties) FindCustomProperties added in v0.6.1

func (o *CommonObjectProperties) FindCustomProperties(b []byte, p []string) error

func (*CommonObjectProperties) GetCommonProperties added in v0.6.1

func (o *CommonObjectProperties) GetCommonProperties() *CommonObjectProperties
GetCommonProperties - This method will return a pointer to the common properties of this object.

func (*CommonObjectProperties) GetCommonPropertyList added in v0.6.1

func (o *CommonObjectProperties) GetCommonPropertyList() []string
GetCommonPropertyList - This method will return a list of all of the properties that are common to all objects. This is used by the FindCustomProperties method. It is defined here in this file to make it easy to keep in sync as new properties are added.

func (*CommonObjectProperties) InitBundle added in v0.6.1

func (o *CommonObjectProperties) InitBundle() error
InitBundle - This method will initialize a STIX Bundle by setting all of the basic properties and is called by the New() function from that object.

func (*CommonObjectProperties) InitSCO added in v0.6.1

func (o *CommonObjectProperties) InitSCO(objectType string) error
InitSCO - This method will initialize a STIX Cyber Observable Object by setting all of the basic properties and is called by the New() function from each object.

func (*CommonObjectProperties) InitSDO added in v0.6.1

func (o *CommonObjectProperties) InitSDO(objectType string) error
InitSDO - This method will initialize a STIX Domain Object by setting all of the basic properties and is called by the New() function from each object.

func (*CommonObjectProperties) InitSRO added in v0.6.1

func (o *CommonObjectProperties) InitSRO(objectType string) error
InitSRO - This method will initialize a STIX Relationship Object by setting all of the basic properties and is called by the New() function from each object.

func (*CommonObjectProperties) ValidSDO added in v0.6.1

func (o *CommonObjectProperties) ValidSDO() (bool, int, []string)
ValidSDO - This method will verify and test all of the properties on a STIX Domain Object to make sure they are valid per the specification. It will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.

type STIXObject

type STIXObject interface {
	GetCommonProperties() *CommonObjectProperties
}
STIXObject - This interface defines what methods an object must have to be considered a STIX Object. So any new object that is created that inherits the CommonObjectProperties is considered a STIX Object by this code. This interface is currently used by the Bundle object to add objects to the Bundle.

Directories

Path Synopsis
Package attackpattern implements the STIX 2.1 Attack Pattern object.
Package bundle implements the STIX 2.1 Bundle object.
Package campaign implements the STIX 2.1 Campaign object.
Package courseofaction implements the STIX 2.1 Course of Action object.
Package grouping implements the STIX 2.1 Grouping object.
Package identity implements the STIX 2.1 Identity object.
Package indicator implements the STIX 2.1 Indicator object.
Package infrastructure implements the STIX 2.1 Infrastructure object.
Package intrusionset implements the STIX 2.1 Intrusion Set object.
Package location implements the STIX 2.1 Attack Pattern object.
Package malware implements the STIX 2.1 Malware object.
Package malwareanalysis implements the STIX 2.1 Malware Analysis object.
Package observeddata implements the STIX 2.1 Observed Data object.
Package opinion implements the STIX 2.1 Relationship object.
Package properties contains all of the common properties used on STIX objects.
Package relationship implements the STIX 2.1 Relationship object.
Package report implements the STIX 2.1 Report object.
sco
domainname
Package domainname implements the STIX 2.1 Domain Name SCO object.
urlobject
Package urlobject implements the STIX 2.1 URL SCO object.
Package sighting implements the STIX 2.1 Sighting object.
taxii
apiroot
Package apiroot implements the TAXII 2.1 API Root resource.
discovery
Package discovery implements the TAXII 2.1 API Root resource.
Package threatactor implements the STIX 2.1 Threat Actor object.
Package tool implements the STIX 2.1 Tool object.
Package vulnerability implements the STIX 2.1 Vulnerability object.
