mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-10 21:24:56 +03:00
# API Reference: Security Information Sharing with STIX 2.1

## stix2 Python Library

```bash
pip install stix2 taxii2-client
```
### Create Objects

```python
from stix2 import Indicator, Malware, Relationship, Bundle, Identity

# The producing organisation; referenced from the indicator via created_by_ref
identity = Identity(name="My SOC", identity_class="organization")

indicator = Indicator(
    name="Malicious IP",
    pattern="[ipv4-addr:value = '198.51.100.42']",
    pattern_type="stix",
    valid_from="2025-01-01T00:00:00Z",
    created_by_ref=identity.id,
)

# is_family is required on Malware in STIX 2.1
malware = Malware(name="EvilRAT", malware_types=["trojan"], is_family=True)

rel = Relationship(source_ref=indicator.id, target_ref=malware.id,
                   relationship_type="indicates")

bundle = Bundle(objects=[identity, indicator, malware, rel])
print(bundle.serialize(pretty=True))
```
### Validate and Parse

```python
import stix2

# json_string holds STIX 2.1 JSON text, e.g. bundle.serialize() from the
# snippet above or the body of a TAXII response
json_string = bundle.serialize()

# parse() validates required properties and returns typed objects;
# allow_custom=True accepts custom properties/objects instead of raising
parsed = stix2.parse(json_string, allow_custom=True)
print(parsed.type, len(parsed.objects))
```
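The stix2 parser checks each object's own required properties, but it does not tell you whether the references inside a received bundle actually resolve, or whether an indicator arrived with a TLP marking at all. The following consumer-side validator is an added example, not part of the original cheat-sheet or the stix2 project: it works on the STIX 2.1 JSON wire format with the standard library only (so it does not need stix2 installed), and the sample bundle, its ids and the `_obj` helper are constructed for illustration.

```python
import json
import re

STAMP = "2025-01-01T00:00:00.000Z"

def _obj(kind, digit, **props):
    """Build a minimal STIX 2.1 object; ids are constructed, not real UUIDs."""
    uid = f"{digit * 8}-{digit * 4}-4{digit * 3}-8{digit * 3}-{digit * 12}"
    return {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uid}",
            "created": STAMP, "modified": STAMP, **props}

# Constructed sample bundle, shaped like what a TAXII collection returns.
# Deliberate defects: the relationship targets a malware object that is not
# in the bundle, and the second indicator carries no TLP marking.
_tlp_amber = _obj("marking-definition", "2", definition_type="tlp",
                  name="TLP:AMBER", definition={"tlp": "amber"})
_tlp_amber.pop("modified")  # marking definitions are immutable: no 'modified'
_soc = _obj("identity", "3", name="Partner SOC", identity_class="organization")
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        _tlp_amber, _soc,
        _obj("indicator", "4", name="Malicious IP", pattern_type="stix",
             pattern="[ipv4-addr:value = '198.51.100.42']",
             valid_from="2025-01-01T00:00:00Z", created_by_ref=_soc["id"],
             object_marking_refs=[_tlp_amber["id"]]),
        _obj("indicator", "5", name="Unmarked domain", pattern_type="stix",
             pattern="[domain-name:value = 'evil.example']",
             valid_from="2025-01-01T00:00:00Z"),
        _obj("relationship", "6", relationship_type="indicates",
             source_ref="indicator--44444444-4444-4444-8444-444444444444",
             target_ref="malware--77777777-7777-4777-8777-777777777777"),
    ],
})

STIX_ID = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REF_PROP = re.compile(r"_refs?$")

def validate_bundle(json_text):
    """Consumer-side checks on a received STIX 2.1 bundle, stdlib only.

    Returns {"errors": [...], "warnings": [...], "indicators": {id: {...}}}.
    A non-empty 'errors' list means: do not ingest as-is."""
    report = {"errors": [], "warnings": [], "indicators": {}}
    bundle = json.loads(json_text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        report["errors"].append("not a STIX bundle")
        return report
    by_id = {}
    for obj in bundle["objects"]:
        oid = str(obj.get("id", ""))
        m = STIX_ID.match(oid)
        if not m or m.group(1) != obj.get("type"):
            report["errors"].append(f"malformed or type-mismatched id: {oid!r}")
            continue
        if oid in by_id:
            report["errors"].append(f"duplicate id: {oid}")
        by_id[oid] = obj
    # TLP level per marking-definition present in the bundle
    tlp = {oid: o["definition"]["tlp"] for oid, o in by_id.items()
           if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    for oid, obj in by_id.items():
        if obj.get("spec_version") != "2.1":
            report["errors"].append(f"{oid}: spec_version must be '2.1'")
        # every *_ref / *_refs property must resolve inside this bundle;
        # dangling relationship endpoints are fatal, other refs only warn
        for key, value in obj.items():
            if not REF_PROP.search(key):
                continue
            for ref in (value if isinstance(value, list) else [value]):
                if ref in by_id:
                    continue
                bucket = "errors" if key in ("source_ref", "target_ref") else "warnings"
                report[bucket].append(f"{oid}: {key} -> {ref} not in bundle")
        if obj["type"] == "indicator":
            levels = [tlp[r] for r in obj.get("object_marking_refs", []) if r in tlp]
            if not levels:
                report["warnings"].append(f"{oid}: no TLP marking (handle as most restrictive)")
            report["indicators"][oid] = {"pattern": obj.get("pattern"),
                                         "tlp": levels[0] if levels else None}
    return report

if __name__ == "__main__":
    print(json.dumps(validate_bundle(SAMPLE_BUNDLE), indent=2))
```

Run it on the sample and the report lists one error (the relationship's `target_ref` points at a malware object the bundle does not carry) and one warning (the second indicator has no TLP marking), alongside the TLP level resolved for each indicator. Unresolved `created_by_ref` or marking refs are only warned because producers often omit well-known objects; tighten that to an error if your feed policy requires self-contained bundles.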
## STIX 2.1 Object Types

| Type | Description |
|---|---|
| indicator | IOC with STIX pattern |
| malware | Malware family/sample |
| campaign | Named threat campaign |
| threat-actor | Threat group |
| attack-pattern | TTP (ATT&CK technique) |
| relationship | Link between objects |
| sighting | Observation of indicator |
| identity | Organization/individual |
## TAXII 2.1 Publishing

```python
from taxii2client.v21 import Collection

# Collection URL and credentials are placeholders; load real credentials
# from your secrets store rather than embedding them in source
collection = Collection(
    "https://taxii.server.com/taxii2/collections/abc-123/",
    user="api_user", password="api_pass"
)

# Push the bundle built above; add_objects accepts a JSON string or a Bundle
collection.add_objects(bundle.serialize())
```
## TLP Marking Definitions

| TLP | stix2 Constant |
|---|---|
| TLP:CLEAR | stix2.TLP_WHITE |
| TLP:GREEN | stix2.TLP_GREEN |
| TLP:AMBER | stix2.TLP_AMBER |
| TLP:RED | stix2.TLP_RED |

stix2 keeps the pre-TLP 2.0 name `TLP_WHITE` for what TLP 2.0 calls TLP:CLEAR. Attach a marking to an object via `object_marking_refs=[stix2.TLP_AMBER.id]`.
## STIX Pattern Examples

| Type | Pattern |
|---|---|
| IPv4 | `[ipv4-addr:value = '1.2.3.4']` |
| Domain | `[domain-name:value = 'evil.com']` |
| SHA-256 | `[file:hashes.'SHA-256' = 'abc...']` |
| URL | `[url:value = 'https://evil.com/mal']` |
| Email | `[email-addr:value = 'bad@evil.com']` |
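Patterns in this form are what a consumer turns into detection content. The following is an added example, not code from the original cheat-sheet or the stix2 project: it extracts the object path and literal from each comparison in the pattern shapes listed above (including several comparisons joined by AND/OR inside one observation expression) and matches the resulting observables against log lines as whole tokens. The indicator set and the log lines are constructed for illustration, and the SHA-256 value is a placeholder.

```python
import re

# One STIX comparison expression: <object-path> = '<literal>'. The literal may
# contain \' and \\ escapes. Only equality is handled (no LIKE/MATCHES/ranges).
COMPARISON = re.compile(
    r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'")
OBSERVATION = re.compile(r"\[(?P<body>[^\[\]]+)\]")

def extract_observables(pattern):
    """Return [(object_path, value), ...] for every comparison in a pattern.

    Covers the bracketed forms in the table above, including comparisons
    joined by AND/OR inside one observation expression. Temporal operators
    (FOLLOWEDBY, WITHIN, REPEATS) are outside this helper's scope."""
    found = []
    for obs in OBSERVATION.finditer(pattern):
        for m in COMPARISON.finditer(obs.group("body")):
            value = re.sub(r"\\(.)", r"\1", m.group("value"))  # undo \' and \\
            found.append((m.group("path"), value))
    return found

def _matcher(path, value):
    """Compile a whole-token regex for one observable value.

    Names, URLs and hashes compare case-insensitively; IPs and e-mail
    addresses exactly. The boundaries stop 198.51.100.4 from firing on
    198.51.100.42 and evil.example from firing inside bad@evil.example."""
    flags = re.IGNORECASE if path.split(":", 1)[0] in ("domain-name", "url", "file") else 0
    return re.compile(r"(?<![\w.@-])" + re.escape(value) + r"(?![\w.-])", flags)

def scan_logs(indicators, lines):
    """Match each indicator's observables against each log line.

    indicators: {stix_pattern: indicator_name}. Returns a list of hits as
    {"line": n, "name": ..., "path": ..., "value": ...} in line order."""
    compiled = [(name, path, value, _matcher(path, value))
                for pattern, name in indicators.items()
                for path, value in extract_observables(pattern)]
    return [{"line": n, "name": name, "path": path, "value": value}
            for n, line in enumerate(lines, 1)
            for name, path, value, rx in compiled if rx.search(line)]

# Constructed sample indicators (the name would come from the Indicator object)
INDICATORS = {
    "[ipv4-addr:value = '198.51.100.42']": "Malicious IP",
    "[ipv4-addr:value = '198.51.100.4']": "Scanner",
    "[domain-name:value = 'evil.example' OR domain-name:value = 'evil2.example']": "C2 domains",
    "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']": "Dropper hash",  # placeholder hash
    "[email-addr:value = 'bad@evil.example']": "Phishing sender",
}

# Constructed log lines in a key=value style; not from any real system
LOG_LINES = [
    "2025-01-02T08:00:01Z proxy src=10.0.0.5 dst=198.51.100.42 host=evil.example url=https://evil.example/mal",
    "2025-01-02T08:00:02Z proxy src=10.0.0.6 dst=198.51.100.4 host=update.example",
    "2025-01-02T08:00:03Z smtp from=bad@evil.example to=user@corp.example subject=Invoice",
    "2025-01-02T08:00:04Z edr host=WS01 sha256=" + "AB" * 32 + " action=quarantine",
]

if __name__ == "__main__":
    for hit in scan_logs(INDICATORS, LOG_LINES):
        print(f"line {hit['line']}: {hit['name']} via {hit['path']} = {hit['value']}")
```

The token boundaries are the part worth keeping: a plain substring search would make the `198.51.100.4` indicator fire on line 1 (`198.51.100.42`) and the domain indicator fire on line 3 inside the sender address, both of which are false positives a SOC would have to triage. Whether a bare domain indicator should also match subdomains is a policy choice; this matcher is exact, so extend the lookbehind if you want `sub.evil.example` to hit.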