creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-security-information-sharing-with-stix2/references/api-reference.md
T

78 lines
2.0 KiB
Markdown
Raw Blame History

# API Reference: Security Information Sharing with STIX 2.1
## stix2 Python Library
```bash
pip install stix2 taxii2-client
```
### Create Objects
```python
from stix2 import Indicator, Malware, Relationship, Bundle, Identity
identity = Identity(name="My SOC", identity_class="organization")
indicator = Indicator(
name="Malicious IP",
pattern="[ipv4-addr:value = '198.51.100.42']",
pattern_type="stix",
valid_from="2025-01-01T00:00:00Z",
created_by_ref=identity.id,
)
malware = Malware(name="EvilRAT", malware_types=["trojan"], is_family=True)
rel = Relationship(source_ref=indicator.id, target_ref=malware.id,
relationship_type="indicates")
bundle = Bundle(objects=[identity, indicator, malware, rel])
print(bundle.serialize(pretty=True))
```
### Validate and Parse
```python
import stix2
parsed = stix2.parse(json_string, allow_custom=True)
print(parsed.type, len(parsed.objects))
```
## STIX 2.1 Object Types
| Type | Description |
|------|------------|
| indicator | IOC with STIX pattern |
| malware | Malware family/sample |
| campaign | Named threat campaign |
| threat-actor | Threat group |
| attack-pattern | TTP (ATT&CK technique) |
| relationship | Link between objects |
| sighting | Observation of indicator |
| identity | Organization/individual |
## TAXII 2.1 Publishing
```python
from taxii2client.v21 import Collection
collection = Collection(
"https://taxii.server.com/taxii2/collections/abc-123/",
user="api_user", password="api_pass"
)
collection.add_objects(bundle.serialize())
```
## TLP Marking Definitions
| TLP | stix2 Constant |
|-----|---------------|
| TLP:CLEAR | stix2.TLP_WHITE |
| TLP:GREEN | stix2.TLP_GREEN |
| TLP:AMBER | stix2.TLP_AMBER |
| TLP:RED | stix2.TLP_RED |
## STIX Pattern Examples
| Type | Pattern |
|------|---------|
| IPv4 | `[ipv4-addr:value = '1.2.3.4']` |
| Domain | `[domain-name:value = 'evil.com']` |
| SHA-256 | `[file:hashes.'SHA-256' = 'abc...']` |
| URL | `[url:value = 'https://evil.com/mal']` |
| Email | `[email-addr:value = 'bad@evil.com']` |
Reference in New Issue View Git Blame Copy Permalink