Skip to content

Complex Entity

psengine.stix2.complex_entity

DetectionRuleEntity 

DetectionRuleEntity(
    name: str,
    type_: str,
    content: str,
    description: str = None,
    author: Identity = None,
)

Bases: BaseStixEntity

Represents a Yara or SNORT rule.

RAISES DESCRIPTION
STIX2TransformError

Description
PARAMETER DESCRIPTION
name

The name of the Detection Rule.

TYPE: str

type_

The detection rule type (YARA or Sigma).

TYPE: str

content

The hunting rule itself, typically YARA, Snort, or Sigma.

TYPE: str

description

A description of the Detection Rule.

TYPE: str DEFAULT: None

author

A Recorded Future author.

TYPE: Identity DEFAULT: None

Source code in psengine/stix2/complex_entity.py 
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
def __init__(
    self,
    name: Annotated[str, Doc('The name of the Detection Rule.')],
    type_: Annotated[str, Doc('The detection rule type (YARA or Sigma).')],
    content: Annotated[str, Doc('The hunting rule itself, typically YARA, Snort, or Sigma.')],
    description: Annotated[str, Doc('A description of the Detection Rule.')] = None,
    author: Annotated[stix2.Identity, Doc('A Recorded Future author.')] = None,
) -> None:
    """Detection Rule.

    Raises:
        STIX2TransformError: Description
    """
    self.name = name.split('.')[0]
    self.type = type_
    self.content = content
    self.description = description
    self.stix_obj = None

    if self.type not in SUPPORTED_HUNTING_RULES:
        msg = f'Detection rule of type {self.type} is not supported'
        raise STIX2TransformError(msg)
    super().__init__(name, author)

author instance-attribute 

author = author

content instance-attribute 

content = content

description instance-attribute 

description = description

name instance-attribute 

name = split('.')[0]

stix_obj instance-attribute 

stix_obj = None

type instance-attribute 

type = type_

__eq__ 

__eq__(other) -> bool

Verify if two STIX Objects are the same.

Source code in psengine/stix2/base_stix_entity.py 
49
50
51
def __eq__(self, other) -> bool:
    """Verify if two STIX Objects are the same."""
    return self._generate_id() == other._generate_id()

__hash__ 

__hash__() -> int

Hash for set function.

Source code in psengine/stix2/base_stix_entity.py 
53
54
55
def __hash__(self) -> int:
    """Hash for set function."""
    return hash(self._generate_id())

__str__ 

__str__() -> str

String representation of entity.

Source code in psengine/stix2/base_stix_entity.py 
38
39
40
def __str__(self) -> str:
    """String representation of entity."""
    return f'Base STIX Entity: {self.name}, Author Name: {self.author.name}'

create_stix_object 

create_stix_object() -> None

Creates STIX objects from object attributes.

Source code in psengine/stix2/complex_entity.py 
59
60
61
62
63
64
65
66
67
68
69
def create_stix_object(self) -> None:
    """Creates STIX objects from object attributes."""
    self.stix_obj = stix2.Indicator(
        id=self._generate_id(),
        name=self.name,
        description=self.description,
        pattern_type=self.type,
        pattern=self.content,
        valid_from=datetime.now(),
        created_by_ref=self.author.id,
    )

Grouping 

Grouping(
    name: str,
    description: str = None,
    is_malware: bool = False,
    is_suspicious: bool = False,
    object_refs: list = None,
    author: Identity = None,
)

Bases: BaseStixEntity

Explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context).

PARAMETER DESCRIPTION
name

The name of the event. Should be unique.

TYPE: str

description

A description, usually empty.

TYPE: str DEFAULT: None

is_malware

A flag to determine if malware-analysis context should be used.

TYPE: bool DEFAULT: False

is_suspicious

A flag to determine if suspicious-activity context should be used.

TYPE: bool DEFAULT: False

object_refs

A list of objects to group together.

TYPE: list DEFAULT: None

author

A Recorded Future Identity.

TYPE: Identity DEFAULT: None

Source code in psengine/stix2/complex_entity.py 
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
def __init__(
    self,
    name: Annotated[str, Doc('The name of the event. Should be unique.')],
    description: Annotated[str, Doc('A description, usually empty.')] = None,
    is_malware: Annotated[
        bool, Doc('A flag to determine if malware-analysis context should be used.')
    ] = False,
    is_suspicious: Annotated[
        bool, Doc('A flag to determine if suspicious-activity context should be used.')
    ] = False,
    object_refs: Annotated[list, Doc('A list of objects to group together.')] = None,
    author: Annotated[stix2.Identity, Doc('A Recorded Future Identity.')] = None,
):
    """Grouping of STIX2 objects. Usually as part of the same event."""
    self.name = name
    self.description = description
    if is_malware:
        self.context = 'malware-analysis'
    elif is_suspicious:
        self.context = 'suspicious-activity'
    else:
        self.context = 'unspecified'
    self.object_refs = object_refs or []
    self.stix_obj = None
    super().__init__(name, author)

author instance-attribute 

author = author

context instance-attribute 

context = 'malware-analysis'

description instance-attribute 

description = description

name instance-attribute 

name = name

object_refs instance-attribute 

object_refs = object_refs or []

stix_obj instance-attribute 

stix_obj = None

__eq__ 

__eq__(other) -> bool

Verify if two STIX Objects are the same.

Source code in psengine/stix2/base_stix_entity.py 
49
50
51
def __eq__(self, other) -> bool:
    """Verify if two STIX Objects are the same."""
    return self._generate_id() == other._generate_id()

__hash__ 

__hash__() -> int

Hash for set function.

Source code in psengine/stix2/base_stix_entity.py 
53
54
55
def __hash__(self) -> int:
    """Hash for set function."""
    return hash(self._generate_id())

__str__ 

__str__() -> str

String representation of entity.

Source code in psengine/stix2/base_stix_entity.py 
38
39
40
def __str__(self) -> str:
    """String representation of entity."""
    return f'Base STIX Entity: {self.name}, Author Name: {self.author.name}'

create_stix_object 

create_stix_object() -> None

Creates STIX objects from object attributes.

Source code in psengine/stix2/complex_entity.py 
108
109
110
111
112
113
114
115
116
117
def create_stix_object(self) -> None:
    """Creates STIX objects from object attributes."""
    self.stix_obj = stix2.Grouping(
        id=self._generate_id(),
        name=self.name,
        description=self.description,
        context=self.context,
        object_refs=self.object_refs,
        created_by_ref=self.author.id,
    )

IndicatorEntity 

IndicatorEntity(
    name: str,
    type_: str,
    description: str = None,
    author: Identity = None,
    create_indicator: bool = True,
    create_obs: bool = True,
    confidence: int = None,
    labels: list = None,
    tlp_marking: str = 'amber',
)

Bases: BaseStixEntity

Indicator SDO.

RAISES DESCRIPTION
STIX2TransformError

If indicator type is not supported.
PARAMETER DESCRIPTION
name

An indicator value.

TYPE: str

type_

A Recorded Future type of indicator. Options: 'IpAddress', 'InternetDomainName', 'URL', 'FileHash'.

TYPE: str

description

A description of the indicator, usually an AI Insight.

TYPE: str DEFAULT: None

author

A Recorded Future Identity.

TYPE: Identity DEFAULT: None

create_indicator

A flag that governs if the indicator should be created.

TYPE: bool DEFAULT: True

create_obs

A flag that governs if the observable should be created.

TYPE: bool DEFAULT: True

confidence

A confidence score of the indicator.

TYPE: int DEFAULT: None

labels

Labels applied to the indicator, often risk rules.

TYPE: list DEFAULT: None

tlp_marking

The TLP level. Defaults to amber.

TYPE: str DEFAULT: 'amber'

Source code in psengine/stix2/complex_entity.py 
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
def __init__(
    self,
    name: Annotated[str, Doc('An indicator value.')],
    type_: Annotated[
        str,
        Doc(
            """
            A Recorded Future type of indicator.
            Options: 'IpAddress', 'InternetDomainName', 'URL', 'FileHash'.
            """
        ),
    ],
    description: Annotated[
        str, Doc('A description of the indicator, usually an AI Insight.')
    ] = None,
    author: Annotated[stix2.Identity, Doc('A Recorded Future Identity.')] = None,
    create_indicator: Annotated[
        bool, Doc('A flag that governs if the indicator should be created.')
    ] = True,
    create_obs: Annotated[
        bool, Doc('A flag that governs if the observable should be created.')
    ] = True,
    confidence: Annotated[int, Doc('A confidence score of the indicator.')] = None,
    labels: Annotated[list, Doc('Labels applied to the indicator, often risk rules.')] = None,
    tlp_marking: Annotated[str, Doc('The TLP level. Defaults to amber.')] = 'amber',
):
    """Indicator container. Contains indicator, observable, and relationship between them.

    Raises:
        STIX2TransformError: If indicator type is not supported.
    """
    if not create_indicator and not create_obs:
        raise STIX2TransformError(
            'Inidcator must create at least one of "Observable" or "Indicator"',
        )

    type_ = CONVERTED_TYPES.get(type_, type_)

    if type_ not in INDICATOR_TYPES:
        raise STIX2TransformError(
            f'Indicator {name} of type {type_} not one of: {", ".join(INDICATOR_TYPES)}'
        )

    self.type = type_
    if not author:
        author = self._create_author()
    self.author = author
    self.name = name
    self.confidence = confidence
    self.description = description
    self.labels = labels
    self.tlp = tlp_marking
    self.indicator = None
    self.observable = None
    self.relationship = None
    self.stix_objects = []
    if create_indicator:
        self.indicator = self._generate_indicator()
        self.stix_objects.append(self.indicator)
    if create_obs:
        self.observable = self._generate_observable()
        self.stix_objects.append(self.observable)
    if self.indicator and self.observable:
        self.relationship = self._generate_relationship()
        self.stix_objects.append(self.relationship)

author instance-attribute 

author = author

confidence instance-attribute 

confidence = confidence

description instance-attribute 

description = description

indicator instance-attribute 

indicator = None

labels instance-attribute 

labels = labels

name instance-attribute 

name = name

observable instance-attribute 

observable = None

relationship instance-attribute 

relationship = None

stix_obj instance-attribute 

stix_obj = None

stix_objects instance-attribute 

stix_objects = []

tlp instance-attribute 

tlp = tlp_marking

type instance-attribute 

type = type_

__eq__ 

__eq__(other) -> bool

Verify if two STIX Objects are the same.

Source code in psengine/stix2/base_stix_entity.py 
49
50
51
def __eq__(self, other) -> bool:
    """Verify if two STIX Objects are the same."""
    return self._generate_id() == other._generate_id()

__hash__ 

__hash__() -> int

Hash for set function.

Source code in psengine/stix2/base_stix_entity.py 
53
54
55
def __hash__(self) -> int:
    """Hash for set function."""
    return hash(self._generate_id())

__str__ 

__str__() -> str

String representation of entity.

Source code in psengine/stix2/base_stix_entity.py 
38
39
40
def __str__(self) -> str:
    """String representation of entity."""
    return f'Base STIX Entity: {self.name}, Author Name: {self.author.name}'

create_stix_object 

create_stix_object() -> None

Creates STIX objects from object attributes.

Source code in psengine/stix2/base_stix_entity.py 
42
43
def create_stix_object(self) -> None:
    """Creates STIX objects from object attributes."""

NoteEntity 

NoteEntity(
    name: str,
    content: str,
    object_refs: list,
    author: Identity = None,
)

Bases: BaseStixEntity

Note SDO.

PARAMETER DESCRIPTION
name

The title of the note.

TYPE: str

content

The content or text of the note.

TYPE: str

object_refs

A list of SDO IDs the note should be attached to.

TYPE: list

author

A Recorded Future Identity.

TYPE: Identity DEFAULT: None

Source code in psengine/stix2/complex_entity.py 
164
165
166
167
168
169
170
171
172
173
174
175
def __init__(
    self,
    name: Annotated[str, Doc('The title of the note.')],
    content: Annotated[str, Doc('The content or text of the note.')],
    object_refs: Annotated[list, Doc('A list of SDO IDs the note should be attached to.')],
    author: Annotated[stix2.Identity, Doc('A Recorded Future Identity.')] = None,
) -> None:
    """Note Entity."""
    self.content = content
    self.object_refs = object_refs
    self.stix_obj = None
    super().__init__(name, author)

author instance-attribute 

author = author

content instance-attribute 

content = content

name instance-attribute 

name = name

object_refs instance-attribute 

object_refs = object_refs

stix_obj instance-attribute 

stix_obj = None

__eq__ 

__eq__(other) -> bool

Verify if two STIX Objects are the same.

Source code in psengine/stix2/base_stix_entity.py 
49
50
51
def __eq__(self, other) -> bool:
    """Verify if two STIX Objects are the same."""
    return self._generate_id() == other._generate_id()

__hash__ 

__hash__() -> int

Hash for set function.

Source code in psengine/stix2/base_stix_entity.py 
53
54
55
def __hash__(self) -> int:
    """Hash for set function."""
    return hash(self._generate_id())

__str__ 

__str__() -> str

String representation of entity.

Source code in psengine/stix2/base_stix_entity.py 
38
39
40
def __str__(self) -> str:
    """String representation of entity."""
    return f'Base STIX Entity: {self.name}, Author Name: {self.author.name}'

create_stix_object 

create_stix_object() -> None

Creates the Note object.

Source code in psengine/stix2/complex_entity.py 
177
178
179
180
181
182
183
184
185
def create_stix_object(self) -> None:
    """Creates the Note object."""
    self.stix_obj = stix2.Note(
        id=self._generate_id(),
        abstract=self.name,
        content=self.content,
        object_refs=self.object_refs,
        created_by_ref=self.author.id,
    )

Relationship 

Relationship(
    source: str,
    target: str,
    type_: str,
    author: Identity = None,
)

Bases: BaseStixEntity

Represents Relationship SDO.

PARAMETER DESCRIPTION
source

The source of the relationship.

TYPE: str

target

The target of the relationship.

TYPE: str

type_

How the source relates to the target.

TYPE: str

author

A Recorded Future Identity.

TYPE: Identity DEFAULT: None

Source code in psengine/stix2/complex_entity.py 
128
129
130
131
132
133
134
135
136
137
138
139
140
def __init__(
    self,
    source: Annotated[str, Doc('The source of the relationship.')],
    target: Annotated[str, Doc('The target of the relationship.')],
    type_: Annotated[str, Doc('How the source relates to the target.')],
    author: Annotated[stix2.Identity, Doc('A Recorded Future Identity.')] = None,
) -> None:
    """Relationship."""
    self.source = source
    self.target = target
    self.type_ = type_
    self.stix_obj = None
    super().__init__(None, author)

author instance-attribute 

author = author

name instance-attribute 

name = name

source instance-attribute 

source = source

stix_obj instance-attribute 

stix_obj = None

target instance-attribute 

target = target

type_ instance-attribute 

type_ = type_

__eq__ 

__eq__(other) -> bool

Verify if two STIX Objects are the same.

Source code in psengine/stix2/base_stix_entity.py 
49
50
51
def __eq__(self, other) -> bool:
    """Verify if two STIX Objects are the same."""
    return self._generate_id() == other._generate_id()

__hash__ 

__hash__() -> int

Hash for set function.

Source code in psengine/stix2/base_stix_entity.py 
53
54
55
def __hash__(self) -> int:
    """Hash for set function."""
    return hash(self._generate_id())

__str__ 

__str__() -> str

String representation of entity.

Source code in psengine/stix2/base_stix_entity.py 
38
39
40
def __str__(self) -> str:
    """String representation of entity."""
    return f'Base STIX Entity: {self.name}, Author Name: {self.author.name}'

create_stix_object 

create_stix_object() -> None

Creates the Relationship object.

Source code in psengine/stix2/complex_entity.py 
142
143
144
145
146
147
148
149
150
def create_stix_object(self) -> None:
    """Creates the Relationship object."""
    self.stix_obj = stix2.Relationship(
        id=self._generate_id(),
        relationship_type=self.type_,
        source_ref=self.source,
        target_ref=self.target,
        created_by_ref=self.author.id,
    )