def make_constant(obj):
    """Wrap a plain Python value (or a stixmarx Markable wrapper) in the matching stix2 pattern constant.

    Dispatch order matters: ``bool`` is tested before ``int`` because ``bool`` is an
    ``int`` subclass.  Strings have surrounding whitespace stripped before wrapping,
    lists are converted element-wise (recursively), and datetimes are rendered as an
    ISO-8601 string with a literal ``Z`` suffix.

    NOTE(review): the ``Z`` suffix is appended unconditionally, so a timezone-aware
    datetime that is not in UTC would be rendered with its local wall-clock time but
    labelled as UTC -- confirm callers only pass naive/UTC values.

    Raises:
        ValueError: when ``obj`` is of a type with no stix2 constant mapping.
    """
    # TODO: handle other Markable objects?
    if isinstance(obj, bool):
        return stix2.BooleanConstant(obj)
    if isinstance(obj, (int, long)):
        return stix2.IntegerConstant(obj)
    if isinstance(obj, float):
        return stix2.FloatConstant(obj)
    markable = stixmarx.api.types
    if isinstance(obj, (string_types, markable.MarkableText)):
        return stix2.StringConstant(obj.strip())
    if isinstance(obj, list):
        converted = [make_constant(item) for item in obj]
        return stix2.ListConstant(converted)
    if isinstance(obj, (datetime.datetime, markable.MarkableDateTime)):
        return stix2.TimestampConstant(obj.strftime("%Y-%m-%dT%H:%M:%S.%fZ"))
    raise ValueError("Can't make a constant from %s" % obj)
object_path = prop_spec[1]
if hasattr(process, prop_1x) and getattr(process, prop_1x):
term = add_comparison_expression(getattr(process, prop_1x), object_path)
if term:
expressions.append(term)
if process.image_info:
process_info = convert_image_info_to_pattern(process.image_info)
if process_info:
expressions.append(process_info)
if hasattr(process, "argument_list") and process.argument_list:
argument_expressions = []
if get_option_value("spec_version") == "2.0":
for a in process.argument_list:
argument_expressions.append(create_term("process:arguments[*]",
a.condition,
stix2.StringConstant(a.value)))
if argument_expressions:
expressions.append(create_boolean_expression("AND", argument_expressions))
else:
warn("The argument_list property of ProcessObj is not part of STIX 2.1", 418)
if get_option_value("missing_policy") == "use-custom-properties":
for a in process.argument_list:
argument_expressions.append(create_term("process:" + convert_to_custom_name("argument_list[*]"),
a.condition,
stix2.StringConstant(a.value)))
warn("Used custom property for %s", 308, "argument_list")
if argument_expressions:
expressions.append(create_boolean_expression("AND", argument_expressions))
else:
if not get_option_value("missing_policy") == "ignore":
expressions.append(UnconvertedTerm("ProcessObj.argument_list", "process"))
if hasattr(process, "environment_variable_list") and process.environment_variable_list:
if hasattr(account, "disabled") and account.disabled:
expressions.append(create_term("user-account:is_disabled",
"Equals",
stix2.BooleanConstant(account.disabled)))
for prop_spec in _ACCOUNT_PROPERTIES:
prop_1x = prop_spec[0]
object_path = prop_spec[1]
if hasattr(account, prop_1x) and getattr(account, prop_1x):
term = add_comparison_expression(getattr(account, prop_1x), object_path)
if term:
expressions.append(term)
if account.authentication and get_option_value("spec_version") == "2.1":
if account.authentication.authentication_data:
expressions.append(create_term("user-account:credential",
"Equals",
stix2.StringConstant(account.authentication.authentication_data)))
if isinstance(account, UnixUserAccount):
win_process_expression = convert_unix_user_to_pattern(account)
if win_process_expression:
expressions.append(win_process_expression)
else:
warn("No UnixUserAccount properties found in %s", 615, text_type(account))
elif isinstance(account, WinComputerAccount):
expressions.append(create_term("user-account:account_type",
"Equals",
stix2.StringConstant("windows-domain" if account.domain else "windows-local")))
if expressions:
return create_boolean_expression("AND", expressions)
if get_option_value("missing_policy") == "use-custom-properties":
expressions.append(
create_term("network-traffic:extensions.'socket-ext'." +
convert_to_custom_name("local_address"),
socket.local_address.ip_address.condition,
stix2.StringConstant(socket.local_address.ip_address.address_value.value)))
warn("Used custom property for %s", 308, "local_address")
else:
warn("Network_Socket.local_address content not supported in STIX 2.x", 424)
if socket.remote_address:
if get_option_value("missing_policy") == "use-custom-properties":
expressions.append(
create_term("network-traffic:extensions.'socket-ext'." +
convert_to_custom_name("remote_address"),
socket.remote_address.ip_address.condition,
stix2.StringConstant(socket.remote_address.ip_address.address_value.value)))
warn("Used custom property for %s", 308, "remote_address")
else:
warn("Network_Socket.remote_address content not supported in STIX 2.x", 424)
if socket.protocol:
expressions.append(add_comparison_expression(socket.protocol,
"network-traffic:protocols[*]"))
return create_boolean_expression("AND", expressions)
expressions.append(term)
if account.authentication and get_option_value("spec_version") == "2.1":
if account.authentication.authentication_data:
expressions.append(create_term("user-account:credential",
"Equals",
stix2.StringConstant(account.authentication.authentication_data)))
if isinstance(account, UnixUserAccount):
win_process_expression = convert_unix_user_to_pattern(account)
if win_process_expression:
expressions.append(win_process_expression)
else:
warn("No UnixUserAccount properties found in %s", 615, text_type(account))
elif isinstance(account, WinComputerAccount):
expressions.append(create_term("user-account:account_type",
"Equals",
stix2.StringConstant("windows-domain" if account.domain else "windows-local")))
if expressions:
return create_boolean_expression("AND", expressions)
section_expressions.append(convert_hashes_to_pattern(s.header_hashes))
if section_expressions:
sections_expressions.append(create_boolean_expression("AND", section_expressions))
if sections_expressions:
expressions.append(create_boolean_expression("AND", sections_expressions))
if f.exports:
warn("The exports property of WinExecutableFileObj is not part of STIX 2.x", 418)
if get_option_value("missing_policy") == "use-custom-properties":
export_expressions = list()
if hasattr(f.exports, "exported_functions"):
for export_func in f.exports.exported_functions:
export_expressions.append(
create_term(
"file:extensions.'windows-pebinary-ext'." + convert_to_custom_name("exports[*]"),
export_func.function_name.condition,
stix2.StringConstant(export_func.function_name.value)))
warn("Used custom property for %s", 308, "exports")
if export_expressions:
expressions.append(create_boolean_expression("AND", export_expressions))
else:
if not get_option_value("missing_policy") == "ignore":
expressions.append(UnconvertedTerm("WinExecutableFileObj.exports", "file"))
if f.imports:
warn("The imports property of WinExecutableFileObj is not part of STIX 2.x", 418)
if get_option_value("missing_policy") == "use-custom-properties":
import_expressions = list()
for i in f.imports:
if hasattr(i, "imported_functions"):
file_name = i.file_name + ":" if hasattr(i, "file_name") and i.file_name else ""
for imported_func in i.imported_functions:
import_expressions.append(
create_term("file:extensions.'windows-pebinary-ext'." + convert_to_custom_name("imports[*]"),
def convert_unix_user_to_pattern(account):
    """Build the STIX 2.x pattern expression for a UnixUserAccount.

    Always emits a ``user-account:account_type`` term for ``'unix'``; adds a
    ``user-account:user_id`` term when the account carries a truthy ``user_id``;
    then adds one comparison term per entry of ``_UNIX_ACCOUNT_PROPERTIES`` that
    the account sets (entries yield ``(cybox 1.x property name, STIX 2.x object
    path)``).  Because the account_type term is unconditional the term list is
    never empty, so an ``AND`` boolean expression is always returned.

    Args:
        account: the CybOX 1.x UnixUserAccount being converted.

    Returns:
        The boolean expression produced by ``create_boolean_expression``.
    """
    terms = [create_term("user-account:account_type",
                         "Equals",
                         stix2.StringConstant("unix"))]
    user_id = getattr(account, "user_id", None)
    if user_id:
        # user_id values are stringified so the constant type matches the STIX 2.x schema
        terms.append(create_term("user-account:user_id",
                                 user_id.condition,
                                 stix2.StringConstant(text_type(user_id.value))))
    for prop_spec in _UNIX_ACCOUNT_PROPERTIES:
        prop_1x, object_path = prop_spec[0], prop_spec[1]
        value_1x = getattr(account, prop_1x, None)
        if not value_1x:
            continue
        term = add_comparison_expression(value_1x, object_path)
        if term:
            terms.append(term)
    if terms:
        return create_boolean_expression("AND", terms)