NAME

STIX - Structured Threat Information Expression (STIX)

SYNOPSIS

# Object-Oriented interface

use STIX::Indicator;
use STIX::Common::Timestamp;
use STIX::Common::Bundle;

my $bundle = STIX::Common::Bundle->new;

push @{ $bundle->objects }, STIX::Indicator->new(
    pattern_type    => 'stix',
    created         => STIX::Common::Timestamp->new('2014-05-08T09:00:00'),
    name            => 'IP Address for known C2 channel',
    description     => 'Test description C2 channel.',
    indicator_types => ['malicious-activity'],
    pattern         => "[ipv4-addr:value = '10.0.0.0']",
    valid_from      => STIX::Common::Timestamp->new('2014-05-08T09:00:00'),
);

# Functional interface

use STIX qw(:all);

my $bundle = bundle(
    objects => [
      indicator(
        pattern_type    => 'stix',
        created         => '2014-05-08T09:00:00',
        name            => 'IP Address for known C2 channel',
        description     => 'Test description C2 channel.',
        indicator_types => ['malicious-activity'],
        pattern         => "[ipv4-addr:value = '10.0.0.0']",
        valid_from      => '2014-05-08T09:00:00',
      )
    ]
);

DESCRIPTION

Structured Threat Information Expression (STIX) is a language and JSON serialization format for exchanging cyber threat intelligence: domain objects (the who, what and why), cyber-observable objects (the facts seen on a host or network) and the relationships between them. The object set implemented here follows the STIX 2.1 specification:

https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html

Tags

:all

Import every helper listed below (domain, cyber-observable and relationship objects, common objects and the TLP markings)

:common

Import all common objects

:sco

Import all STIX Cyber-observable Objects

:sdo

Import all STIX Domain Objects

:sro

Import all STIX Relationship Objects

:tlp

Import the TLP (Traffic Light Protocol) statement-marking helpers (tlp_white, tlp_green, tlp_amber and tlp_red)

STIX Domain Objects

STIX defines a set of STIX Domain Objects (SDOs): Attack Pattern, Campaign, Course of Action, Grouping, Identity, Incident, Indicator, Infrastructure, Intrusion Set, Location, Malware, Malware Analysis, Note, Observed Data, Opinion, Report, Threat Actor, Tool, and Vulnerability. Each of these objects corresponds to a concept commonly used in CTI.

attack_pattern

Return STIX::AttackPattern object.

campaign

Return STIX::Campaign object.

course_of_action

Return STIX::CourseOfAction object.

grouping

Return STIX::Grouping object.

identity

Return STIX::Identity object.

incident

Return STIX::Incident object.

indicator

Return STIX::Indicator object.

infrastructure

Return STIX::Infrastructure object.

intrusion_set

Return STIX::IntrusionSet object.

location

Return STIX::Location object.

malware

Return STIX::Malware object.

malware_analysis

Return STIX::MalwareAnalysis object.

note

Return STIX::Note object.

observed_data

Return STIX::ObservedData object.

opinion

Return STIX::Opinion object.

report

Return STIX::Report object.

threat_actor

Return STIX::ThreatActor object.

tool

Return STIX::Tool object.

vulnerability

Return STIX::Vulnerability object.

STIX Cyber-observable Objects

STIX defines a set of STIX Cyber-observable Objects (SCOs) for characterizing host-based and network-based information. SCOs are used by various STIX Domain Objects (SDOs) to provide supporting context. The Observed Data SDO, for example, indicates that the raw data was observed at a particular time.

STIX Cyber-observable Objects (SCOs) document the facts concerning what happened on a network or host, and do not capture the who, when, or why. By associating SCOs with STIX Domain Objects (SDOs), it is possible to convey a higher-level understanding of the threat landscape, and to provide insight into who is involved and why a particular piece of intelligence may be relevant to an organization. For example, information about a file that existed, a process that was observed running, or network traffic that occurred between two IPs can all be captured as SCOs.
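As an added example (not code from the STIX distribution or its author), the following script models one observation, a process spawned from a dropped file that opened a TLS connection, as SCOs, and then supplies the when by wrapping them in an Observed Data SDO. It uses only the helpers listed on this page; everything else is an assumption, stated here and in the comments: that constructor arguments take the STIX 2.1 property names exactly as the SYNOPSIS does (src_ref, object_refs, hashes and so on), that every object exposes an id accessor, and that the bundle serialises through a to_json method (check STIX::Object for the real name). Addresses, hashes and timestamps are constructed sample values.

```perl
#!/usr/bin/env perl
# Added example, not part of the STIX distribution. Assumptions are marked.
use strict;
use warnings;
use STIX qw(:all);

# Facts (SCOs): no who, when or why, only what existed or happened.
my $src = ipv4_addr(value => '192.0.2.10');     # TEST-NET-1, constructed
my $dst = ipv4_addr(value => '198.51.100.7');   # TEST-NET-2, constructed

# network-traffic references its endpoints by id (assumption: id accessor).
my $conn = network_traffic(
    src_ref   => $src->id,
    dst_ref   => $dst->id,
    dst_port  => 443,
    protocols => [ 'ipv4', 'tcp' ],
);

# The dropped binary; the digest is a placeholder, not a real sample.
my $dropper = file(
    name   => 'update.exe',
    size   => 24576,
    hashes => { 'SHA-256' => '0' x 64 },   # constructed placeholder
);

# The process that ran from it and owns the connection above.
my $proc = process(
    pid                    => 4242,
    command_line           => 'C:\\Users\\Public\\update.exe --silent',
    image_ref              => $dropper->id,
    opened_connection_refs => [ $conn->id ],
);

# Context (SDO): when it was seen and how many times. STIX 2.1 timestamps
# are UTC with a trailing Z; object_refs lists the SCOs being reported.
my $obs = observed_data(
    first_observed  => '2024-05-08T09:00:00Z',
    last_observed   => '2024-05-08T09:05:00Z',
    number_observed => 1,
    object_refs     => [ map { $_->id } ( $src, $dst, $conn, $dropper, $proc ) ],
);

# Every referenced SCO travels in the same bundle as the SDO that cites it.
my $bundle = bundle( objects => [ $src, $dst, $conn, $dropper, $proc, $obs ] );

print $bundle->to_json;   # assumption: serialiser name, see STIX::Object
```

Two things to verify against the module before relying on this in production: STIX 2.1 SCO identifiers are deterministic (UUIDv5 over each object's ID-contributing properties, e.g. the value of an ipv4-addr or the hashes of a file), so two producers describing the same artefact should emit the same id and a consumer can de-duplicate on it; confirm that the Observable classes compute ids that way rather than minting random UUIDv4s. Also confirm how the Timestamp class handles a string without the trailing Z, since a consumer validating against the 2.1 schema will reject a non-UTC timestamp.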

artifact

Return STIX::Observable::Artifact object.

autonomous_system

Return STIX::Observable::AutonomousSystem object.

directory

Return STIX::Observable::Directory object.

domain_name

Return STIX::Observable::DomainName object.

email_addr

Return STIX::Observable::EmailAddr object.

email_message

Return STIX::Observable::EmailMessage object.

file

Return STIX::Observable::File object.

ipv4_addr

Return STIX::Observable::IPv4Addr object.

ipv6_addr

Return STIX::Observable::IPv6Addr object.

mac_addr

Return STIX::Observable::MACAddr object.

mutex

Return STIX::Observable::Mutex object.

network_traffic

Return STIX::Observable::NetworkTraffic object.

process

Return STIX::Observable::Process object.

software

Return STIX::Observable::Software object.

url

Return STIX::Observable::URL object.

user_account

Return STIX::Observable::UserAccount object.

windows_registry_key

Return STIX::Observable::WindowsRegistryKey object.

x509_certificate

Return STIX::Observable::X509Certificate object.

Types

alternate_data_stream_type

Return STIX::Observable::Type::AlternateDataStream object.

email_mime_part_type

Return STIX::Observable::Type::EmailMIMEPart object.

windows_registry_value_type

Return STIX::Observable::Type::WindowsRegistryValue object.

x509_v3_extensions_type

Return STIX::Observable::Type::X509V3Extensions object.

Extensions

archive_ext

Return STIX::Observable::Extension::Archive object.

http_request_ext

Return STIX::Observable::Extension::HTTPRequest object.

icmp_ext

Return STIX::Observable::Extension::ICMP object.

ntfs_ext

Return STIX::Observable::Extension::NTFS object.

pdf_ext

Return STIX::Observable::Extension::PDF object.

raster_image_ext

Return STIX::Observable::Extension::RasterImage object.

socket_ext

Return STIX::Observable::Extension::Socket object.

tcp_ext

Return STIX::Observable::Extension::TCP object.

unix_account_ext

Return STIX::Observable::Extension::UnixAccount object.

windows_process_ext

Return STIX::Observable::Extension::WindowsProcess object.

windows_service_ext

Return STIX::Observable::Extension::WindowsService object.

STIX Relationship Objects

A relationship is a link between STIX Domain Objects (SDOs), STIX Cyber-observable Objects (SCOs), or between an SDO and an SCO that describes the way in which the objects are related. Relationships can be represented using an external STIX Relationship Object (SRO) or, in some cases, through certain properties which store an identifier reference that comprises an embedded relationship.

relationship

Return STIX::Relationship object.

sighting

Return STIX::Sighting object.

Common Objects

STIX Domain Objects (SDOs) and Relationship Objects (SROs) all share a common set of properties which provide core capabilities such as versioning and data markings (representing how data can be shared and used). All STIX Cyber-observable Objects (SCOs) likewise share a common set of properties that are applicable for all SCOs. Similarly, STIX Meta Objects (SMOs) use some but not all of the common properties.

bundle

Return STIX::Common::Bundle object.

extension_definition

Return STIX::Common::ExtensionDefinition object.

external_reference

Return STIX::Common::ExternalReference object.

granular_marking

Return STIX::Common::GranularMarking object.

kill_chain_phase

Return STIX::Common::KillChainPhase object.

marking_definition

Return STIX::Common::MarkingDefinition object.

TLP

tlp_white

Return STIX::Marking::TLP::White object.

tlp_green

Return STIX::Marking::TLP::Green object.

tlp_amber

Return STIX::Marking::TLP::Amber object.

tlp_red

Return STIX::Marking::TLP::Red object.
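As an added example (not the project's own code), the script below ties the domain, relationship and marking helpers together: an Identity for the producer, a Malware SDO, an Indicator whose pattern matches the C2 address, an "indicates" Relationship from the indicator to the malware, a Sighting reported by the producer, and a TLP:AMBER marking applied through object_marking_refs. The tlp_* helpers matter here because STIX 2.1 fixes the four TLP marking-definition identifiers in the specification; a hand-built marking_definition with a fresh UUID would carry the same statement but would not be recognised as TLP by other consumers. The script assumes, and labels in comments, that constructors accept the STIX 2.1 property names as the SYNOPSIS does, that every object exposes an id accessor, that is_family accepts a plain Perl true value, and that the bundle serialises with to_json (check STIX::Object for the real name). All names, addresses and timestamps are constructed.

```perl
#!/usr/bin/env perl
# Added example, not from the STIX distribution. Assumptions are marked.
use strict;
use warnings;
use STIX qw(:all);

# STIX 2.1 fixes the TLP marking-definition IDs; use the helper rather than
# building a marking_definition by hand so consumers recognise the marking.
my $tlp = tlp_amber();

# Who produced this intelligence (created_by_ref on each object points here).
my $soc = identity(
    name           => 'Example SOC',   # constructed
    identity_class => 'organization',
);

my $rat = malware(
    name                => 'ExampleRAT',   # constructed
    is_family           => 1,   # assumption: plain Perl true is accepted
    malware_types       => ['remote-access-trojan'],
    created_by_ref      => $soc->id,   # assumption: id accessor
    object_marking_refs => [ $tlp->id ],
);

my $ioc = indicator(
    name                => 'ExampleRAT C2 address',
    pattern_type        => 'stix',
    pattern             => "[ipv4-addr:value = '198.51.100.7']",   # TEST-NET-2
    indicator_types     => ['malicious-activity'],
    valid_from          => '2024-05-08T09:00:00Z',   # STIX 2.1: UTC, trailing Z
    valid_until         => '2024-11-08T09:00:00Z',   # bound the indicator's life
    created_by_ref      => $soc->id,
    object_marking_refs => [ $tlp->id ],
);

# Explicit SRO: the indicator *indicates* the malware.
my $link = relationship(
    relationship_type   => 'indicates',
    source_ref          => $ioc->id,
    target_ref          => $rat->id,
    created_by_ref      => $soc->id,
    object_marking_refs => [ $tlp->id ],
);

# A sighting: the SOC matched the indicator three times in its own estate.
my $seen = sighting(
    sighting_of_ref     => $ioc->id,
    where_sighted_refs  => [ $soc->id ],
    count               => 3,
    first_seen          => '2024-05-08T09:12:00Z',
    last_seen           => '2024-05-09T17:40:00Z',
    created_by_ref      => $soc->id,
    object_marking_refs => [ $tlp->id ],
);

# Ship the marking definition alongside the objects that reference it, so a
# consumer can resolve every object_marking_refs entry within the bundle.
my $bundle = bundle( objects => [ $tlp, $soc, $rat, $ioc, $link, $seen ] );

print $bundle->to_json;   # assumption: serialiser name, see STIX::Object
```

When sharing the result, remember that the marking governs redistribution of the whole object, not of individual fields; if only part of an object (say the pattern) is AMBER while the rest may be shared more widely, use granular_marking on the specific properties instead of object_marking_refs.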

SUPPORT

Bugs / Feature Requests

Please report any bugs or feature requests through the issue tracker at https://github.com/giterlizzi/perl-STIX/issues. You will be notified automatically of any progress on your issue.

Source Code

This is open source software. The code repository is available for public review and contribution under the terms of the license.

https://github.com/giterlizzi/perl-STIX

git clone https://github.com/giterlizzi/perl-STIX.git

AUTHOR

  • Giuseppe Di Terlizzi <gdt@cpan.org>

LICENSE AND COPYRIGHT

This software is copyright (c) 2024 by Giuseppe Di Terlizzi.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.