STIX2

Warning

This converter provides limited STIX2 support with the following constraints:

Unsupported features:

  • STIX2 patterns are not parsed

  • Only a subset of STIX2 object types is supported

Supported STIX2 object types:

  • file

  • identity

  • indicator

  • infrastructure

  • malware

  • threat-actor

We welcome contributions to expand STIX2 support! Don’t hesitate to submit pull requests on GitHub ❤️

Actors

Attributes conversion

Conversion from STIX2 to Colander:

  • created: created_at

  • modified: updated_at

  • name: name

  • description: description

  • identity_class: attributes.identity_class

Conversion from Colander to STIX2:

  • name: name

  • description: description

  • attributes.identity_class: identity_class

Types conversion

  • colander NGO mapped to stix2 identity

  • colander COMPANY mapped to stix2 identity

  • colander APT mapped to stix2 threat-actor

  • colander THREAT_ACTOR mapped to stix2 threat-actor

  • colander INDIVIDUAL mapped to stix2 identity

  • colander PUB_INST mapped to stix2 identity

  • colander GENERIC mapped to stix2 identity

  • colander HACKTIVIST mapped to stix2 identity

  • colander CYBER_CRIMINAL mapped to stix2 threat-actor

  • colander INSIDER mapped to stix2 threat-actor

  • colander NATION_STATE mapped to stix2 identity

Artifacts

Attributes conversion

Conversion from STIX2 to Colander:

  • created: created_at

  • modified: updated_at

  • name: name

  • description: description

  • hashes.MD5: md5

  • hashes.SHA-1: sha1

  • hashes.SHA-256: sha256

  • mime_type: mime_type

  • size: size_in_bytes

Conversion from Colander to STIX2:

  • name: name

  • description: description

  • md5: hashes.MD5

  • sha1: hashes.SHA-1

  • sha256: hashes.SHA-256

  • mime_type: mime_type

  • size_in_bytes: size
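The Artifacts mappings above use dotted paths for nested STIX2 properties such as hashes.SHA-256. The following is an added example, not the converter's own code: a small dotted-path mapper applied in both directions to a constructed STIX2 file object (the helper names and the sample object are assumptions made for illustration). It also shows that created and modified are not written back, because the Colander to STIX2 list does not include them.

```python
# Attribute mappings copied from the Artifacts lists above.
STIX2_TO_COLANDER = {
    "created": "created_at", "modified": "updated_at",
    "name": "name", "description": "description",
    "hashes.MD5": "md5", "hashes.SHA-1": "sha1", "hashes.SHA-256": "sha256",
    "mime_type": "mime_type", "size": "size_in_bytes",
}
COLANDER_TO_STIX2 = {
    "name": "name", "description": "description",
    "md5": "hashes.MD5", "sha1": "hashes.SHA-1", "sha256": "hashes.SHA-256",
    "mime_type": "mime_type", "size_in_bytes": "size",
}

def get_path(obj, path):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def set_path(obj, path, value):
    """Create intermediate dicts as needed and set the leaf value."""
    *parents, leaf = path.split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[leaf] = value

def convert(source, mapping):
    """Copy every mapped attribute present in source (0 and '' are kept)."""
    target = {}
    for src, dst in mapping.items():
        value = get_path(source, src)
        if value is not None:
            set_path(target, dst, value)
    return target

# Constructed sample: an empty file, so the hashes are those of zero bytes.
SAMPLE_STIX2_FILE = {
    "type": "file", "name": "empty.bin", "size": 0,
    "created": "2024-01-01T00:00:00Z", "modified": "2024-01-02T00:00:00Z",
    "hashes": {
        "MD5": "d41d8cd98f00b204e9800998ecf8427e",
        "SHA-256": "e3b0c44298fc1c149afbf4c8996fb924"
                   "27ae41e4649b934ca495991b7852b855",
    },
}

if __name__ == "__main__":
    colander = convert(SAMPLE_STIX2_FILE, STIX2_TO_COLANDER)
    print(colander)
    print(convert(colander, COLANDER_TO_STIX2))
```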

Types conversion

  • colander ARCHIVE mapped to stix2 file

  • colander EMAIL mapped to stix2 file

  • colander BACKUP mapped to stix2 file

  • colander ANDROID_BACKUP mapped to stix2 file

  • colander IOS_BACKUP mapped to stix2 file

  • colander SAMPLE mapped to stix2 file

  • colander ANDROID_SAMPLE mapped to stix2 file

  • colander IOS_SAMPLE mapped to stix2 file

  • colander F_DUMP mapped to stix2 file

  • colander PCAP mapped to stix2 file

  • colander HAR mapped to stix2 file

  • colander SOCKET_T mapped to stix2 file

  • colander CRYPTO_T mapped to stix2 file

  • colander SSLKEYLOG mapped to stix2 file

  • colander DOCUMENT mapped to stix2 file

  • colander IMAGE mapped to stix2 file

  • colander VIDEO mapped to stix2 file

  • colander AUDIO mapped to stix2 file

  • colander WEBPAGE mapped to stix2 file

  • colander SOCIAL_POST mapped to stix2 file

  • colander REPORT mapped to stix2 file

  • colander JSON mapped to stix2 file

  • colander TEXT mapped to stix2 file

  • colander BINARY mapped to stix2 file

  • colander GENERIC mapped to stix2 file

Devices

Attributes conversion

Conversion from STIX2 to Colander:

  • created: created_at

  • modified: updated_at

  • name: name

  • description: description

  • infrastructure_types: attributes.infrastructure_types

Conversion from Colander to STIX2:

  • name: name

  • description: description

  • attributes.infrastructure_types: infrastructure_types

Types conversion

  • colander SERVER mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['server']

  • colander LAPTOP mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['workstation', 'laptop']

  • colander DESKTOP mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['workstation', 'desktop']

  • colander MOBILE mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['workstation', 'mobile']

  • colander IOT mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['unknown', 'iot']

  • colander ROUTER mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['routers-switches', 'router']

  • colander GENERIC mapped to stix2 infrastructure

    • STIX2 infrastructure types attribute: ['unknown', 'generic']

Observables

Attributes conversion

Conversion from STIX2 to Colander:

  • created: created_at

  • modified: updated_at

  • name: name

  • description: description

  • pattern: attributes.pattern

Conversion from Colander to STIX2:

  • name: name

  • description: description

Types conversion

  • colander IPV4 mapped to stix2 indicator

    • STIX2 pattern: [ipv4-addr:value = '{value}']

  • colander IPV6 mapped to stix2 indicator

    • STIX2 pattern: [ipv6-addr:value = '{value}']

  • colander MAC mapped to stix2 indicator

    • STIX2 pattern: [mac-addr:value = '{value}']

  • colander DOMAIN mapped to stix2 indicator

    • STIX2 pattern: [domain-name:value = '{value}']

  • colander EMAIL mapped to stix2 indicator

    • STIX2 pattern: [email-addr:value = '{value}']

  • colander SOCIAL_ACCOUNT mapped to stix2 indicator

    • STIX2 pattern: [user-account:user_id = '{value}']

  • colander URL mapped to stix2 indicator

    • STIX2 pattern: [url:value = '{value}']

  • colander MD5 mapped to stix2 indicator

    • STIX2 pattern: [file:hashes.'MD5' = '{value}']

  • colander SHA1 mapped to stix2 indicator

    • STIX2 pattern: [file:hashes.'SHA-1' = '{value}']

  • colander SHA256 mapped to stix2 indicator

    • STIX2 pattern: [file:hashes.'SHA-256' = '{value}']

  • colander PEHASH mapped to stix2 indicator

    • STIX2 pattern: [file:hashes.PEHASH = '{value}']

  • colander PATH mapped to stix2 indicator

    • STIX2 pattern: [directory:path = '{value}']

  • colander MUTEX mapped to stix2 indicator

    • STIX2 pattern: [mutex:name = '{value}']

  • colander ASN mapped to stix2 indicator

    • STIX2 pattern: [autonomous-system:number = {value}]

  • colander PROCESS mapped to stix2 indicator

    • STIX2 pattern: [process:name = '{value}']

Threats

Attributes conversion

Conversion from STIX2 to Colander:

  • name: name

  • created: created_at

  • modified: updated_at

  • description: description

Conversion from Colander to STIX2:

  • name: name

  • description: description

Types conversion

  • colander ADWARE mapped to stix2 malware

    • STIX2 malware types attribute: ['adware']

  • colander BACKDOOR mapped to stix2 malware

    • STIX2 malware types attribute: ['backdoor']

  • colander BOTNET mapped to stix2 malware

    • STIX2 malware types attribute: ['bot']

  • colander BROWSER_HIJACKER mapped to stix2 malware

    • STIX2 malware types attribute: ['unknown']

  • colander CRYPTOJACKING mapped to stix2 malware

    • STIX2 malware types attribute: ['unknown']

  • colander DROPPER mapped to stix2 malware

    • STIX2 malware types attribute: ['dropper']

  • colander EXPLOIT_KIT mapped to stix2 malware

    • STIX2 malware types attribute: ['exploit-kit']

  • colander MALVERTISING mapped to stix2 malware

    • STIX2 malware types attribute: ['adware']

  • colander MOBILE_MALWARE mapped to stix2 malware

    • STIX2 malware types attribute: ['trojan']

  • colander RANSOMWARE mapped to stix2 malware

    • STIX2 malware types attribute: ['ransomware']

  • colander PHISHING mapped to stix2 malware

    • STIX2 malware types attribute: ['unknown']

  • colander STALKERWARE mapped to stix2 malware

    • STIX2 malware types attribute: ['spyware']

  • colander INFO_STEALER mapped to stix2 malware

    • STIX2 malware types attribute: ['spyware']

  • colander MALWARE mapped to stix2 malware

    • STIX2 malware types attribute: ['virus']

  • colander RAT mapped to stix2 malware

    • STIX2 malware types attribute: ['remote-access-trojan']

  • colander ROOTKIT mapped to stix2 malware

    • STIX2 malware types attribute: ['rootkit']

  • colander GENERIC mapped to stix2 malware

    • STIX2 malware types attribute: ['unknown']

  • colander SPYWARE mapped to stix2 malware

    • STIX2 malware types attribute: ['spyware']

  • colander TROJAN mapped to stix2 malware

    • STIX2 malware types attribute: ['trojan']