# Stix 2 version 2.1 Notebook
Date: May 13 2020. Our Lady of Fatima

For the examples in this notebook to work, install the `stix2` module:

```shellscript
# pip3 install stix2
```

In [114]:
from stix2.v21 import (AttackPattern, Campaign, CourseOfAction, Grouping,
                       Identity, Indicator, Infrastructure, IntrusionSet,
                       Location, Malware, MalwareAnalysis, Note, ObservedData,
                       Opinion, Report, ThreatActor, Tool, Vulnerability)

# A total of 2 STIX Relationship Objects or SROs
from stix2.v21 import (Relationship, Sighting)

# a total of 18 STIX Cyber-observable Objects or SCOs
from stix2.v21 import (Artifact, AutonomousSystem, Directory, DomainName,
                       EmailAddress, EmailMessage, File, IPv4Address,
                       IPv6Address, MACAddress, Mutex, NetworkTraffic,
                       Process, Software, URL, UserAccount,
                       WindowsRegistryKey, X509Certificate)

# a total of 2 Meta Object or SMOs
from stix2.v21 import (LanguageContent, MarkingDefinition)

# a total of 1 STIX Bundle Object or SBO
from stix2.v21 import (Bundle)

# a total of 2 common data types.
from stix2.v21 import(ExternalReference, KillChainPhase)

## Threat Actor
Example website: `https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile`
        

### Producer:

In [115]:
# Producer: model a threat actor, the organisation it is attributed to, and
# the relationship joining the two, then wrap all three in one bundle.
# The two domain objects carry fixed ids and timestamps, so they serialize the
# same way on every run. The relationship is given no id or timestamps, so the
# library fills those in when the cell runs.
actor_stamp = "2014-11-19T23:39:03.893Z"
actor_fields = dict(
    id="threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
    created=actor_stamp,
    modified=actor_stamp,
    name="Disco Team Threat Actor Group",
    description="This organized threat actor group operates to create profit from all types of crime.",
    threat_actor_types=["crime-syndicate"],
    aliases=["Equipo del Discoteca"],
    roles=["agent"],
    goals=["Steal Credit Card Information"],
    sophistication="expert",
    resource_level="organization",
    primary_motivation="personal-gain",
)
threat_actor = ThreatActor(**actor_fields)

identity_stamp = "2016-08-23T18:05:49.307Z"
identity_fields = dict(
    id="identity--733c5838-34d9-4fbf-949c-62aba761184c",
    created=identity_stamp,
    modified=identity_stamp,
    name="Disco Team",
    description="Disco Team is the name of an organized threat actor crime-syndicate.",
    identity_class="organization",
    contact_information="disco-team@stealthemail.com",
)
identity = Identity(**identity_fields)

# source, relationship type, target: "threat_actor attributed-to identity"
relationship = Relationship(
    source_ref=threat_actor,
    relationship_type='attributed-to',
    target_ref=identity,
)

bundle_members = [threat_actor, identity, relationship]
bundle = Bundle(objects=bundle_members)

In [116]:
# Print the bundle; the output below is its JSON serialization.
print(bundle)

{
    "type": "bundle",
    "id": "bundle--d48f09f9-6f1c-4d36-91c5-35ff5f583c7a",
    "objects": [
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
            "created": "2014-11-19T23:39:03.893Z",
            "modified": "2014-11-19T23:39:03.893Z",
            "name": "Disco Team Threat Actor Group",
            "description": "This organized threat actor group operates to create profit from all types of crime.",
            "threat_actor_types": [
                "crime-syndicate"
            ],
            "aliases": [
                "Equipo del Discoteca"
            ],
            "roles": [
                "agent"
            ],
            "goals": [
                "Steal Credit Card Information"
            ],
            "sophistication": "expert",
            "resource_level": "organization",
            "primary_motivation": "personal-gain"
        },
        {
        

### Consumer:

In [117]:
# Consumer: walk the bundle and print a plain-text report for each object.
# NOTE(review): objects are recognised by comparing them with the producer's
# own variables, which only works inside this notebook. A consumer that
# receives the bundle as JSON would parse it (e.g. stix2.parse) and branch on
# obj.type, and should treat every string property as untrusted input.
rule = "------------------"
for obj in bundle.objects:
    if obj == threat_actor:
        heading = "== THREAT ACTOR =="
        rows = [
            ("ID: ", obj.id),
            ("Created: ", obj.created),
            ("Modified: ", obj.modified),
            ("Name: ", obj.name),
            ("Description: ", obj.description),
            ("Threat Actor Types: ", obj.threat_actor_types),
            ("Aliases: ", obj.aliases),
            ("Roles: ", obj.roles),
            ("Goals: ", obj.goals),
            ("Sophistication: ", obj.sophistication),
            ("Resource Level: ", obj.resource_level),
            ("Primary Motivation: ", obj.primary_motivation),
        ]
    elif obj == identity:
        heading = "== IDENTITY =="
        rows = [
            ("ID: ", obj.id),
            ("Created: ", obj.created),
            ("Modified: ", obj.modified),
            ("Name: ", obj.name),
            ("Description: ", obj.description),
            ("Identity Class: ", obj.identity_class),
            ("Contact Information: ", obj.contact_information),
        ]
    elif obj == relationship:
        heading = "== RELATIONSHIP =="
        rows = [
            ("ID: ", obj.id),
            ("Created: ", obj.created),
            ("Modified: ", obj.modified),
            ("Type: ", obj.type),
            ("Relationship Type: ", obj.relationship_type),
            ("Source Ref: ", obj.source_ref),
            ("Target Ref: ", obj.target_ref),
        ]
    else:
        # Anything else in the bundle is not reported.
        continue

    print(rule)
    print(heading)
    print(rule)
    for label, value in rows:
        # str() renders timestamps and lists; plain strings pass through unchanged.
        print(label + str(value))

------------------
== THREAT ACTOR ==
------------------
ID: threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428
Created: 2014-11-19 23:39:03.893000+00:00
Modified: 2014-11-19 23:39:03.893000+00:00
Name: Disco Team Threat Actor Group
Description: This organized threat actor group operates to create profit from all types of crime.
Threat Actor Types: ['crime-syndicate']
Aliases: ['Equipo del Discoteca']
Roles: ['agent']
Goals: ['Steal Credit Card Information']
Sophistication: expert
Resource Level: organization
Primary Motivation: personal-gain
------------------
== IDENTITY ==
------------------
ID: identity--733c5838-34d9-4fbf-949c-62aba761184c
Created: 2016-08-23 18:05:49.307000+00:00
Modified: 2016-08-23 18:05:49.307000+00:00
Name: Disco Team
Description: Disco Team is the name of an organized threat actor crime-syndicate.
Identity Class: organization
Contact Information: disco-team@stealthemail.com
------------------
== RELATIONSHIP ==
------------------
ID: relationship--56c4c5e4-3

In [122]:
# Minimal indicator: id, created and modified are not passed in, so the
# library fills them in (see the output below).
# NOTE(review): d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so
# this pattern would match every zero-length file. It is placeholder data and
# should not be loaded into a detection pipeline as written. MD5 is also
# collision-prone; a production indicator would normally carry a SHA-256.
# NOTE(review): "malicious-activity" is passed through the generic `labels`
# property here, while the Malware-section example further down puts the same
# value in `indicator_types`. Confirm which one consumers of this data read.
indicator_fields = {
    "name": "File hash for malware variant",
    "labels": ["malicious-activity"],
    "pattern_type": 'stix',
    "valid_from": '2016-08-23 18:05:49.307000+00:00',
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
}
indicator = Indicator(**indicator_fields)
print(indicator)

{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--07fd87d2-0382-4408-b26b-b87d75fc3fa1",
    "created": "2020-05-15T11:01:13.166484Z",
    "modified": "2020-05-15T11:01:13.166484Z",
    "name": "File hash for malware variant",
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2016-08-23T18:05:49.307Z",
    "labels": [
        "malicious-activity"
    ]
}


In [123]:
# Minimal malware object describing a family rather than a single sample.
# NOTE(review): "remote-access-trojan" is passed through the generic `labels`
# property here, while the Malware-section example further down uses
# `malware_types` for the same kind of value. Confirm which one is intended.
malware_fields = {
    "name": "Poison Ivy",
    "is_family": True,
    "labels": ['remote-access-trojan'],
}
malware = Malware(**malware_fields)
print(malware)

{
    "type": "malware",
    "spec_version": "2.1",
    "id": "malware--3918689a-19d8-4091-ae04-5e944707c7f1",
    "created": "2020-05-15T11:01:19.345905Z",
    "modified": "2020-05-15T11:01:19.345905Z",
    "name": "Poison Ivy",
    "is_family": true,
    "labels": [
        "remote-access-trojan"
    ]
}


In [124]:
# Exploratory: list the attribute names of the Malware class. The output
# includes private helpers (leading underscore) as well as the public methods.
dir(Malware)

['__abstractmethods__', '__class__', '__contains__', '__deepcopy__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__reversed__', '__setattr__', '__sizeof__', '__slots__', '__str__', '__subclasshook__', '__weakref__', '_abc_cache', '_abc_negative_cache', '_abc_negative_cache_version', '_abc_registry', '_check_at_least_one_property', '_check_mutually_exclusive_properties', '_check_object_constraints', '_check_properties_dependency', '_check_property', '_properties', '_type', 'add_markings', 'clear_markings', 'get', 'get_markings', 'is_marked', 'items', 'keys', 'new_version', 'object_properties', 'properties_populated', 'remove_markings', 'revoke', 'serialize', 'set_markings', 'values']

In [125]:
# Link the indicator to the malware it points at: "indicator indicates malware".
# Only the ids are passed, so the relationship stores references, not copies.
link_fields = {
    "source_ref": indicator.id,
    "relationship_type": 'indicates',
    "target_ref": malware.id,
}
relationship = Relationship(**link_fields)
print(relationship)

{
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--65d6c173-644d-4cf3-9709-8539ab767403",
    "created": "2020-05-15T11:01:20.949398Z",
    "modified": "2020-05-15T11:01:20.949398Z",
    "relationship_type": "indicates",
    "source_ref": "indicator--07fd87d2-0382-4408-b26b-b87d75fc3fa1",
    "target_ref": "malware--3918689a-19d8-4091-ae04-5e944707c7f1"
}


In [126]:
# Exploratory: list the attribute names of the Relationship class. The output
# includes private helpers (leading underscore) as well as the public methods.
dir(Relationship)

['__abstractmethods__', '__class__', '__contains__', '__deepcopy__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__reversed__', '__setattr__', '__sizeof__', '__slots__', '__str__', '__subclasshook__', '__weakref__', '_abc_cache', '_abc_negative_cache', '_abc_negative_cache_version', '_abc_registry', '_check_at_least_one_property', '_check_mutually_exclusive_properties', '_check_object_constraints', '_check_properties_dependency', '_check_property', '_invalid_source_target_types', '_properties', '_type', 'add_markings', 'clear_markings', 'get', 'get_markings', 'is_marked', 'items', 'keys', 'new_version', 'object_properties', 'properties_populated', 'remove_markings', 'revoke', 'serialize', 'set_markings', 'values']

In [127]:
# Smallest possible attack pattern: only a name is supplied; id, created and
# modified appear in the output because the library fills them in.
attack_pattern = AttackPattern(name='test-attack-pattern')
print(attack_pattern)
# Exploratory: the last expression is displayed as the cell result.
dir(AttackPattern)

{
    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--1ef08ba8-9c93-4f48-b5f6-d5e7fe98f980",
    "created": "2020-05-15T11:01:22.695429Z",
    "modified": "2020-05-15T11:01:22.695429Z",
    "name": "test-attack-pattern"
}


['__abstractmethods__', '__class__', '__contains__', '__deepcopy__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__reversed__', '__setattr__', '__sizeof__', '__slots__', '__str__', '__subclasshook__', '__weakref__', '_abc_cache', '_abc_negative_cache', '_abc_negative_cache_version', '_abc_registry', '_check_at_least_one_property', '_check_mutually_exclusive_properties', '_check_object_constraints', '_check_properties_dependency', '_check_property', '_properties', '_type', 'add_markings', 'clear_markings', 'get', 'get_markings', 'is_marked', 'items', 'keys', 'new_version', 'object_properties', 'properties_populated', 'remove_markings', 'revoke', 'serialize', 'set_markings', 'values']

## Campaign

Example website: https://oasis-open.github.io/cti-documentation/examples/defining-campaign-ta-is

### Producer

In [128]:
# Producer for the campaign scenario: one threat actor, two identities, two
# attack patterns, two campaigns, one intrusion set and the relationships
# between them, all packaged in a single bundle.
# This cell rebinds `threat_actor` and `bundle` from the Threat Actor section,
# so the consumer cells of that section no longer refer to the same objects
# once this cell has run.
published = "2016-08-08T15:50:10.983Z"      # created/modified of most objects
capec_revised = "2017-01-30T21:15:04.127Z"  # modified of both attack patterns

threat_actor = ThreatActor(
    type="threat-actor",
    spec_version="2.1",
    id="threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
    created=published,
    modified=published,
    name="Fake BPP (Branistan Peoples Party)",
    threat_actor_types=["nation-state"],
    roles=["director"],
    goals=["Influence the election in Branistan"],
    resource_level="government",
    primary_motivation="ideology",
    secondary_motivations=["dominance"],
    sophistication="strategic",
)

# The organisation the actor is attributed to.
identity1 = Identity(
    type="identity",
    spec_version="2.1",
    id="identity--8c6af861-7b20-41ef-9b59-6344fd872a8f",
    created=published,
    modified=published,
    name="Franistan Intelligence",
    identity_class="organization",
)

# The organisation that is targeted and impersonated.
ref_bpp = ExternalReference(source_name="website", url="http://www.bpp.bn")

identity2 = Identity(
    type="identity",
    spec_version="2.1",
    id="identity--ddfe7140-2ba4-48e4-b19a-df069432103b",
    created=published,
    modified=published,
    name="Branistan Peoples Party",
    identity_class="organization",
    external_references=[ref_bpp],
)

# CAPEC entries that the two attack patterns point to.
ref_capec1 = ExternalReference(
    source_name="capec",
    external_id="CAPEC-148",
    url="https://capec.mitre.org/data/definitions/148.html",
)
ref_capec2 = ExternalReference(
    source_name="capec",
    external_id="CAPEC-488",
    url="https://capec.mitre.org/data/definitions/488.html",
)

attack_pattern1 = AttackPattern(
    type="attack-pattern",
    spec_version="2.1",
    id="attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a",
    created=published,
    modified=capec_revised,
    name="Content Spoofing",
    external_references=[ref_capec1],
)
attack_pattern2 = AttackPattern(
    type="attack-pattern",
    spec_version="2.1",
    id="attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c",
    created=published,
    modified=capec_revised,
    name="HTTP Flood",
    external_references=[ref_capec2],
)

campaign1 = Campaign(
    type="campaign",
    spec_version="2.1",
    id="campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
    created=published,
    modified=published,
    name="Operation Bran Flakes",
    description="A concerted effort to insert false information into the BPP's web pages.",
    aliases=["OBF"],
    first_seen="2016-01-08T12:50:40.123Z",
    objective="Hack www.bpp.bn",
)
campaign2 = Campaign(
    type="campaign",
    spec_version="2.1",
    id="campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
    created=published,
    modified=published,
    name="Operation Raisin Bran",
    description="A DDOS campaign to flood BPP web servers.",
    aliases=["ORB"],
    first_seen="2016-02-07T19:45:32.126Z",
    objective="Flood www.bpp.bn",
)

intrusionset = IntrusionSet(
    type="intrusion-set",
    spec_version="2.1",
    id="intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
    created=published,
    modified=published,
    name="APT BPP",
    description="An advanced persistent threat that seeks to disrupt Branistan's election with multiple attacks.",
    first_seen="2016-01-08T12:50:40.123Z",
    resource_level="government",
    primary_motivation="ideology",
    goals=["Influence the Branistan election", "Disrupt the BPP"],
    secondary_motivations=["dominance"],
    aliases=["Bran-teaser"],
)

# (source, relationship type, target), in the order relationship1..relationship18.
# NOTE(review): entries 10 and 16 are the same triple (campaign2 targets
# identity2), so the bundle carries two relationship objects for one
# statement. Confirm whether one of them was meant to be a different edge.
edges = [
    (campaign1, 'attributed-to', threat_actor),     # 1
    (campaign2, 'attributed-to', threat_actor),     # 2
    (campaign1, 'attributed-to', intrusionset),     # 3
    (campaign2, 'attributed-to', intrusionset),     # 4
    (intrusionset, 'attributed-to', threat_actor),  # 5
    (intrusionset, 'targets', identity2),           # 6
    (intrusionset, 'uses', attack_pattern1),        # 7
    (intrusionset, 'uses', attack_pattern2),        # 8
    (campaign1, 'targets', identity2),              # 9
    (campaign2, 'targets', identity2),              # 10
    (campaign1, 'uses', attack_pattern1),           # 11
    (campaign2, 'uses', attack_pattern2),           # 12
    (threat_actor, 'impersonates', identity2),      # 13
    (threat_actor, 'targets', identity2),           # 14
    (threat_actor, 'attributed-to', identity1),     # 15
    (campaign2, 'targets', identity2),              # 16
    (threat_actor, 'uses', attack_pattern1),        # 17
    (threat_actor, 'uses', attack_pattern2),        # 18
]
relationships = [Relationship(src, verb, dst) for src, verb, dst in edges]

# Keep the individual names available for later cells.
(relationship1, relationship2, relationship3, relationship4, relationship5,
 relationship6, relationship7, relationship8, relationship9, relationship10,
 relationship11, relationship12, relationship13, relationship14,
 relationship15, relationship16, relationship17, relationship18) = relationships

domain_objects = [threat_actor, identity1, identity2, attack_pattern1,
                  attack_pattern2, campaign1, campaign2, intrusionset]
bundle = Bundle(objects=domain_objects + relationships)


In [129]:
# Print the campaign bundle; the output below is its JSON serialization.
print(bundle)

{
    "type": "bundle",
    "id": "bundle--fe6c1eab-2935-448e-9b20-f5819314a27a",
    "objects": [
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
            "created": "2016-08-08T15:50:10.983Z",
            "modified": "2016-08-08T15:50:10.983Z",
            "name": "Fake BPP (Branistan Peoples Party)",
            "threat_actor_types": [
                "nation-state"
            ],
            "roles": [
                "director"
            ],
            "goals": [
                "Influence the election in Branistan"
            ],
            "sophistication": "strategic",
            "resource_level": "government",
            "primary_motivation": "ideology",
            "secondary_motivations": [
                "dominance"
            ]
        },
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--8c6af861-7b20-41e

### Consumer


In [130]:
import re

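def _print_common(title, obj):
    """Print the banner for one object and the properties every object has.

    Args:
        title: Text shown between the "==" markers, e.g. "CAMPAIGN".
        obj: A STIX object from the bundle; its id, created and modified
            properties are printed.
    """
    print("------------------")
    print("== " + title + " ==")
    print("------------------")
    print("ID: " + obj.id)
    print("Created: " + str(obj.created))
    print("Modified: " + str(obj.modified))


# Consumer: print a plain-text report for every object in the campaign bundle.
# Objects are told apart by their `type` property, so the loop also works on a
# bundle parsed from JSON instead of the producer's in-memory objects. Branching
# on the exact type string also avoids matching the word "relationship" inside
# some other object's text.
# Every string printed here comes from the bundle; a consumer that renders it
# anywhere other than a terminal should treat it as untrusted input.
for obj in bundle.objects:
    kind = obj.type

    if kind == "threat-actor":
        _print_common("THREAT ACTOR", obj)
        print("Name: " + obj.name)
        print("Threat Actor Types: " + str(obj.threat_actor_types))
        print("Roles: " + str(obj.roles))
        print("Goals: " + str(obj.goals))
        print("Sophistication: " + obj.sophistication)
        print("Resource Level: " + obj.resource_level)
        print("Primary Motivation: " + obj.primary_motivation)
        print("Secondary Motivations: " + str(obj.secondary_motivations))

    elif kind == "identity":
        _print_common("IDENTITY", obj)
        print("Name: " + obj.name)
        print("Identity Class: " + obj.identity_class)

    elif kind == "attack-pattern":
        _print_common("ATTACK PATTERN", obj)
        print("Name: " + obj.name)
        print("Type: " + obj.type)
        print("External References: " + str(obj.external_references))

    elif kind == "campaign":
        _print_common("CAMPAIGN", obj)
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Type: " + obj.type)
        print("Aliases: " + str(obj.aliases))
        print("First Seen: " + str(obj.first_seen))
        print("Objective: " + obj.objective)

    elif kind == "intrusion-set":
        _print_common("INTRUSION SET", obj)
        print("Name: " + obj.name)
        # Print the description itself; the name is already shown above.
        print("Description: " + obj.description)
        print("Type: " + obj.type)
        print("Aliases: " + str(obj.aliases))
        print("First Seen: " + str(obj.first_seen))
        print("Goals: " + str(obj.goals))
        print("Resource Level: " + obj.resource_level)
        print("Primary Motivation: " + obj.primary_motivation)
        print("Secondary Motivations: " + str(obj.secondary_motivations))

    elif kind == "relationship":
        _print_common("RELATIONSHIP", obj)
        print("Type: " + obj.type)
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)

    # Any other object type is skipped without output.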

------------------
== THREAT ACTOR ==
------------------
ID: threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500
Created: 2016-08-08 15:50:10.983000+00:00
Modified: 2016-08-08 15:50:10.983000+00:00
Name: Fake BPP (Branistan Peoples Party)
Threat Actor Types: ['nation-state']
Roles: ['director']
Goals: ['Influence the election in Branistan']
Sophistication: strategic
Resource Level: government
Primary Motivation: ideology
Secondary Motivations: ['dominance']
------------------
== IDENTITY ==
------------------
ID: identity--8c6af861-7b20-41ef-9b59-6344fd872a8f
Created: 2016-08-08 15:50:10.983000+00:00
Modified: 2016-08-08 15:50:10.983000+00:00
Name: Franistan Intelligence
Identity Class: organization
------------------
== IDENTITY ==
------------------
ID: identity--ddfe7140-2ba4-48e4-b19a-df069432103b
Created: 2016-08-08 15:50:10.983000+00:00
Modified: 2016-08-08 15:50:10.983000+00:00
Name: Branistan Peoples Party
Identity Class: organization
------------------
== ATTACK PATTERN ==
----

## Malware

Example Website: `https://oasis-open.github.io/cti-documentation/examples/indicator-for-malicious-url`
    

### Producer

In [131]:
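# Producer: an indicator for a malicious URL, the backdoor it points to, and
# the relationship between them, packaged in one bundle.
# This cell rebinds `indicator`, `malware`, `relationship` and `bundle` from
# earlier cells.
indicator = Indicator(
    id="indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
    created="2014-06-29T13:49:37.079Z",
    modified="2014-06-29T13:49:37.079Z",
    name="Malicious site hosting downloader",
    # NOTE(review): this text describes a threat actor group, not the URL. The
    # same sentence is used for the ThreatActor in the first example; confirm
    # it is intended here.
    description="This organized threat actor group operates to create profit from all types of crime.",
    indicator_types=["malicious-activity"],
    # '=' is an exact comparison, so only this exact URL string matches; other
    # paths or schemes on the same host would need their own pattern.
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
    pattern_type="stix",
    valid_from="2014-06-29T13:49:37.079000Z"
)

# Where in the attack lifecycle the malware is used.
foothold = KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="establish-foothold"
)

malware = Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created="2014-06-30T09:15:17.182Z",
    modified="2014-06-30T09:15:17.182Z",
    name="x4z9arb backdoor",
    malware_types=["backdoor", "remote-access-trojan"],
    description="This malware attempts to download remote files after establishing a foothold as a backdoor.",
    kill_chain_phases=[foothold],
    # A real boolean. The string "false" only worked because the library
    # converts it; as a plain Python value a non-empty string is truthy.
    is_family=False
)

# "indicator indicates malware"
relationship = Relationship(indicator, 'indicates', malware)

bundle = Bundle(objects=[indicator, malware, relationship])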

In [132]:
# Print the indicator/malware bundle; the output below is its JSON serialization.
print(bundle)

{
    "type": "bundle",
    "id": "bundle--5dc01d0d-ac0f-48e0-b1b4-5c8d2047d335",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f",
            "created": "2014-06-29T13:49:37.079Z",
            "modified": "2014-06-29T13:49:37.079Z",
            "name": "Malicious site hosting downloader",
            "description": "This organized threat actor group operates to create profit from all types of crime.",
            "indicator_types": [
                "malicious-activity"
            ],
            "pattern": "[url:value = 'http://x4z9arb.cn/4712/']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2014-06-29T13:49:37.079Z"
        },
        {
            "type": "malware",
            "spec_version": "2.1",
            "id": "malware--162d917e-766f-4611-b5d6-652791454fca",
            "created": "2014-06-30T09:15:17.182

### Consumer

In [133]:
# Consumer: print a plain-text report for each object in the bundle.
# NOTE(review): objects are recognised by comparing them with the producer's
# own variables, which only works inside this notebook. A consumer that
# receives the bundle as JSON would parse it (e.g. stix2.parse) and branch on
# obj.type. The pattern and URL printed here are indicator data and should be
# handled as untrusted text, never opened or fetched.
rule = "------------------"
for obj in bundle.objects:
    if obj == malware:
        heading = "== MALWARE =="
        rows = [
            ("ID: ", obj.id),
            ("Created: ", obj.created),
            ("Modified: ", obj.modified),
            ("Name: ", obj.name),
            ("Description: ", obj.description),
            ("Type: ", obj.type),
            ("Malware Types: ", obj.malware_types),
            ("Is Family:", obj.is_family),
            ("Kill Chain: ", obj.kill_chain_phases),
        ]
    elif obj == indicator:
        heading = "== INDICATOR =="
        rows = [
            ("ID: ", obj.id),
            ("Created: ", obj.created),
            ("Modified: ", obj.modified),
            ("Name: ", obj.name),
            ("Description: ", obj.description),
            ("Type: ", obj.type),
            ("Indicator Types: ", obj.indicator_types),
            ("Pattern: ", obj.pattern),
            ("Pattern Type: ", obj.pattern_type),
            ("Valid From: ", obj.valid_from),
        ]
    elif obj == relationship:
        heading = "== RELATIONSHIP =="
        rows = [
            ("ID: ", obj.id),
            ("Created: ", obj.created),
            ("Modified: ", obj.modified),
            ("Type: ", obj.type),
            ("Relationship Type: ", obj.relationship_type),
            ("Source Ref: ", obj.source_ref),
            ("Target Ref: ", obj.target_ref),
        ]
    else:
        # Anything else in the bundle is not reported.
        continue

    print(rule)
    print(heading)
    print(rule)
    for label, value in rows:
        # str() renders timestamps, booleans and lists; strings pass through unchanged.
        print(label + str(value))

------------------
== INDICATOR ==
------------------
ID: indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f
Created: 2014-06-29 13:49:37.079000+00:00
Modified: 2014-06-29 13:49:37.079000+00:00
Name: Malicious site hosting downloader
Description: This organized threat actor group operates to create profit from all types of crime.
Type: indicator
Indicator Types: ['malicious-activity']
Pattern: [url:value = 'http://x4z9arb.cn/4712/']
Pattern Type: stix
Valid From: 2014-06-29 13:49:37.079000+00:00
------------------
== MALWARE ==
------------------
ID: malware--162d917e-766f-4611-b5d6-652791454fca
Created: 2014-06-30 09:15:17.182000+00:00
Modified: 2014-06-30 09:15:17.182000+00:00
Name: x4z9arb backdoor
Description: This malware attempts to download remote files after establishing a foothold as a backdoor.
Type: malware
Malware Types: ['backdoor', 'remote-access-trojan']
Is Family:False
Kill Chain: [KillChainPhase(kill_chain_name='mandiant-attack-lifecycle-model', phase_name='establish-foot