-
Notifications
You must be signed in to change notification settings - Fork 0
/
forensicstore_stix_schemas.py
77 lines (76 loc) · 132 KB
/
forensicstore_stix_schemas.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Copyright (c) 2020 Siemens AG
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Author(s): Demian Kellermann
observed_data = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/observed-data.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'observed-data', 'description': 'Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `observed-data`.', 'enum': ['observed-data']}, 'id': {'title': 'id', 'pattern': '^observed-data--'}, 'first_observed': {'$ref': '../common/timestamp.json', 'description': 'The beginning of the time window that the data was observed during.'}, 'last_observed': {'$ref': '../common/timestamp.json', 'description': 'The end of the time window that the data was observed during.'}, 'number_observed': {'type': 'integer', 'description': 'The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.', 'minimum': 1, 'maximum': 999999999}, 'objects': {'type': 'object', 'description': "A dictionary of Cyber Observable Objects that describes the single 'fact' that was observed.", 'minProperties': 1, 'patternProperties': {'^.*$': {'type': 'object', 'oneOf': [{'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'not': {'properties': {'type': {'type': 'string', 'pattern': '^artifact|directory|file|mutex|process|software|user-account|windows-registry-key|x509-certificate|autonomous-system|domain-name|email-addr|email-message|ipv4-addr|ipv6-addr|mac-addr|network-traffic|url$', 'description': 'Indicates that this object is a custom Observable Object.'}}}}]}, {'$ref': '../observables/artifact.json'}, {'$ref': '../observables/autonomous-system.json'}, {'$ref': '../observables/directory.json'}, {'$ref': '../observables/domain-name.json'}, {'$ref': '../observables/email-addr.json'}, {'$ref': '../observables/email-message.json'}, {'$ref': '../observables/file.json'}, {'$ref': '../observables/ipv4-addr.json'}, {'$ref': '../observables/ipv6-addr.json'}, {'$ref': '../observables/mac-addr.json'}, {'$ref': '../observables/mutex.json'}, {'$ref': '../observables/network-traffic.json'}, {'$ref': '../observables/process.json'}, {'$ref': '../observables/software.json'}, {'$ref': '../observables/url.json'}, {'$ref': '../observables/user-account.json'}, {'$ref': '../observables/windows-registry-key.json'}, {'$ref': '../observables/x509-certificate.json'}]}}}, 'object_refs': {'type': 'array', 'description': 'A list of SCOs and SROs representing the observation.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}}}], 'required': ['first_observed', 'last_observed', 'number_observed'], 'oneOf': [{'required': ['objects']}, {'required': ['object_refs']}]}
course_of_action = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/course-of-action.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'course-of-action', 'description': 'A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. ', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `course-of-action`.', 'enum': ['course-of-action']}, 'id': {'title': 'id', 'pattern': '^course-of-action--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Course of Action.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about this object, potentially including its purpose and its key characteristics.'}}}], 'required': ['name']}
malware = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/malware.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'malware', 'description': "Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.", 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `malware`.', 'enum': ['malware']}, 'id': {'title': 'id', 'pattern': '^malware--'}, 'aliases': {'type': 'array', 'description': 'Alternative names used to identify this Malware or Malware family.', 'items': {'type': 'string'}, 'minItems': 1}, 'first_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that the malware instance or family was first seen.'}, 'last_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that the malware family or malware instance was last seen.'}, 'operating_system_refs': {'type': 'array', 'description': 'The operating systems that the malware family or malware instance is executable on.', 'items': {'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^software--'}]}, 'minItems': 1}, 'architecture_execution_envs': {'type': 'array', 'description': 'The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. Open Vocab - processor-architecture-os.', 'items': {'type': 'string'}, 'minItems': 1}, 'implementation_languages': {'type': 'array', 'description': 'The programming language(s) used to implement the malware instance or family. Open Vocab - implementation-language-ov.', 'items': {'type': 'string'}, 'minItems': 1}, 'capabilities': {'type': 'array', 'description': 'Specifies any capabilities identified for the malware instance or family. Open Vocab - malware-capabilities-ov.', 'items': {'type': 'string'}, 'minItems': 1}, 'sample_refs': {'type': 'array', 'description': 'The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family.', 'items': {'type': 'string'}, 'minItems': 1}, 'malware_types': {'type': 'array', 'description': 'The type of malware being described. Open Vocab - malware-type-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'name': {'type': 'string', 'description': 'The name used to identify the Malware.'}, 'description': {'type': 'string', 'description': 'Provides more context and details about the Malware object.'}, 'kill_chain_phases': {'type': 'array', 'description': 'The list of kill chain phases for which this Malware instance can be used.', 'items': {'$ref': '../common/kill-chain-phase.json'}, 'minItems': 1}}}], 'required': ['is_family'], 'oneOf': [{'properties': {'is_family': {'type': 'boolean', 'enum': [False], 'description': 'Whether the object represents a malware family (if true) or a malware instance (if false).'}}}, {'properties': {'is_family': {'type': 'boolean', 'enum': [True], 'description': 'Whether the object represents a malware family (if true) or a malware instance (if false).'}}, 'required': ['name']}], 'definitions': {'malware-type-ov': {'type': 'string', 'enum': ['adware', 'backdoor', 'bot', 'bootkit', 'ddos', 'downloader', 'dropper', 'exploit-kit', 'keylogger', 'ransomware', 'remote-access-trojan', 'resource-exploitation', 'rogue-security-software', 'rootkit', 'screen-capture', 'spyware', 'trojan', 'unknown', 'virus', 'webshell', 'wiper', 'worm']}, 'implementation-language-ov': {'type': 'string', 'enum': ['applescript', 'bash', 'c', 'c++', 'c#', 'go', 'java', 'javascript', 'lua', 'objective-c', 'perl', 'php', 'powershell', 'python', 'ruby', 'scala', 'swift', 'typescript', 'visual-basic', 'x86-32', 'x86-64']}, 'malware-capabilities-ov': {'type': 'string', 'enum': ['accesses-remote-machines', 'anti-debugging', 'anti-disassembly', 'anti-emulation', 'anti-memory-forensics', 'anti-sandbox', 'anti-vm', 'captures-input-peripherals', 'captures-output-peripherals', 'captures-system-state-data', 'cleans-traces-of-infection', 'commits-fraud', 'communicates-with-c2', 'compromises-data-availability', 'compromises-data-integrity', 'compromises-system-availability', 'controls-local-machine', 'degrades-security-software', 'degrades-system-updates', 'determines-c2-server', 'emails-spam', 'escalates-privileges', 'evades-av', 'exfiltrates-data', 'fingerprints-host', 'hides-artifacts', 'hides-executing-code', 'infects-files', 'infects-remote-machines', 'installs-other-components', 'persists-after-system-reboot', 'prevents-artifact-access', 'prevents-artifact-deletion', 'probes-network-environment', 'self-modifies', 'steals-authentication-credentials', 'violates-system-operational-integrity']}, 'processor-architecture-ov': {'type': 'string', 'enum': ['alpha', 'arm', 'ia-64', 'mips', 'powerpc', 'sparc', 'x86', 'x86-64']}}}
indicator = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/indicator.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'indicator', 'description': 'Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `indicator`.', 'enum': ['indicator']}, 'id': {'title': 'id', 'pattern': '^indicator--'}, 'indicator_types': {'type': 'array', 'description': 'This field is an Open Vocabulary that specifies the type of indicator. Open vocab - indicator-type-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'name': {'type': 'string', 'description': 'The name used to identify the Indicator.'}, 'description': {'type': 'string', 'description': 'A description that provides the recipient with context about this Indicator potentially including its purpose and its key characteristics.'}, 'pattern': {'type': 'string', 'description': 'The detection pattern for this indicator.'}, 'pattern_type': {'type': 'string', 'description': 'The type of pattern used in this indicator.'}, 'pattern_version': {'type': 'string', 'description': 'The version of the pattern that is used.'}, 'valid_from': {'$ref': '../common/timestamp.json', 'description': 'The time from which this indicator should be considered valuable intelligence.'}, 'valid_until': {'$ref': '../common/timestamp.json', 'description': 'The time at which this indicator should no longer be considered valuable intelligence.'}, 'kill_chain_phases': {'type': 'array', 'description': 'The phases of the kill chain that this indicator detects.', 'items': {'$ref': '../common/kill-chain-phase.json'}, 'minItems': 1}}}], 'required': ['pattern', 'pattern_type', 'valid_from'], 'definitions': {'indicator-type-ov': {'type': 'string', 'enum': ['anomalous-activity', 'anonymization', 'benign', 'compromised', 'malicious-activity', 'attribution', 'unknown']}, 'pattern-type-ov': {'type': 'string', 'enum': ['stix', 'pcre', 'sigma', 'snort', 'suricata', 'yara']}}}
opinion = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/opinion.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'opinion', 'description': 'An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity and captures the level of agreement or disagreement using a fixed scale.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `opinion`.', 'enum': ['opinion']}, 'id': {'title': 'id', 'pattern': '^opinion--'}, 'explanation': {'type': 'string', 'description': 'An explanation of why the producer has this Opinion.'}, 'authors': {'type': 'array', 'description': 'The name of the author(s) of this opinion (e.g., the analyst(s) that created it).', 'items': {'type': 'string'}, 'minItems': 1}, 'object_refs': {'type': 'array', 'description': 'The STIX Objects (SDOs and SROs) that the opinion is being applied to.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}, 'opinion': {'type': 'string', 'description': 'The opinion that the producer has about about all of the STIX Object(s) listed in the object_refs property.', 'enum': ['strongly-disagree', 'disagree', 'neutral', 'agree', 'strongly-agree']}}}], 'required': ['object_refs', 'opinion']}
vulnerability = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/vulnerability.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'vulnerability', 'description': 'A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `vulnerability`.', 'enum': ['vulnerability']}, 'id': {'title': 'id', 'pattern': '^vulnerability--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Vulnerability.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Vulnerability.'}}}], 'required': ['name']}
grouping = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/grouping.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'grouping', 'description': 'A Grouping object explicitly asserts that the referenced STIX Objects have a shared content.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `grouping`.', 'enum': ['grouping']}, 'id': {'title': 'id', 'pattern': '^grouping--'}, 'name': {'type': 'string', 'description': 'A name used to identify the Grouping.'}, 'description': {'type': 'string', 'description': 'A description which provides more details and context about the Grouping, potentially including the purpose and key characteristics.'}, 'context': {'type': 'string', 'description': 'A short description of the particular context shared by the content referenced by the Grouping.'}, 'object_refs': {'type': 'array', 'description': 'The STIX Objects (SDOs and SROs) that are referred to by this Grouping.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}}}], 'required': ['context', 'object_refs'], 'definitions': {'grouping-context-ov': {'type': 'string', 'enum': ['suspicious-activity', 'malware-analysis', 'unspecified']}}}
identity = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/identity.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'identity', 'description': 'Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `identity`.', 'enum': ['identity']}, 'id': {'title': 'id', 'pattern': '^identity--'}, 'roles': {'type': 'array', 'description': 'The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property.', 'items': {'type': 'string'}, 'minItems': 1}, 'name': {'type': 'string', 'description': 'The name of this Identity.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Identity.'}, 'identity_class': {'type': 'string', 'description': 'The type of entity that this Identity describes, e.g., an individual or organization. Open Vocab - identity-class-ov'}, 'sectors': {'type': 'array', 'description': 'The list of sectors that this Identity belongs to. Open Vocab - industry-sector-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'contact_information': {'type': 'string', 'description': 'The contact information (e-mail, phone number, etc.) for this Identity.'}}}], 'required': ['name'], 'definitions': {'identity-class-ov': {'type': 'string', 'enum': ['individual', 'group', 'system', 'organization', 'class', 'unknown']}, 'industry-sector-ov': {'type': 'string', 'enum': ['agriculture', 'aerospace', 'automotive', 'chemical', 'commercial', 'communications', 'construction', 'defense', 'education', 'energy', 'engineering', 'entertainment', 'financial-services', 'government', 'emergency-services', 'government-local', 'government-national', 'government-public-services', 'government-regional', 'healthcare', 'hospitality-leisure', 'infrastructure', 'dams', 'nuclear', 'water', 'insurance', 'manufacturing', 'mining', 'non-profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']}}}
location = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/location.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'location', 'description': 'A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `location`.', 'enum': ['location']}, 'id': {'title': 'id', 'pattern': '^location--'}, 'description': {'type': 'string', 'description': 'A textual description of the Location.'}, 'name': {'type': 'string', 'description': 'A name used to identify the Location.'}, 'latitude': {'type': 'number', 'description': 'The latitude of the Location in decimal degrees.', 'minimum': -90, 'maximum': 90}, 'longitude': {'type': 'number', 'description': 'The longitude of the Location in decimal degrees.', 'minimum': -180, 'maximum': 180}, 'precision': {'type': 'number', 'description': 'Defines the precision of the coordinates specified by the latitude and longitude properties, measured in meters.'}, 'region': {'type': 'string', 'description': 'The region that this Location describes.'}, 'country': {'type': 'string', 'description': 'The country that this Location describes.'}, 'administrative_area': {'type': 'string', 'description': 'The state, province, or other sub-national administrative area that this Location describes.'}, 'city': {'type': 'string', 'description': 'The city that this Location describes.'}, 'street_address': {'type': 'string', 'description': 'The street address that this Location describes.'}, 'postal_code': {'type': 'string', 'description': 'The postal code for this Location.'}}}, {'anyOf': [{'required': ['region']}, {'required': ['country']}, {'required': ['latitude', 'longitude']}]}, {'oneOf': [{'required': ['latitude', 'longitude']}, {'allOf': [{'not': {'required': ['latitude']}}, {'not': {'required': ['longitude']}}]}]}, {'oneOf': [{'required': ['precision', 'latitude', 'longitude']}, {'not': {'required': ['precision']}}]}], 'definitions': {'region-ov': {'type': 'string', 'enum': ['africa', 'eastern-africa', 'middle-africa', 'northern-africa', 'southern-africa', 'western-africa', 'americas', 'latin-america-caribbean', 'south-america', 'caribbean', 'central-america northern-america', 'asia', 'central-asia', 'eastern-asia', 'southern-asia', 'western-asia', 'europe eastern-europe', 'northern-europe', 'southern-europe', 'western-europe', 'oceania', 'australia-new-zealand', 'melanesia', 'micronesia', 'polynesia', 'antarctica']}}}
report = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/report.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'report', 'description': 'Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `report`.', 'enum': ['report']}, 'id': {'title': 'id', 'pattern': '^report--'}, 'report_types': {'type': 'array', 'description': 'This field is an Open Vocabulary that specifies the primary subject of this report. The suggested values for this field are in report-type-ov.', 'items': {'type': 'string'}, 'minItems': 1}, 'name': {'type': 'string', 'description': 'The name used to identify the Report.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about Report.'}, 'published': {'$ref': '../common/timestamp.json', 'description': 'The date that this report object was officially published by the creator of this report.'}, 'object_refs': {'type': 'array', 'description': 'Specifies the STIX Objects that are referred to by this Report.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}}}], 'required': ['name', 'object_refs', 'published'], 'definitions': {'report-type-ov': {'type': 'string', 'enum': ['threat-report', 'attack-pattern', 'campaign', 'identity', 'indicator', 'malware', 'observed-data', 'threat-actor', 'tool', 'vulnerability']}}}
intrusion_set = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/intrusion-set.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'intrusion-set', 'description': 'An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `intrusion-set`.', 'enum': ['intrusion-set']}, 'id': {'title': 'id', 'pattern': '^intrusion-set--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Intrusion Set.'}, 'description': {'type': 'string', 'description': 'Provides more context and details about the Intrusion Set object.'}, 'aliases': {'type': 'array', 'description': 'Alternative names used to identify this Intrusion Set.', 'items': {'type': 'string'}, 'minItems': 1}, 'first_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this Intrusion Set was first seen.'}, 'last_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this Intrusion Set was last seen.'}, 'goals': {'type': 'array', 'description': 'The high level goals of this Intrusion Set, namely, what are they trying to do.', 'items': {'type': 'string'}, 'minItems': 1}, 'resource_level': {'type': 'string', 'description': 'This defines the organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov'}, 'primary_motivation': {'type': 'string', 'description': 'The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov'}, 'secondary_motivations': {'type': 'array', 'description': 'The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov', 'items': {'type': 'string'}, 'minItems': 1}}}], 'required': ['name'], 'definitions': {'attack-resource-level-ov': {'type': 'string', 'enum': ['individual', 'club', 'contest', 'team', 'organization', 'government']}, 'attack-motivation-ov': {'type': 'string', 'enum': ['accidental', 'coercion', 'dominance', 'ideology', 'notoriety', 'organizational-gain', 'personal-gain', 'personal-satisfaction', 'revenge', 'unpredictable']}}}
incident = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/incident.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'incident', 'description': 'The Incident object in STIX 2.1 is a stub, to be expanded in future STIX 2 releases.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `incident`.', 'enum': ['incident']}, 'id': {'title': 'id', 'pattern': '^incident--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Incident.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Incident.'}}}], 'required': ['name']}
campaign = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/campaign.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'campaign', 'description': 'A Campaign is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `campaign`.', 'enum': ['campaign']}, 'id': {'title': 'id', 'pattern': '^campaign--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Campaign.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Campaign, potentially including its purpose and its key characteristics.'}, 'aliases': {'type': 'array', 'description': 'Alternative names used to identify this campaign.', 'items': {'type': 'string'}, 'minItems': 1}, 'first_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this Campaign was first seen.'}, 'last_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this Campaign was last seen.'}, 'objective': {'type': 'string', 'description': 'This field defines the Campaign’s primary goal, objective, desired outcome, or intended effect.'}}}], 'required': ['name']}
infrastructure = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/infrastructure.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'infrastructure', 'description': 'Infrastructure objects describe systems, software services, and associated physical or virtual resources.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `infrastructure`.', 'enum': ['infrastructure']}, 'id': {'title': 'id', 'pattern': '^infrastructure--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Infrastructure.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about this Infrastructure potentially including its purpose and its key characteristics.'}, 'infrastructure_types': {'type': 'array', 'description': 'This field is an Open Vocabulary that specifies the type of infrastructure. Open vocab - infrastructure-type-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'aliases': {'type': 'array', 'description': 'Alternative names used to identify this Infrastructure.', 'items': {'type': 'string'}, 'minItems': 1}, 'kill_chain_phases': {'type': 'array', 'description': 'The list of kill chain phases for which this infrastructure is used.', 'items': {'$ref': '../common/kill-chain-phase.json'}, 'minItems': 1}, 'first_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this infrastructure was first seen performing malicious activities.'}, 'last_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this infrastructure was last seen performing malicious activities.'}}}], 'required': ['name'], 'definitions': {'infrastructure-type-ov': {'type': 'string', 'enum': ['amplification', 'anonymization', 'botnet', 'command-and-control', 'exfiltration', 'hosting-malware', 'hosting-target-lists', 'phishing', 'reconnaissance', 'staging', 'unknown']}}}
threat_actor = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/threat-actor.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'threat-actor', 'description': 'Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `threat-actor`.', 'enum': ['threat-actor']}, 'id': {'title': 'id', 'pattern': '^threat-actor--'}, 'threat_actor_types': {'type': 'array', 'description': 'This field specifies the type of threat actor. Open Vocab - threat-actor-type-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'name': {'type': 'string', 'description': 'A name used to identify this Threat Actor or Threat Actor group.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Threat Actor.'}, 'aliases': {'type': 'array', 'description': 'A list of other names that this Threat Actor is believed to use.', 'items': {'type': 'string'}, 'minItems': 1}, 'roles': {'type': 'array', 'description': 'This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'goals': {'type': 'array', 'description': 'The high level goals of this Threat Actor, namely, what are they trying to do.', 'items': {'type': 'string'}, 'minItems': 1}, 'first_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this Threat Actor was first seen.'}, 'last_seen': {'$ref': '../common/timestamp.json', 'description': 'The time that this Threat Actor was last seen.'}, 'sophistication': {'type': 'string', 'description': 'The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov'}, 'resource_level': {'type': 'string', 'description': 'This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov'}, 'primary_motivation': {'type': 'string', 'description': 'The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov'}, 'secondary_motivations': {'type': 'array', 'description': 'The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'personal_motivations': {'type': 'array', 'description': 'The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov', 'items': {'type': 'string'}, 'minItems': 1}}}], 'required': ['name'], 'definitions': {'threat-actor-type-ov': {'type': 'string', 'enum': ['activist', 'competitor', 'crime-syndicate', 'criminal', 'hacker', 'insider-accidental', 'insider-disgruntled', 'nation-state', 'sensationalist', 'spy', 'terrorist', 'unknown']}, 'threat-actor-role-ov': {'type': 'string', 'enum': ['agent', 'director', 'independent', 'sponsor', 'infrastructure-operator', 'infrastructure-architect', 'malware-author']}, 'threat-actor-sophistication-ov': {'type': 'string', 'enum': ['none', 'minimal', 'intermediate', 'advanced', 'strategic', 'expert', 'innovator']}, 'attack-resource-level-ov': {'type': 'string', 'enum': ['individual', 'club', 'contest', 'team', 'organization', 'government']}, 'attack-motivation-ov': {'type': 'string', 'enum': ['accidental', 'coercion', 'dominance', 'ideology', 'notoriety', 'organizational-gain', 'personal-gain', 'personal-satisfaction', 'revenge', 'unpredictable']}}}
malware_analysis = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/malware-analysis.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'malware-analysis', 'description': 'Malware Analysis captures the metadata and results of a particular analysis performed (static or dynamic) on the malware instance or family.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `malware-analysis`.', 'enum': ['malware-analysis']}, 'id': {'title': 'id', 'pattern': '^malware-analysis--'}, 'product': {'type': 'string', 'description': 'The name of the analysis engine or product that was used for this analysis.'}, 'version': {'type': 'string', 'description': 'The version of the analysis product that was used to perform this analysis.'}, 'configuration_version': {'type': 'string', 'description': 'The version of the analysis product configuration that was used to perform this analysis.'}, 'modules': {'type': 'array', 'items': {'type': 'string'}, 'description': 'The particular analysis product modules that were used to perform the analysis.', 'minItems': 1}, 'analysis_engine_version': {'type': 'string', 'description': 'The version of the analysis engine or product that was used to perform this analysis.'}, 'analysis_definition_version': {'type': 'string', 'description': 'The version of the analysis definitions used by the analysis tool.'}, 'submitted': {'$ref': '../common/timestamp.json', 'description': 'The date and time that this malware was first submitted for scanning or analysis.'}, 'analysis_started': {'$ref': '../common/timestamp.json', 'description': 'The date and time that the malware analysis was initiated.'}, 'analysis_ended': {'$ref': '../common/timestamp.json', 'description': 'The date and time that the malware analysis ended.'}, 'result_name': {'type': 'string', 'description': 'The classification result or name assigned to the malware instance by the scanner tool.'}, 'result': {'type': 'string', 'description': 'The classification result as determined by the scanner or tool analysis process.'}, 'host_vm_ref': {'description': 'A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.', 'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^software--'}]}, 'operating_system_ref': {'description': 'The operating system that was used to perform the dynamic analysis.', 'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^software--'}]}, 'installed_software_refs': {'type': 'array', 'description': 'Any non-standard software installed on the operating system used for the dynamic analysis of the malware instance or family.', 'items': {'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^software--'}]}, 'minItems': 1}, 'analysis_sco_refs': {'type': 'array', 'description': 'The list of STIX objects that were captured during the analysis process.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}, 'sample_ref': {'description': 'Refers to the object this analysis was performed against.', 'allOf': [{'$ref': '../common/identifier.json'}, {'oneOf': [{'pattern': '^artifact--'}, {'pattern': '^file--'}, {'pattern': '^network-traffic--'}]}]}}}], 'required': ['product'], 'anyOf': [{'required': ['result']}, {'required': ['analysis_sco_refs']}], 'definitions': {'malware-av-result-ov': {'type': 'string', 'enum': ['malicious', 'suspicious', 'benign', 'unknown']}}}
attack_pattern = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/attack-pattern.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'attack-pattern', 'description': 'Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. ', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `attack-pattern`.', 'enum': ['attack-pattern']}, 'aliases': {'type': 'array', 'items': {'type': 'string'}, 'description': 'Alternative names used to identify this Attack Pattern.'}, 'id': {'title': 'id', 'pattern': '^attack-pattern--'}, 'name': {'type': 'string', 'description': 'The name used to identify the Attack Pattern.'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.'}, 'kill_chain_phases': {'type': 'array', 'description': 'The list of kill chain phases for which this attack pattern is used.', 'items': {'$ref': '../common/kill-chain-phase.json'}, 'minItems': 1}}}], 'required': ['name']}
note = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/note.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'note', 'description': 'A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `note`.', 'enum': ['note']}, 'id': {'title': 'id', 'pattern': '^note--'}, 'abstract': {'type': 'string', 'description': 'A brief summary of the note.'}, 'content': {'type': 'string', 'description': 'The content of the note.'}, 'authors': {'type': 'array', 'description': 'The name of the author(s) of this note (e.g., the analyst(s) that created it).', 'items': {'type': 'string'}, 'minItems': 1}, 'object_refs': {'type': 'array', 'description': 'The STIX Objects (SDOs and SROs) that the note is being applied to.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}}}], 'required': ['content', 'object_refs']}
tool = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sdos/tool.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'tool', 'description': 'Tools are legitimate software that can be used by threat actors to perform attacks.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `tool`.', 'enum': ['tool']}, 'id': {'title': 'id', 'pattern': '^tool--'}, 'aliases': {'type': 'array', 'description': 'Alternative names used to identify this Tool.', 'items': {'type': 'string'}, 'minItems': 1}, 'tool_types': {'type': 'array', 'description': 'The kind(s) of tool(s) being described. Open Vocab - tool-type-ov', 'items': {'type': 'string'}, 'minItems': 1}, 'name': {'type': 'string', 'description': 'The name used to identify the Tool.'}, 'description': {'type': 'string', 'description': 'Provides more context and details about the Tool object.'}, 'tool_version': {'type': 'string', 'description': 'The version identifier associated with the tool.'}, 'kill_chain_phases': {'type': 'array', 'description': 'The list of kill chain phases for which this Tool instance can be used.', 'items': {'$ref': '../common/kill-chain-phase.json'}, 'minItems': 1}}}], 'required': ['name'], 'definitions': {'tool-type-ov': {'type': 'string', 'enum': ['denial-of-service', 'exploitation', 'information-gathering', 'network-capture', 'credential-exploitation', 'remote-access', 'vulnerability-scanning', 'unknown']}}}
relationship = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sros/relationship.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'relationship', 'description': 'The Relationship object is used to link together two SDOs in order to describe how they are related to each other.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `relationship`.', 'enum': ['relationship']}, 'id': {'title': 'id', 'pattern': '^relationship--'}, 'relationship_type': {'title': 'relationship_type', 'type': 'string', 'description': 'The name used to identify the type of relationship.', 'pattern': '^[a-z0-9\\-]+$'}, 'description': {'type': 'string', 'description': 'A description that helps provide context about the relationship.'}, 'source_ref': {'description': 'The ID of the source (from) object.', 'allOf': [{'$ref': '../common/identifier.json'}, {'not': {'pattern': '^(relationship|sighting|bundle|marking-definition|language-content)--.+$'}}]}, 'target_ref': {'description': 'The ID of the target (to) object.', 'allOf': [{'$ref': '../common/identifier.json'}, {'not': {'pattern': '^(relationship|sighting|bundle|marking-definition|language-content)--.+$'}}]}, 'start_time': {'$ref': '../common/timestamp.json', 'description': 'This optional timestamp represents the earliest time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the updated property is defined, then this represents an estimate by the producer of the intelligence of the earliest time at which relationship will be asserted to be true.'}, 'stop_time': {'$ref': '../common/timestamp.json', 'description': 'The latest time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the updated property is defined, then this represents an estimate by the producer of the intelligence of the latest time at which relationship will be asserted to be true.'}}}], 'required': ['relationship_type', 'source_ref', 'target_ref']}
sighting = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/sros/sighting.json', '$schema': 'https://json-schema.org/draft/2020-12/schema', 'title': 'sighting', 'description': 'A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `sighting`.', 'enum': ['sighting']}, 'id': {'title': 'id', 'pattern': '^sighting--'}, 'description': {'type': 'string', 'description': 'A description that provides more details and context about the Sighting.'}, 'first_seen': {'$ref': '../common/timestamp.json', 'description': 'The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted.'}, 'last_seen': {'$ref': '../common/timestamp.json', 'description': 'The end of the time window during which the SDO referenced by the sighting_of_ref property was sighted.'}, 'count': {'type': 'integer', 'description': 'This is an integer between 0 and 999,999,999 inclusive and represents the number of times the object was sighted.', 'minimum': 0, 'maximum': 999999999}, 'sighting_of_ref': {'allOf': [{'$ref': '../common/identifier.json'}, {'not': {'pattern': '^sighting--'}}, {'not': {'pattern': '^relationship--'}}, {'not': {'pattern': '^bundle--'}}, {'not': {'pattern': '^marking-definition--'}}, {'not': {'pattern': '^language-content--'}}], 'description': 'An ID reference to the object that has been sighted.'}, 'observed_data_refs': {'type': 'array', 'description': 'A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting.', 'items': {'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^observed-data--'}]}, 'minItems': 1}, 'where_sighted_refs': {'type': 'array', 'description': 'A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting.', 'items': {'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^(identity|location)--'}]}, 'minItems': 1}, 'summary': {'type': 'boolean', 'description': 'The summary property indicates whether the Sighting should be considered summary data. '}}}], 'required': ['sighting_of_ref']}
software = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/software.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'software', 'description': 'The Software Object represents high-level properties associated with software, including software products.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `software`.', 'enum': ['software']}, 'id': {'title': 'id', 'pattern': '^software--'}, 'name': {'type': 'string', 'description': 'Specifies the name of the software.'}, 'cpe': {'type': 'string', 'pattern': 'cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#$$%&\'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#$$%&\'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|}~]))+(\\?*|\\*?))|[\\*\\-])){4}', 'description': 'Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary.'}, 'swid': {'type': 'string', 'description': 'Specifies the Software Identification (SWID) Tags entry for the software, if available.'}, 'languages': {'type': 'array', 'description': 'Specifies the languages supported by the software. The value of each list member MUST be an ISO 639-2 language code.', 'items': {'type': 'string', 'pattern': '^[a-z]{3}$'}, 'minItems': 1}, 'vendor': {'type': 'string', 'description': 'Specifies the name of the vendor of the software.'}, 'version': {'type': 'string', 'description': 'Specifies the version of the software.'}}}], 'required': ['name']}
email_addr = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/email-addr.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'email-addr', 'description': 'The Email Address Object represents a single email address.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `email-addr`.', 'enum': ['email-addr']}, 'id': {'title': 'id', 'pattern': '^email-addr--'}, 'value': {'type': 'string', 'format': 'email', 'description': 'Specifies a single email address. This MUST not include the display name.'}, 'display_name': {'type': 'string', 'description': 'Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application.'}, 'belongs_to_ref': {'description': 'Specifies the user account that the email address belongs to, as a reference to a User Account Object.', 'type': 'string'}}, 'required': ['value']}]}
windows_registry_key = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/windows-registry-key.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'windows-registry-key', 'description': 'The Registry Key Object represents the properties of a Windows registry key.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `windows-registry-key`.', 'enum': ['windows-registry-key']}, 'id': {'title': 'id', 'pattern': '^windows-registry-key--'}, 'key': {'type': 'string', 'not': {'pattern': '^HKLM|HKCC|HKCR|HKCU|HKU|hklm|hkcc|hkcr|hkcu|hku'}, 'description': 'Specifies the full registry key including the hive.'}, 'values': {'type': 'array', 'items': {'$ref': '#/definitions/windows-registry-value-type'}, 'description': 'Specifies the values found under the registry key.'}, 'modified_time': {'$ref': '../common/timestamp.json', 'description': 'Specifies the last date/time that the registry key was modified.'}, 'creator_user_ref': {'description': 'Specifies a reference to a user account, represented as a User Account Object, that created the registry key.', 'type': 'string'}, 'number_of_subkeys': {'type': 'integer', 'description': 'Specifies the number of subkeys contained under the registry key.'}}}], 'anyOf': [{'required': ['key']}, {'required': ['values']}, {'required': ['modified']}, {'required': ['creator_user_ref']}, {'required': ['number_of_subkeys']}], 'definitions': {'windows-registry-value-type': {'type': 'object', 'properties': {'name': {'type': 'string', 'description': 'Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used.'}, 'data': {'type': 'string', 'description': 'Specifies the data contained in the registry value.'}, 'data_type': {'type': 'string', 'description': 'Specifies the registry (REG_*) data type used in the registry value.', 'enum': ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_BIG_ENDIAN', 'REG_DWORD_LITTLE_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTION', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_INVALID_TYPE']}}, 'anyOf': [{'required': ['name']}, {'required': ['data']}, {'required': ['data_type']}]}}}
email_message = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/email-message.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'email-message', 'description': 'The Email Message Object represents an instance of an email message.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `email-message`.', 'enum': ['email-message']}, 'id': {'title': 'id', 'pattern': '^email-message--'}, 'date': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time that the email message was sent.'}, 'content_type': {'type': 'string', 'description': "Specifies the value of the 'Content-Type' header of the email message."}, 'from_ref': {'description': "Specifies the value of the 'From:' header of the email message.", 'type': 'string'}, 'sender_ref': {'description': "Specifies the value of the 'From' field of the email message.", 'type': 'string'}, 'to_refs': {'type': 'array', 'description': "Specifies the mailboxes that are 'To:' recipients of the email message.", 'items': {'type': 'string'}, 'minItems': 1}, 'cc_refs': {'type': 'array', 'description': "Specifies the mailboxes that are 'CC:' recipients of the email message.", 'items': {'type': 'string'}, 'minItems': 1}, 'bcc_refs': {'type': 'array', 'description': "Specifies the mailboxes that are 'BCC:' recipients of the email message.", 'items': {'type': 'string'}, 'minItems': 1}, 'message_id': {'type': 'string', 'description': 'Specifies the Message-ID field of the email message.'}, 'subject': {'type': 'string', 'description': 'Specifies the subject of the email message.'}, 'received_lines': {'type': 'array', 'description': 'Specifies one or more Received header fields that may be included in the email headers.', 'items': {'type': 'string'}}, 'additional_header_fields': {'$ref': '#/definitions/email-additional-header-fields', 'description': 'Specifies any other header fields found in the email message, as a dictionary.'}, 'raw_email_ref': {'description': 'Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact Object.', 'type': 'string'}}}], 'oneOf': [{'properties': {'is_multipart': {'type': 'boolean', 'enum': [False], 'description': 'Indicates whether the email body contains multiple MIME parts.'}, 'body': {'type': 'string', 'description': 'Specifies a string containing the email body. This field MAY only be used if is_multipart is false.'}}, 'required': ['is_multipart'], 'not': {'required': ['body_multipart']}}, {'properties': {'is_multipart': {'type': 'boolean', 'enum': [True], 'description': 'Indicates whether the email body contains multiple MIME parts.'}, 'body_multipart': {'type': 'array', 'description': 'Specifies a list of the MIME parts that make up the email body. This property MAY only be used if is_multipart is true.', 'items': {'$ref': '#/definitions/mime-part-type'}}}, 'required': ['is_multipart'], 'not': {'required': ['body']}}], 'definitions': {'mime-part-type': {'type': 'object', 'description': 'Specifies a component of a multi-part email body.', 'properties': {'body': {'type': 'string', 'description': 'Specifies the contents of the MIME part if the content_type is not provided OR starts with text/'}, 'body_raw_ref': {'type': 'string', 'description': 'Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact Object or File Object.'}, 'content_type': {'type': 'string', 'description': "Specifies the value of the 'Content-Type' header field of the MIME part."}, 'content_disposition': {'type': 'string', 'description': "Specifies the value of the 'Content-Disposition' header field of the MIME part."}}, 'oneOf': [{'required': ['body']}, {'required': ['body_raw_ref']}]}, 'email-additional-header-fields': {'allOf': [{'$ref': '../common/dictionary.json'}], 'description': 'Specifies any other header fields (except for date, received_lines, content_type, from_ref, sender_ref, to_refs, cc_refs, bcc_refs, and subject) found in the email message, as a dictionary.', 'not': {'patternProperties': {'^date|received_lines|content_type|from_ref|sender_ref|to_refs|cc_refs|bcc_refs|subject$': {'description': 'Invalid additional header field types'}}, 'additionalProperties': False}, 'patternProperties': {'^[a-zA-Z0-9_-]{0,250}$': {'oneOf': [{'type': 'array', 'items': {'type': 'string'}, 'minItems': 2}, {'type': 'string'}]}}}}}
autonomous_system = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/autonomous-system.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'autonomous-system', 'description': 'The AS object represents the properties of an Autonomous Systems (AS).', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `autonomous-system`.', 'enum': ['autonomous-system']}, 'id': {'title': 'id', 'pattern': '^autonomous-system--'}, 'number': {'type': 'integer', 'description': 'Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registries (RIR).'}, 'name': {'type': 'string', 'description': 'Specifies the name of the AS.'}, 'rir': {'type': 'string', 'description': 'Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS.'}}, 'required': ['number']}]}
mac_addr = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/mac-addr.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'mac-addr', 'description': 'The MAC Address Object represents a single Media Access Control (MAC) address.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `mac-addr`.', 'enum': ['mac-addr']}, 'id': {'title': 'id', 'pattern': '^mac-addr--'}, 'value': {'type': 'string', 'pattern': '^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$', 'description': 'Specifies one or more mac addresses expressed using CIDR notation.'}}, 'required': ['value']}]}
directory = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/directory.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'directory', 'description': 'The Directory Object represents the properties common to a file system directory.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `directory`.', 'enum': ['directory']}, 'id': {'title': 'id', 'pattern': '^directory--'}, 'path': {'type': 'string', 'description': 'Specifies the path, as originally observed, to the directory on the file system.'}, 'path_enc': {'type': 'string', 'pattern': '^[a-zA-Z0-9/\\.+_:-]{2,250}$', 'description': 'Specifies the observed encoding for the path.'}, 'ctime': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the directory was created.'}, 'mtime': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the directory was last written to/modified.'}, 'atime': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the directory was last accessed.'}, 'contains_refs': {'type': 'array', 'description': 'Specifies a list of references to other File and/or Directory Objects contained within the directory.', 'items': {'type': 'string'}, 'minItems': 1}}, 'required': ['path']}]}
domain_name = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/domain-name.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'domain-name', 'description': 'The Domain Name represents the properties of a network domain name.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `domain-name`.', 'enum': ['domain-name']}, 'id': {'title': 'id', 'pattern': '^domain-name--'}, 'value': {'type': 'string', 'description': 'Specifies the value of the domain name.', 'format': 'idn-hostname'}, 'resolves_to_refs': {'type': 'array', 'description': 'Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to.', 'items': {'type': 'string'}, 'minItems': 1}}, 'required': ['value']}]}
x509_certificate = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/x509-certificate.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'x509-certificate', 'description': 'The X509 Certificate Object represents the properties of an X.509 certificate.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `x509-certificate`.', 'enum': ['x509-certificate']}, 'id': {'title': 'id', 'pattern': '^x509-certificate--'}, 'is_self_signed': {'type': 'boolean', 'description': 'Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies.'}, 'hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies any hashes that were calculated for the entire contents of the certificate.'}, 'version': {'type': 'string', 'description': 'Specifies the version of the encoded certificate.'}, 'serial_number': {'type': 'string', 'description': 'Specifies the unique identifier for the certificate, as issued by a specific Certificate Authority.'}, 'signature_algorithm': {'type': 'string', 'description': 'Specifies the name of the algorithm used to sign the certificate.'}, 'issuer': {'type': 'string', 'description': 'Specifies the name of the Certificate Authority that issued the certificate.'}, 'validity_not_before': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date on which the certificate validity period begins.'}, 'validity_not_after': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date on which the certificate validity period ends.'}, 'subject': {'type': 'string', 'description': 'Specifies the name of the entity associated with the public key stored in the subject public key field of the certificate.'}, 'subject_public_key_algorithm': {'type': 'string', 'description': 'Specifies the name of the algorithm with which to encrypt data being sent to the subject.'}, 'subject_public_key_modulus': {'type': 'string', 'description': 'Specifies the modulus portion of the subject’s public RSA key.'}, 'subject_public_key_exponent': {'type': 'integer', 'description': 'Specifies the exponent portion of the subject’s public RSA key, as an integer.'}, 'x509_v3_extensions': {'$ref': '#/definitions/x509-v3-extensions-type', 'description': 'Specifies any standard X.509 v3 extensions that may be used in the certificate.'}}}, {'anyOf': [{'required': ['is_self_signed']}, {'required': ['hashes']}, {'required': ['version']}, {'required': ['serial_number']}, {'required': ['signature_algorithm']}, {'required': ['issuer']}, {'required': ['validity_not_before']}, {'required': ['validity_not_after']}, {'required': ['subject']}, {'required': ['subject_public_key_algorithm']}, {'required': ['subject_public_key_modulus']}, {'required': ['subject_public_key_exponent']}, {'required': ['x509_v3_extensions']}]}], 'definitions': {'x509-v3-extensions-type': {'type': 'object', 'allOf': [{'properties': {'basic_constraints': {'type': 'string', 'description': 'Specifies a multi-valued extension which indicates whether a certificate is a CA certificate.'}, 'name_constraints': {'type': 'string', 'description': 'Specifies a namespace within which all subject names in subsequent certificates in a certification path MUST be located.'}, 'policy_constraints': {'type': 'string', 'description': 'Specifies any constraints on path validation for certificates issued to CAs.'}, 'key_usage': {'type': 'string', 'description': 'Specifies a multi-valued extension consisting of a list of names of the permitted key usages.'}, 'extended_key_usage': {'type': 'string', 'description': 'Specifies a list of usages indicating purposes for which the certificate public key can be used for.'}, 'subject_key_identifier': {'type': 'string', 'description': 'Specifies the identifier that provides a means of identifying certificates that contain a particular public key.'}, 'authority_key_identifier': {'type': 'string', 'description': 'Specifies the identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate.'}, 'subject_alternative_name': {'type': 'string', 'description': 'Specifies the additional identities to be bound to the subject of the certificate.'}, 'issuer_alternative_name': {'type': 'string', 'description': 'Specifies the additional identities to be bound to the issuer of the certificate.'}, 'subject_directory_attributes': {'type': 'string', 'description': 'Specifies the identification attributes (e.g., nationality) of the subject.'}, 'crl_distribution_points': {'type': 'string', 'description': 'Specifies how CRL information is obtained.'}, 'inhibit_any_policy': {'type': 'string', 'description': 'Specifies the number of additional certificates that may appear in the path before anyPolicy is no longer permitted.'}, 'private_key_usage_period_not_before': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date on which the validity period begins for the private key, if it is different from the validity period of the certificate.'}, 'private_key_usage_period_not_after': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date on which the validity period ends for the private key, if it is different from the validity period of the certificate.'}, 'certificate_policies': {'type': 'string', 'description': 'Specifies a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.'}, 'policy_mappings': {'type': 'string', 'description': 'Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy'}}}, {'anyOf': [{'required': ['basic_constraints']}, {'required': ['name_constraints']}, {'required': ['policy_constraints']}, {'required': ['key_usage']}, {'required': ['extended_key_usage']}, {'required': ['subject_key_identifier']}, {'required': ['authority_key_identifier']}, {'required': ['subject_alternative_name']}, {'required': ['issuer_alternative_name']}, {'required': ['subject_directory_attributes']}, {'required': ['crl_distribution_points']}, {'required': ['inhibit_any_policy']}, {'required': ['private_key_usage_period_not_before']}, {'required': ['private_key_usage_period_not_after']}, {'required': ['certificate_policies']}, {'required': ['policy_mappings']}]}]}}}
file = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/file.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'file', 'description': 'The File Object represents the properties of a file.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `file`.', 'enum': ['file']}, 'id': {'title': 'id', 'pattern': '^file--'}, 'extensions': {'$ref': '#/definitions/file-extensions-dictionary', 'description': 'The File Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: ntfs-ext, raster-image-ext, pdf-ext, archive-ext, windows-pebinary-ext'}, 'hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies a dictionary of hashes for the file.'}, 'size': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the file, in bytes, as a non-negative integer.'}, 'name': {'type': 'string', 'description': 'Specifies the name of the file.'}, 'name_enc': {'type': 'string', 'pattern': '^[a-zA-Z0-9/\\.+_:-]{2,250}$', 'description': 'Specifies the observed encoding for the name of the file.'}, 'magic_number_hex': {'$ref': '../common/hex.json', 'description': "Specifies the hexadecimal constant ('magic number') associated with a specific file format that corresponds to the file, if applicable."}, 'mime_type': {'type': 'string', 'description': "Specifies the MIME type name specified for the file, e.g., 'application/msword'."}, 'ctime': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the file was created.'}, 'mtime': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the file was last written to/modified.'}, 'atime': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the file was last accessed.'}, 'parent_directory_ref': {'description': 'Specifies the parent directory of the file, as a reference to a Directory Object.', 'type': 'string'}, 'contains_refs': {'type': 'array', 'description': 'Specifies a list of references to other Observable Objects contained within the file.', 'items': {'type': 'string'}, 'minItems': 1}, 'content_ref': {'description': 'Specifies the content of the file, represented as an Artifact Object.', 'type': 'string'}}}], 'anyOf': [{'required': ['hashes']}, {'required': ['name']}], 'definitions': {'file-extensions-dictionary': {'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^ntfs-ext$': {'type': 'object', 'description': 'The NTFS file extension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system.', 'allOf': [{'properties': {'sid': {'type': 'string', 'description': 'Specifies the security ID (SID) value assigned to the file.'}, 'alternate_data_streams': {'type': 'array', 'description': 'Specifies a list of NTFS alternate data streams that exist for the file.', 'items': {'properties': {'name': {'type': 'string', 'description': 'Specifies the name of the alternate data stream.'}, 'hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies a dictionary of hashes for the data contained in the alternate data stream.'}, 'size': {'type': 'integer', 'description': 'Specifies the size of the alternate data stream, in bytes, as a non-negative integer.', 'minimum': 0}}, 'required': ['name']}}}}, {'anyOf': [{'required': ['sid']}, {'required': ['alternate_data_streams']}]}]}, '^raster-image-ext$': {'type': 'object', 'description': 'The Raster Image file extension specifies a default extension for capturing properties specific to image files.', 'allOf': [{'properties': {'image_height': {'type': 'integer', 'description': 'Specifies the height of the image in the image file, in pixels.'}, 'image_width': {'type': 'integer', 'description': 'Specifies the width of the image in the image file, in pixels.'}, 'bits_per_pixel': {'type': 'integer', 'description': 'Specifies the sum of bits used for each color channel in the image in the image file, and thus the total number of pixels used for expressing the color depth of the image.'}, 'exif_tags': {'allOf': [{'$ref': '../common/dictionary.json'}], 'description': 'Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag.', 'patternProperties': {'^[A-Z][a-zA-Z0-9_-]+$': {'oneOf': [{'type': 'string'}, {'type': 'integer'}]}}, 'additionalProperties': False}}}, {'anyOf': [{'required': ['image_height']}, {'required': ['image_width']}, {'required': ['bits_per_pixel']}, {'required': ['image_compression_algorithm']}, {'required': ['exif_tags']}]}]}, '^pdf-ext$': {'type': 'object', 'description': 'The PDF file extension specifies a default extension for capturing properties specific to PDF files.', 'allOf': [{'properties': {'version': {'type': 'string', 'description': "Specifies the decimal version number of the string from the PDF header that specifies the version of the PDF specification to which the PDF file conforms. E.g., '1.4'."}, 'is_optimized': {'type': 'boolean', 'description': 'Specifies whether the PDF file has been optimized.'}, 'document_info_dict': {'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^[a-zA-Z0-9_-]{0,250}$': {'type': 'string'}}, 'description': 'Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary.'}, 'pdfid0': {'type': 'string', 'description': 'Specifies the first file identifier found for the PDF file.'}, 'pdfid1': {'type': 'string', 'description': 'Specifies the second file identifier found for the PDF file.'}}}, {'anyOf': [{'required': ['version']}, {'required': ['is_optimized']}, {'required': ['document_info_dict']}, {'required': ['pdfid0']}, {'required': ['pdfid1']}]}]}, '^archive-ext$': {'type': 'object', 'description': 'The Archive File extension specifies a default extension for capturing properties specific to archive files.', 'properties': {'contains_refs': {'type': 'array', 'description': 'Specifies the files contained in the archive, as a reference to one or more other File Objects. The objects referenced in this list MUST be of type file-object.', 'items': {'type': 'string'}, 'minItems': 1}, 'comment': {'type': 'string', 'description': 'Specifies a comment included as part of the archive file.'}}, 'required': ['contains_refs']}, '^windows-pebinary-ext$': {'type': 'object', 'description': 'The Windows PE Binary File extension specifies a default extension for capturing properties specific to Windows portable executable (PE) files.', 'properties': {'pe_type': {'type': 'string', 'description': 'Specifies the type of the PE binary. Open Vocabulary - windows-pebinary-type-ov'}, 'imphash': {'type': 'string', 'description': "Specifies the special import hash, or 'imphash', calculated for the PE Binary based on its imported libraries and functions."}, 'machine_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the type of target machine.'}, 'number_of_sections': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the number of sections in the PE binary, as a non-negative integer.'}, 'time_date_stamp': {'type': 'string', 'description': 'Specifies the time when the PE binary was created. The timestamp value MUST BE precise to the second.', 'allOf': [{'$ref': '../common/timestamp.json'}, {'pattern': 'T\\d{2}:\\d{2}:\\d{2}Z$'}]}, 'pointer_to_symbol_table_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the file offset of the COFF symbol table.'}, 'number_of_symbols': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the number of entries in the symbol table of the PE binary, as a non-negative integer.'}, 'size_of_optional_header': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the optional header of the PE binary.'}, 'characteristics_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the flags that indicate the file’s characteristics.'}, 'file_header_hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies any hashes that were computed for the file header.'}, 'optional_header': {'$ref': '#/definitions/windows-pe-optional-header-type', 'description': 'Specifies the PE optional header of the PE binary.'}, 'sections': {'type': 'array', 'description': 'Specifies metadata about the sections in the PE file.', 'items': {'$ref': '#/definitions/windows-pe-section'}, 'minItems': 1}}, 'anyOf': [{'required': ['imphash']}, {'required': ['machine_hex']}, {'required': ['number_of_sections']}, {'required': ['time_date_stamp']}, {'required': ['pointer_to_symbol_table_hex']}, {'required': ['number_of_symbols']}, {'required': ['size_of_optional_header']}, {'required': ['characteristics_hex']}, {'required': ['file_header_hashes']}, {'required': ['optional_header']}, {'required': ['sections']}], 'required': ['pe_type']}}, 'additionalProperties': {'$ref': '../common/dictionary.json', 'description': 'Custom file extension'}}, 'windows-pe-optional-header-type': {'type': 'object', 'minProperties': 1, 'additionalProperties': False, 'description': 'The Windows PE Optional Header type represents the properties of the PE optional header.', 'properties': {'magic_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the unsigned integer that indicates the type of the PE binary.'}, 'major_linker_version': {'type': 'integer', 'description': 'Specifies the linker major version number.'}, 'minor_linker_version': {'type': 'integer', 'description': 'Specifies the linker minor version number.'}, 'size_of_code': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the code (text) section. If there are multiple such sections, this refers to the sum of the sizes of each section.'}, 'size_of_initialized_data': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section.'}, 'size_of_uninitialized_data': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section.'}, 'address_of_entry_point': {'type': 'integer', 'description': 'Specifies the address of the entry point relative to the image base when the executable is loaded into memory.'}, 'base_of_code': {'type': 'integer', 'description': 'Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory.'}, 'base_of_data': {'type': 'integer', 'description': 'Specifies the address that is relative to the image base of the beginning-of-data section when it is loaded into memory.'}, 'image_base': {'type': 'integer', 'description': 'Specifies the preferred address of the first byte of the image when loaded into memory.'}, 'section_alignment': {'type': 'integer', 'description': 'Specifies the alignment (in bytes) of PE sections when they are loaded into memory.'}, 'file_alignment': {'type': 'integer', 'description': 'Specifies the factor (in bytes) that is used to align the raw data of sections in the image file.'}, 'major_os_version': {'type': 'integer', 'description': 'Specifies the major version number of the required operating system.'}, 'minor_os_version': {'type': 'integer', 'description': 'Specifies the minor version number of the required operating system.'}, 'major_image_version': {'type': 'integer', 'description': 'Specifies the major version number of the image.'}, 'minor_image_version': {'type': 'integer', 'description': 'Specifies the minor version number of the image.'}, 'major_subsystem_version': {'type': 'integer', 'description': 'Specifies the major version number of the subsystem.'}, 'minor_subsystem_version': {'type': 'integer', 'description': 'Specifies the minor version number of the subsystem.'}, 'win32_version_value_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the reserved win32 version value.'}, 'size_of_image': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size, in bytes, of the image, including all headers, as the image is loaded in memory.'}, 'size_of_headers': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up a multiple of the value specified in the file_alignment header.'}, 'checksum_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the checksum of the PE binary.'}, 'subsystem_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image.'}, 'dll_characteristics_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the flags that characterize the PE binary.'}, 'size_of_stack_reserve': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the stack to reserve'}, 'size_of_stack_commit': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the stack to commit.'}, 'size_of_heap_reserve': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the local heap space to reserve.'}, 'size_of_heap_commit': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the local heap space to commit.'}, 'loader_flags_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the reserved loader flags.'}, 'number_of_rva_and_sizes': {'type': 'integer', 'description': 'Specifies the number of data-directory entries in the remainder of the optional header.'}, 'hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies any hashes that were computed for the optional header.'}}}, 'windows-pe-section': {'type': 'object', 'description': 'The PE Section type specifies metadata about a PE file section.', 'properties': {'name': {'type': 'string', 'description': 'Specifies the name of the section.'}, 'size': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the size of the section, in bytes.'}, 'entropy': {'type': 'number', 'description': 'Specifies the calculated entropy for the section, as calculated using the Shannon algorithm.'}, 'hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies any hashes computed over the section.'}}, 'required': ['name']}, 'windows-pebinary-type-ov': {'type': 'string', 'enum': ['exe', 'dll', 'sys']}}}
ipv4_addr = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/ipv4-addr.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'ipv4-addr', 'description': 'The IPv4 Address Object represents one or more IPv4 addresses expressed using CIDR notation.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `ipv4-addr`.', 'enum': ['ipv4-addr']}, 'id': {'title': 'id', 'pattern': '^ipv4-addr--'}, 'value': {'type': 'string', 'description': 'Specifies one or more IPv4 addresses expressed using CIDR notation.', 'pattern': '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(3[0-2]|[1-2][0-9]|[0-9]))?$'}, 'resolves_to_refs': {'type': 'array', 'description': 'Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to.', 'items': {'type': 'string'}, 'minItems': 1}, 'belongs_to_refs': {'type': 'array', 'description': 'Specifies a reference to one or more autonomous systems (AS) that the IPv4 address belongs to.', 'items': {'type': 'string'}, 'minItems': 1}}, 'required': ['value']}]}
mutex = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/mutex.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'mutex', 'description': 'The Mutex Object represents the properties of a mutual exclusion (mutex) object.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `mutex`.', 'enum': ['mutex']}, 'id': {'title': 'id', 'pattern': '^mutex--'}, 'name': {'type': 'string', 'description': 'Specifies the name of the mutex object.'}}}], 'required': ['name']}
artifact = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/artifact.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'artifact', 'description': 'The Artifact Object permits capturing an array of bytes (8-bits), as a base64-encoded string string, or linking to a file-like payload.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `artifact`.', 'enum': ['artifact']}, 'id': {'title': 'id', 'pattern': '^artifact--'}, 'mime_type': {'type': 'string', 'pattern': '^(application|audio|font|image|message|model|multipart|text|video)/[a-zA-Z0-9.+_-]+', 'description': 'The value of this property MUST be a valid MIME type as specified in the IANA Media Types registry.'}, 'payload_bin': {'$ref': '../common/binary.json', 'description': 'Specifies the binary data contained in the artifact as a base64-encoded string.'}, 'url': {'$ref': '../common/url-regex.json', 'description': 'The value of this property MUST be a valid URL that resolves to the unencoded content.'}, 'hashes': {'$ref': '../common/hashes-type.json', 'description': 'Specifies a dictionary of hashes for the contents of the url or the payload_bin. This MUST be provided when the url property is present.'}, 'encryption_algorithm': {'$ref': '#/definitions/encryption-algorithm-enum', 'description': 'If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in.'}, 'decryption_key': {'type': 'string', 'description': 'Specifies the decryption key for the encrypted binary data (either via payload_bin or url).'}}}, {'oneOf': [{'required': ['payload_bin'], 'not': {'required': ['url']}}, {'required': ['url', 'hashes'], 'not': {'required': ['payload_bin']}}]}, {'oneOf': [{'required': ['encryption_algorithm'], 'not': {'required': ['decryption_key']}}, {'required': ['encryption_algorithm', 'decryption_key']}, {'allOf': [{'not': {'required': ['encryption_algorithm']}}, {'not': {'required': ['decryption_key']}}]}]}], 'definitions': {'encryption-algorithm-enum': {'type': 'string', 'enum': ['AES-256-GCM', 'ChaCha20-Poly1305', 'mime-type-indicated']}}}
network_traffic = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/network-traffic.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'network-traffic', 'description': 'The Network Traffic Object represents arbitrary network traffic that originates from a source and is addressed to a destination.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `network-traffic`.', 'enum': ['network-traffic']}, 'id': {'title': 'id', 'pattern': '^network-traffic--'}, 'extensions': {'$ref': '#/definitions/network-traffic-extensions-dictionary', 'description': 'The Network Traffic Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: http-ext, tcp-ext, icmp-ext, socket-ext'}, 'start': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the network traffic was initiated, if known.'}, 'end': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time the network traffic ended, if known.'}, 'src_ref': {'description': 'Specifies the source of the network traffic, as a reference to an Observable Object.', 'type': 'string'}, 'dst_ref': {'description': 'Specifies the destination of the network traffic, as a reference to an Observable Object.', 'type': 'string'}, 'src_port': {'type': 'integer', 'description': 'Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535.', 'minimum': 0, 'maximum': 65535}, 'dst_port': {'type': 'integer', 'description': 'Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535.', 'minimum': 0, 'maximum': 65535}, 'protocols': {'type': 'array', 'description': 'Specifies the protocols observed in the network traffic, along with their corresponding state.', 'items': {'type': 'string'}, 'minItems': 1}, 'src_byte_count': {'type': 'integer', 'description': 'Specifies the number of bytes sent from the source to the destination.'}, 'dst_byte_count': {'type': 'integer', 'description': 'Specifies the number of bytes sent from the destination to the source.'}, 'src_packets': {'type': 'integer', 'description': 'Specifies the number of packets sent from the source to the destination.'}, 'dst_packets': {'type': 'integer', 'description': 'Specifies the number of packets sent destination to the source.'}, 'ipfix': {'description': 'Specifies any IP Flow Information Export (IPFIX) data for the traffic.', 'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^[a-zA-Z0-9_-]{0,250}$': {'anyOf': [{'type': 'string'}, {'type': 'integer'}]}}}, 'src_payload_ref': {'description': 'Specifies the bytes sent from the source to the destination.', 'type': 'string'}, 'dst_payload_ref': {'description': 'Specifies the bytes sent from the source to the destination.', 'type': 'string'}, 'encapsulates_refs': {'type': 'array', 'description': 'Links to other network-traffic objects encapsulated by a network-traffic.', 'items': {'type': 'string'}, 'minItems': 1}, 'encapsulated_by_ref': {'description': 'Links to another network-traffic object which encapsulates this object.', 'type': 'string'}}}], 'required': ['protocols'], 'anyOf': [{'required': ['src_ref']}, {'required': ['dst_ref']}], 'oneOf': [{'properties': {'is_active': {'type': 'boolean', 'enum': [False], 'description': 'Indicates whether the network traffic is still ongoing.'}}, 'required': ['is_active']}, {'properties': {'is_active': {'type': 'boolean', 'enum': [True], 'description': 'Indicates whether the network traffic is still ongoing.'}}, 'required': ['is_active'], 'not': {'required': ['end']}}, {'not': {'required': ['is_active']}}], 'definitions': {'network-traffic-extensions-dictionary': {'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^http-request-ext$': {'type': 'object', 'description': 'The HTTP request extension specifies a default extension for capturing network traffic properties specific to HTTP requests.', 'properties': {'request_method': {'type': 'string', 'description': 'Specifies the HTTP method portion of the HTTP request line, as a lowercase string.'}, 'request_value': {'type': 'string', 'description': 'Specifies the value (typically a resource path) portion of the HTTP request line.'}, 'request_version': {'type': 'string', 'description': 'Specifies the HTTP version portion of the HTTP request line, as a lowercase string.'}, 'request_header': {'allOf': [{'$ref': '../common/dictionary.json'}], 'description': 'Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary.', 'patternProperties': {'^.+$': {'type': 'string'}}, 'additionalProperties': False}, 'message_body_length': {'type': 'integer', 'description': 'Specifies the length of the HTTP message body, if included, in bytes.'}, 'message_body_data_ref': {'description': 'Specifies the data contained in the HTTP message body, if included.', 'type': 'string'}}, 'required': ['request_method', 'request_value']}, '^icmp-ext$': {'type': 'object', 'description': 'The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP.', 'properties': {'icmp_type_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the ICMP type byte.'}, 'icmp_code_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the ICMP code byte.'}}, 'required': ['icmp_type_hex', 'icmp_code_hex']}, '^socket-ext$': {'type': 'object', 'description': 'The Network Socket extension specifies a default extension for capturing network traffic properties associated with network sockets.', 'properties': {'address_family': {'type': 'string', 'description': 'Specifies the address family (AF_*) that the socket is configured for.', 'enum': ['AF_UNSPEC', 'AF_INET', 'AF_IPX', 'AF_APPLETALK', 'AF_NETBIOS', 'AF_INET6', 'AF_IRDA', 'AF_BTH']}, 'is_blocking': {'type': 'boolean', 'description': 'Specifies whether the socket is in blocking mode.'}, 'is_listening': {'type': 'boolean', 'description': 'Specifies whether the socket is in listening mode.'}, 'options': {'allOf': [{'$ref': '../common/dictionary.json'}], 'description': 'Specifies any options (SO_*) that may be used by the socket, as a dictionary.', 'patternProperties': {'^(SO|ICMP|ICMP6|IP|IPV6|MCAST|TCP|IRLMP)(_[A-Z]+)+$': {'type': 'integer'}}, 'additionalProperties': False}, 'socket_type': {'type': 'string', 'description': 'Specifies the type of the socket.', 'enum': ['SOCK_STREAM', 'SOCK_DGRAM', 'SOCK_RAW', 'SOCK_RDM', 'SOCK_SEQPACKET']}, 'socket_descriptor': {'type': 'integer', 'minimum': 0, 'description': 'Specifies the socket file descriptor value associated with the socket, as a non-negative integer.'}, 'socket_handle': {'type': 'integer', 'description': 'Specifies the handle or inode value associated with the socket.'}}, 'required': ['address_family']}, '^tcp-ext$': {'type': 'object', 'description': 'The TCP extension specifies a default extension for capturing network traffic properties specific to TCP.', 'allOf': [{'properties': {'src_flags_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the source TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). '}, 'dst_flags_hex': {'$ref': '../common/hex.json', 'description': 'Specifies the destination TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property).'}}}, {'anyOf': [{'required': ['src_flags_hex']}, {'required': ['dst_flags_hex']}]}]}}, 'additionalProperties': {'$ref': '../common/dictionary.json', 'description': 'Custom file extension'}}}}
process = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/process.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'process', 'description': 'The Process Object represents common properties of an instance of a computer program as executed on an operating system.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `process`.', 'enum': ['process']}, 'id': {'title': 'id', 'pattern': '^process--'}, 'extensions': {'$ref': '#/definitions/process-extensions-dictionary', 'description': 'The Process Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: windows-process-ext, windows-service-ext.'}, 'is_hidden': {'type': 'boolean', 'description': 'Specifies whether the process is hidden.'}, 'pid': {'type': 'integer', 'description': 'Specifies the Process ID, or PID, of the process.'}, 'created_time': {'$ref': '../common/timestamp.json', 'description': 'Specifies the date/time at which the process was created.'}, 'cwd': {'type': 'string', 'description': 'Specifies the current working directory of the process.'}, 'command_line': {'type': 'string', 'description': 'Specifies the full command line used in executing the process, including the process name (which may be specified individually via the binary_ref.name property) and any arguments.'}, 'environment_variables': {'$ref': '../common/dictionary.json', 'description': 'Specifies the list of environment variables associated with the process as a dictionary.'}, 'opened_connection_refs': {'type': 'array', 'description': 'Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects.', 'items': {'type': 'string'}, 'minItems': 1}, 'creator_user_ref': {'description': 'Specifies the user that created the process, as a reference to a User Account Object.', 'type': 'string'}, 'image_ref': {'description': 'Specifies the executable binary that was executed as the process image, as a reference to a File Object.', 'type': 'string'}, 'parent_ref': {'description': 'Specifies the other process that spawned (i.e. is the parent of) this one, as represented by a Process Object.', 'type': 'string'}, 'child_refs': {'type': 'array', 'description': 'Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process Objects.', 'items': {'type': 'string'}, 'minItems': 1}}}], 'anyOf': [{'required': ['extensions']}, {'required': ['is_hidden']}, {'required': ['pid']}, {'required': ['name']}, {'required': ['created']}, {'required': ['cwd']}, {'required': ['arguments']}, {'required': ['command_line']}, {'required': ['environment_variables']}, {'required': ['opened_connection_refs']}, {'required': ['creator_user_ref']}, {'required': ['image_ref']}, {'required': ['parent_ref']}, {'required': ['child_refs']}], 'definitions': {'process-extensions-dictionary': {'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^windows-process-ext$': {'type': 'object', 'description': 'The Windows Process extension specifies a default extension for capturing properties specific to Windows processes.', 'allOf': [{'properties': {'aslr_enabled': {'type': 'boolean', 'description': 'Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.'}, 'dep_enabled': {'type': 'boolean', 'description': 'Specifies whether Data Execution Prevention (DEP) is enabled for the process.'}, 'priority': {'type': 'string', 'description': 'Specifies the current priority class of the process in Windows.'}, 'owner_sid': {'type': 'string', 'description': 'Specifies the Security ID (SID) value of the owner of the process.'}, 'window_title': {'type': 'string', 'description': 'Specifies the title of the main window of the process.'}, 'startup_info': {'$ref': '#/definitions/startup-info-dictionary', 'description': 'Specifies the STARTUP_INFO struct used by the process, as a dictionary.'}, 'integrity_level': {'$ref': '#/definitions/windows-integrity-level-enum', 'description': 'Specifies the Windows integrity level, or trustworthiness, of the process.'}}}, {'anyOf': [{'required': ['aslr_enabled']}, {'required': ['dep_enabled']}, {'required': ['priority']}, {'required': ['owner_sid']}, {'required': ['window_title']}, {'required': ['startup_info']}]}]}, '^windows-service-ext$': {'type': 'object', 'description': 'The Windows Service extension specifies a default extension for capturing properties specific to Windows services.', 'properties': {'service_name': {'type': 'string', 'description': 'Specifies the name of the service.'}, 'descriptions': {'type': 'array', 'description': 'Specifies the descriptions defined for the service.', 'items': {'type': 'string'}, 'minItems': 1}, 'display_name': {'type': 'string', 'description': 'Specifies the displayed name of the service in Windows GUI controls.'}, 'group_name': {'type': 'string', 'description': 'Specifies the name of the load ordering group of which the service is a member.'}, 'start_type': {'type': 'string', 'description': 'Specifies the start options defined for the service. windows-service-start-enum', 'enum': ['SERVICE_AUTO_START', 'SERVICE_BOOT_START', 'SERVICE_DEMAND_START', 'SERVICE_DISABLED', 'SERVICE_SYSTEM_ALERT']}, 'service_dll_refs': {'type': 'array', 'description': 'Specifies the DLLs loaded by the service, as a reference to one or more File Objects.', 'items': {'type': 'string'}, 'minItems': 1}, 'service_type': {'type': 'string', 'description': 'Specifies the type of the service. windows-service-enum', 'enum': ['SERVICE_KERNEL_DRIVER', 'SERVICE_FILE_SYSTEM_DRIVER', 'SERVICE_WIN32_OWN_PROCESS', 'SERVICE_WIN32_SHARE_PROCESS']}, 'service_status': {'type': 'string', 'description': 'Specifies the current status of the service. windows-service-status-enum', 'enum': ['SERVICE_CONTINUE_PENDING', 'SERVICE_PAUSE_PENDING', 'SERVICE_PAUSED', 'SERVICE_RUNNING', 'SERVICE_START_PENDING', 'SERVICE_STOP_PENDING', 'SERVICE_STOPPED']}}, 'anyOf': [{'required': ['service_name']}, {'required': ['descriptions']}, {'required': ['display_name']}, {'required': ['group_name']}, {'required': ['start_type']}, {'required': ['service_dll_refs']}, {'required': ['service_type']}, {'required': ['service_status']}]}}, 'additionalProperties': {'$ref': '../common/dictionary.json', 'description': 'Custom file extension'}}, 'startup-info-dictionary': {'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^lpDesktop|lpTitle|dwFillAttribute|dwFlags|wShowWindow|hStdInput|hStdOutput|hStdError$': {'type': 'string'}, '^lpReserved|lpReserved2$': {'type': 'null'}, '^cb|dwX|dwY|dwXSize|dwYSize|dwXCountChars|dwYCountChars$': {'type': 'integer'}, '^cbReserved2$': {'type': 'integer', 'minimum': 0, 'maximum': 0}}, 'additionalProperties': False}, 'windows-integrity-level-enum': {'type': 'string', 'enum': ['low', 'medium', 'high', 'system']}}}
ipv6_addr = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/ipv6-addr.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'ipv6-addr', 'description': 'The IPv6 Address Object represents one or more IPv6 addresses expressed using CIDR notation.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `ipv6-addr`.', 'enum': ['ipv6-addr']}, 'id': {'title': 'id', 'pattern': '^ipv6-addr--'}, 'value': {'type': 'string', 'description': 'Specifies one or more IPv6 addresses expressed using CIDR notation.', 'pattern': '^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))?$'}, 'resolves_to_refs': {'type': 'array', 'description': 'Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to.', 'items': {'type': 'string'}, 'minItems': 1}, 'belongs_to_refs': {'type': 'array', 'description': 'Specifies a reference to one or more autonomous systems (AS) that the IPv6 address belongs to.', 'items': {'type': 'string'}, 'minItems': 1}}, 'required': ['value']}]}
user_account = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/user-account.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'user-account', 'description': 'The User Account Object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `user-account`.', 'enum': ['user-account']}, 'id': {'title': 'id', 'pattern': '^user-account--'}, 'extensions': {'$ref': '#/definitions/user-account-extensions-dictionary', 'description': 'The User Account Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: unix-account-ext.'}, 'user_id': {'type': 'string', 'description': 'Specifies the identifier of the account.'}, 'credential': {'type': 'string', 'description': 'Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII.'}, 'account_login': {'type': 'string', 'description': 'Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login.'}, 'account_type': {'type': 'string', 'description': 'Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov vocabulary.'}, 'display_name': {'type': 'string', 'description': 'Specifies the display name of the account, to be shown in user interfaces, if applicable.'}, 'is_service_account': {'type': 'boolean', 'description': 'Indicates that the account is associated with a network service or system process (daemon), not a specific individual.'}, 'is_privileged': {'type': 'boolean', 'description': 'Specifies that the account has elevated privileges (i.e., in the case of root on Unix or the Windows Administrator account).'}, 'can_escalate_privs': {'type': 'boolean', 'description': 'Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account).'}, 'is_disabled': {'type': 'boolean', 'description': 'Specifies if the account is disabled.'}, 'account_created': {'$ref': '../common/timestamp.json', 'description': 'Specifies when the account was created.'}, 'account_expires': {'$ref': '../common/timestamp.json', 'description': 'Specifies the expiration date of the account.'}, 'credential_last_changed': {'$ref': '../common/timestamp.json', 'description': 'Specifies when the account credential was last changed.'}, 'account_first_login': {'$ref': '../common/timestamp.json', 'description': 'Specifies when the account was first accessed.'}, 'account_last_login': {'$ref': '../common/timestamp.json', 'description': 'Specifies when the account was last accessed.'}}}], 'anyOf': [{'required': ['extensions']}, {'required': ['user_id']}, {'required': ['credential']}, {'required': ['account_login']}, {'required': ['account_type']}, {'required': ['display_name']}, {'required': ['is_service_account']}, {'required': ['is_privileged']}, {'required': ['can_escalate_privs']}, {'required': ['is_disabled']}, {'required': ['account_created']}, {'required': ['account_expires']}, {'required': ['credential_last_changed']}, {'required': ['account_first_login']}, {'required': ['account_last_login']}], 'definitions': {'user-account-extensions-dictionary': {'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^unix-account-ext$': {'type': 'object', 'description': 'The User Account Object defines the following extensions. In addition to these, producers MAY create their own.', 'allOf': [{'properties': {'gid': {'type': 'number', 'description': 'Specifies the primary group ID of the account.'}, 'groups': {'type': 'array', 'description': 'Specifies a list of names of groups that the account is a member of.', 'items': {'type': 'string'}, 'minItems': 1}, 'home_dir': {'type': 'string', 'description': 'Specifies the home directory of the account.'}, 'shell': {'type': 'string', 'description': 'Specifies the account’s command shell.'}}}, {'anyOf': [{'required': ['gid']}, {'required': ['groups']}, {'required': ['home_dir']}, {'required': ['shell']}]}]}}, 'additionalProperties': {'$ref': '../common/dictionary.json', 'description': 'Custom file extension'}}, 'account-type-ov': {'type': 'string', 'enum': ['unix', 'windows local', 'windows domain', 'ldap', 'tacacs', 'radius', 'nis', 'openid', 'facebook', 'skype', 'twitter', 'kavi']}}}
url = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/observables/url.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'url', 'description': 'The URL Object represents the properties of a uniform resource locator (URL).', 'type': 'object', 'allOf': [{'$ref': '../common/cyber-observable-core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The value of this property MUST be `url`.', 'enum': ['url']}, 'id': {'title': 'id', 'pattern': '^url--'}, 'value': {'$ref': '../common/url-regex.json', 'description': 'Specifies the value of the URL.'}}}], 'required': ['value']}
url_regex = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/url-regex.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'url-regex', 'description': 'Matches a URI according to RFC 3986.', 'type': 'string', 'format': 'uri'}
core = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json', '$schema': 'https://json-schema.org/draft/2020-12/schema', 'title': 'core', 'description': 'Common properties and behavior across all STIX Domain Objects and STIX Relationship Objects.', 'type': 'object', 'properties': {'type': {'title': 'type', 'type': 'string', 'pattern': '^([a-z][a-z0-9]*)+(-[a-z0-9]+)*\\-?$', 'minLength': 3, 'maxLength': 250, 'description': 'The type property identifies the type of STIX Object (SDO, Relationship Object, etc). The value of the type field MUST be one of the types defined by a STIX Object (e.g., indicator).', 'not': {'enum': ['action']}}, 'spec_version': {'type': 'string', 'enum': ['2.0', '2.1'], 'description': 'The version of the STIX specification used to represent this object.'}, 'id': {'$ref': '../common/identifier.json', 'description': 'The id property universally and uniquely identifies this object.'}, 'created_by_ref': {'$ref': '../common/identifier.json', 'description': 'The ID of the Source object that describes who created this object.'}, 'labels': {'type': 'array', 'description': 'The labels property specifies a set of terms used to describe this object.', 'items': {'type': 'string'}, 'minItems': 1}, 'created': {'description': 'The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond.', 'allOf': [{'$ref': '../common/timestamp.json'}, {'title': 'timestamp_millis', 'pattern': 'T\\d{2}:\\d{2}:\\d{2}\\.\\d{3,}Z$'}]}, 'modified': {'description': 'The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond.', 'allOf': [{'$ref': '../common/timestamp.json'}, {'title': 'timestamp_millis', 'pattern': 'T\\d{2}:\\d{2}:\\d{2}\\.\\d{3,}Z$'}]}, 'revoked': {'type': 'boolean', 'description': 'The revoked property indicates whether the object has been revoked.'}, 'confidence': {'type': 'integer', 'minimum': 0, 'maximum': 100, 'description': 'Identifies the confidence that the creator has in the correctness of their data.'}, 'lang': {'type': 'string', 'description': 'Identifies the language of the text content in this object.'}, 'external_references': {'type': 'array', 'description': 'A list of external references which refers to non-STIX information.', 'items': {'$ref': '../common/external-reference.json'}, 'minItems': 1}, 'object_marking_refs': {'type': 'array', 'description': 'The list of marking-definition objects to be applied to this object.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}, 'granular_markings': {'type': 'array', 'description': 'The set of granular markings that apply to this object.', 'items': {'$ref': '../common/granular-marking.json'}, 'minItems': 1}, 'extensions': {'description': 'Specifies any extensions of the object, as a dictionary.', 'type': 'object', 'minProperties': 1, 'patternProperties': {'^extension-definition--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$': {'allOf': [{'$ref': '../common/extension.json'}]}}, 'additionalProperties': False}}, 'allOf': [{'$ref': '../common/properties.json'}], 'not': {'anyOf': [{'required': ['severity']}, {'required': ['action']}, {'required': ['username']}, {'required': ['phone_numbers']}]}, 'required': ['type', 'spec_version', 'id', 'created', 'modified']}
binary = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/binary.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'binary', 'description': "The \u200bbinary data type represents a sequence of bytes. In order to allow pattern matching on custom objects, for all properties that use the binary type, the property name MUST end with '_bin'. The JSON MTI serialization represents this as a base64-\xadencoded string as specified in RFC4648\u200b. Other serializations SHOULD use a native binary type, if available.", 'type': 'string', 'pattern': '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$'}
language_content = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/language-content.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'language-content', 'description': 'The language-content object represents text content for STIX Objects represented in languages other than that of the original object.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `language-content`.', 'enum': ['language-content']}, 'id': {'title': 'id', 'pattern': '^language-content--'}, 'object_ref': {'description': 'Identifies the object that this Language Content applies to.', 'allOf': [{'$ref': '../common/identifier.json'}, {'not': {'pattern': '^(bundle|language-content)--.+$'}}]}, 'object_modified': {'$ref': '../common/timestamp.json', 'description': 'Identifies the modified time of the object that this Language Content applies to.'}, 'contents': {'$ref': '../common/dictionary.json', 'description': 'Contains the actual Language Content (translation).'}}}, {'required': ['object_ref', 'contents']}]}
timestamp = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'timestamp', 'description': "Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.", 'type': 'string', 'pattern': '^[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\\.[0-9]+)?Z$'}
extension_definition = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/extension-definition.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'extension-definition', 'description': 'The STIX Extension Definition object allows producers of threat intelligence to extend existing STIX objects or to create entirely new STIX objects in a standardized way.', 'type': 'object', 'allOf': [{'$ref': '../common/core.json'}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `extension-definition`.', 'enum': ['extension-definition']}, 'id': {'title': 'id', 'pattern': '^extension-definition--'}, 'name': {'type': 'string', 'description': 'A name used for display purposes during execution, development, or debugging.'}, 'description': {'type': 'string', 'description': 'A detailed explanation of what data the extension conveys and how it is intended to be used.'}, 'schema': {'type': 'string', 'description': 'The normative definition of the extension, either as a URL or as plain text explaining the definition.'}, 'version': {'type': 'string', 'description': 'The version of this extension.'}, 'extension_types': {'type': 'array', 'description': 'Which extension types are contained within this extension.', 'items': {'$ref': '#/definitions/extension-type-enum'}, 'minItems': 1}, 'extension_properties': {'type': 'array', 'description': 'The list of new property names that are added to an object by this extension', 'items': {'type': 'string'}, 'minItems': 1}}}, {'if': {'not': {'properties': {'extension_types': {'type': 'array', 'contains': {'const': 'toplevel-property-extension'}}}}}, 'then': {'not': {'required': ['extension_properties']}}}], 'required': ['name', 'schema', 'version', 'extension_types'], 'definitions': {'extension-type-enum': {'type': 'string', 'enum': ['new-sdo', 'new-sco', 'new-sro', 'property-extension', 'toplevel-property-extension']}}}
external_reference = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/external-reference.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'external-reference', 'description': 'External references are used to describe pointers to information represented outside of STIX.', 'type': 'object', 'properties': {'description': {'type': 'string', 'description': 'A human readable description'}, 'url': {'$ref': '../common/url-regex.json', 'description': 'A URL reference to an external resource.'}, 'hashes': {'description': 'Specifies a dictionary of hashes for the file.', 'allOf': [{'$ref': '../common/hashes-type.json'}, {'propertyNames': {'pattern': '^MD5|SHA-1|SHA-256|SHA-512|SHA3-256|SHA3-512|SSDEEP|TLSH$'}}]}}, 'oneOf': [{'properties': {'source_name': {'type': 'string', 'description': 'The source within which the external-reference is defined (system, registry, organization, etc.)', 'pattern': '^cve$'}, 'external_id': {'type': 'string', 'description': 'An identifier for the external reference content.', 'pattern': '^CVE-\\d{4}-(0\\d{3}|[1-9]\\d{3,})$'}}, 'required': ['source_name', 'external_id']}, {'properties': {'source_name': {'type': 'string', 'description': 'The source within which the external-reference is defined (system, registry, organization, etc.)', 'pattern': '^capec$'}, 'external_id': {'type': 'string', 'description': 'An identifier for the external reference content.', 'pattern': '^CAPEC-\\d+$'}}, 'required': ['source_name', 'external_id']}, {'properties': {'source_name': {'type': 'string', 'description': 'The source within which the external-reference is defined (system, registry, organization, etc.)', 'not': {'pattern': '^((cve)|(capec))$'}}, 'external_id': {'type': 'string', 'description': 'An identifier for the external reference content.', 'not': {'pattern': '^((CVE-\\d{4}-(0\\d{3}|[1-9]\\d{3,}))|(CAPEC-\\d+))$'}}}, 'required': ['source_name'], 'anyOf': [{'required': ['external_id']}, {'required': ['description']}, {'required': ['url']}]}]}
dictionary = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/dictionary.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'dictionary', 'description': 'A dictionary captures a set of key/value pairs', 'type': 'object', 'minProperties': 1, 'patternProperties': {'^[a-zA-Z0-9_-]{0,250}$': {'anyOf': [{'type': 'array', 'minItems': 1}, {'type': 'string'}, {'type': 'integer'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'object'}]}}, 'additionalProperties': False}
bundle = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/bundle.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'bundle', 'description': 'A Bundle is a collection of arbitrary STIX Objects and Marking Definitions grouped together in a single container.', 'type': 'object', 'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `bundle`.', 'enum': ['bundle']}, 'id': {'allOf': [{'$ref': '../common/identifier.json', 'description': 'An identifier for this bundle. The id field for the Bundle is designed to help tools that may need it for processing, but tools are not required to store or track it. '}, {'pattern': '^bundle--'}]}, 'objects': {'type': 'array', 'description': 'Specifies a set of one or more STIX Objects.', 'items': {'anyOf': [{'oneOf': [{'$ref': '../sdos/attack-pattern.json'}, {'$ref': '../sdos/campaign.json'}, {'$ref': '../sdos/course-of-action.json'}, {'$ref': '../sdos/identity.json'}, {'$ref': '../sdos/indicator.json'}, {'$ref': '../sdos/infrastructure.json'}, {'$ref': '../sdos/intrusion-set.json'}, {'$ref': '../sdos/malware.json'}, {'$ref': '../sdos/malware-analysis.json'}, {'$ref': '../sdos/observed-data.json'}, {'$ref': '../sros/relationship.json'}, {'$ref': '../sdos/report.json'}, {'$ref': '../sros/sighting.json'}, {'$ref': '../sdos/threat-actor.json'}, {'$ref': '../sdos/tool.json'}, {'$ref': '../sdos/vulnerability.json'}, {'$ref': '../observables/artifact.json'}, {'$ref': '../observables/autonomous-system.json'}, {'$ref': '../observables/directory.json'}, {'$ref': '../observables/domain-name.json'}, {'$ref': '../observables/email-addr.json'}, {'$ref': '../observables/email-message.json'}, {'$ref': '../observables/file.json'}, {'$ref': '../observables/ipv4-addr.json'}, {'$ref': '../observables/ipv6-addr.json'}, {'$ref': '../observables/mac-addr.json'}, {'$ref': '../observables/mutex.json'}, {'$ref': '../observables/network-traffic.json'}, {'$ref': '../observables/process.json'}, {'$ref': '../observables/software.json'}, {'$ref': '../observables/url.json'}, {'$ref': '../observables/user-account.json'}, {'$ref': '../observables/windows-registry-key.json'}, {'$ref': '../observables/x509-certificate.json'}, {'$ref': '../common/language-content.json'}, {'$ref': '../common/marking-definition.json'}]}, {'allOf': [{'oneOf': [{'$ref': '../common/core.json'}, {'$ref': '../common/cyber-observable-core.json'}]}, {'properties': {'type': {'type': 'string', 'description': 'The type of this object, which for custom objects cannot be one of those defined in the specification.', 'not': {'enum': ['attack-pattern', 'campaign', 'course-of-action', 'identity', 'indicator', 'infrastructure', 'intrusion-set', 'malware', 'observed-data', 'relationship', 'report', 'sighting', 'threat-actor', 'tool', 'vulnerability', 'artifact', 'autonomous-system', 'directory', 'domain-name', 'email-addr', 'email-message', 'file', 'ipv4-addr', 'ipv6-addr', 'mac-addr', 'mutex', 'network-traffic', 'process', 'software', 'url', 'user-account', 'windows-registry-key', 'x509-certificate', 'language-content', 'marking-definition']}}}}]}]}, 'minItems': 1}}, 'required': ['type', 'id']}
identifier = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'identifier', 'description': 'Represents identifiers across the CTI specifications. The format consists of the name of the top-level object being identified, followed by two dashes (--), followed by a UUIDv4.', 'type': 'string', 'pattern': '^[a-z][a-z0-9-]+[a-z0-9]--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$'}
hashes = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/hashes-type.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'hashes', 'description': 'The Hashes type represents one or more cryptographic hashes, as a special set of key/value pairs', 'type': 'object', 'allOf': [{'$ref': '../common/dictionary.json'}], 'patternProperties': {'^[a-zA-Z0-9_-]{3,250}$': {'type': 'string', 'description': 'Custom hash key'}, '^MD5$': {'type': 'string', 'description': 'Specifies the MD5 message digest algorithm.', 'pattern': '^[a-fA-F0-9]{32}$'}, '^SHA-1$': {'type': 'string', 'description': 'Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function.', 'pattern': '^[a-fA-F0-9]{40}$'}, '^SHA-256$': {'type': 'string', 'description': 'Specifies the SHA-256 cryptographic hash function (part of the SHA2 family).', 'pattern': '^[a-fA-F0-9]{64}$'}, '^SHA-512$': {'type': 'string', 'description': 'Specifies the SHA-512 cryptographic hash function (part of the SHA2 family).', 'pattern': '^[a-fA-F0-9]{128}$'}, '^SHA3-256$': {'type': 'string', 'description': 'Specifies the SHA3-256 cryptographic hash function.', 'pattern': '^[a-fA-F0-9]{64}$'}, '^SHA3-512$': {'type': 'string', 'description': 'Specifies the SHA3-512 cryptographic hash function.', 'pattern': '^[a-fA-F0-9]{128}$'}, '^SSDEEP$': {'type': 'string', 'description': 'Specifies the ssdeep fuzzy hashing algorithm.', 'pattern': '^[a-zA-Z0-9/+:.]{1,128}$'}, '^TLSH$': {'type': 'string', 'description': 'Specifies the TLSH locality-sensitive hashing algorithm.', 'pattern': '^[a-zA-Z0-9]{70}$'}}, 'additionalProperties': False}
properties = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/properties.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'properties', 'description': 'Rules for custom properties', 'patternProperties': {'^[a-z][a-z0-9_]{0,245}_bin$': {'$ref': '../common/binary.json'}, '^[a-z][a-z0-9_]{0,245}_hex$': {'$ref': '../common/hex.json'}, '^([a-z][a-z0-9_]{2,249})|id$': {'anyOf': [{'type': 'array', 'minItems': 1}, {'type': 'string'}, {'type': 'integer'}, {'type': 'boolean'}, {'type': 'number'}, {'type': 'object'}]}}, 'additionalProperties': False}
kill_chain_phase = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/kill-chain-phase.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'kill-chain-phase', 'description': 'The kill-chain-phase represents a phase in a kill chain.', 'type': 'object', 'properties': {'kill_chain_name': {'type': 'string', 'description': 'The name of the kill chain.'}, 'phase_name': {'type': 'string', 'description': 'The name of the phase in the kill chain.'}}, 'required': ['kill_chain_name', 'phase_name']}
marking_definition = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/marking-definition.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'marking-definition', 'description': 'The marking-definition object represents a specific marking.', 'type': 'object', 'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `marking-definition`.', 'enum': ['marking-definition']}, 'spec_version': {'type': 'string', 'enum': ['2.0', '2.1'], 'description': 'The version of the STIX specification used to represent this object.'}, 'name': {'type': 'string', 'description': 'A name used to identify the Marking Definition.'}, 'created_by_ref': {'$ref': '../common/identifier.json', 'description': 'The created_by_ref property specifies the ID of the identity object that describes the entity that created this Marking Definition.'}, 'created': {'$ref': '../common/timestamp.json', 'description': 'The created property represents the time at which the first version of this Marking Definition object was created.'}, 'external_references': {'type': 'array', 'description': 'A list of external references which refers to non-STIX information.', 'items': {'$ref': '../common/external-reference.json'}, 'minItems': 1}, 'object_marking_refs': {'type': 'array', 'description': 'The object_marking_refs property specifies a list of IDs of marking-definition objects that apply to this Marking Definition.', 'items': {'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^marking-definition--'}]}, 'minItems': 1}, 'granular_markings': {'type': 'array', 'description': 'The granular_markings property specifies a list of granular markings applied to this object.', 'items': {'$ref': 'granular-marking.json'}, 'minItems': 1}, 'extensions': {'description': 'Specifies any extensions of the object, as a dictionary.', 'type': 'object', 'minProperties': 1, 'patternProperties': {'^extension-definition--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$': {'allOf': [{'$ref': '../common/extension.json'}]}}, 'additionalProperties': False}}, 'oneOf': [{'properties': {'id': {'allOf': [{'$ref': '../common/identifier.json'}, {'title': 'id', 'pattern': '^marking-definition--', 'description': 'An identifier for this bundle.'}]}}, 'oneOf': [{'properties': {'definition_type': {'type': 'string', 'description': 'The definition_type property identifies the type of Marking Definition.', 'pattern': '^statement$'}, 'definition': {'$ref': '#/definitions/statement', 'description': 'The definition property contains the marking object itself.'}}, 'required': ['definition_type', 'definition']}, {'properties': {'definition_type': {'type': 'string', 'description': 'The definition_type property identifies the type of Marking Definition.', 'not': {'pattern': '^(statement)|(tlp)$'}}, 'definition': {'type': 'object', 'description': 'The definition property contains the marking object itself.'}}}], 'if': {'not': {'required': ['extensions']}}, 'then': {'required': ['definition', 'definition_type']}, 'required': ['id', 'type', 'spec_version', 'created']}, {'description': 'The TLP marking type defines how you would represent a Traffic Light Protocol (TLP) marking in a definition field.', 'properties': {'type': {'type': 'string', 'description': 'The type of this object, which MUST be the literal `marking-definition`.', 'enum': ['marking-definition']}, 'id': {'type': 'string', 'description': 'The unique identifier for this TLP Marking Definition.'}, 'spec_version': {'type': 'string', 'enum': ['2.1'], 'description': 'The version of the STIX specification used to represent this object.'}, 'name': {'type': 'string', 'description': 'A name used to identify this TLP Marking Definition.'}, 'created': {'type': 'string', 'enum': ['2017-01-20T00:00:00.000Z']}, 'definition': {'type': 'object', 'description': 'The marking object itself.'}, 'definition_type': {'type': 'string', 'enum': ['tlp']}}, 'oneOf': [{'$ref': '#/definitions/tlp_white'}, {'$ref': '#/definitions/tlp_green'}, {'$ref': '#/definitions/tlp_amber'}, {'$ref': '#/definitions/tlp_red'}], 'required': ['id', 'type', 'spec_version', 'created', 'name', 'definition', 'definition_type'], 'additionalProperties': False}], 'definitions': {'statement': {'type': 'object', 'description': 'The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition', 'properties': {'statement': {'type': 'string', 'description': 'A statement (e.g., copyright, terms of use) applied to the content marked by this marking definition.'}}, 'required': ['statement']}, 'tlp_white': {'description': 'The marking-definition object representing Traffic Light Protocol (TLP) White.', 'properties': {'id': {'type': 'string', 'enum': ['marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9']}, 'name': {'type': 'string', 'enum': ['TLP:WHITE']}, 'definition': {'type': 'object', 'properties': {'tlp': {'type': 'string', 'enum': ['white']}}}}}, 'tlp_green': {'description': 'The marking-definition object representing Traffic Light Protocol (TLP) Green.', 'properties': {'id': {'type': 'string', 'enum': ['marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da']}, 'name': {'type': 'string', 'enum': ['TLP:GREEN']}, 'definition': {'type': 'object', 'properties': {'tlp': {'type': 'string', 'enum': ['green']}}}}}, 'tlp_amber': {'description': 'The marking-definition object representing Traffic Light Protocol (TLP) Amber.', 'properties': {'id': {'type': 'string', 'enum': ['marking-definition--f88d31f6-486f-44da-b317-01333bde0b82']}, 'name': {'type': 'string', 'enum': ['TLP:AMBER']}, 'definition': {'type': 'object', 'properties': {'tlp': {'type': 'string', 'enum': ['amber']}}}}}, 'tlp_red': {'description': 'The marking-definition object representing Traffic Light Protocol (TLP) Red.', 'properties': {'id': {'type': 'string', 'enum': ['marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed']}, 'name': {'type': 'string', 'enum': ['TLP:RED']}, 'definition': {'type': 'object', 'properties': {'tlp': {'type': 'string', 'enum': ['red']}}}}}}}
hex = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/hex.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'hex', 'description': "The hex data type encodes an array of octets (8-bit bytes) as hexadecimal. The string MUST consist of an even number of hexadecimal characters, which are the digits '0' through '9' and the letters 'a' through 'f'. In order to allow pattern matching on custom objects, all properties that use the hex type, the property name MUST end with '_hex'.", 'type': 'string', 'pattern': '^([a-fA-F0-9]{2})+$'}
granular_marking = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/granular-marking.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'granular-marking', 'description': 'The granular-marking type defines how the list of marking-definition objects referenced by the marking_refs property to apply to a set of content identified by the list of selectors in the selectors property.', 'type': 'object', 'properties': {'selectors': {'type': 'array', 'description': 'A list of selectors for content contained within the STIX object in which this property appears.', 'items': {'type': 'string', 'pattern': '^([a-z0-9_-]{3,249}(\\.(\\[\\d+\\]|[a-z0-9_-]{1,250}))*|id)$'}, 'minItems': 1}, 'lang': {'type': 'string', 'description': 'Identifies the language of the text identified by this marking.'}, 'marking_ref': {'allOf': [{'$ref': '../common/identifier.json'}, {'pattern': '^marking-definition--', 'description': 'The marking_ref property specifies the ID of the marking-definition object that describes the marking.'}]}}, 'required': ['selectors', 'marking_ref']}
cyber_observable_core = {'$id': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/cyber-observable-core.json', '$schema': 'http://json-schema.org/draft/2020-12/schema#', 'title': 'cyber-observable-core', 'description': 'Common properties and behavior across all Cyber Observable Objects.', 'type': 'object', 'properties': {'type': {'type': 'string', 'pattern': '^([a-z][a-z0-9]*)+(-[a-z0-9]+)*\\-?$', 'minLength': 3, 'maxLength': 250, 'description': 'Indicates that this object is an Observable Object. The value of this property MUST be a valid Observable Object type name, but to allow for custom objects this has been removed from the schema.', 'not': {'enum': ['action']}}, 'spec_version': {'type': 'string', 'enum': ['2.0', '2.1'], 'description': 'The version of the STIX specification used to represent the content in this cyber-observable.'}, 'object_marking_refs': {'type': 'array', 'description': 'The list of marking-definition objects to be applied to this object.', 'items': {'$ref': '../common/identifier.json'}, 'minItems': 1}, 'granular_markings': {'type': 'array', 'description': 'The set of granular markings that apply to this object.', 'items': {'$ref': '../common/granular-marking.json'}, 'minItems': 1}, 'defanged': {'type': 'boolean', 'description': 'Defines whether or not the data contained within the object has been defanged.'}, 'id': {'$ref': '../common/identifier.json', 'description': 'Specifies the identifier of the observable object, as a string.'}, 'extensions': {'description': 'Specifies any extensions of the object, as a dictionary.', 'type': 'object', 'minProperties': 1, 'patternProperties': {'^([a-z][a-z0-9]*)+(-[a-z0-9]+)*\\-ext$': {'type': 'object', 'minProperties': 1, 'allOf': [{'$ref': '../common/properties.json'}]}, '^extension-definition--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$': {'allOf': [{'$ref': '../common/extension.json'}]}}, 'additionalProperties': False}}, 'allOf': [{'$ref': '../common/properties.json'}], 'not': {'anyOf': [{'required': ['severity']}, {'required': ['action']}, {'required': ['username']}, {'required': ['phone_numbers']}]}, 'required': ['type', 'id']}