Skip to content

This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.


Notifications You must be signed in to change notification settings


Repository files navigation

example workflow codecov


STIX-shifter is an open source python library allowing software to connect to products that house data repositories by using STIX Patterning, and return results as STIX Observations.

This library takes in STIX 2 Patterns as input, and "finds" data that matches the patterns inside various products that house repositories of cybersecurity data. Examples of such products include SIEM systems, endpoint management systems, threat intelligence platforms, orchestration platforms, network control points, data lakes, and more.

In addition to "finding" the data by using these patterns, STIX-Shifter also transforms the output into STIX 2 Observations. Why would we do that you ask? To put it simply - so that all of the security data, regardless of the source, mostly looks and behaves the same.

Project Documentation

For general information about STIX, this project, and the command line utilities, see the STIX-shifter Documentation


The recommended method for installing stix-shifter is via pip. Two prerequisite packages needs to be installed inlcuding the package of stix-shifter connector module to complete a stix-shifter connector installation. Run the below commands to install all the packages:

  1. Main stix-shifter package: pip install stix-shifter

  2. Stix-shifter Utility package: pip install stix-shifter-utils

  3. Desired stix-shifter connector module package: pip install stix-shifter-modules-<module name> Example: pip install stix-shifter-modules-qradar


STIX-shifter requries Python 3.8 or greater. See the requirements file for library dependencies.


STIX-Shifter can use used the following ways:

As a command line utility

The STIX-Shifter comes with a bundled script which you can use to translate STIX Pattern to a native datasource query. It can also be used to translate a JSON data source query result to a STIX bundle of observable objects. You can also send query to a datasource by using a transmission option.

More details of the command line option can be found here

$ stix-shifter translate <MODULE NAME> query "<STIX IDENTITY OBJECT>" "<STIX PATTERN>" "<OPTIONS>"


$ stix-shifter translate qradar query {} "[ipv4-addr:value = '']" {}

In order to build stix-shifter packages from source follow the below prerequisite steps:

  1. Go to the stix-shifter parent directory
  2. Optionally, you can create a Python 3 virtual environemnt: virtualenv -p python3 virtualenv && source virtualenv/bin/activate
  3. Run setup: python3 install

Running from the source

You may also use the python3 script. All the options are the same as the command line utility described above.


python3 translate qradar query {} "[ipv4-addr:value = '']" {}

In order to run python3 from the source follow the below prerequisite steps:

  1. Go to the stix-shifter parent directory
  2. Optionally, you can create a Python 3 virtual environemnt: virtualenv -p python3 virtualenv && source virtualenv/bin/activate
  3. Run setup to install dependancies: INSTALL_REQUIREMENTS_ONLY=1 python3 install.

Note: only installs dependencies when INSTALL_REQUIREMENTS_ONLY=1 directive is used. This option is similar to python3 && pip install -r requirements.txt

As a library

You can also use this library to integrate STIX Shifter into your own tools. You can translate a STIX Pattern:

from stix_shifter.stix_translation import stix_translation

translation = stix_translation.StixTranslation()
response = translation.translate('<MODULE NAME>', 'query', '{}', '<STIX PATTERN>', '<OPTIONS>')


Use of custom mappings

If a connector has been installed using pip, the process for editing the STIX mappings is different than if you have pulled-down the project. When working locally, you can edit the mapping files directly. See the mapping files for the MySQL connector as an example. Editing the mapping files won't work if the connector has been installed with pip; the setup script of the stix-shifter package includes the mapppings inside config.json. This allows stix-shifter to injest custom mappings as part of the connector's configuration.

Refer to Use of custom mappings for more details on how to edit the mappings in the configuration.


We are thrilled you are considering contributing! We welcome all contributors. Please read our guidelines for contributing.


Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

More Resources

Join us on Slack!

Click here and fill out the form to receive an invite to the Open Cybersecurity Alliance slack instance, then join the #stix-shifter channel, to meet and discuss usage with the team.

Introduction Webinar!

Click here to view an introduction webinar on STIX Shifter and the use cases it solves for.