ctinet/stixnet

stixnet

A C# API for STIX 2

Install from Nuget

Install-Package stixnet

What is STIX?

Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more. The objects and features added for inclusion in STIX 2.1 represent an iterative approach to fulfilling basic consumer and producer requirements for CTI sharing. Objects and properties not included in this version of STIX, but deemed necessary by the community, will be included in future releases.

STIX is a schema that defines a taxonomy of cyber threat intelligence that is represented by the following objects:

  1. STIX Bundle Object : An object that provides a wrapper mechanism for packaging arbitrary STIX content together
  2. STIX Objects
    1. STIX Core Objects
      1. STIX Domain Objects (SDO) : Higher Level Intelligence Objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape.
      2. STIX Cyber-observable Objects (SCO) : Objects that represent observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape.
      3. STIX Relationship Objects (SRO) : Objects that connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape.
    2. STIX Meta Objects (SMO) : A STIX Object that provides the necessary glue and associated metadata to enrich or extend STIX Core Objects to support user and system workflows.
      1. Extension Definition Objects
      2. Language Content Objects
      3. Marking Definition Objects

Common Data Types

| Type | Description |
|---|---|
| binary | A sequence of bytes. |
| boolean | A value of true or false. |
| dictionary | A set of key/value pairs. |
| enum | A value from a STIX Enumeration. |
| external-reference | A non-STIX identifier or reference to other related external content. |
| float | An IEEE 754 [IEEE 754-2008] double-precision number. |
| hashes | One or more cryptographic hashes. |
| hex | An array of octets as hexadecimal. |
| identifier | An identifier (ID) is for STIX Objects. |
| integer | A whole number. |
| kill-chain-phase | A name and a phase of a kill chain. |
| list | A sequence of values ordered based on how they appear in the list. The phrasing "list of type `<type>`" is used to indicate that all values within the list MUST conform to the specified type. |
| observable-container | One or more STIX Cyber-observable Objects in the deprecated Cyber Observable Container. |
| open-vocab | A value from a STIX open (open-vocab) or suggested vocabulary. |
| string | A series of Unicode characters. |
| timestamp | A time value (date and time). |

Common Properties

The SDOs, SROs and SCOs columns are STIX Core Objects; the Extension, Language and Markings columns are STIX Meta Objects.

| Property Name | SDOs | SROs | SCOs | Extension | Language | Markings | Bundle |
|---|---|---|---|---|---|---|---|
| type | Required | Required | Required | Required | Required | Required | Required |
| spec_version | Required | Required | Optional | Required | Required | Required | N/A |
| id | Required | Required | Required | Required | Required | Required | Required |
| created_by_ref | Optional | Optional | N/A | Required | Optional | Optional | N/A |
| created | Required | Required | N/A | Required | Required | Required | N/A |
| modified | Required | Required | N/A | Required | Required | N/A | N/A |
| revoked | Optional | Optional | N/A | Optional | Optional | N/A | N/A |
| labels | Optional | Optional | N/A | Optional | Optional | N/A | N/A |
| confidence | Optional | Optional | N/A | N/A | Optional | N/A | N/A |
| lang | Optional | Optional | N/A | N/A | N/A | N/A | N/A |
| external_references | Optional | Optional | N/A | Optional | Optional | Optional | N/A |
| object_marking_refs | Optional | Optional | Optional | Optional | Optional | Optional | N/A |
| granular_markings | Optional | Optional | Optional | Optional | Optional | Optional | N/A |
| defanged | N/A | N/A | Optional | N/A | N/A | N/A | N/A |
| extensions | Optional | Optional | Optional | N/A | Optional | Optional | N/A |

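As an added example (not code from stixnet, and not using its API), this C# program checks the Required cells of the Common Properties table against a bundle, using only System.Text.Json. The type-to-column map, the sample bundle and its identifiers are constructed for illustration, the sample indicator deliberately lacks `modified`, and .NET 7 or later is assumed for the raw string literal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Required common properties, one entry per column of the Common Properties table.
var requiredProps = new Dictionary<string, string[]>
{
    ["SDO"]       = new[] { "type", "spec_version", "id", "created", "modified" },
    ["SRO"]       = new[] { "type", "spec_version", "id", "created", "modified" },
    ["SCO"]       = new[] { "type", "id" },
    ["Extension"] = new[] { "type", "spec_version", "id", "created_by_ref", "created", "modified" },
    ["Language"]  = new[] { "type", "spec_version", "id", "created", "modified" },
    ["Markings"]  = new[] { "type", "spec_version", "id", "created" },
    ["Bundle"]    = new[] { "type", "id" },
};
// Partial type-to-column map: only the types used in the sample (assumption).
var columnOf = new Dictionary<string, string>
{
    ["indicator"] = "SDO", ["relationship"] = "SRO", ["ipv4-addr"] = "SCO",
    ["marking-definition"] = "Markings", ["bundle"] = "Bundle",
};

// Returns one finding per required common property the object lacks.
IEnumerable<string> Check(JsonElement obj)
{
    if (!obj.TryGetProperty("type", out var t) || t.ValueKind != JsonValueKind.String)
        return new[] { "object has no string 'type' property" };
    var type = t.GetString()!;
    if (!columnOf.TryGetValue(type, out var col))
        return new[] { $"{type}: type not in the sample map, skipped" };
    var label = obj.TryGetProperty("id", out var id) ? id.ToString() : type;
    return requiredProps[col].Where(p => !obj.TryGetProperty(p, out _))
                             .Select(p => $"{label}: missing required '{p}' ({col})");
}

// Constructed sample bundle; all identifiers and values are made up.
const string json = """
{ "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
  { "type": "indicator", "spec_version": "2.1", "created": "2024-01-01T00:00:00.000Z",
    "id": "indicator--00000000-0000-4000-8000-000000000002" },
  { "type": "ipv4-addr", "value": "198.51.100.7",
    "id": "ipv4-addr--00000000-0000-4000-8000-000000000003" },
  { "type": "marking-definition", "spec_version": "2.1", "created": "2024-01-01T00:00:00.000Z",
    "id": "marking-definition--00000000-0000-4000-8000-000000000004" } ] }
""";
using var doc = JsonDocument.Parse(json);
var findings = Check(doc.RootElement).ToList();
foreach (var o in doc.RootElement.GetProperty("objects").EnumerateArray())
    findings.AddRange(Check(o));
findings.ForEach(Console.WriteLine);
```

The SCO and the marking definition pass without `modified` because the table marks that property N/A for those columns.
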
STIX Objects

  1. STIX Domain Objects
    1. Attack Pattern
    2. Campaign
    3. Course of Action
    4. Grouping
    5. Identity
    6. Incident
    7. Indicator
    8. Infrastructure
    9. Intrusion Set
    10. Location
    11. Malware
    12. Malware Analysis
    13. Note
    14. Observed Data
    15. Opinion
    16. Report
    17. Threat Actor
    18. Tool
    19. Vulnerability
  2. STIX Relationship Objects
    1. Relationship
    2. Sighting
  3. STIX Cyber-observable Objects
    1. Artifact Object
    2. Autonomous System (AS) Object
    3. Directory Object
    4. Domain Name Object
    5. Email Address Object
    6. Email Message Object
      1. Email MIME Component Type
    7. File Object
      1. Archive File Extension
      2. NTFS File Extension
      3. Alternate Data Stream Type
      4. PDF File Extension
      5. Raster Image File Extension
      6. Windows™ PE Binary File Extension
      7. Windows™ PE Optional Header Type
      8. Windows™ PE Section Type
    8. IPv4 Address Object
    9. IPv6 Address Object
    10. MAC Address Object
    11. Mutex Object
    12. Network Traffic Object
      1. HTTP Request Extension
      2. ICMP Extension
      3. Network Socket Extension
      4. TCP Extension
    13. Process Object
      1. Windows™ Process Extension
      2. Windows™ Service Extension
    14. Software Object
    15. URL Object
    16. User Account Object
      1. UNIX™ Account Extension
    17. Windows™ Registry Key Object
      1. Windows™ Registry Value Type
    18. X.509 Certificate Object
      1. X.509 v3 Extensions Type
  4. STIX Meta Objects
    1. Language Content
    2. Data Markings
      1. Marking Definition
        1. Statement Marking Object Type
        2. TLP Marking Object Type
      2. Object Markings
      3. Granular Markings
        1. Granular Marking Type
    3. Extension Definition
      1. Extension Definition Properties
      2. Requirements for STIX Extension Schemas
      3. Requirements for Extension Properties
      4. Requirements for Extension STIX Objects
  5. STIX Bundle Object
