ruby-stix2 0.1.0

Files changed (70)
  1. checksums.yaml +7 -0
  2. data/.github/workflows/build.yml +31 -0
  3. data/.gitignore +56 -0
  4. data/Gemfile +4 -0
  5. data/Gemfile.lock +43 -0
  6. data/LICENSE +339 -0
  7. data/README.md +116 -0
  8. data/Rakefile +8 -0
  9. data/lib/stix2/boolean.rb +18 -0
  10. data/lib/stix2/bundle.rb +7 -0
  11. data/lib/stix2/common.rb +62 -0
  12. data/lib/stix2/cyberobservable_objects/artifact.rb +12 -0
  13. data/lib/stix2/cyberobservable_objects/autonomous_system.rb +9 -0
  14. data/lib/stix2/cyberobservable_objects/base.rb +6 -0
  15. data/lib/stix2/cyberobservable_objects/directory.rb +12 -0
  16. data/lib/stix2/cyberobservable_objects/domain_name.rb +8 -0
  17. data/lib/stix2/cyberobservable_objects/email_addr.rb +9 -0
  18. data/lib/stix2/cyberobservable_objects/email_message.rb +21 -0
  19. data/lib/stix2/cyberobservable_objects/email_mime_part_type.rb +10 -0
  20. data/lib/stix2/cyberobservable_objects/file.rb +18 -0
  21. data/lib/stix2/cyberobservable_objects/ipv4_addr.rb +11 -0
  22. data/lib/stix2/cyberobservable_objects/ipv6_addr.rb +11 -0
  23. data/lib/stix2/cyberobservable_objects/mac_addr.rb +7 -0
  24. data/lib/stix2/cyberobservable_objects/mutex.rb +7 -0
  25. data/lib/stix2/cyberobservable_objects/network_traffic.rb +23 -0
  26. data/lib/stix2/cyberobservable_objects/software.rb +12 -0
  27. data/lib/stix2/cyberobservable_objects/url.rb +7 -0
  28. data/lib/stix2/cyberobservable_objects/user_account.rb +20 -0
  29. data/lib/stix2/cyberobservable_objects/windows_registry_key.rb +11 -0
  30. data/lib/stix2/cyberobservable_objects/windows_registry_value.rb +9 -0
  31. data/lib/stix2/cyberobservable_objects/x509_certificate.rb +19 -0
  32. data/lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb +22 -0
  33. data/lib/stix2/domain_objects/attack_pattern.rb +12 -0
  34. data/lib/stix2/domain_objects/base.rb +6 -0
  35. data/lib/stix2/domain_objects/campaign.rb +12 -0
  36. data/lib/stix2/domain_objects/course_of_action.rb +9 -0
  37. data/lib/stix2/domain_objects/grouping.rb +10 -0
  38. data/lib/stix2/domain_objects/identity.rb +12 -0
  39. data/lib/stix2/domain_objects/indicator.rb +15 -0
  40. data/lib/stix2/domain_objects/infrastructure.rb +13 -0
  41. data/lib/stix2/domain_objects/intrusion-set.rb +15 -0
  42. data/lib/stix2/domain_objects/location.rb +17 -0
  43. data/lib/stix2/domain_objects/malware.rb +19 -0
  44. data/lib/stix2/domain_objects/malware_analysis.rb +22 -0
  45. data/lib/stix2/domain_objects/note.rb +10 -0
  46. data/lib/stix2/domain_objects/observed_data.rb +11 -0
  47. data/lib/stix2/domain_objects/opinion.rb +10 -0
  48. data/lib/stix2/domain_objects/report.rb +11 -0
  49. data/lib/stix2/domain_objects/threat_actor.rb +19 -0
  50. data/lib/stix2/domain_objects/tool.rb +12 -0
  51. data/lib/stix2/domain_objects/vulnerability.rb +8 -0
  52. data/lib/stix2/enum.rb +32 -0
  53. data/lib/stix2/external_reference.rb +13 -0
  54. data/lib/stix2/identifier.rb +18 -0
  55. data/lib/stix2/kill_chain_phase.rb +10 -0
  56. data/lib/stix2/meta_objects/base.rb +6 -0
  57. data/lib/stix2/meta_objects/data_markings/base.rb +11 -0
  58. data/lib/stix2/meta_objects/data_markings/granular_marking.rb +15 -0
  59. data/lib/stix2/meta_objects/data_markings/marking_definition.rb +19 -0
  60. data/lib/stix2/meta_objects/data_markings/object_marking.rb +22 -0
  61. data/lib/stix2/meta_objects/language_content.rb +9 -0
  62. data/lib/stix2/ov.rb +319 -0
  63. data/lib/stix2/relationship_objects/base.rb +6 -0
  64. data/lib/stix2/relationship_objects/relationship.rb +12 -0
  65. data/lib/stix2/relationship_objects/sighting.rb +14 -0
  66. data/lib/stix2/storage.rb +23 -0
  67. data/lib/stix2/version.rb +3 -0
  68. data/lib/stix2.rb +101 -0
  69. data/ruby-stix2.gemspec +27 -0
  70. metadata +208 -0
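--- a/data/lib/stix2/common.rb
+++ b/data/lib/stix2/common.rb
@@ -0,0 +1,62 @@
+ module Stix2
+ class Common < Hashie::Dash
+ include Hashie::Extensions::Dash::PredefinedValues
+ include Hashie::Extensions::IndifferentAccess
+ include Hashie::Extensions::Dash::Coercion
+
+ property :type, required: true, coerce: String
+ property :spec_version, coerce: String, values: ['2.1']
+ property :id, coerce: Identifier
+ property :created_by_ref, coerce: Identifier
+ property :created, coerce: Time
+ property :modified, coerce: Time
+ property :revoked, coerce: Stix2::Boolean
+ property :labels, coerce: Array[String]
+ property :confidence, coerce: Integer
+ property :lang, coerce: String
+ property :external_references, coerce: Array[ExternalReference]
+ property :object_marking_refs, coerce: Array[Stix2::MetaObject::DataMarking::ObjectMarking]
+ property :granular_markings, coerce: Array[MetaObject::DataMarking::GranularMarking]
+ property :defanged, coerce: Stix2::Boolean
+ property :extensions, coerce: Hash
+
+ def initialize(options = {})
+ Hashie.symbolize_keys!(options)
+ type = to_dash(self.class.name.split('::').last)
+ if options[:type]
+ raise("Property 'type' must be '#{type}'") if options[:type] != type
+ else
+ options[:type] = type
+ end
+ super(options)
+ Stix2.storage_add(self)
+ end
+
+ def method_missing(m, *args, &block)
+ super(m, args, block) if !m.to_s.end_with?('_instance')
+ # Retrieve the original method
+ ref_method = m.to_s.gsub(/_instance$/, '')
+ obj = send(ref_method)
+ raise("Can't get a Stix2::Identifier from #{ref_method}") if !obj.is_a?(Stix2::Identifier)
+ Stix2.storage_find(obj)
+ end
+
+ private
+
+ def to_dash(string)
+ string.gsub(/[[:upper:]]/) { "-#{$&.downcase}" }[1..]
+ end
+
+ def self.validate_array(list, valid_values)
+ excess = (Array(list) - valid_values)
+ excess.empty? || raise("Invalid values: #{excess}")
+ list
+ end
+
+ def self.hash_dict(hsh)
+ invalids = hsh.keys.map(&:to_s) - HASH_ALGORITHM_OV
+ invalids.empty? || raise("Invalid values: #{invalids}")
+ hsh
+ end
+ end
+ end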
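Review bot: `method_missing` resolves any `*_instance` call with `send(ref_method)`, which also reaches private and Kernel methods rather than only the declared reference properties; it should check `self.class.property?` first and dispatch with `public_send`. The non-matching branch calls `super(m, args, block)`, which passes the argument array and the block as two positional arguments, where a bare `super` forwards them unchanged. The suffix regex uses `$`, which matches at a line end; `delete_suffix` avoids that, and a matching `respond_to_missing?` keeps `respond_to?` truthful. Separately, the `private` above `def self.validate_array` and `def self.hash_dict` has no effect on singleton methods.

```ruby
def method_missing(m, *args, &block)
  name = m.to_s
  return super unless name.end_with?('_instance')
  # Only declared properties may be dereferenced, never private or Kernel methods
  ref_method = name.delete_suffix('_instance')
  return super unless self.class.property?(ref_method.to_sym)
  obj = public_send(ref_method)
  # … unchanged: Stix2::Identifier check and Stix2.storage_find(obj) …
end

def respond_to_missing?(m, include_private = false)
  name = m.to_s
  (name.end_with?('_instance') && self.class.property?(name.delete_suffix('_instance').to_sym)) || super
end
```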
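--- a/data/lib/stix2/cyberobservable_objects/artifact.rb
+++ b/data/lib/stix2/cyberobservable_objects/artifact.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module CyberobservableObject
+ class Artifact < Base
+ property :mime_type, coerce: String
+ property :payload_bin, coerce: String
+ property :url, coerce: String
+ property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+ property :encryption_algorithm, values: ENCRYPTION_ALGORITHM_ENUM
+ property :decryption_key, coerce: String
+ end
+ end
+ end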
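Review bot: Nothing here ties `url` to `hashes` or excludes `payload_bin`, although STIX 2.1 requires `hashes` whenever `url` is set and forbids `url` together with `payload_bin`; a consumer that fetches the artifact by `url` then has no digest to verify the download against. An `initialize` override in `Artifact` could enforce it after `super`, for example `raise("'hashes' is required when 'url' is set") if self[:url] && !self[:hashes]`. `decryption_key` holds a cleartext secret, so a comment such as `# cleartext key: do not log or persist unredacted` above that property would help.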
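--- a/data/lib/stix2/cyberobservable_objects/autonomous_system.rb
+++ b/data/lib/stix2/cyberobservable_objects/autonomous_system.rb
@@ -0,0 +1,9 @@
+ module Stix2
+ module CyberobservableObject
+ class AutonomousSystem < Base
+ property :number, required: true, coerce: Integer
+ property :name, coerce: String
+ property :rir, coerce: String
+ end
+ end
+ end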
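--- a/data/lib/stix2/cyberobservable_objects/base.rb
+++ b/data/lib/stix2/cyberobservable_objects/base.rb
@@ -0,0 +1,6 @@
+ module Stix2
+ module CyberobservableObject
+ class Base < Stix2::Common
+ end
+ end
+ end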
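--- a/data/lib/stix2/cyberobservable_objects/directory.rb
+++ b/data/lib/stix2/cyberobservable_objects/directory.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module CyberobservableObject
+ class Directory < Base
+ property :path, required: true, coerce: String
+ property :path, required: true, coerce: String
+ property :ctime, coerce: Time
+ property :mtime, coerce: Time
+ property :atime, coerce: Time
+ property :contains_refs, coerce: Array[Identifier]
+ end
+ end
+ end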
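Review bot: `property :path, required: true, coerce: String` is declared twice in a row, so the second line only redefines the first. STIX 2.1 lists `path_enc` next to `path` for the directory object, so the duplicate was probably meant to be `property :path_enc, coerce: String`.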
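--- a/data/lib/stix2/cyberobservable_objects/domain_name.rb
+++ b/data/lib/stix2/cyberobservable_objects/domain_name.rb
@@ -0,0 +1,8 @@
+ module Stix2
+ module CyberobservableObject
+ class DomainName < Base
+ property :value, required: true, coerce: String
+ property :resolves_to_refs, coerce: Array[Identifier]
+ end
+ end
+ end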
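--- a/data/lib/stix2/cyberobservable_objects/email_addr.rb
+++ b/data/lib/stix2/cyberobservable_objects/email_addr.rb
@@ -0,0 +1,9 @@
+ module Stix2
+ module CyberobservableObject
+ class EmailAddr < Base
+ property :value, required: true, coerce: String
+ property :display_name, coerce: String
+ property :belongs_to_ref, coerce: Identifier
+ end
+ end
+ end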
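--- a/data/lib/stix2/cyberobservable_objects/email_message.rb
+++ b/data/lib/stix2/cyberobservable_objects/email_message.rb
@@ -0,0 +1,21 @@
+ module Stix2
+ module CyberobservableObject
+ class EmailMessage < Base
+ property :is_multipart, required: true, coerce: Stix2::Boolean
+ property :date, coerce: Time
+ property :content_type, coerce: String
+ property :from_ref, coerce: Identifier
+ property :sender_ref, coerce: Identifier
+ property :to_refs, coerce: Array[Identifier]
+ property :cc_refs, coerce: Array[Identifier]
+ property :bcc_refs, coerce: Array[Identifier]
+ property :message_id, coerce: String
+ property :subject, coerce: String
+ property :received_lines, coerce: Array[String]
+ property :additional_header_fields, coerce: Hash[String => String]
+ property :body, coerce: String
+ property :body_multipart, coerce: Array[EmailMimePartType]
+ property :raw_email_ref, coerce: Identifier
+ end
+ end
+ end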
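--- a/data/lib/stix2/cyberobservable_objects/email_mime_part_type.rb
+++ b/data/lib/stix2/cyberobservable_objects/email_mime_part_type.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module CyberobservableObject
+ class EmailMimePartType < Base
+ property :body, coerce: String
+ property :body_raw_ref, coerce: Identifier
+ property :content_type, coerce: String
+ property :content_disposition, coerce: String
+ end
+ end
+ end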
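Review bot: `EmailMimePartType` inherits from `Base`, and therefore from `Stix2::Common`, even though a MIME part is an embedded sub-type rather than a STIX object. Going by `Common#initialize` in common.rb, every part gets a `type` of `email-mime-part-type`, all the common properties (`id`, `created`, `labels` and so on) become settable on it, and it is passed to `Stix2.storage_add`. A plain `Hashie::Dash` subclass with the same coercion mix-ins would avoid emitting the extra `type` key and storing parts that have no identifier. `WindowsRegistryValue` and `X509V3ExtensionType` are built the same way.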
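--- a/data/lib/stix2/cyberobservable_objects/file.rb
+++ b/data/lib/stix2/cyberobservable_objects/file.rb
@@ -0,0 +1,18 @@
+ module Stix2
+ module CyberobservableObject
+ class File < Base
+ property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+ property :size, coerce: Integer
+ property :name, coerce: String
+ property :name_enc, coerce: String
+ property :magic_number_hex, coerce: String
+ property :mime_type, coerce: String
+ property :ctime, coerce: String
+ property :mtime, coerce: String
+ property :atime, coerce: String
+ property :parent_directory_ref, coerce: Identifier
+ property :contains_refs, coerce: Array[Identifier]
+ property :content_ref, coerce: Identifier
+ end
+ end
+ end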
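Review bot: `ctime`, `mtime` and `atime` are coerced to `String` here while `Directory` coerces the same three properties to `Time`, so a malformed timestamp on a file object is stored unchecked. Using `coerce: Time` for all three, as directory.rb does, keeps the two classes consistent: `property :ctime, coerce: Time`.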
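--- a/data/lib/stix2/cyberobservable_objects/ipv4_addr.rb
+++ b/data/lib/stix2/cyberobservable_objects/ipv4_addr.rb
@@ -0,0 +1,11 @@
+ require 'ipaddr'
+
+ module Stix2
+ module CyberobservableObject
+ class Ipv4Addr < Base
+ property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET).to_s }
+ property :resolves_to_refs, coerce: Array[Identifier]
+ property :resolves_to_refs, coerce: Array[Identifier]
+ end
+ end
+ end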
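Review bot: The `value` coercion `IPAddr.new(v, Socket::AF_INET).to_s` drops the prefix length, because `IPAddr#to_s` prints only the masked address; a CIDR value such as `198.51.100.0/24` (constructed example) is stored as `198.51.100.0`, which changes what the observable, or an indicator built on it, covers. Keeping the prefix when one was given fixes it: `ip = IPAddr.new(v, Socket::AF_INET); v.to_s.include?('/') ? "#{ip}/#{ip.prefix}" : ip.to_s`. `Ipv6Addr` has the same coercion with `Socket::AF_INET6`. In both classes `resolves_to_refs` is declared twice; STIX 2.1 defines `belongs_to_refs` as the second reference list, which is probably what was intended.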
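--- a/data/lib/stix2/cyberobservable_objects/ipv6_addr.rb
+++ b/data/lib/stix2/cyberobservable_objects/ipv6_addr.rb
@@ -0,0 +1,11 @@
+ require 'ipaddr'
+
+ module Stix2
+ module CyberobservableObject
+ class Ipv6Addr < Base
+ property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET6).to_s }
+ property :resolves_to_refs, coerce: Array[Identifier]
+ property :resolves_to_refs, coerce: Array[Identifier]
+ end
+ end
+ end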
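--- a/data/lib/stix2/cyberobservable_objects/mac_addr.rb
+++ b/data/lib/stix2/cyberobservable_objects/mac_addr.rb
@@ -0,0 +1,7 @@
+ module Stix2
+ module CyberobservableObject
+ class MacAddr < Base
+ property :value, required: true, coerce: String
+ end
+ end
+ end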
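--- a/data/lib/stix2/cyberobservable_objects/mutex.rb
+++ b/data/lib/stix2/cyberobservable_objects/mutex.rb
@@ -0,0 +1,7 @@
+ module Stix2
+ module CyberobservableObject
+ class Mutex < Base
+ property :name, required: true, coerce: String
+ end
+ end
+ end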
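--- a/data/lib/stix2/cyberobservable_objects/network_traffic.rb
+++ b/data/lib/stix2/cyberobservable_objects/network_traffic.rb
@@ -0,0 +1,23 @@
+ module Stix2
+ module CyberobservableObject
+ class NetworkTraffic < Base
+ property :start, coerce: Time
+ property :end, coerce: Time
+ property :is_active, coerce: ->(v){ boolean(v) }
+ property :src_ref, coerce: Identifier
+ property :dst_ref, coerce: Identifier
+ property :src_port, coerce: Integer
+ property :dst_port, coerce: Integer
+ property :protocols, required: true, coerce: Array[String]
+ property :src_byte_count, coerce: Integer
+ property :dst_byte_count, coerce: Integer
+ property :src_packets, coerce: Integer
+ property :dst_packets, coerce: Integer
+ property :ipfix, coerce: Hash
+ property :src_payload_ref, coerce: Identifier
+ property :dst_payload_ref, coerce: Identifier
+ property :encapsulates_refs, coerce: Array[Identifier]
+ property :encapsulated_by_ref, coerce: Identifier
+ end
+ end
+ end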
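Review bot: `is_active` is coerced with `->(v){ boolean(v) }`, but no `boolean` class method is defined in `Stix2::Common` as shown in common.rb, while other boolean properties in this release, such as `revoked` and `is_multipart`, use `coerce: Stix2::Boolean`; unless boolean.rb puts such a method in scope, assigning `is_active` would raise `NoMethodError`. Suggest `property :is_active, coerce: Stix2::Boolean`. `X509Certificate` uses the same `boolean(v)` lambda for `is_self_signed`, and `Malware` coerces `is_family` with `is_boolean?(v)`, which by its name would return the result of a test rather than the value. `src_port` and `dst_port` also accept any integer, so a 0..65535 check would reject out-of-range ports.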
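--- a/data/lib/stix2/cyberobservable_objects/software.rb
+++ b/data/lib/stix2/cyberobservable_objects/software.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module CyberobservableObject
+ class Software < Base
+ property :name, required: true, coerce: String
+ property :cpe, coerce: String
+ property :swid, coerce: String
+ property :languages, coerce: Array[String]
+ property :vendor, coerce: String
+ property :version, coerce: String
+ end
+ end
+ end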
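--- a/data/lib/stix2/cyberobservable_objects/url.rb
+++ b/data/lib/stix2/cyberobservable_objects/url.rb
@@ -0,0 +1,7 @@
+ module Stix2
+ module CyberobservableObject
+ class Url < Base
+ property :value, required: true, coerce: String
+ end
+ end
+ end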
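--- a/data/lib/stix2/cyberobservable_objects/user_account.rb
+++ b/data/lib/stix2/cyberobservable_objects/user_account.rb
@@ -0,0 +1,20 @@
+ module Stix2
+ module CyberobservableObject
+ class UserAccount < Base
+ property :user_id, coerce: String
+ property :credential, coerce: String
+ property :account_login, coerce: String
+ property :account_type, values: ACCOUNT_TYPE_OV
+ property :display_name, coerce: String
+ property :is_service_account, coerce: Stix2::Boolean
+ property :is_privileged, coerce: Stix2::Boolean
+ property :can_escalate_privs, coerce: Stix2::Boolean
+ property :is_disabled, coerce: Stix2::Boolean
+ property :account_created, coerce: Time
+ property :account_expires, coerce: Time
+ property :credential_last_changed, coerce: Time
+ property :account_first_login, coerce: Time
+ property :account_last_login, coerce: Time
+ end
+ end
+ end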
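Review bot: `credential` needs a warning comment, since it holds a cleartext secret as a plain `String` and `Common#initialize` in common.rb hands every constructed object to `Stix2.storage_add`; the value will presumably stay reachable through that storage and appear in any `inspect` or serialized output. Proposed comment above the property: `# Cleartext credential: redact before logging, and avoid keeping it in long-lived storage`.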
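--- a/data/lib/stix2/cyberobservable_objects/windows_registry_key.rb
+++ b/data/lib/stix2/cyberobservable_objects/windows_registry_key.rb
@@ -0,0 +1,11 @@
+ module Stix2
+ module CyberobservableObject
+ class WindowsRegistryKey < Base
+ property :key, coerce: String
+ property :values, coerce: [WindowsRegistryValue]
+ property :modified_time, coerce: Time
+ property :creator_user_ref, coerce: Identifier
+ property :number_of_subkeys, coerce: Integer
+ end
+ end
+ end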
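Review bot: The property names `key` and `values` collide with `Hash#key` and `Hash#values`, and `Common` is a `Hashie::Dash`, which is a Hash subclass; the generated readers would likely replace those Hash methods on every instance, so code that calls `values` expecting all stored values gets the registry values instead. This should be verified against serialization and iteration, and documented with a comment such as `# NOTE: shadows Hash#values; use to_h.values for the stored values`. `File` has the same collision between `property :size` and `Hash#size`. `coerce: [WindowsRegistryValue]` is also written differently from the `Array[...]` form used elsewhere, though both build the same array.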
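--- a/data/lib/stix2/cyberobservable_objects/windows_registry_value.rb
+++ b/data/lib/stix2/cyberobservable_objects/windows_registry_value.rb
@@ -0,0 +1,9 @@
+ module Stix2
+ module CyberobservableObject
+ class WindowsRegistryValue < Base
+ property :name, coerce: String
+ property :data, coerce: String
+ property :data_type, values: WINDOWS_REGISTRY_DATATYPE_ENUM
+ end
+ end
+ end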
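--- a/data/lib/stix2/cyberobservable_objects/x509_certificate.rb
+++ b/data/lib/stix2/cyberobservable_objects/x509_certificate.rb
@@ -0,0 +1,19 @@
+ module Stix2
+ module CyberobservableObject
+ class X509Certificate < Base
+ property :is_self_signed, coerce: ->(v){ boolean(v) }
+ property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+ property :version, coerce: String
+ property :serial_number, coerce: String
+ property :signature_algorithm, coerce: String
+ property :issuer, coerce: String
+ property :validity_not_before, coerce: Time
+ property :validity_not_after, coerce: Time
+ property :subject, coerce: String
+ property :subject_public_key_algorithm, coerce: String
+ property :subject_public_key_modulus, coerce: String
+ property :subject_public_key_exponent, coerce: String
+ property :x509_v3_extensions, coerce: X509V3ExtensionType
+ end
+ end
+ end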
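--- a/data/lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb
+++ b/data/lib/stix2/cyberobservable_objects/x509_v3_extension_type.rb
@@ -0,0 +1,22 @@
+ module Stix2
+ module CyberobservableObject
+ class X509V3ExtensionType < Base
+ property :basic_constraints, coerce: String
+ property :name_constraints, coerce: String
+ property :policy_constraints, coerce: String
+ property :key_usage, coerce: String
+ property :extended_key_usage, coerce: String
+ property :subject_key_identifier, coerce: String
+ property :authority_key_identifier, coerce: String
+ property :subject_alternative_name, coerce: String
+ property :issuer_alternative_name, coerce: String
+ property :subject_directory_attributes, coerce: String
+ property :crl_distribution_points, coerce: String
+ property :inhibit_any_policy, coerce: String
+ property :private_key_usage_period_not_before, coerce: Time
+ property :private_key_usage_period_not_after, coerce: Time
+ property :certificate_policies, coerce: String
+ property :policy_mappings, coerce: String
+ end
+ end
+ end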
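--- a/data/lib/stix2/domain_objects/attack_pattern.rb
+++ b/data/lib/stix2/domain_objects/attack_pattern.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module DomainObject
+ class AttackPattern < Base
+ property :type, required: true, coerce: String
+ property :external_references, coerce: Array[Stix2::ExternalReference]
+ property :name, coerce: String
+ property :description, coerce: String
+ property :aliases, coerce: Array[String]
+ property :kill_chain_phases, coerce: Array[Stix2::KillChainPhase]
+ end
+ end
+ end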
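--- a/data/lib/stix2/domain_objects/base.rb
+++ b/data/lib/stix2/domain_objects/base.rb
@@ -0,0 +1,6 @@
+ module Stix2
+ module DomainObject
+ class Base < Stix2::Common
+ end
+ end
+ end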
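--- a/data/lib/stix2/domain_objects/campaign.rb
+++ b/data/lib/stix2/domain_objects/campaign.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module DomainObject
+ class Campaign < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ property :aliases, coerce: Array[String]
+ property :first_seen, coerce: Time
+ property :last_seen, coerce: Time
+ property :objective, coerce: String
+ end
+ end
+ end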
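--- a/data/lib/stix2/domain_objects/course_of_action.rb
+++ b/data/lib/stix2/domain_objects/course_of_action.rb
@@ -0,0 +1,9 @@
+ module Stix2
+ module DomainObject
+ class CourseOfAction < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ property :action
+ end
+ end
+ end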
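--- a/data/lib/stix2/domain_objects/grouping.rb
+++ b/data/lib/stix2/domain_objects/grouping.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module DomainObject
+ class Grouping < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ property :context, values: Stix2::GROUPING_CONTEXT_OV
+ property :object_refs, coerce: Array[Identifier]
+ end
+ end
+ end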
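--- a/data/lib/stix2/domain_objects/identity.rb
+++ b/data/lib/stix2/domain_objects/identity.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module DomainObject
+ class Identity < Base
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :roles, coerce: Array[String]
+ property :identity_class, coerce: String, values: IDENTITY_CLASS_OV
+ property :sectors, coerce: String, values: INDUSTRY_SECTOR_OV
+ property :contact_information, coerce: String
+ end
+ end
+ end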
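Review bot: `sectors` is declared with `coerce: String, values: INDUSTRY_SECTOR_OV`, but STIX 2.1 defines it as a list, so a multi-valued input appears to be either stringified or rejected by the `values` check. The list vocabularies elsewhere in this release go through `validate_array`, and the same fits here: `property :sectors, coerce: ->(v){ validate_array(v, INDUSTRY_SECTOR_OV) }`.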
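--- a/data/lib/stix2/domain_objects/indicator.rb
+++ b/data/lib/stix2/domain_objects/indicator.rb
@@ -0,0 +1,15 @@
+ module Stix2
+ module DomainObject
+ class Indicator < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ property :indicator_types, coerce: ->(v){ validate_array(v, Stix2::INDICATOR_TYPE_OV) }
+ property :pattern, coerce: String
+ property :pattern_type, coerce: String, values: PATTERN_TYPE_OV
+ property :pattern_version, coerce: String
+ property :valid_from, coerce: Time
+ property :valid_until, coerce: Time
+ property :kill_chain_phases, coerce: Array[KillChainPhase]
+ end
+ end
+ end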
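Review bot: None of `pattern`, `pattern_type` and `valid_from` is marked `required: true`, although STIX 2.1 requires all three on an indicator, so an `Indicator` without a pattern constructs successfully and can be handed to detection tooling as if it were usable. Suggest `property :pattern, required: true, coerce: String`, with the same flag on `pattern_type` and `valid_from`.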
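--- a/data/lib/stix2/domain_objects/infrastructure.rb
+++ b/data/lib/stix2/domain_objects/infrastructure.rb
@@ -0,0 +1,13 @@
+ module Stix2
+ module DomainObject
+ class Infrastructure < Base
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :infrastructure_types, coerce: ->(v){ validate_array(v, Stix2::INFRASTRUCTURE_TYPE_OV) }
+ property :aliases, coerce: Array[String]
+ property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :first_seen, coerce: Time
+ property :last_seen, coerce: Time
+ end
+ end
+ end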
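--- a/data/lib/stix2/domain_objects/intrusion-set.rb
+++ b/data/lib/stix2/domain_objects/intrusion-set.rb
@@ -0,0 +1,15 @@
+ module Stix2
+ module DomainObject
+ class IntrusionSet < Base
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :aliases, coerce: Array[String]
+ property :first_seen, coerce: Time
+ property :last_seen, coerce: Time
+ property :goals, coerce: Array[String]
+ property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
+ property :primary_motivation, values: ATTACK_MOTIVATION_OV
+ property :secondary_motivations, coerce: ->(v){ validate_array(v, Stix2::ATTACK_MOTIVATION_OV) }
+ end
+ end
+ end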
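--- a/data/lib/stix2/domain_objects/location.rb
+++ b/data/lib/stix2/domain_objects/location.rb
@@ -0,0 +1,17 @@
+ module Stix2
+ module DomainObject
+ class Location < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ property :latitude, coerce: Float
+ property :longitude, coerce: Float
+ property :precision, coerce: Float
+ property :region, values: REGION_OV
+ property :country, coerce: String
+ property :administrative_area, coerce: String
+ property :city, coerce: String
+ property :street_address, coerce: String
+ property :postal_code, coerce: String
+ end
+ end
+ end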
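Review bot: `latitude` and `longitude` are only coerced to `Float`, with no range check, and as far as I know Hashie implements `coerce: Float` with `to_f`, which turns a non-numeric string into `0.0` instead of failing. A validating lambda keeps bad input out: `coerce: ->(v){ f = Float(v); (-90.0..90.0).cover?(f) ? f : raise("Invalid latitude: #{v}") }`, with `-180.0..180.0` for `longitude`. The `coerce: Integer` properties, such as `confidence` in common.rb and `number` in autonomous_system.rb, would share the equivalent `to_i` behaviour.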
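--- a/data/lib/stix2/domain_objects/malware.rb
+++ b/data/lib/stix2/domain_objects/malware.rb
@@ -0,0 +1,19 @@
+ module Stix2
+ module DomainObject
+ class Malware < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ property :malware_types, coerce: ->(v){ validate_array(v, Stix2::MALWARE_TYPE_OV) }
+ property :is_family, coerce: ->(v){ is_boolean?(v) }
+ property :aliases, coerce: Array[String]
+ property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :first_seen, coerce: Time
+ property :last_seen, coerce: Time
+ property :operating_system_refs, coerce: Array[Identifier]
+ property :architecture_execution_envs, coerce: ->(v){ validate_array(v, Stix2::PROCESSOR_ARCHITECTURE_OV) }
+ property :implementation_languages, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_LANGUAGE_OV) }
+ property :capabilities, coerce: ->(v){ validate_array(v, Stix2::IMPLEMENTATION_CAPABILITIES_OV) }
+ property :sample_refs, coerce: Array[Identifier]
+ end
+ end
+ end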
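--- a/data/lib/stix2/domain_objects/malware_analysis.rb
+++ b/data/lib/stix2/domain_objects/malware_analysis.rb
@@ -0,0 +1,22 @@
+ module Stix2
+ module DomainObject
+ class MalwareAnalysis < Base
+ property :product, coerce: String
+ property :version, coerce: String
+ property :host_vm_ref, coerce: Identifier
+ property :operating_system_ref, coerce: Identifier
+ property :installed_software_refs, coerce: Array[Identifier]
+ property :configuration_version, coerce: String
+ property :modules, coerce: Array[String]
+ property :analysis_engine_version, coerce: String
+ property :analysis_definition_version, coerce: String
+ property :submitted, coerce: Time
+ property :analysis_started, coerce: Time
+ property :analysis_ended, coerce: Time
+ property :result_name, coerce: String
+ property :result, values: MALWARE_RESULT_OV
+ property :analysis_sco_refs, coerce: Array[Identifier]
+ property :sample_ref, coerce: Identifier
+ end
+ end
+ end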
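--- a/data/lib/stix2/domain_objects/note.rb
+++ b/data/lib/stix2/domain_objects/note.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module DomainObject
+ class Note < Base
+ property :abstract, coerce: String
+ property :content, coerce: String
+ property :authors, coerce: Array[String]
+ property :object_refs, coerce: Array[Identifier]
+ end
+ end
+ end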
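--- a/data/lib/stix2/domain_objects/observed_data.rb
+++ b/data/lib/stix2/domain_objects/observed_data.rb
@@ -0,0 +1,11 @@
+ module Stix2
+ module DomainObject
+ class ObservedData < Base
+ property :first_observed, required: true, coerce: Time
+ property :last_observed, required: true, coerce: Time
+ property :number_observed, required: true, coerce: Integer
+ property :objects, coerce: Hash
+ property :object_refs, coerce: Array[Identifier]
+ end
+ end
+ end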
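--- a/data/lib/stix2/domain_objects/opinion.rb
+++ b/data/lib/stix2/domain_objects/opinion.rb
@@ -0,0 +1,10 @@
+ module Stix2
+ module DomainObject
+ class Opinion < Base
+ property :explanation, coerce: String
+ property :authors, coerce: Array[String]
+ property :opinion, values: OPINION_ENUM
+ property :object_refs, coerce: Array[Identifier]
+ end
+ end
+ end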
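--- a/data/lib/stix2/domain_objects/report.rb
+++ b/data/lib/stix2/domain_objects/report.rb
@@ -0,0 +1,11 @@
+ module Stix2
+ module DomainObject
+ class Report < Base
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :report_types, coerce: ->(v){ validate_array(v, Stix2::REPORT_TYPE_OV) }
+ property :published, coerce: Time
+ property :object_refs, coerce: Array[Identifier]
+ end
+ end
+ end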
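--- a/data/lib/stix2/domain_objects/threat_actor.rb
+++ b/data/lib/stix2/domain_objects/threat_actor.rb
@@ -0,0 +1,19 @@
+ module Stix2
+ module DomainObject
+ class ThreatActor < Base
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :threat_actor_types, coerce: ->(v){ validate_array(v, THREAT_ACTOR_TYPE_OV) }
+ property :aliases, coerce: Array[String]
+ property :first_seen, coerce: Time
+ property :last_seen, coerce: Time
+ property :roles, coerce: ->(v){ validate_array(v, THREAT_ACTOR_ROLE_OV) }
+ property :goals, coerce: Array[String]
+ property :sophistication, values: THREAT_ACTOR_SOPHISTICATION_OV
+ property :resource_level, values: ATTACK_RESOURCE_LEVEL_OV
+ property :primary_motivation, values: ATTACK_MOTIVATION_OV
+ property :secondary_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
+ property :personal_motivations, coerce: ->(v){ validate_array(v, ATTACK_MOTIVATION_OV) }
+ end
+ end
+ end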
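--- a/data/lib/stix2/domain_objects/tool.rb
+++ b/data/lib/stix2/domain_objects/tool.rb
@@ -0,0 +1,12 @@
+ module Stix2
+ module DomainObject
+ class Tool < Base
+ property :name, required: true, coerce: String
+ property :description, coerce: String
+ property :tool_types, coerce: ->(v){ validate_array(v, TOOL_TYPES_OV) }
+ property :aliases, coerce: Array[String]
+ property :kill_chain_phases, coerce: Array[KillChainPhase]
+ property :tool_version, coerce: String
+ end
+ end
+ end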
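--- a/data/lib/stix2/domain_objects/vulnerability.rb
+++ b/data/lib/stix2/domain_objects/vulnerability.rb
@@ -0,0 +1,8 @@
+ module Stix2
+ module DomainObject
+ class Vulnerability < Base
+ property :name, coerce: String
+ property :description, coerce: String
+ end
+ end
+ end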