stidantic 0.1.3__py3-none-any.whl

stidantic/sro.py

@@ -0,0 +1,159 @@
+from typing import Literal, Self, Annotated
+from datetime import datetime
+from pydantic import Field
+from pydantic.functional_validators import model_validator
+from pydantic.types import PositiveInt
+from stidantic.types import StixRelationship, Identifier, StixType
+
+
+# 5.1 Relationship
+class Relationship(StixRelationship):
+    """
+    The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to
+    each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs)
+    represent "edges".
+
+    STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the
+    "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD
+    be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates
+    a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition.
+
+    STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this
+    specification. These relationships MAY use the related-to relationship type or MAY use a user-defined
+    relationship type. As an example, a user might want to link malware directly to a tool.
+    They can do so using related-to to say that the Malware is related to the Tool but not describe how,
+    or they could use delivered-by (a user-defined name they determined) to indicate more detail.
+
+    Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect
+    a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that
+    campaign. While some analysts might want all of the source data and think that shortcuts are misleading,
+    in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details.
+    In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is.
+    For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX.
+    """
+
+    type: Literal["relationship"] = "relationship"  # pyright: ignore[reportIncompatibleVariableOverride]
+    # The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the
+    # relationships for the source and target SDO, but MAY be any string.
+    relationship_type: StixType
+    # A description that provides more details and context about the Relationship,
+    # potentially including its purpose and its key characteristics.
+    description: str | None = None
+    # The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO
+    # (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+    source_ref: Identifier
+    # The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO
+    # (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+    target_ref: Identifier
+    # This optional timestamp represents the earliest time at which the Relationship between the objects exists.
+    # If this property is a future timestamp, at the time the start_time property is defined,
+    # then this represents an estimate by the producer of the intelligence of the earliest
+    # time at which relationship will be asserted to be true.
+    # If it is not specified, then the earliest time at which the relationship between the objects exists
+    # is not defined.
+    start_time: datetime | None = None
+    # The latest time at which the Relationship between the objects exists. If this property is a future timestamp,
+    # at the time the stop_time property is defined, then this represents an estimate by the producer of the
+    # intelligence of the latest time at which relationship will be asserted to be true.
+    # If stop_time is not specified, then the latest time at which the relationship between
+    # the objects exists is either not known, not disclosed, or has no defined stop time.
+    stop_time: datetime | None = None
+
+    @model_validator(mode="after")
+    def validate_start_stop_interval(self) -> Self:
+        """
+        If start_time and stop_time are both defined, then stop_time MUST be later than the start_time value.
+        """
+        if self.start_time and self.stop_time and self.start_time > self.stop_time:
+            raise ValueError(
+                "the stop_time property MUST be greater than or equal to the timestamp in the start_time property"
+            )
+        return self
+
+
+# 5.2 Sighting
+class Sighting(StixRelationship):
+    """
+    A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.)
+    was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to
+    track trends in attack behavior.
+
+    The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties
+    not present on the Generic Relationship object. These extra properties are included to represent data specific
+    to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes
+    a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship
+    because you cannot have a sighting unless you have something that has been sighted.
+    Sighting does not make sense without the relationship to what was sighted.
+
+    Sighting relationships relate three aspects of the sighting:
+    ●      What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref)
+    ●      Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs)
+    ●      What was actually seen on systems and networks, represented as Observed Data (observed_data_refs)
+
+    What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it,
+    where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide
+    that level of detail in order to provide value.
+
+    Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little
+    information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or
+    threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary;
+    saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those
+    IPs is still malicious.
+
+    Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor")
+    while Observed Data is simply information ("I saw this file"). When you combine them by including the linked
+    Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw
+    this threat actor".
+    """
+
+    type: Literal["sighting"] = "sighting"  # pyright: ignore[reportIncompatibleVariableOverride]
+    # A description that provides more details and context about the Sighting.
+    description: str | None = None
+    # The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted.
+    first_seen: datetime | None = None
+    # The end of the time window during which the SDO referenced by the sighting_of_ref property was sighted.
+    last_seen: datetime | None = None
+    # If present, this MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the
+    # SDO referenced by the sighting_of_ref property was sighted.
+    # Observed Data has a similar property called number_observed, which refers to the number of times the data was
+    # observed. These counts refer to different concepts and are distinct.
+    # For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic
+    # that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data
+    # number_observed would be much higher.
+    # As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all.
+    count: PositiveInt | None = None
+    # An ID reference to the SDO that was sighted (e.g., Indicator or Malware).
+    # For example, if this is a Sighting of an Indicator, that Indicator’s ID would be the value of this property.
+    # This property MUST reference only an SDO.
+    sighting_of_ref: Identifier | None = None
+    # A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting.
+    # For example, a Sighting of an Indicator with an IP address could include the Observed Data for the
+    # network connection that the Indicator was used to detect.
+    # This property MUST reference only Observed Data SDOs.
+    observed_data_refs: list[Identifier] | None = None
+    # A list of ID references to the Identity or Location objects describing the entities or types of entities
+    # that saw the sighting.
+    # Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator.
+    # To indicate that the sighting was seen by the object creator, an Identity representing the object creator
+    # should be listed in where_sighted_refs.
+    # This property MUST reference only Identity or Location SDOs.
+    where_sighted_refs: list[Identifier] | None = None
+    # The summary property indicates whether the Sighting should be considered summary data.
+    # Summary data is an aggregation of previous Sightings reports and should not be considered primary source data.
+    # Default value is false.
+    summary: bool | None = False
+
+    @model_validator(mode="after")
+    def validate_first_last_interval(self) -> Self:
+        """
+        If this property and the first_seen property are both defined, then this property
+        MUST be greater than or equal to the timestamp in the first_seen property.
+        """
+        if self.first_seen and self.last_seen and self.first_seen > self.last_seen:
+            raise ValueError(
+                "the last_seen property MUST be greater than or equal to the timestamp in the first_seen property"
+            )
+        return self
+
+
+SROs = Annotated[(Relationship | Sighting), Field(discriminator="type")]

stidantic/types.py

@@ -0,0 +1,441 @@
+from enum import Enum
+from re import compile
+from datetime import datetime
+from typing import Annotated, Literal, Any, Self, Type, get_args  # pyright: ignore[reportDeprecated]
+from annotated_types import Ge, Le
+from typing_extensions import TypedDict
+
+from pydantic.functional_validators import AfterValidator, model_validator
+from pydantic.networks import AnyUrl, UrlConstraints
+from pydantic.types import Base64Bytes, StringConstraints
+from pydantic_core import CoreSchema, core_schema
+from pydantic import (
+    BaseModel,
+    ConfigDict,
+    Field,
+    GetCoreSchemaHandler,
+    SerializeAsAny,
+)
+
+from stidantic.validators import (
+    validate_bin_field,
+    validate_hex_field,
+)
+
+
+# Common constraints on Stix dictionnary keys.
+StixKeyPattern = compile(r"^[a-zA-Z0-9\-\_]+$")
+StixKeyConstraint = StringConstraints(max_length=250, pattern=StixKeyPattern)
+StixKey = Annotated[str, StixKeyConstraint]
+
+# Common constraints on Stix type names.
+StixTypePattern = compile(r"^[a-zA-Z0-9\-]+$")
+StixTypeConstraint = StringConstraints(pattern=StixTypePattern)
+StixType = Annotated[str, StixTypeConstraint]
+
+# Common constraints on Stix property names.
+StixPropPattern = compile(r"^[a-zA-Z0-9\_]+$")
+StixPropConstraint = StringConstraints(
+    min_length=3, max_length=250, pattern=StixPropPattern
+)
+StixProp = Annotated[str, StixPropConstraint]
+
+# 2.1 Binary
+# The binary data type represents a sequence of bytes. In order to allow pattern matching on custom objects,
+# for all properties that use the binary type, the property name MUST end with '_bin'.
+type StixBinary = Annotated[Base64Bytes, AfterValidator(validate_bin_field)]
+
+# 2.8 Hexadecimal
+# The hex data type encodes an array of octets (8-bit bytes) as hexadecimal. The string MUST consist of an even number
+# of hexadecimal characters, which are the digits '0' through '9' and the lower-case letters 'a' through 'f'. In order
+# to allow pattern matching on custom objects, for all properties that use the hex type,
+# the property name MUST end with '_hex'.
+type StixHex = Annotated[str, AfterValidator(validate_hex_field)]
+
+# 2.3 Dictionnary
+# Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters
+# a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_).
+# Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase.
+type StixDict = dict[
+    StixKey,
+    Any,  # pyright: ignore[reportExplicitAny]
+]
+
+
+# A URL reference to an external resource [RFC3986].
+type StixUrl = Annotated[AnyUrl, UrlConstraints(preserve_empty_path=True)]
+
+
+# 2.9 Identifier
+class Identifier(str):
+    @classmethod
+    def __get_pydantic_core_schema__(
+        cls,
+        source_type: Any,  # pyright: ignore[reportExplicitAny, reportAny]
+        handler: GetCoreSchemaHandler,
+    ) -> CoreSchema:
+        return core_schema.no_info_after_validator_function(cls, handler(str))
+
+    def get_type(self: str) -> str:
+        return self.split("--", maxsplit=1)[0]
+
+
+class StixCore(BaseModel):
+    model_config = ConfigDict(  # pyright: ignore[reportUnannotatedClassAttribute]
+        use_enum_values=True,
+        validate_by_alias=True,
+        validate_by_name=True,
+        frozen=True,
+        extra="allow",
+    )
+
+
+# 2.7 Hashes
+class Hashes(StixCore, extra="allow"):
+    """
+    The Hashes type represents one or more cryptographic hashes, as a special set of key/value pairs.
+    Accordingly, the name of each hashing algorithm MUST be specified as a key in the dictionary
+    and MUST identify the name of the hashing algorithm used to generate the corresponding value.
+    This name SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary.
+
+    To enhance compatibility, the SHA-256 hash SHOULD be used whenever possible.
+    """
+
+    # Specifies the MD5 message digest algorithm. The corresponding hash string for this
+    # value MUST be a valid MD5 message digest as defined in [RFC1321].
+    md5: Annotated[str | None, Field(serialization_alias="MD5")] = None
+    # Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function.
+    # The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174].
+    sha1: Annotated[str | None, Field(serialization_alias="SHA-1")] = None
+    # Specifies the SHA-256 cryptographic hash function (part of the SHA2 family).
+    # The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234].
+    sha256: Annotated[str | None, Field(serialization_alias="SHA-256")] = None
+    # Specifies the SHA-512 cryptographic hash function (part of the SHA2 family).
+    # The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234].
+    sha512: Annotated[str | None, Field(serialization_alias="SHA-512")] = None
+    # Specifies the SHA3-256 cryptographic hash function. The corresponding hash string
+    # for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202].
+    sha3_256: Annotated[str | None, Field(serialization_alias="SHA3-256")] = None
+    # Specifies the SHA3-512 cryptographic hash function. The corresponding hash string
+    # for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202].
+    sha3_512: Annotated[str | None, Field(serialization_alias="SHA3-512")] = None
+    # Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this
+    # value MUST be a valid piecewise hash as defined in the [SSDEEP] specification.
+    ssdeep: Annotated[str | None, Field(serialization_alias="SSDEEP")] = None
+    # Specifies the TLSH fuzzy hashing algorithm. The corresponding hash string for this
+    # value MUST be a valid 35 byte long hash as defined in the [TLSH] specification.
+    tlsh: Annotated[str | None, Field(serialization_alias="TLSH")] = None
+
+    @model_validator(mode="after")
+    def lang_or_marking_ref(self) -> "Hashes":
+        """
+        Dictionary keys MUST be unique in each hashes property, MUST be in ASCII, and are limited to the
+        characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_).
+        Dictionary keys MUST have a minimum length of 3 ASCII characters
+        and MUST be no longer than 250 ASCII characters in length.
+        The value MUST be a string in the appropriate format defined by the hash type indicated in the dictionary key.
+        """
+        if self.__pydantic_extra__ and any(
+            not (len(key) > 250 or len(key) < 3 or StixKeyPattern.match(key))
+            for key in self.__pydantic_extra__.keys()
+        ):
+            raise ValueError("Invalid extra hash key.")
+        return self
+
+
+# 2.5 External Reference
+class ExternalReference(StixCore):
+    """
+    External references are used to describe pointers to information represented outside of STIX.
+    For example, a Malware object could use an external reference to indicate an ID for that malware
+    in an external database or a report could use references to represent source material.
+    """
+
+    # The name of the source that the external-reference is defined within (system, registry, organization, etc.).
+    source_name: str
+    # A human readable description.
+    description: str | None = None
+    # A URL reference to an external resource [RFC3986].
+    url: StixUrl | None = None
+    # Specifies a dictionary of hashes for the contents of the url. This SHOULD be provided when the url property is
+    # present. Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary.
+    # As stated in Section 2.7, to ensure interoperability, a SHA-256 hash SHOULD be included whenever possible.
+    hashes: Hashes | None = None
+    # An identifier for the external reference content.
+    external_id: str | None = None
+
+    @model_validator(mode="before")
+    def at_least_one(cls, values: dict[str, str]) -> dict[str, str]:
+        """
+        In addition to the source_name property, at least one of the description, url,
+        or external_id properties MUST be present.
+        """
+        for value in values.values():
+            if value:
+                return values
+        raise ValueError("Missing at least one hash value.")
+
+
+# 2.11 Kill Chain Phase
+class KillChainPhase(StixCore):
+    """
+    The kill-chain-phase represents a phase in a kill chain, which describes the
+    various phases an attacker may undertake in order to achieve their objectives.
+    """
+
+    # The name of the kill chain. The value of this property SHOULD be all lowercase
+    # and SHOULD use hyphens instead of spaces or underscores as word separators.
+    kill_chain_name: str
+    # The name of the phase in the kill chain. The value of this property SHOULD be all
+    # lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
+    phase_name: str
+
+
+# 7.2.3 Granular Markings
+class GranularMarking(StixCore):
+    """
+    The granular-marking type defines how the list of marking-definition objects referenced by
+    the marking_refs property to apply to a set of content identified by
+    the list of selectors in the selectors property.
+    """
+
+    # The lang property identifies the language of the text identified by this marking. The value of the lang property,
+    # if present, MUST be an [RFC5646] language code. If the marking_ref property is not present, this property MUST
+    # be present. If the marking_ref property is present, this property MUST NOT be present.
+    lang: str | None = None
+    # The marking_ref property specifies the ID of the marking-definition object that describes the marking.
+    # If the lang property is not present, this property MUST be present. If the lang property is present,
+    # this property MUST NOT be present.
+    marking_ref: Identifier | None = None
+    # The selectors property specifies a list of selectors for content contained within the STIX Object in which this
+    # property appears. Selectors MUST conform to the syntax defined below. The marking-definition referenced in
+    # the marking_ref property is applied to the content selected by the selectors in this list. The [RFC5646] language
+    # code specified by the lang property is applied to the content selected by the selectors in this list.
+    selectors: list[str] | None = None
+    # Selector Syntax:
+    # Selectors contained in the selectors list are strings that consist of multiple components that MUST be separated
+    # by the . character. Each component MUST be one of:
+    #    ●      A property name or dictionary key, e.g., description, or;
+    #    ●      A zero-based list index, specified as a non-negative integer in square brackets, e.g., [4]
+    # Selectors denote path traversals: the root of each selector is the STIX Object
+    # that the granular_markings property appears in.
+    # Starting from that root, for each component in the selector, properties and list items are traversed.
+    # When the complete list has been traversed, the value of the content is considered selected.
+    # Selectors MUST refer to properties or list items that are actually present on the marked object.
+
+    @model_validator(mode="after")
+    def lang_or_marking_ref(self) -> "GranularMarking":
+        if self.lang and self.marking_ref:
+            raise ValueError(
+                "Both lang and marking_ref properties MUST NOT be present."
+            )
+        if not self.lang and not self.marking_ref:
+            raise ValueError("Either lang or marking_ref property MUST be present.")
+        return self
+
+
+# 10.5 Extension Types Enumeration
+class ExtensionType(Enum):
+    new_sdo = "new-sdo"
+    new_sco = "new-sco"
+    new_sro = "new-sro"
+    property_extension = "property-extension"
+    toplevel_property_extension = "toplevel-property-extension"
+
+
+class Extension(StixCore):
+    extension_type: ExtensionType | None = None
+
+
+class ExtensionsDict(TypedDict, total=False, extra_items=SerializeAsAny[Extension]): ...  # noqa: E701
+
+
+# 3.2 Common Properties
+class StixCommon(StixCore):
+    """
+    This section defines the common properties that MAY exist on a STIX Objects. While some STIX Objects use all
+    of these common properties, not all object types do.
+    Each type of STIX Object defines which common properties are required, which are optional,
+    and which are not in use.
+    """
+
+    # All STIX Objects and the STIX Bundle Object have an id property that uniquely identifies each instance
+    # of the object.
+    # This id MUST meet the requirements of the identifier type (see section 2.9).
+    # For objects that support versioning, all objects with the same id are considered different versions
+    # of the same object and the version of the object is identified by its modified property.
+    id: Identifier
+    # The type property identifies the type of STIX Object.
+    type: str
+    # The value of this property MUST be 2.1 for STIX Objects defined according to this specification.
+    spec_version: Literal["2.1"] = "2.1"
+    # The revoked property is only used by STIX Objects that support versioning and indicates whether the object
+    # has been revoked.
+    revoked: bool | None = None
+    # The labels property specifies a set of terms used to describe this object.
+    # Where an object has a specific property defined in the specification for characterizing
+    # subtypes of that object, the labels property MUST NOT be used for that purpose.
+    labels: list[str] | None = None
+    # The confidence property identifies the confidence that the creator has in the correctness of their data.
+    # The confidence value MUST be a number in the range of 0-100.
+    confidence: Annotated[int, Ge(0), Le(100)] | None = None
+    # The lang property identifies the language of the text content in this object.
+    # When present, it MUST be a language code conformant to [RFC5646].
+    # RFC5646 does not enforce ISO 639-1 alpha-2 or ISO 639-3 alpha-3 formats.
+    lang: str | None = None
+    # The external_references property specifies a list of external references which refers to non-STIX information.
+    external_references: list[ExternalReference] | None = None
+    # The object_marking_refs property specifies a list of id properties of marking-definition objects that apply
+    # to this object.
+    object_marking_refs: list[Identifier] | None = None
+    # The granular_markings property specifies a list of granular markings applied to this object.
+    granular_markings: list[GranularMarking] | None = None
+    # Specifies any extensions of the object, as a dictionary.
+    # Dictionary keys SHOULD be the id of a STIX Extension object or the name of a predefined object extension found
+    # in this specification, depending on the type of extension being used.
+    # The corresponding dictionary values MUST contain the contents of the extension instance.
+    # Each extension dictionary MAY contain the property extension_type.
+    # The value of this property MUST come from the extension-type-enum enumeration.
+    # If the extension_type property is not present, then this is a predefined extension which
+    # does not use the extension facility described in section 7.3.
+    # When this extension facility is used the extension_type property MUST be present.
+    extensions: ExtensionsDict | dict[str, Extension] | None = None
+
+    @classmethod
+    def register_new_extension(
+        cls,
+        definition: "StixCommon",  # pyright: ignore[reportUnusedParameter]
+        extension: Type[Extension],  # pyright: ignore[reportUnusedParameter, reportDeprecated]
+    ):
+        """
+        Dynamically update the extensions property so that new classes get deserialized based on the extension key.
+        """
+        annotations = get_args(cls.model_fields["extensions"].annotation)[0]  # pyright: ignore[reportAny, reportUnusedVariable]
+        CustomExtensionsDict = TypedDict(
+            "CustomExtensionsDict",
+            {
+                definition.id: extension,  # pyright: ignore[reportGeneralTypeIssues]
+                **annotations.__annotations__,  # pyright: ignore[reportGeneralTypeIssues]
+            },
+            total=False,
+            extra_items=SerializeAsAny[Extension],
+        )
+        cls.model_fields["extensions"].annotation = CustomExtensionsDict | None  # pyright: ignore[reportAttributeAccessIssue]
+        cls.model_rebuild(force=True)  # pyright: ignore[reportUnusedCallResult]
+
+
+class StixDomain(StixCommon):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+    # The created property represents the time at which the object was originally created.
+    # The created property MUST NOT be changed when creating a new version of the object.
+    created: datetime
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+class StixObservable(StixCommon):
+    # This property defines whether or not the data contained within the object has been defanged.
+    defanged: bool | None = None
+
+
+class StixRelationship(StixCommon):
+    relationship_type: str
+    # The created property represents the time at which the object was originally created.
+    # The created property MUST NOT be changed when creating a new version of the object.
+    created: datetime
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+class StixMeta(StixCommon):
+    type: str
+    # The created property represents the time at which the object was originally created.
+    # The created property MUST NOT be changed when creating a new version of the object.
+    created: datetime
+
+
+class StixLanguage(StixMeta):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+class StixMarking(StixMeta):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+
+
+class StixExtension(StixMeta):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self

stidantic/validators.py

@@ -0,0 +1,20 @@
+from pydantic import ValidationInfo
+
+
+def validate_identifier(value: str) -> str:
+    _type, _uuid = value.split("--")
+    if not _type and not _uuid:
+        raise ValueError("Invalid identifier format.")
+    return value
+
+
+def validate_bin_field(value: str, info: ValidationInfo) -> str:
+    if info.field_name and not info.field_name.endswith("_bin"):
+        raise ValueError("The property name MUST end with '_bin'.")
+    return value
+
+
+def validate_hex_field(value: str, info: ValidationInfo) -> str:
+    if info.field_name and not info.field_name.endswith("_hex"):
+        raise ValueError("The property name MUST end with '_hex'.")
+    return value