Checking STIX Content¶
The validator will always validate input against all of the mandatory
“MUST” requirements from the spec. By default it will issue warnings
if the input fails any of the “SHOULD” recommendations, but validation
will still pass. To turn these “best practice” warnings into errors
and cause validation to fail, use the --strict option with the
command-line script, or create a ValidationOptions object with
strict=True when using the library.
You cannot select which of the “MUST” requirement checks will be
performed; all of them will always be performed. However, you may
select which of the “SHOULD” checks to perform. Use the codes from the
table below to enable or disable these checks. For example, to disable
the checks for the report label and tool label vocabularies, use
--disable 218,222 or disabled="218,222". All the other
checks will still be performed. Conversely, to only check that custom
property names adhere to the recommended format but not run any of the
other “best practice” checks, use --enable 103 or
enabled="103".
Enabling supersedes disabling. Simultaneously enabling and disabling the same check will result in the validator performing that check.
Mandatory Checks - STIX 2.1¶
Name |
Ensures… |
Errors/Warnings |
timestamp |
timestamps contain sane months, days, hours, minutes, seconds |
‘<property>’: ‘<timestamp>’ is not a valid timestamp: <message> ‘<object>’: ‘<property>’: ‘<timestamp>’ is not a valid timestamp: <message> ‘<object>’: ‘<extension>’: ‘<property>’: ‘<timestamp>’ is not a valid timestamp: <message> ‘<object>’: ‘<property>’: ‘<embedded-property>’ is not a valid timestamp: <message> |
timestamp_compare |
timestamp properties with a comparison are valid |
‘<operand_1>’ (<operand1_value>) must be <comparison_op> ‘<operand_2>’ (<operand2_value) |
observable_timestamp_compare |
cyber observable timestamp properties with a comparison requirement are valid |
In object ‘<identifier>’, ‘<operand_1>’ (<operand1_value>) must be <comparison_op> ‘<operand_2>’ (<operand2_value>) |
object_marking_circular_refs |
that marking definitions do not contain circular references (i.e., they do not reference themselves in the ‘object_marking_refs’ property |
‘object_marking_refs’ cannot contain any references to this marking definition object (no circular references) |
granular_markings_circular_refs |
that marking definitions do not contain circular references (i.e., they do not reference themselves in the ‘granular_markings’ property |
‘granular markings’ cannot contain any references to this marking definition object (no circular references) |
marking_selector_syntax |
selectors in granular markings refer to items which are actually present in the object |
‘<selector>’ is not a valid selector because ‘<index>’ is not a valid index ‘<selector>’ is not a valid selector because ‘<selector_segment>’ is not a list. ‘<selector>’ is not a valid selector because ‘<selector_segment>’ is not a property. |
observable_object_references |
certain observable object properties reference the correct type of object |
‘<property>’ in observable object ‘<identifier>’ can’t resolve ‘<embed-property>’ reference ‘<identifier>’ ‘<property>’ in observable object ‘<identifier>’ must refer to an object of type ‘<type(s)>’ |
artifact_mime_type |
the ‘mime_type’ property of artifact objects comes from the Template column in the IANA media type registry |
the ‘mime_type’ property of object ‘<identifier>’ (‘<mime_type>’) must be an IANA registered MIME Type of the form ‘type/subtype’. |
character_set |
certain properties of cyber observable objects come from the IANA Character Set list. |
The ‘path_enc’ property of object ‘<identifier>’ (‘<path_enc>’) must be an IANA registered character set. The ‘name_enc’ property of object ‘<identifier>’ (‘<name_enc>’) must be IANA registered character set. |
language |
the ‘lang’ property of SDOs is a valid RFC 5646 language code |
‘<lang>’ is not a valid RFC 5646 language code. |
software_language |
the ‘language’ property of software objects is a valid ISO 639-2 language code |
The ‘languages’ property of object ‘<identifier>’ contains an invalid code (‘<lang>’). |
patterns |
that the syntax of the pattern of an indicator is valid, and that objects and properties referenced by the pattern are valid. This runs the cti-pattern-validator (https://github.com/oasis-open/cti- pattern-validator) to check the syntax of the pattern. |
‘<object>’ is not a valid observable type name Custom Observable Object type ‘<object>’ should start with ‘x-’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name Custom Observable Object type ‘<object>’ should start with ‘x-’ ‘<property>’ is not a valid observable property name Cyber Observable Object custom property ‘<property>’ should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by underscores), an underscore and then the name Cyber Observable Object custom property ‘<property>’ should start with ‘x_’ |
language_contents |
keys in Language Content’s ‘contents’ dictionary are valid language codes, and that the keys in the sub- dictionaries match the rules for object property names |
Invalid key ‘<key>’ in ‘contents’ property must be an RFC 5646 code ‘<subkey>’ in ‘<key>’ of the ‘contents’ property is invalid and must match a valid property name |
uuid_version_check |
that an SCO with only optional ID Contributing Properties use a UUIDv4 |
If no Contributing Properties are present a UUIDv4 must be used |
process |
that process objects use UUIDv4 |
A process object must use UUIDv4 in its id |
Optional Checks - STIX 2.1¶
Code |
Name |
Ensures… |
Errors/Warnings |
1 |
format-checks |
all 1xx checks are run. Specifically: |
|
101 |
custom-prefix |
names of custom object types, properties, observable objects, observable object properties, and observable object extensions follow the correct format |
Note: This checks functionality that has been deprecated and replaced by extensions. Thus, this check only runs if extensions-use (401) is disabled. custom object type ‘<object>’ should start with ‘x-’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. custom property ‘<property>’ should have a type that starts with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by a hyphen), a hyphen and then the name. Custom Observable Object type ‘<observable_object>’ should start with ‘x-’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. Custom Cyber Observable Object extension type ‘<observable-object-extension>’ should start with ‘x-’ followed by a source unique identifier (like a domain with dots replaced by hyphens), a hyphen and then the name. Cyber Observable Object custom property ‘<observable_object_property>’ should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. Cyber Observable Object custom property ‘<property>’ in the <extension> extension should start with ‘x_’ followed by a source unique (like a domain name with dots replaced by hyphens), a hyphen and then the name. Cyber Observable Object custom property ‘<property>’ in the <extension_property> of the <extension> extension should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. |
102 |
custom-prefix-lax |
same as 101 but more lenient; no source identifier needed in prefix |
Note: This checks functionality that has been deprecated and replaced by extensions. Thus, this check only runs if extensions-use (401) is disabled. custom object type ‘<object>’ should start with ‘x-’ in order to be compatible with future versions of the STIX 2 specification. custom property ‘<property>’ should have a type that starts with ‘x_’ in order to be compatible with future versions of the STIX 2 specification. Custom Observable Object type ‘<observable_object>’ should start with ‘x-‘. Custom Observable Object extension type ‘<observable-object_extension>’ should start with ‘x-‘. Cyber Observable Object custom property ‘<property>’ should start with ‘x_’. Cyber Observable Object custom property ‘<embedded_property>’ in the <property> of the <object> object should start with ‘x_’. Cyber Observable Object custom property ‘<property>’ in the <extension> extension should start with ‘x_’. Cyber Observable Object custom property ‘<property>’ in the <extension_property> property of the <extension> extension should start with ‘x_’. |
103 |
uuid-check |
objects use the recommended versions of UUID (v5 for SCOs, v4 for the rest) |
Cyber Observable ID value <identifier> is not a valid UUIDv5 ID. Given ID value <identifier> is not a valid UUIDv4 ID. |
111 |
open-vocab-format |
values of open vocabularies follow the correct format |
Open vocabulary value ‘<value>’ should be all lowercase and use hyphens instead of spaces or underscores as word separators. |
121 |
kill-chain-names |
kill-chain-phase name and phase follow the correct format |
kill_chain_name ‘<chain_name>’ should be all lowercase and use hyphens instead of spaces or underscores as word separators. phase_name ‘<phase_name>’ should be all lowercase and use hyphens instead of spaces or underscores as word separators |
141 |
observable-object-keys |
observable object keys follow the correct format |
‘<key_value>’ is not a good key value. Observable Objects should use non- negative integers for their keys. |
142 |
observable-dictionary-keys |
dictionaries in cyber observable objects follow the correct format |
As a dictionary key, ‘<key_value>’ should be lowercase. |
143 |
malware-analysis-product |
malware analysis product names follow the correct format |
The ‘product’ property of object ‘<identifier>’ should be all lowercase with words separated by dash. |
149 |
windows-process-priority-format |
windows-process-ext’s ‘priority’ follows the correct format |
The ‘priority’ property of object ‘<identifier>’ should end in ‘_CLASS’. |
150 |
hash-length |
keys in ‘hashes’-type properties are not too long |
Object ‘<identifier>’ has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is longer than 30 characters. Object ‘<identifier>’ has an NTFS extension with an alternate data stream that has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is longer than 30 characters. Object ‘<identifier>’ has a Windows PE Binary File extension with a file header hash of ‘<hash>’, which is longer than 30 characters. Object ‘<identifier>’ has a Windows PE Binary File extension with an optional header that has a hash of ‘<hash>’, which is longer than 30 characters. Object ‘<identifier>’ has a Windows PE Binary File extension with a section that has a hash of ‘<hash>’, which is longer than 30 characters. Object ‘<identifier>’ hash a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is longer than 30 characters. |
2 |
approved-values |
all 2xx checks are run. Specifically: |
|
201 |
marking-definition-type |
marking definitions use a valid definition_type |
Marking definition ‘definition_type’ should be one of: <marking-definition-type>. |
202 |
relationship-types |
relationships are among those defined in the specification |
‘<object>’ is not a suggested relationship source object for the ‘<relationship>’ relationship. ‘<relationship>’ is not a suggested relationship type for ‘<object>’ objects. ‘<object>’ is not a suggested relationship target object for ‘<object>’ objects with the ‘<relationship>’ relationship. |
203 |
duplicate-ids |
objects in a bundle with duplicate IDs have different modified timestamps |
Duplicate ID ‘<identifier>’ has identical ‘modified’ timestamp. If they are different versions of the same object, they should have different ‘modified’ properties, |
210 |
all-vocabs |
all of the following open vocabulary checks are run |
|
211 |
attack-motivation |
certain property values are from the attack-motivation vocabulary |
‘<property>’ contains a value not in the attack-motivation-ov vocabulary |
212 |
attack-resource-level |
certain property values are from the attack-resource-level vocabulary |
‘<property>’ contains a value not in the attack-resource-level-ov vocabulary |
213 |
identity-class |
certain property values are from the identity-class vocabulary |
‘<property>’ contains a value not in the identity-class-ov vocabulary |
214 |
indicator-types |
certain property values are from the indicator-types vocabulary |
‘<property>’ contains a value not in the indicator-types-ov vocabulary |
215 |
industry-sector |
certain property values are from the industry-sector vocabulary |
‘<property>’ contains a value not in the industry-sector-ov vocabulary |
216 |
malware-types |
certain property values are from the malware-types vocabulary |
‘<property>’ contains a value not in the malware-types-ov vocabulary |
218 |
report-types |
certain property values are from the report-types vocabulary |
‘<property>’ contains a value not in the report-types-ov vocabulary |
219 |
threat-actor-types |
certain property values are from the threat-actor-types vocabulary |
‘<property>’ contains a value not in the threat-actor-types-ov vocabulary |
220 |
threat-actor-role |
certain property values are from the threat_actor_role vocabulary |
‘<property>’ contains a value not in the threat-actor-role-ov vocabulary |
221 |
threat-actor-sophistication |
certain property values are from the threat_actor_sophistication vocabulary |
‘<property>’ contains a value not in the threat-actor-sophistication-ov vocabulary |
222 |
tool-types |
certain property values are from the tool_types vocabulary |
‘<property>’ contains a value not in the tool-types-ov vocabulary |
223 |
region |
certain property values are from the region vocabulary |
‘<property>’ contains a value not in the region-ov vocabulary |
225 |
grouping-context |
certain property values are from the grouping-context vocabulary |
‘<property>’ contains a value not in the grouping-context-ov vocabulary |
226 |
implementation-languages |
certain property values are from the implementation-languages vocabulary |
‘<property>’ contains a value not in the implementation-languages-ov vocabulary |
227 |
infrastructure-types |
certain property values are from the infrastructure-types vocabulary |
‘<property>’ contains a value not in the infrastructure-types-ov vocabulary |
228 |
malware-capabilities |
certain property values are from the malware-capabilities vocabulary |
‘<property>’ contains a value not in the malware-capabilities-ov vocabulary |
230 |
processor-architecture |
certain property values are from the processor-architecture vocabulary |
‘<property>’ contains a value not in the processor-architecture-ov vocabulary |
231 |
malware-result |
certain property values are from the malware-result vocabulary |
‘<property>’ contains a value not in the malware-result-ov vocabulary |
241 |
hash-algo |
certain property values are from the hash-algo vocabulary |
Object ‘<identifier>’ has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’. Object ‘<identifier>’ has an NTFS extension with an alternate data stream that has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is not a value in the hash- algorithm-ov vocabulary nor a custom value prepended with ‘x_’. Object ‘<identifier>’ has a Windows PE Binary File extension with a file header hash of ‘<hash_type>’, which is not a value in the hash-algorithm- vocabulary nor a custom value prepended with ‘x_’. Object ‘<identifier>’ has a Windows PE Binary File extension with an optional header that has a hash of ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’. Object ‘<identifier>’ has a Windows PE Binary File extension with a section that has a hash of ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’. |
243 |
windows-pebinary-type |
certain property values are from the windows-pebinary-type vocabulary |
Object ‘<identifier>’ has a Windows PE Binary File extension with a ‘pe_type’ of ‘<pe_type>’, which is not a value in the windows-pebinary-type-ov vocabulary. |
244 |
account-type |
certain property values are from the account-type vocabulary |
Object ‘<identifier>’is a User Account Object with an ‘account_type’ of ‘<account_type>’, which is not a value in the account-type-ov vocabulary. |
245 |
indicator-pattern-types |
certain property values are from the pattern-type vocabulary |
‘<property>’ contains a value not in the pattern-type-ov vocabulary |
270 |
all-external-sources |
all of the following external source checks are run |
|
271 |
mime-type |
file.mime_type is a valid IANA MIME type |
The ‘mime_type’ property of object ‘<identifier>’ (‘<mime_type>’) should be an IANA registered MIME Type of the form ‘type/subtype’. |
272 |
protocols |
certain property values are valid IANA Service and Protocol names |
The ‘protocols’ property of object ‘<identifier>’ contains a value (‘<protocol>’) not in IANA Service Name and Transport Protocol Port Number Registry. |
273 |
ipfix |
certain property values are valid IANA IP Flow Information Export (IPFIX) Entities |
The ‘ipfix’ property of object ‘<identifier>’ contains a key (‘<ipfix>’) not in IANA IP Flow Information Export (IPFIX) Entities Registry. |
274 |
http-request-headers |
certain property values are valid HTTP request header names |
The ‘request_header’ property of object ‘<identifier>’ contains an invalid HTTP header (‘<http_request_header>’). |
275 |
socket-options |
certain property values are valid socket options |
The ‘options’ property of object ‘<identifier>’ contains a key (‘<option>’) that is not a valid socket option (SO|ICMP|ICMP6|IP|IPV6| MCAST|TCP|IRLMP)_*. |
276 |
pdf-doc-info |
certain property values are valid PDF Document Information Dictionary keys |
The ‘document_info_dict’ property of object ‘<identifier>’ contains a key (‘<key>’) that is not a valid PDF Document Information Dictionary key. |
277 |
countries |
certain property values are valid ISO 3166-1 ALPHA-2 codes |
Location ‘country’ should be a valid ISO 3166-1 ALPHA-2 Code. |
301 |
network-traffic-ports |
network-traffic objects contain both src_port and dst_port |
The Network Traffic object ‘<identifier>’ should contain both the ‘src_port’ and ‘dst_port’ properties. |
302 |
extref-hashes |
external references SHOULD have hashes if they have a url |
External reference ‘<src>’ has a URL but no hash. |
303 |
indicator-properties |
Indicator objects have both name and description properties |
Both the name and description properties SHOULD be present. |
304 |
deprecated-properties |
certain properties which have been deprecated are not being used |
Included property ‘<property>’ is deprecated within the indicated spec version. |
305 |
extension-description |
Extension Definitions have a description property |
The ‘description’ property SHOULD be populated. |
306 |
extension-properties |
Ensure toplevel-property-extensions include the extension_properties property |
For extensions of the ‘toplevel- property-extension’ type, the ‘extension_properties’ property SHOULD include one or more property names. |
401 |
extensions-use |
custom objects, properties, and observable extensions have been implemented with Extension Definitions |
Custom object type ‘<object>’ should be implemented using an extension with an ‘extension_type’ of ‘new-sdo’. Custom property ‘<property>’ should be ‘implemented using an extension with an ‘extension_type’ of ‘property- extension’ or ‘toplevel-property- extension’. Custom Cyber Observable Object extension type ‘<extension>’ should be implemented using an ‘extension_type’ of ‘property-extension’. |