Checking STIX Content
The validator always validates input against all of the mandatory “MUST” requirements of the spec. By default it issues warnings if the input fails any of the “SHOULD” recommendations, but validation still passes. To turn these “best practice” warnings into errors and cause validation to fail, use the --strict option with the command-line script, or create a ValidationOptions object with strict=True when using the library.
You cannot select which of the “MUST” requirement checks are performed; all of them always run. You can, however, select which of the “SHOULD” checks to perform, using the codes from the table below to enable or disable them. For example, to disable the checks for the report-types and tool-types vocabularies, use --disable 218,222 or disabled="218,222". All the other checks will still be performed. Conversely, to only check that custom type and property names adhere to the recommended prefix format (check 101 in the table below) but not run any of the other “best practice” checks, use --enable 101 or enabled="101". A group code selects a whole family of checks: 1 runs every 1xx check, 2 every 2xx check, 210 every open-vocabulary check and 270 every external-source check.
Enabling supersedes disabling. Simultaneously enabling and disabling the same check will result in the validator performing that check.
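The behaviour described above (MUST checks always run and produce errors, SHOULD checks produce warnings unless strict is set, --enable restricts the run, --disable drops checks, and enabling wins over disabling) modelled in a small Python script. This is an added example, not stix2-validator's own code: it implements only the mandatory timestamp check and optional checks 111, 121 and 150 from the tables below, the list of open-vocabulary properties is a subset chosen for the example, the sample objects are constructed, and validate() and resolve_optional_checks() are this script's own functions, not the library's API.

```python
import re
from datetime import datetime

# STIX timestamp form YYYY-MM-DDTHH:MM:SS[.s+]Z; the date part is parsed afterwards
# so that out-of-range months, days and hours are rejected too.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z$")
# Recommended form for open-vocabulary and kill-chain values (checks 111, 121).
SLUG_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")
# Properties treated as open vocabularies here (a subset, assumed for the example).
OPEN_VOCAB_PROPS = ("indicator_types", "malware_types", "report_types", "tool_types")


def check_timestamp(obj):
    """Mandatory check: 'created' and 'modified' are well-formed and sane."""
    errors = []
    for prop in ("created", "modified"):
        val = obj.get(prop)
        if val is None:
            continue
        try:
            m = TS_RE.match(str(val))
            if m is None:
                raise ValueError("expected YYYY-MM-DDTHH:MM:SS[.s+]Z")
            datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError as exc:
            errors.append(f"'{prop}': '{val}' is not a valid timestamp: {exc}")
    return errors


def check_open_vocab_format(obj):
    """Check 111: open-vocabulary values are lowercase and hyphen-separated."""
    return [f"Open vocabulary value '{v}' should be all lowercase and use hyphens "
            "instead of spaces or underscores as word separators."
            for prop in OPEN_VOCAB_PROPS for v in obj.get(prop, [])
            if not SLUG_RE.match(v)]


def check_kill_chain_names(obj):
    """Check 121: kill_chain_name and phase_name use the same format."""
    return [f"{key} '{phase.get(key)}' should be all lowercase and use hyphens "
            "instead of spaces or underscores as word separators."
            for phase in obj.get("kill_chain_phases", [])
            for key in ("kill_chain_name", "phase_name")
            if not SLUG_RE.match(phase.get(key, ""))]


def check_hash_length(obj):
    """Check 150: keys of a 'hashes' dictionary are at most 30 characters."""
    return [f"Object '{obj.get('id')}' has a 'hashes' dictionary with a hash of "
            f"type '{key}', which is longer than 30 characters."
            for key in obj.get("hashes", {}) if len(key) > 30]


MANDATORY_CHECKS = [check_timestamp]
OPTIONAL_CHECKS = {"111": check_open_vocab_format,
                   "121": check_kill_chain_names,
                   "150": check_hash_length}
GROUPS = {"1": set(OPTIONAL_CHECKS)}  # code 1 (format-checks) = every 1xx check modelled here


def resolve_optional_checks(enabled="", disabled=""):
    """Selection rules from the text: --enable restricts the run to the listed
    checks, --disable drops checks, and enabling supersedes disabling."""
    def expand(codes):
        out = set()
        for code in (c.strip() for c in codes.split(",") if c.strip()):
            out |= GROUPS.get(code, {code})
        return out & set(OPTIONAL_CHECKS)  # unknown codes are ignored
    on, off = expand(enabled), expand(disabled)
    active = on if on else set(OPTIONAL_CHECKS)
    return (active - off) | on


def validate(obj, strict=False, enabled="", disabled=""):
    """MUST failures are errors; selected SHOULD failures are warnings, unless
    strict=True promotes them to errors so that validation fails."""
    errors, warnings = [], []
    for check in MANDATORY_CHECKS:
        errors += check(obj)
    for code in sorted(resolve_optional_checks(enabled, disabled)):
        warnings += OPTIONAL_CHECKS[code](obj)
    if strict:
        errors, warnings = errors + warnings, []
    return {"is_valid": not errors, "errors": errors, "warnings": warnings}


# Constructed sample objects for this example (not taken from the page).
INDICATOR = {
    "type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
    "indicator_types": ["Malicious Activity"],                    # violates 111
    "kill_chain_phases": [{"kill_chain_name": "Lockheed Martin",  # violates 121
                           "phase_name": "command-and-control"}],
}
BAD_REPORT = {
    "type": "report", "id": "report--2f7c9a1e-4d3b-4e0a-9b1c-6a5d4e3f2b1a",
    "created": "2024-02-30T12:00:00Z", "modified": "2024-02-29T12:00:00Z",  # Feb 30 fails the MUST check
    "report_types": ["threat-report"],
}

if __name__ == "__main__":
    print(validate(INDICATOR))                 # valid, 2 warnings
    print(validate(INDICATOR, strict=True))    # invalid, 2 errors
    print(validate(BAD_REPORT, disabled="1"))  # invalid: MUST checks cannot be disabled
```

The last call is the point worth remembering: disabled="1" switches off every optional check, yet the malformed timestamp still fails validation, because mandatory checks are not selectable. Likewise enabled="111" together with disabled="111" still runs check 111.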
Some checks access Internet resources to determine valid values for certain properties. For instance, the mime-type check fetches the IANA list of registered media types. These web requests are cached to conserve bandwidth; cached responses expire after one week and are stored in a file called ‘cache.sqlite’ in the directory the script is run from. The cache can be refreshed manually with --refresh-cache or refresh_cache=True, or cleared with --clear-cache or clear_cache=True. Caching can be disabled entirely with --no-cache or no_cache=True. Note that --no-cache only stops responses from being stored; the lookups still happen. On a host without Internet access, disable the optional external-source checks instead (--disable 270 or disabled="270").
Mandatory Checks - STIX 2.1
| Name | Ensures… | Errors/Warnings |
|---|---|---|
| timestamp | timestamps contain sane months, days, hours, minutes and seconds | ‘<property>’: ‘<timestamp>’ is not a valid timestamp: <message>; ‘<object>’: ‘<property>’: ‘<timestamp>’ is not a valid timestamp: <message>; ‘<object>’: ‘<extension>’: ‘<property>’: ‘<timestamp>’ is not a valid timestamp: <message>; ‘<object>’: ‘<property>’: ‘<embedded-property>’ is not a valid timestamp: <message> |
| timestamp_compare | timestamp properties with a comparison requirement are valid | ‘<operand_1>’ (<operand1_value>) must be <comparison_op> ‘<operand_2>’ (<operand2_value>) |
| observable_timestamp_compare | cyber observable timestamp properties with a comparison requirement are valid | In object ‘<identifier>’, ‘<operand_1>’ (<operand1_value>) must be <comparison_op> ‘<operand_2>’ (<operand2_value>) |
| object_marking_circular_refs | marking definitions do not contain circular references (i.e., they do not reference themselves in the ‘object_marking_refs’ property) | ‘object_marking_refs’ cannot contain any references to this marking definition object (no circular references) |
| granular_markings_circular_refs | marking definitions do not contain circular references (i.e., they do not reference themselves in the ‘granular_markings’ property) | ‘granular_markings’ cannot contain any references to this marking definition object (no circular references) |
| marking_selector_syntax | selectors in granular markings refer to items which are actually present in the object | ‘<selector>’ is not a valid selector because ‘<index>’ is not a valid index; ‘<selector>’ is not a valid selector because ‘<selector_segment>’ is not a list; ‘<selector>’ is not a valid selector because ‘<selector_segment>’ is not a property |
| observable_object_references | certain observable object properties reference the correct type of object | ‘<property>’ in observable object ‘<identifier>’ can’t resolve ‘<embed-property>’ reference ‘<identifier>’; ‘<property>’ in observable object ‘<identifier>’ must refer to an object of type ‘<type(s)>’ |
| artifact_mime_type | the ‘mime_type’ property of artifact objects comes from the Template column in the IANA media type registry | the ‘mime_type’ property of object ‘<identifier>’ (‘<mime_type>’) must be an IANA registered MIME Type of the form ‘type/subtype’ |
| character_set | certain properties of cyber observable objects come from the IANA Character Set list | The ‘path_enc’ property of object ‘<identifier>’ (‘<path_enc>’) must be an IANA registered character set; The ‘name_enc’ property of object ‘<identifier>’ (‘<name_enc>’) must be an IANA registered character set |
| language | the ‘lang’ property of SDOs is a valid RFC 5646 language code | ‘<lang>’ is not a valid RFC 5646 language code |
| software_language | the ‘languages’ property of software objects contains valid ISO 639-2 language codes | The ‘languages’ property of object ‘<identifier>’ contains an invalid code (‘<lang>’) |
| patterns | the syntax of an indicator’s pattern is valid, and objects and properties referenced by the pattern are valid. This runs the cti-pattern-validator (https://github.com/oasis-open/cti-pattern-validator) to check the syntax of the pattern | ‘<object>’ is not a valid observable type name; Custom Observable Object type ‘<object>’ should start with ‘x-’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name; Custom Observable Object type ‘<object>’ should start with ‘x-’; ‘<property>’ is not a valid observable property name; Cyber Observable Object custom property ‘<property>’ should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by underscores), an underscore and then the name; Cyber Observable Object custom property ‘<property>’ should start with ‘x_’ |
| language_contents | keys in Language Content’s ‘contents’ dictionary are valid language codes, and keys in the sub-dictionaries match the rules for object property names | Invalid key ‘<key>’ in ‘contents’ property must be an RFC 5646 code; ‘<subkey>’ in ‘<key>’ of the ‘contents’ property is invalid and must match a valid property name |
| uuid_version_check | an SCO with only optional ID Contributing Properties uses a UUIDv4 when none of them are present | If no Contributing Properties are present a UUIDv4 must be used |
| process | process objects use UUIDv4 | A process object must use UUIDv4 in its id |
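A worked implementation of three of the mandatory checks in the table above (marking_selector_syntax, object_marking_circular_refs and granular_markings_circular_refs), added here as an example; it is not the validator's own code. It assumes the STIX 2.1 selector grammar of dot-separated property names with list items written as ‘[n]’ (for example labels.[1] or external_references.[0].url), and the sample report and marking definition are constructed for the example.

```python
import re

# A selector is a dot-separated path; a segment of the form '[n]' indexes the list
# reached by the preceding segment (assumed STIX 2.1 grammar, e.g. 'labels.[1]').
INDEX_SEGMENT_RE = re.compile(r"^\[(.*)\]$")


def check_selector(obj, selector):
    """Resolve `selector` inside `obj`; return an error message, or None if it
    resolves. The three messages mirror those of marking_selector_syntax."""
    node, prev = obj, "<object>"
    for segment in selector.split("."):
        m = INDEX_SEGMENT_RE.match(segment)
        if m:                                   # '[n]': node must be a list
            if not isinstance(node, list):
                return (f"'{selector}' is not a valid selector because "
                        f"'{prev}' is not a list.")
            index = m.group(1)                  # must be a non-negative in-range integer
            if not index.isdigit() or int(index) >= len(node):
                return (f"'{selector}' is not a valid selector because "
                        f"'{index}' is not a valid index")
            node = node[int(index)]
        else:                                   # property name: node must be a dict holding it
            if not isinstance(node, dict) or segment not in node:
                return (f"'{selector}' is not a valid selector because "
                        f"'{segment}' is not a property.")
            node = node[segment]
        prev = segment
    return None


def check_granular_marking_selectors(obj):
    """marking_selector_syntax: every selector must point at something present."""
    return [err for gm in obj.get("granular_markings", [])
            for sel in gm.get("selectors", [])
            if (err := check_selector(obj, sel))]


def check_marking_circular_refs(obj):
    """object_marking_circular_refs / granular_markings_circular_refs:
    a marking definition must not reference itself in either property."""
    errors = []
    if obj.get("type") != "marking-definition":
        return errors
    if obj["id"] in obj.get("object_marking_refs", []):
        errors.append("'object_marking_refs' cannot contain any references to this "
                      "marking definition object (no circular references)")
    if any(gm.get("marking_ref") == obj["id"] for gm in obj.get("granular_markings", [])):
        errors.append("'granular_markings' cannot contain any references to this "
                      "marking definition object (no circular references)")
    return errors


# Constructed samples for this example (not from the page).
MARKING_ID = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
REPORT = {
    "type": "report", "id": "report--a1b2c3d4-1111-4222-8333-444455556666",
    "name": "Campaign summary", "description": "Phishing wave observed in Q1",
    "labels": ["campaign", "phishing"],
    "external_references": [{"source_name": "vendor", "url": "https://example.test/r"}],
    "granular_markings": [{"marking_ref": MARKING_ID,
                           "selectors": ["description", "labels.[1]",
                                         "external_references.[0].url",
                                         "labels.[5]",          # index out of range
                                         "name.[0]",            # 'name' is a string, not a list
                                         "classification"]}],   # no such property
}
SELF_MARKING = {  # references itself in both properties: two errors
    "type": "marking-definition", "id": MARKING_ID,
    "definition_type": "statement", "definition": {"statement": "Copyright 2024"},
    "object_marking_refs": [MARKING_ID],
    "granular_markings": [{"marking_ref": MARKING_ID, "selectors": ["definition"]}],
}

if __name__ == "__main__":
    for err in check_granular_marking_selectors(REPORT) + check_marking_circular_refs(SELF_MARKING):
        print(err)
```

Selectors are resolved against the object that carries the granular marking, so a selector that names a property present on some other object in the bundle still fails; that is what "items which are actually present in the object" means in the table.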
Optional Checks - STIX 2.1
| Code | Name | Ensures… | Errors/Warnings |
|---|---|---|---|
| 1 | format-checks | all 1xx checks are run. Specifically: | |
| 101 | custom-prefix | names of custom object types, properties, observable objects, observable object properties, and observable object extensions follow the correct format | custom object type ‘<object>’ should start with ‘x-’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name; custom property ‘<property>’ should have a type that starts with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by a hyphen), a hyphen and then the name; Custom Observable Object type ‘<observable_object>’ should start with ‘x-’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name; Custom Cyber Observable Object extension type ‘<observable-object-extension>’ should start with ‘x-’ followed by a source unique identifier (like a domain with dots replaced by hyphens), a hyphen and then the name; Cyber Observable Object custom property ‘<observable_object_property>’ should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name; Cyber Observable Object custom property ‘<property>’ in the <extension> extension should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name; Cyber Observable Object custom property ‘<property>’ in the <extension_property> of the <extension> extension should start with ‘x_’ followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name |
| 102 | custom-prefix-lax | same as 101 but more lenient; no source identifier needed in the prefix | custom object type ‘<object>’ should start with ‘x-’ in order to be compatible with future versions of the STIX 2 specification; custom property ‘<property>’ should have a type that starts with ‘x_’ in order to be compatible with future versions of the STIX 2 specification; Custom Observable Object type ‘<observable_object>’ should start with ‘x-’; Custom Observable Object extension type ‘<observable-object_extension>’ should start with ‘x-’; Cyber Observable Object custom property ‘<property>’ should start with ‘x_’; Cyber Observable Object custom property ‘<embedded_property>’ in the <property> of the <object> object should start with ‘x_’; Cyber Observable Object custom property ‘<property>’ in the <extension> extension should start with ‘x_’; Cyber Observable Object custom property ‘<property>’ in the <extension_property> property of the <extension> extension should start with ‘x_’ |
| 103 | uuid-check | objects use the recommended versions of UUID (v5 for SCOs, v4 for the rest) | Cyber Observable ID value <identifier> is not a valid UUIDv5 ID; Given ID value <identifier> is not a valid UUIDv4 ID |
| 111 | open-vocab-format | values of open vocabularies follow the correct format | Open vocabulary value ‘<value>’ should be all lowercase and use hyphens instead of spaces or underscores as word separators |
| 121 | kill-chain-names | kill-chain-phase name and phase follow the correct format | kill_chain_name ‘<chain_name>’ should be all lowercase and use hyphens instead of spaces or underscores as word separators; phase_name ‘<phase_name>’ should be all lowercase and use hyphens instead of spaces or underscores as word separators |
| 141 | observable-object-keys | observable object keys follow the correct format | ‘<key_value>’ is not a good key value. Observable Objects should use non-negative integers for their keys |
| 142 | observable-dictionary-keys | dictionaries in cyber observable objects follow the correct format | As a dictionary key, ‘<key_value>’ should be lowercase |
| 143 | malware-analysis-product | malware analysis product names follow the correct format | The ‘product’ property of object ‘<identifier>’ should be all lowercase with words separated by dash |
| 149 | windows-process-priority-format | windows-process-ext’s ‘priority’ follows the correct format | The ‘priority’ property of object ‘<identifier>’ should end in ‘_CLASS’ |
| 150 | hash-length | keys in ‘hashes’-type properties are not too long | Object ‘<identifier>’ has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is longer than 30 characters; Object ‘<identifier>’ has an NTFS extension with an alternate data stream that has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is longer than 30 characters; Object ‘<identifier>’ has a Windows PE Binary File extension with a file header hash of ‘<hash>’, which is longer than 30 characters; Object ‘<identifier>’ has a Windows PE Binary File extension with an optional header that has a hash of ‘<hash>’, which is longer than 30 characters; Object ‘<identifier>’ has a Windows PE Binary File extension with a section that has a hash of ‘<hash>’, which is longer than 30 characters; Object ‘<identifier>’ has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is longer than 30 characters |
| 2 | approved-values | all 2xx checks are run. Specifically: | |
| 201 | marking-definition-type | marking definitions use a valid definition_type | Marking definition ‘definition_type’ should be one of: <marking-definition-type> |
| 202 | relationship-types | relationships are among those defined in the specification | ‘<object>’ is not a suggested relationship source object for the ‘<relationship>’ relationship; ‘<relationship>’ is not a suggested relationship type for ‘<object>’ objects; ‘<object>’ is not a suggested relationship target object for ‘<object>’ objects with the ‘<relationship>’ relationship |
| 203 | duplicate-ids | objects in a bundle with duplicate IDs have different modified timestamps | Duplicate ID ‘<identifier>’ has identical ‘modified’ timestamp. If they are different versions of the same object, they should have different ‘modified’ properties |
| 210 | all-vocabs | all of the following open vocabulary checks are run | |
| 211 | attack-motivation | certain property values are from the attack-motivation vocabulary | ‘<property>’ contains a value not in the attack-motivation-ov vocabulary |
| 212 | attack-resource-level | certain property values are from the attack-resource-level vocabulary | ‘<property>’ contains a value not in the attack-resource-level-ov vocabulary |
| 213 | identity-class | certain property values are from the identity-class vocabulary | ‘<property>’ contains a value not in the identity-class-ov vocabulary |
| 214 | indicator-types | certain property values are from the indicator-types vocabulary | ‘<property>’ contains a value not in the indicator-types-ov vocabulary |
| 215 | industry-sector | certain property values are from the industry-sector vocabulary | ‘<property>’ contains a value not in the industry-sector-ov vocabulary |
| 216 | malware-types | certain property values are from the malware-types vocabulary | ‘<property>’ contains a value not in the malware-types-ov vocabulary |
| 218 | report-types | certain property values are from the report-types vocabulary | ‘<property>’ contains a value not in the report-types-ov vocabulary |
| 219 | threat-actor-types | certain property values are from the threat-actor-types vocabulary | ‘<property>’ contains a value not in the threat-actor-types-ov vocabulary |
| 220 | threat-actor-role | certain property values are from the threat-actor-role vocabulary | ‘<property>’ contains a value not in the threat-actor-role-ov vocabulary |
| 221 | threat-actor-sophistication | certain property values are from the threat-actor-sophistication vocabulary | ‘<property>’ contains a value not in the threat-actor-sophistication-ov vocabulary |
| 222 | tool-types | certain property values are from the tool-types vocabulary | ‘<property>’ contains a value not in the tool-types-ov vocabulary |
| 223 | region | certain property values are from the region vocabulary | ‘<property>’ contains a value not in the region-ov vocabulary |
| 225 | grouping-context | certain property values are from the grouping-context vocabulary | ‘<property>’ contains a value not in the grouping-context-ov vocabulary |
| 226 | implementation-languages | certain property values are from the implementation-languages vocabulary | ‘<property>’ contains a value not in the implementation-languages-ov vocabulary |
| 227 | infrastructure-types | certain property values are from the infrastructure-types vocabulary | ‘<property>’ contains a value not in the infrastructure-types-ov vocabulary |
| 228 | malware-capabilities | certain property values are from the malware-capabilities vocabulary | ‘<property>’ contains a value not in the malware-capabilities-ov vocabulary |
| 230 | processor-architecture | certain property values are from the processor-architecture vocabulary | ‘<property>’ contains a value not in the processor-architecture-ov vocabulary |
| 231 | malware-result | certain property values are from the malware-result vocabulary | ‘<property>’ contains a value not in the malware-result-ov vocabulary |
| 241 | hash-algo | certain property values are from the hash-algorithm vocabulary | Object ‘<identifier>’ has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’; Object ‘<identifier>’ has an NTFS extension with an alternate data stream that has a ‘hashes’ dictionary with a hash of type ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’; Object ‘<identifier>’ has a Windows PE Binary File extension with a file header hash of ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’; Object ‘<identifier>’ has a Windows PE Binary File extension with an optional header that has a hash of ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’; Object ‘<identifier>’ has a Windows PE Binary File extension with a section that has a hash of ‘<hash_type>’, which is not a value in the hash-algorithm-ov vocabulary nor a custom value prepended with ‘x_’ |
| 243 | windows-pebinary-type | certain property values are from the windows-pebinary-type vocabulary | Object ‘<identifier>’ has a Windows PE Binary File extension with a ‘pe_type’ of ‘<pe_type>’, which is not a value in the windows-pebinary-type-ov vocabulary |
| 244 | account-type | certain property values are from the account-type vocabulary | Object ‘<identifier>’ is a User Account Object with an ‘account_type’ of ‘<account_type>’, which is not a value in the account-type-ov vocabulary |
| 245 | indicator-pattern-types | certain property values are from the pattern-type vocabulary | ‘<property>’ contains a value not in the pattern-type-ov vocabulary |
| 270 | all-external-sources | all of the following external source checks are run | |
| 271 | mime-type | file.mime_type is a valid IANA MIME type | The ‘mime_type’ property of object ‘<identifier>’ (‘<mime_type>’) should be an IANA registered MIME Type of the form ‘type/subtype’ |
| 272 | protocols | certain property values are valid IANA Service and Protocol names | The ‘protocols’ property of object ‘<identifier>’ contains a value (‘<protocol>’) not in the IANA Service Name and Transport Protocol Port Number Registry |
| 273 | ipfix | certain property values are valid IANA IP Flow Information Export (IPFIX) Entities | The ‘ipfix’ property of object ‘<identifier>’ contains a key (‘<ipfix>’) not in the IANA IP Flow Information Export (IPFIX) Entities Registry |
| 274 | http-request-headers | certain property values are valid HTTP request header names | The ‘request_header’ property of object ‘<identifier>’ contains an invalid HTTP header (‘<http_request_header>’) |
| 275 | socket-options | certain property values are valid socket options | The ‘options’ property of object ‘<identifier>’ contains a key (‘<option>’) that is not a valid socket option (SO\|ICMP\|ICMP6\|IP\|IPV6\|MCAST\|TCP\|IRLMP)_* |
| 276 | pdf-doc-info | certain property values are valid PDF Document Information Dictionary keys | The ‘document_info_dict’ property of object ‘<identifier>’ contains a key (‘<key>’) that is not a valid PDF Document Information Dictionary key |
| 277 | countries | certain property values are valid ISO 3166-1 ALPHA-2 codes | Location ‘country’ should be a valid ISO 3166-1 ALPHA-2 Code |
| 301 | network-traffic-ports | network-traffic objects contain both src_port and dst_port | The Network Traffic object ‘<identifier>’ should contain both the ‘src_port’ and ‘dst_port’ properties |
| 302 | extref-hashes | external references SHOULD have hashes if they have a url | External reference ‘<src>’ has a URL but no hash |
| 303 | indicator-properties | Indicator objects have both name and description properties | Both the name and description properties SHOULD be present |
| 304 | deprecated-properties | certain properties which have been deprecated are not being used | Included property ‘<property>’ is deprecated within the indicated spec version |