STIX 2.1 Generator Skill

STIX 2.1 Generator

Generate valid STIX 2.1 objects and bundles for threat intelligence sharing. This skill helps create properly formatted STIX content from various sources including IOC lists, threat descriptions, and MITRE ATT&CK mappings.

Requirements

Install the STIX library before use:

pip install stix2

Usage

Generate from IOC List

python scripts/generate_stix.py --iocs examples/ioc_list.txt --output bundle.json

Generate from Threat Description

python scripts/generate_stix.py --threat examples/threat_description.json --output bundle.json

Generate from MITRE ATT&CK

python scripts/generate_stix.py --attack-pattern T1055 --output bundle.json

Interactive Mode

python scripts/generate_stix.py --interactive

Batch Processing

python scripts/generate_stix.py --batch examples/batch_input.json --output-dir ./output/

Options

| Option | Description | |--------|-------------| | --iocs FILE | Generate indicators from IOC list file | | --threat FILE | Generate threat actor and campaign from description | | --attack-pattern ID | Generate attack pattern from MITRE ATT&CK ID | | --malware FILE | Generate malware object from description | | --campaign FILE | Generate campaign with related objects | | --identity NAME | Specify identity for created_by_ref | | --labels LIST | Add labels to indicators (comma-separated) | | --pattern-type TYPE | Specify pattern type (stix, snort, yara) | | --valid-from DATE | Valid from timestamp (ISO format) | | --valid-until DATE | Valid until timestamp (ISO format) | | --confidence LEVEL | Confidence level (0-100) | | --output FILE | Output file (default: stdout) | | --format FORMAT | Output format (json, yaml) | | --validate | Validate generated STIX | | --bundle | Wrap objects in a bundle | | --relationships | Generate relationships between objects | | --interactive | Interactive mode for guided creation | | --batch FILE | Batch process multiple objects |

Object Types

Indicators

Generate indicators from various sources:

# From IP addresses
python scripts/generate_stix.py --iocs ips.txt --labels malicious-activity

# From domain list
python scripts/generate_stix.py --iocs domains.txt --labels phishing

# From file hashes
python scripts/generate_stix.py --iocs hashes.txt --labels malware

# Mixed IOCs with auto-detection
python scripts/generate_stix.py --iocs mixed_iocs.txt --auto-detect

Malware

Create malware objects:

python scripts/generate_stix.py --malware examples/emotet.json

Input format:

{
  "name": "Emotet",
  "malware_types": ["trojan", "downloader"],
  "is_family": true,
  "description": "Emotet is a modular banking trojan",
  "capabilities": ["captures-credentials", "exfiltrates-data"],
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "initial-access"
    }
  ]
}

Attack Patterns

Generate from MITRE ATT&CK:

# Single technique
python scripts/generate_stix.py --attack-pattern T1055

# Multiple techniques
python scripts/generate_stix.py --attack-pattern T1055,T1003,T1021.001

# With custom description
python scripts/generate_stix.py --attack-pattern T1055 --description "Custom process injection implementation"

Threat Actors

Create threat actor profiles:

python scripts/generate_stix.py --threat examples/apt28.json

Input format:

{
  "name": "APT28",
  "threat_actor_types": ["nation-state"],
  "description": "Russian threat actor group",
  "aliases": ["Fancy Bear", "Sofacy"],
  "roles": ["agent"],
  "sophistication": "expert",
  "resource_level": "government",
  "primary_motivation": "organizational-gain",
  "goals": ["espionage", "disruption"],
  "observed_ttps": ["T1055", "T1003"]
}

Campaigns

Generate complete campaigns:

python scripts/generate_stix.py --campaign examples/campaign.json --relationships

Output Examples

Simple Indicator Bundle

{
  "type": "bundle",
  "id": "bundle--uuid",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--uuid",
      "created": "2024-01-01T00:00:00.000Z",
      "modified": "2024-01-01T00:00:00.000Z",
      "name": "Malicious IP: 192.0.2.1",
      "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.0.2.1']",
      "pattern_type": "stix",
      "valid_from": "2024-01-01T00:00:00.000Z",
      "labels": ["malicious-activity"],
      "confidence": 90
    }
  ]
}

Complex Bundle with Relationships

{
  "type": "bundle",
  "id": "bundle--uuid",
  "objects": [
    {
      "type": "threat-actor",
      "id": "threat-actor--uuid",
      "name": "APT28",
      "threat_actor_types": ["nation-state"]
    },
    {
      "type": "attack-pattern",
      "id": "attack-pattern--uuid",
      "name": "Process Injection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1055"
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--uuid",
      "relationship_type": "uses",
      "source_ref": "threat-actor--uuid",
      "target_ref": "attack-pattern--uuid"
    }
  ]
}

Batch Processing

Process multiple objects at once:

{
  "identity": {
    "name": "ACME Security",
    "identity_class": "organization"
  },
  "objects": [
    {
      "type": "indicator",
      "iocs": ["192.0.2.1", "192.0.2.2"],
      "labels": ["malicious-activity"]
    },
    {
      "type": "malware",
      "name": "BadMalware",
      "malware_types": ["remote-access-trojan"]
    },
    {
      "type": "attack-pattern",
      "mitre_id": "T1055"
    }
  ],
  "relationships": [
    {
      "source": "malware/BadMalware",
      "relationship": "uses",
      "target": "attack-pattern/T1055"
    }
  ]
}

Integration

With STIX Validator

Generate and validate in one command:

python scripts/generate_stix.py --iocs iocs.txt --output bundle.json --validate

With MISP

Export to MISP format:

python scripts/generate_stix.py --iocs iocs.txt --format misp --output event.json

With TAXII

Prepare for TAXII upload:

python scripts/generate_stix.py --iocs iocs.txt --taxii-collection indicators --output bundle.json

Pattern Types

STIX Patterns

Default pattern type for indicators:

[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']
[domain-name:value = 'evil.com']
[ipv4-addr:value = '192.0.2.1']

SNORT Rules

Generate SNORT-compatible patterns:

python scripts/generate_stix.py --iocs ips.txt --pattern-type snort

YARA Rules

Generate YARA-compatible patterns:

python scripts/generate_stix.py --iocs hashes.txt --pattern-type yara

Best Practices

Always validate generated STIX using the validator skill
Use meaningful labels for indicators (malicious-activity, phishing, etc.)
Include confidence scores when known
Set appropriate valid_from and valid_until timestamps
Generate relationships to show connections between objects
Include external references for MITRE ATT&CK techniques
Use consistent identities for created_by_ref
Batch process related objects together
Document custom extensions if used

Error Handling

The generator validates input and provides clear error messages:

Invalid IOC format
Missing required fields
Invalid MITRE ATT&CK IDs
Relationship reference errors
Pattern syntax errors

Security Considerations

Generated STIX should be validated before sharing
Sensitive information should be reviewed before distribution
Use TLP markings when appropriate
Consider privacy implications of shared indicators
Validate source authenticity before generating STIX from external data

Performance

Batch processing is more efficient than individual generation
Large IOC lists are processed in chunks
Relationship generation uses efficient graph algorithms
Memory-efficient for large bundles

Agent Skills: STIX 2.1 Generator

Install this agent skill to your local

Skill Files