Package threatintel

Version v1.0.7 (latest). Published: Mar 14, 2026. License: MIT. Imports: 21. Imported by: 0.

Warning: this package is not in the latest version of its module.

Documentation

Overview

Package threatintel provides STIX 2.1 and TAXII 2.1 threat intelligence integration for the AegisGate AI Security Gateway: STIX 2.1 object generation and serialization, a TAXII 2.1 protocol client, and export functionality for threat intelligence data. It supports generating, exporting, and sharing threat intelligence in standardized formats.

Features:

  • STIX 2.1 object generation from SIEM events
  • TAXII 2.1 protocol client for threat intel exchange
  • Multiple export formats (STIX, JSON, CSV, MISP)
  • MITRE ATT&CK framework mapping
  • Support for indicators, attack patterns, threat actors, malware
  • Observable generation for network and file artifacts
  • Relationship management between STIX objects

Index

Constants

const (
	IdentityClassIndividual   = "individual"
	IdentityClassGroup        = "group"
	IdentityClassOrganization = "organization"
	IdentityClassClass        = "class"
	IdentityClassUnknown      = "unknown"
)

Identity classes

const (
	// ContextKeyBuilder is the context key for the STIX builder.
	ContextKeyBuilder contextKey = "stix_builder"
)

Variables

This section is empty.

Functions

func ComputeHash

func ComputeHash(data []byte) string

ComputeHash computes a hash of the exported data for integrity checking.

func ConvertToCEF

func ConvertToCEF(event *SIEMEvent) string

ConvertToCEF converts a SIEM event to CEF (Common Event Format).

func ConvertToLEEF

func ConvertToLEEF(event *SIEMEvent) string

ConvertToLEEF converts a SIEM event to LEEF (Log Event Extended Format).
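As an added illustration of what a CEF line from ConvertToCEF has to get right, here is a stand-alone Go formatter. It is example code written for this page, not the package's ConvertToCEF, and its cefEvent type is a constructed stand-in because the page does not list the fields of SIEMEvent. The point is the escaping: an event name or message that carries a pipe, an equals sign or a newline must not be able to add fields or a second line to the SIEM record.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// cefEvent is a constructed stand-in for the package's SIEMEvent, whose
// fields this page does not list; it carries only what a CEF line needs.
type cefEvent struct {
	Vendor, Product, Version string
	SignatureID, Name        string
	Severity                 int               // CEF severity, 0-10
	Extension                map[string]string // key=value pairs for the extension part
}

// escapeCEFHeader escapes the characters CEF reserves in the pipe-delimited
// header fields: backslash and pipe.
func escapeCEFHeader(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, "|", `\|`)
}

// escapeCEFExtension escapes the characters CEF reserves in extension values:
// backslash and equals sign. Line breaks become the two-character sequence \n,
// so a payload can never split one event into two log lines.
func escapeCEFExtension(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, "=", `\=`)
	s = strings.ReplaceAll(s, "\r\n", `\n`)
	s = strings.ReplaceAll(s, "\r", `\n`)
	return strings.ReplaceAll(s, "\n", `\n`)
}

// ToCEF renders the event as one CEF:0 line. Severity is clamped to the CEF
// range and extension keys are sorted so the output is deterministic.
func ToCEF(ev cefEvent) string {
	sev := ev.Severity
	if sev < 0 {
		sev = 0
	}
	if sev > 10 {
		sev = 10
	}
	keys := make([]string, 0, len(ev.Extension))
	for k := range ev.Extension {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	ext := make([]string, 0, len(keys))
	for _, k := range keys {
		ext = append(ext, k+"="+escapeCEFExtension(ev.Extension[k]))
	}
	return fmt.Sprintf("CEF:0|%s|%s|%s|%s|%s|%d|%s",
		escapeCEFHeader(ev.Vendor), escapeCEFHeader(ev.Product),
		escapeCEFHeader(ev.Version), escapeCEFHeader(ev.SignatureID),
		escapeCEFHeader(ev.Name), sev, strings.Join(ext, " "))
}

// SampleEvent is a constructed event whose name and message carry the
// characters a caller-controlled field could use to forge extra CEF fields
// or a second log line.
func SampleEvent() cefEvent {
	return cefEvent{
		Vendor: "AegisGate", Product: "Gateway", Version: "1.0",
		SignatureID: "100", Name: "prompt|injection attempt", Severity: 7,
		Extension: map[string]string{
			"src": "10.0.0.5",
			"msg": "user=admin\nsrc=127.0.0.1",
		},
	}
}

func main() {
	fmt.Println(ToCEF(SampleEvent()))
}
```

Running it prints one line in which the pipe in the name and the equals signs and newline in the message are escaped, so the forged second `src=` never becomes a field of its own.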

func GenerateExportFilename

func GenerateExportFilename(format, prefix string) string

GenerateExportFilename generates a filename for an export.

func GenerateSTIXID

func GenerateSTIXID(stixType STIXType) (string, error)

GenerateSTIXID generates a STIX-compliant ID for the given object type: a UUIDv4 prefixed with the type name (for example indicator--<uuid>).

func MarshalBundle

func MarshalBundle(bundle *Bundle) ([]byte, error)

MarshalBundle marshals a STIX bundle to JSON.

func MarshalBundleIndent

func MarshalBundleIndent(bundle *Bundle) ([]byte, error)

MarshalBundleIndent marshals a STIX bundle to indented JSON.

func MarshalSTIX

func MarshalSTIX(obj STIXObject) ([]byte, error)

MarshalSTIX marshals a STIX object to JSON.

func MarshalSTIXIndent

func MarshalSTIXIndent(obj STIXObject) ([]byte, error)

MarshalSTIXIndent marshals a STIX object to indented JSON.

func ValidateDomain

func ValidateDomain(domain string) bool

ValidateDomain validates a domain name.

func ValidateEmail

func ValidateEmail(email string) bool

ValidateEmail validates an email address.

func ValidateExport

func ValidateExport(data []byte, format string) error

ValidateExport validates exported data against the given format.

func ValidateIP

func ValidateIP(ip string) bool

ValidateIP validates an IP address.

func ValidateIPv4

func ValidateIPv4(ip string) bool

ValidateIPv4 validates an IPv4 address.

func ValidateIPv6

func ValidateIPv6(ip string) bool

ValidateIPv6 validates an IPv6 address.

func ValidateMD5

func ValidateMD5(hash string) bool

ValidateMD5 validates an MD5 hash.

func ValidateSHA1

func ValidateSHA1(hash string) bool

ValidateSHA1 validates a SHA-1 hash.

func ValidateSHA256

func ValidateSHA256(hash string) bool

ValidateSHA256 validates a SHA-256 hash.

func ValidateSHA512

func ValidateSHA512(hash string) bool

ValidateSHA512 validates a SHA-512 hash.

func ValidateURL

func ValidateURL(urlStr string) bool

ValidateURL validates a URL.
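The validators above are listed without their rules, so the following stand-alone Go code (an added example, not the package's implementation) shows one reasonable set of checks and adds a ClassifyObservable helper, not on the page, that picks the STIX observable type for a raw value. The rules it encodes (dotted-quad only for ipv4-addr, two or more labels for a domain, http(s) only for url) are this example's assumptions.

```go
package main

import (
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Hash validators accept hex of the digest's exact length, in either case.
var (
	hexMD5    = regexp.MustCompile(`^[0-9a-fA-F]{32}$`)
	hexSHA1   = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)
	hexSHA256 = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)
	hexSHA512 = regexp.MustCompile(`^[0-9a-fA-F]{128}$`)
	// dnsLabel is one hostname label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
	dnsLabel = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$`)
)

// ValidateIPv4 accepts dotted-quad IPv4 only; IPv4-mapped IPv6 forms such as
// ::ffff:10.0.0.5 are rejected so they cannot masquerade as an ipv4-addr.
func ValidateIPv4(ip string) bool {
	if strings.Contains(ip, ":") {
		return false
	}
	p := net.ParseIP(ip)
	return p != nil && p.To4() != nil
}

// ValidateIPv6 accepts any textual IPv6 address, including mapped forms.
func ValidateIPv6(ip string) bool {
	return strings.Contains(ip, ":") && net.ParseIP(ip) != nil
}

// ValidateIP accepts either family.
func ValidateIP(ip string) bool { return ValidateIPv4(ip) || ValidateIPv6(ip) }

// ValidateDomain requires at least two labels (so bare words such as
// "localhost" do not become domain-name observables) and a total length
// within the 253-character DNS limit.
func ValidateDomain(domain string) bool {
	domain = strings.TrimSuffix(domain, ".")
	if domain == "" || len(domain) > 253 {
		return false
	}
	labels := strings.Split(domain, ".")
	if len(labels) < 2 {
		return false
	}
	for _, l := range labels {
		if !dnsLabel.MatchString(l) {
			return false
		}
	}
	return true
}

// ValidateEmail checks a bare local@domain address: a non-empty local part
// free of separators and quoting characters, and a valid domain.
func ValidateEmail(email string) bool {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return false
	}
	local := email[:at]
	if len(local) > 64 || strings.ContainsAny(local, ` <>()[],;:"\`) {
		return false
	}
	return ValidateDomain(email[at+1:])
}

// ValidateURL accepts absolute http(s) URLs with a host, which keeps schemes
// such as javascript: or data: out of url observables.
func ValidateURL(urlStr string) bool {
	u, err := url.Parse(urlStr)
	if err != nil {
		return false
	}
	scheme := strings.ToLower(u.Scheme)
	return (scheme == "http" || scheme == "https") && u.Hostname() != ""
}

func ValidateMD5(hash string) bool    { return hexMD5.MatchString(hash) }
func ValidateSHA1(hash string) bool   { return hexSHA1.MatchString(hash) }
func ValidateSHA256(hash string) bool { return hexSHA256.MatchString(hash) }
func ValidateSHA512(hash string) bool { return hexSHA512.MatchString(hash) }

// ClassifyObservable returns the STIX 2.1 observable type a raw value maps to,
// or "" when it matches none. Checks run from most to least specific.
func ClassifyObservable(value string) string {
	v := strings.TrimSpace(value)
	switch {
	case ValidateIPv4(v):
		return "ipv4-addr"
	case ValidateIPv6(v):
		return "ipv6-addr"
	case ValidateEmail(v):
		return "email-addr"
	case ValidateURL(v):
		return "url"
	case ValidateMD5(v) || ValidateSHA1(v) || ValidateSHA256(v) || ValidateSHA512(v):
		return "file"
	case ValidateDomain(v):
		return "domain-name"
	}
	return ""
}
```

A value that passes none of the checks is returned as "" rather than guessed at; feeding an unclassified string into an observable would produce an indicator that can never match anything useful.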

func WithBuilder

func WithBuilder(ctx context.Context, builder *STIXBuilder) context.Context

WithBuilder returns a copy of ctx that carries the given STIX builder under ContextKeyBuilder.

Types

type AttackPattern

type AttackPattern struct {
	BaseObject
	// Name of the attack pattern
	Name string `json:"name"`
	// Description of the attack pattern
	Description string `json:"description,omitempty"`
	// KillChainPhases maps to MITRE ATT&CK techniques
	KillChainPhases []KillChainPhase `json:"kill_chain_phases,omitempty"`
	// ExternalReferences references MITRE ATT&CK IDs
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// AbstractionLevel for the attack pattern
	AbstractionLevel string `json:"abstraction_level,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the attack pattern
	Confidence int `json:"confidence,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
	// Aliases for this attack pattern
	Aliases []string `json:"aliases,omitempty"`
}

AttackPattern represents a STIX Attack Pattern Object. Attack patterns describe adversarial behavior patterns (MITRE ATT&CK techniques).

func NewAttackPattern

func NewAttackPattern(id, name string) *AttackPattern

NewAttackPattern creates a new AttackPattern.

type AttackPatternOptions

type AttackPatternOptions struct {
	// Name of the attack pattern
	Name string
	// Description
	Description string
	// MITRE ATT&CK mapping
	MITRE *MITREMapping
	// Kill chain phases
	KillChainPhases []KillChainPhase
	// Labels
	Labels []string
	// Aliases
	Aliases []string
	// Abstraction level
	AbstractionLevel string
}

AttackPatternOptions contains options for attack pattern generation.

type BaseObject

type BaseObject struct {
	// Type identifies the type of STIX Object
	Type STIXType `json:"type"`
	// ID is the unique identifier (UUIDv4 with type prefix)
	ID string `json:"id"`
	// Created is the creation timestamp
	Created time.Time `json:"created"`
	// Modified is the last modification timestamp
	Modified time.Time `json:"modified,omitempty"`
	// SpecVersion is the STIX specification version (always "2.1")
	SpecVersion string `json:"spec_version,omitempty"`
	// ObjectMarkingRefs contains marking definitions for this object
	ObjectMarkingRefs []string `json:"object_marking_refs,omitempty"`
	// GranularMarkings contains granular marking definitions
	GranularMarkings []GranularMarking `json:"granular_markings,omitempty"`
	// Defanged indicates whether the object has been defanged
	Defanged bool `json:"defanged,omitempty"`
	// Extensions contains custom extensions
	Extensions map[string]interface{} `json:"extensions,omitempty"`
}

BaseObject contains fields common to all STIX Domain Objects.

func (*BaseObject) GetCreated

func (b *BaseObject) GetCreated() time.Time

GetCreated returns the creation timestamp.

func (*BaseObject) GetID

func (b *BaseObject) GetID() string

GetID returns the object ID.

func (*BaseObject) GetModified

func (b *BaseObject) GetModified() time.Time

GetModified returns the modification timestamp.

func (*BaseObject) GetType

func (b *BaseObject) GetType() STIXType

GetType returns the object type.

type Bundle

type Bundle struct {
	// Type is always "bundle"
	Type STIXType `json:"type"`
	// ID is the bundle identifier
	ID string `json:"id"`
	// Objects contains the STIX objects in this bundle
	Objects []json.RawMessage `json:"objects"`
	// SpecVersion is the STIX specification version
	SpecVersion string `json:"spec_version,omitempty"`
}

Bundle represents a STIX Bundle - a collection of STIX objects.

func NewBundle

func NewBundle(id string) *Bundle

NewBundle creates a new STIX Bundle.

func (*Bundle) AddObject

func (b *Bundle) AddObject(obj STIXObject) error

AddObject adds a STIX object to the bundle.

func (*Bundle) AddRawObject

func (b *Bundle) AddRawObject(data json.RawMessage)

AddRawObject adds a raw JSON object to the bundle.
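Below, as an added example rather than the package's own code, is a stand-alone Go sketch of the three pieces this section and the GenerateSTIXID, MarshalBundle and ComputeHash functions above cover: an identifier of the form <type>--<UUIDv4>, a bundle that stores its members as json.RawMessage, and a digest over the serialized bytes for integrity checking. The UUID generation, the regular expressions, the use of SHA-256 (the page does not say which hash ComputeHash uses) and the plain-string type parameter where the package takes a STIXType are this example's choices; the indicator value is constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// A STIX 2.1 identifier is "<type>--<UUID>". The page says this package uses
// UUIDv4, so the validator below insists on the version-4 form.
var (
	stixTypeRe = regexp.MustCompile(`^[a-z0-9-]{3,250}$`)
	stixIDRe   = regexp.MustCompile(`^[a-z0-9-]{3,250}--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)
)

// newUUIDv4 builds an RFC 4122 version-4 UUID from crypto/rand.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// GenerateSTIXID returns a fresh identifier for stixType, rejecting type names
// outside the spec's alphabet of lowercase letters, digits and hyphens.
func GenerateSTIXID(stixType string) (string, error) {
	if !stixTypeRe.MatchString(stixType) {
		return "", fmt.Errorf("invalid STIX type %q", stixType)
	}
	u, err := newUUIDv4()
	if err != nil {
		return "", err
	}
	return stixType + "--" + u, nil
}

// ValidateSTIXID reports whether id has the <type>--<UUIDv4> shape.
func ValidateSTIXID(id string) bool { return stixIDRe.MatchString(id) }

// Bundle mirrors the page's Bundle: a type, an id and the members as raw JSON.
type Bundle struct {
	Type    string            `json:"type"`
	ID      string            `json:"id"`
	Objects []json.RawMessage `json:"objects"`
}

// NewBundle gives the bundle its own id and stores each object as raw JSON.
func NewBundle(objects ...interface{}) (*Bundle, error) {
	id, err := GenerateSTIXID("bundle")
	if err != nil {
		return nil, err
	}
	b := &Bundle{Type: "bundle", ID: id}
	for _, o := range objects {
		raw, err := json.Marshal(o)
		if err != nil {
			return nil, err
		}
		b.Objects = append(b.Objects, raw)
	}
	return b, nil
}

// ComputeHash returns the hex SHA-256 of exported bytes so a consumer can
// check that the file it received is the file that was written.
func ComputeHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildExampleBundle assembles a bundle holding one indicator (constructed
// sample data) and returns the indented JSON together with its hash.
func BuildExampleBundle(now time.Time) ([]byte, string, error) {
	indID, err := GenerateSTIXID("indicator")
	if err != nil {
		return nil, "", err
	}
	ts := now.UTC().Format("2006-01-02T15:04:05.000Z") // STIX timestamps: UTC, millisecond precision
	b, err := NewBundle(map[string]interface{}{
		"type": "indicator", "spec_version": "2.1", "id": indID,
		"created": ts, "modified": ts, "valid_from": ts,
		"indicator_types": []string{"malicious-activity"},
		"pattern_type":    "stix",
		"pattern":         "[ipv4-addr:value = '10.0.0.5']",
	})
	if err != nil {
		return nil, "", err
	}
	data, err := json.MarshalIndent(b, "", "  ")
	if err != nil {
		return nil, "", err
	}
	return data, ComputeHash(data), nil
}
```

Storing members as json.RawMessage, as the page's Bundle does, means the bundle never re-interprets objects it did not build, and the hash is taken over exactly the bytes that leave the exporter.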

type CSVExportOptions

type CSVExportOptions struct {
	// Headers to include in CSV
	Headers []string
	// Flatten nested objects
	Flatten bool
	// Include all fields
	IncludeAllFields bool
}

CSVExportOptions contains options for CSV export.

type ComplianceMapping

type ComplianceMapping struct {
	Framework string
	Control   string
	Section   string
}

ComplianceMapping maps events to compliance frameworks.

type DomainName

type DomainName struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Value is the domain name
	Value string `json:"value"`
	// ResolvesToRefs are IP addresses this resolves to
	ResolvesToRefs []string `json:"resolves_to_refs,omitempty"`
}

DomainName represents a STIX Domain Name Object.

func NewDomainName

func NewDomainName(id, value string) *DomainName

NewDomainName creates a new DomainName observable.

func (*DomainName) GetCreated

func (d *DomainName) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*DomainName) GetID

func (d *DomainName) GetID() string

GetID returns the identifier.

func (*DomainName) GetModified

func (d *DomainName) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*DomainName) GetType

func (d *DomainName) GetType() STIXType

GetType returns the STIX type.

type EmailAddress

type EmailAddress struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Value is the email address
	Value string `json:"value"`
	// DisplayName is the human-readable name
	DisplayName string `json:"display_name,omitempty"`
	// BelongsToRefs references identities this email belongs to
	BelongsToRefs []string `json:"belongs_to_ref,omitempty"`
}

EmailAddress represents a STIX Email Address Object.

func NewEmailAddress

func NewEmailAddress(id, value string) *EmailAddress

NewEmailAddress creates a new EmailAddress observable.

func (*EmailAddress) GetCreated

func (e *EmailAddress) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*EmailAddress) GetID

func (e *EmailAddress) GetID() string

GetID returns the identifier.

func (*EmailAddress) GetModified

func (e *EmailAddress) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*EmailAddress) GetType

func (e *EmailAddress) GetType() STIXType

GetType returns the STIX type.

type Error

type Error struct {
	Operation string `json:"operation"`
	Message   string `json:"message"`
	Code      int    `json:"code,omitempty"`
	Retryable bool   `json:"retryable"`
	Cause     error  `json:"-"`
}

Error represents a threat intelligence error.

func NewError

func NewError(operation, message string, retryable bool, cause error) *Error

NewError creates a new threat intelligence error.

func (*Error) Error

func (e *Error) Error() string

Error implements the error interface.

func (*Error) Unwrap

func (e *Error) Unwrap() error

Unwrap returns the underlying cause.

type ExportConfig

type ExportConfig struct {
	// Output format: stix, json, csv, misp
	Format string `json:"format"`
	// Output path (file or directory)
	OutputPath string `json:"output_path"`
	// Include identity in export
	IncludeIdentity bool `json:"include_identity"`
	// Include observables in export
	IncludeObservables bool `json:"include_observables"`
	// Include relationships in export
	IncludeRelationships bool `json:"include_relationships"`
	// Filter by object types
	ObjectTypes []string `json:"object_types,omitempty"`
	// Filter by labels
	Labels []string `json:"labels,omitempty"`
	// Filter by confidence threshold
	MinConfidence int `json:"min_confidence,omitempty"`
	// Filter by time range
	StartTime time.Time `json:"start_time,omitempty"`
	EndTime   time.Time `json:"end_time,omitempty"`
	// Maximum objects per file
	MaxObjectsPerFile int `json:"max_objects_per_file,omitempty"`
	// Compress output
	Compress bool `json:"compress"`
	// Rate limit for network exports
	RateLimit int `json:"rate_limit,omitempty"`
	// Batch size for batched exports
	BatchSize int `json:"batch_size,omitempty"`
}

ExportConfig contains export configuration.

func DefaultExportConfig

func DefaultExportConfig() ExportConfig

DefaultExportConfig returns default export configuration.

type ExportManager

type ExportManager struct {
	// contains filtered or unexported fields
}

ExportManager manages multiple export destinations.

func NewExportManager

func NewExportManager() *ExportManager

NewExportManager creates a new export manager.

func (*ExportManager) AddExporter

func (em *ExportManager) AddExporter(name string, exporter *Exporter, config ExportConfig)

AddExporter adds an exporter to the manager.

func (*ExportManager) ExportToAll

func (em *ExportManager) ExportToAll(ctx context.Context, objects []STIXObject) map[string]error

ExportToAll exports to all configured destinations.

func (*ExportManager) GetExporter

func (em *ExportManager) GetExporter(name string) *Exporter

GetExporter returns an exporter by name.

func (*ExportManager) RemoveExporter

func (em *ExportManager) RemoveExporter(name string)

RemoveExporter removes an exporter from the manager.

type ExportStats

type ExportStats struct {
	ObjectsExported int64
	ObjectsFiltered int64
	FilesCreated    int64
	BytesWritten    int64
	BytesSent       int64
	LastExportTime  time.Time
	LastError       string
	// contains filtered or unexported fields
}

ExportStats tracks export statistics.

type Exporter

type Exporter struct {
	// contains filtered or unexported fields
}

Exporter exports threat intelligence data in various formats.

func NewExporter

func NewExporter(opts ExporterOptions) *Exporter

NewExporter creates a new exporter.

func (*Exporter) ExportToCSV

func (e *Exporter) ExportToCSV(ctx context.Context, indicators []*Indicator, outputPath string, opts CSVExportOptions) error

ExportToCSV exports indicators to CSV format.

func (*Exporter) ExportToJSON

func (e *Exporter) ExportToJSON(ctx context.Context, objects []STIXObject, outputPath string) error

ExportToJSON exports objects to JSON format.

func (*Exporter) ExportToJSONLines

func (e *Exporter) ExportToJSONLines(ctx context.Context, objects []STIXObject, outputPath string) error

ExportToJSONLines exports objects to JSON Lines format.

func (*Exporter) ExportToMISP

func (e *Exporter) ExportToMISP(ctx context.Context, indicators []*Indicator, outputPath string, opts MISPExportOptions) error

ExportToMISP exports indicators to MISP format.

func (*Exporter) ExportToSTIX

func (e *Exporter) ExportToSTIX(ctx context.Context, objects []STIXObject, outputPath string) error

ExportToSTIX exports objects to a STIX bundle file.

func (*Exporter) ExportToSTIXBatched

func (e *Exporter) ExportToSTIXBatched(ctx context.Context, objects []STIXObject, outputDir string) ([]string, error)

ExportToSTIXBatched exports objects to multiple STIX bundle files in batches.

func (*Exporter) ExportToSTIXWriter

func (e *Exporter) ExportToSTIXWriter(ctx context.Context, objects []STIXObject, writer io.Writer) error

ExportToSTIXWriter exports objects to a STIX bundle using a writer.

func (*Exporter) ExportToTAXII

func (e *Exporter) ExportToTAXII(ctx context.Context, objects []STIXObject, apiRootURL, collectionID string) (*TAXIIEnvelopes, error)

ExportToTAXII exports objects to a TAXII server.

func (*Exporter) ExportToTAXIIBatched

func (e *Exporter) ExportToTAXIIBatched(ctx context.Context, objects []STIXObject, apiRootURL, collectionID string, batchSize int) ([]*TAXIIEnvelopes, error)

ExportToTAXIIBatched exports objects to a TAXII server in batches.

func (*Exporter) GetStats

func (e *Exporter) GetStats() *ExportStats

GetStats returns export statistics.

type ExporterOptions

type ExporterOptions struct {
	Config  ExportConfig
	Builder *STIXBuilder
	Client  *TAXIIClient
}

ExporterOptions contains options for creating an exporter.

type ExternalReference

type ExternalReference struct {
	SourceName  string            `json:"source_name"`
	Description string            `json:"description,omitempty"`
	URL         string            `json:"url,omitempty"`
	ExternalID  string            `json:"external_id,omitempty"`
	Hashes      map[string]string `json:"hashes,omitempty"`
}

ExternalReference references external sources.

type File

type File struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Hashes contains file hashes
	Hashes FileHash `json:"hashes,omitempty"`
	// Size in bytes
	Size int64 `json:"size,omitempty"`
	// Name of the file
	Name string `json:"name,omitempty"`
	// NameEnc is the encoding of the name
	NameEnc string `json:"name_enc,omitempty"`
	// MagicNumberHex is the magic number in hex
	MagicNumberHex string `json:"magic_number_hex,omitempty"`
	// Mime type
	MimeType string `json:"mime_type,omitempty"`
	// ContainsRefs references embedded objects
	ContainsRefs []string `json:"contains_refs,omitempty"`
	// Content is the content of the file
	Content string `json:"content,omitempty"`
}

File represents a STIX File Object.

func NewFile

func NewFile(id string, hashes FileHash) *File

NewFile creates a new File observable.

func (*File) GetCreated

func (f *File) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*File) GetID

func (f *File) GetID() string

GetID returns the identifier.

func (*File) GetModified

func (f *File) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*File) GetType

func (f *File) GetType() STIXType

GetType returns the STIX type.

type FileHash

type FileHash struct {
	// MD5 hash
	MD5 string `json:"MD5,omitempty"`
	// SHA-1 hash
	SHA1 string `json:"SHA-1,omitempty"`
	// SHA-256 hash
	SHA256 string `json:"SHA-256,omitempty"`
	// SHA-512 hash
	SHA512 string `json:"SHA-512,omitempty"`
	// SSDEEP fuzzy hash
	SSDEEP string `json:"SSDEEP,omitempty"`
}

FileHash represents file hash information.

func (FileHash) HasAny

func (h FileHash) HasAny() bool

HasAny returns true if any hash is set.

type GetObjectsPaginator

type GetObjectsPaginator struct {
	// contains filtered or unexported fields
}

GetObjectsPaginator provides paginated access to objects.

func (*GetObjectsPaginator) HasMore

func (p *GetObjectsPaginator) HasMore() bool

HasMore returns true if there are more pages.

func (*GetObjectsPaginator) Next

func (p *GetObjectsPaginator) Next(ctx context.Context) (*Bundle, error)

Next retrieves the next page of objects.
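To show the protocol exchange behind HasMore and Next, here is an added stand-alone Go paginator talking to a fake TAXII 2.1 server built on net/http/httptest; it is example code, not the package's GetObjectsPaginator. It follows the TAXII 2.1 envelope fields more and next, sends the application/taxii+json;version=2.1 Accept header, caps the response body it will read, and stops when a server hands back the same cursor twice. NewPaginator assumes an API root URL without a trailing slash, which is what httptest.Server.URL provides.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
)

const taxiiMediaType = "application/taxii+json;version=2.1"

// envelope is the TAXII 2.1 response envelope; "more" and "next" drive pagination.
type envelope struct {
	More    bool              `json:"more"`
	Next    string            `json:"next,omitempty"`
	Objects []json.RawMessage `json:"objects"`
}

// Paginator walks {api-root}/collections/{id}/objects/ one page at a time.
type Paginator struct {
	client   *http.Client
	endpoint string
	next     string
	done     bool
}

func NewPaginator(c *http.Client, apiRoot, collectionID string) *Paginator {
	return &Paginator{client: c, endpoint: apiRoot + "/collections/" + url.PathEscape(collectionID) + "/objects/"}
}

func (p *Paginator) HasMore() bool { return !p.done }

// Next fetches one page; the body is size-capped and a non-advancing cursor ends the walk.
func (p *Paginator) Next(ctx context.Context) ([]json.RawMessage, error) {
	u := p.endpoint
	if p.next != "" {
		u += "?next=" + url.QueryEscape(p.next)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", taxiiMediaType)
	resp, err := p.client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("taxii: unexpected status %d", resp.StatusCode)
	}
	var env envelope
	if err := json.NewDecoder(io.LimitReader(resp.Body, 8<<20)).Decode(&env); err != nil {
		return nil, err
	}
	switch {
	case !env.More || env.Next == "":
		p.done = true
	case env.Next == p.next:
		p.done = true
		return env.Objects, fmt.Errorf("taxii: cursor %q did not advance", env.Next)
	default:
		p.next = env.Next
	}
	return env.Objects, nil
}

// FetchAll drains a collection, keeping whatever arrived before an error.
func FetchAll(ctx context.Context, p *Paginator) ([]json.RawMessage, error) {
	var all []json.RawMessage
	for p.HasMore() {
		objs, err := p.Next(ctx)
		all = append(all, objs...)
		if err != nil {
			return all, err
		}
	}
	return all, nil
}

// NewFakeTAXIIServer stands in for a real server: pages are served in order and the page index is the cursor.
func NewFakeTAXIIServer(pages [][]json.RawMessage) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		idx, _ := strconv.Atoi(r.URL.Query().Get("next")) // an absent cursor is page 0
		env := envelope{Objects: []json.RawMessage{}}
		if idx >= 0 && idx < len(pages) {
			env.Objects = pages[idx]
		}
		if idx+1 < len(pages) {
			env.More, env.Next = true, strconv.Itoa(idx+1)
		}
		json.NewEncoder(w).Encode(env)
	}))
}
```

The two defensive checks matter when the server is not under your control: a feed that never clears more, or always returns the same next, would otherwise keep a naive loop pulling the same page forever.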

type GranularMarking

type GranularMarking struct {
	MarkingRef string   `json:"marking_ref"`
	Selectors  []string `json:"selectors"`
}

GranularMarking defines granular markings for specific properties.

type IPv4Address

type IPv4Address struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Value is the IPv4 address
	Value string `json:"value"`
	// ResolvesToRefs are domain names that resolve to this IP
	ResolvesToRefs []string `json:"resolves_to_refs,omitempty"`
	// BelongsToRefs are ASNs this IP belongs to
	BelongsToRefs []string `json:"belongs_to_refs,omitempty"`
}

IPv4Address represents a STIX IPv4 Address Object.

func NewIPv4Address

func NewIPv4Address(id, value string) *IPv4Address

NewIPv4Address creates a new IPv4Address observable.

func (*IPv4Address) GetCreated

func (a *IPv4Address) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*IPv4Address) GetID

func (a *IPv4Address) GetID() string

GetID returns the identifier.

func (*IPv4Address) GetModified

func (a *IPv4Address) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*IPv4Address) GetType

func (a *IPv4Address) GetType() STIXType

GetType returns the STIX type.

type IPv6Address

type IPv6Address struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Value is the IPv6 address
	Value string `json:"value"`
	// ResolvesToRefs are domain names that resolve to this IP
	ResolvesToRefs []string `json:"resolves_to_refs,omitempty"`
}

IPv6Address represents a STIX IPv6 Address Object.

func NewIPv6Address

func NewIPv6Address(id, value string) *IPv6Address

NewIPv6Address creates a new IPv6Address observable.

func (*IPv6Address) GetCreated

func (a *IPv6Address) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*IPv6Address) GetID

func (a *IPv6Address) GetID() string

GetID returns the identifier.

func (*IPv6Address) GetModified

func (a *IPv6Address) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*IPv6Address) GetType

func (a *IPv6Address) GetType() STIXType

GetType returns the STIX type.

type Identity

type Identity struct {
	BaseObject
	// Name of the identity
	Name string `json:"name"`
	// Description of the identity
	Description string `json:"description,omitempty"`
	// IdentityClass categorizes the identity
	IdentityClass string `json:"identity_class"`
	// Sectors the identity belongs to
	Sectors []string `json:"sectors,omitempty"`
	// ContactInformation for the identity
	ContactInformation string `json:"contact_information,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
}

Identity represents a STIX Identity Object. Identities represent individuals, organizations, or groups.

func NewIdentity

func NewIdentity(id, name, identityClass string) *Identity

NewIdentity creates a new Identity.

type Indicator

type Indicator struct {
	BaseObject
	// Name is a human-readable name
	Name string `json:"name,omitempty"`
	// Description provides more details
	Description string `json:"description,omitempty"`
	// IndicatorTypes categorizes the indicator
	IndicatorTypes []IndicatorType `json:"indicator_types,omitempty"`
	// Pattern is the detection pattern
	Pattern string `json:"pattern"`
	// PatternType specifies the pattern language
	PatternType IndicatorPatternType `json:"pattern_type"`
	// PatternVersion specifies the version of the pattern language
	PatternVersion string `json:"pattern_version,omitempty"`
	// ValidFrom is the time from which the indicator is considered valid
	ValidFrom time.Time `json:"valid_from"`
	// ValidUntil is when the indicator is no longer valid
	ValidUntil time.Time `json:"valid_until,omitempty"`
	// KillChainPhases maps to MITRE ATT&CK phases
	KillChainPhases []KillChainPhase `json:"kill_chain_phases,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the indicator (0-100)
	Confidence int `json:"confidence,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// ObjectMarkingRefs references marking definitions
	ObjectMarkingRefs []string `json:"object_marking_refs,omitempty"`
	// Types of the indicator (for observable-based patterns)
	Types []string `json:"types,omitempty"`
}

Indicator represents a STIX Indicator Object. Indicators contain patterns that can be used to detect suspicious activity.

func NewIndicator

func NewIndicator(id, pattern string, patternType IndicatorPatternType) *Indicator

NewIndicator creates a new Indicator with defaults.
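Since an Indicator's Pattern is a string assembled from observed values, it is worth seeing how a value is placed into a STIX pattern literal safely. The Go code below is an added example, not the package's NewIndicator or builder code; the valueProperty map and the helper names are this example's own, and the hash and address values in its tests are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// valueProperty maps the observable types this example supports to the
// property a STIX pattern compares against.
var valueProperty = map[string]string{
	"ipv4-addr":   "value",
	"ipv6-addr":   "value",
	"domain-name": "value",
	"url":         "value",
	"email-addr":  "value",
	"mac-addr":    "value",
}

// escapeSTIXLiteral escapes the two characters that are special inside a
// single-quoted STIX pattern literal: backslash and the quote itself. Without
// this, a value such as x'] OR [ipv4-addr:value = '0.0.0.0 would close the
// literal early and rewrite the pattern's logic.
func escapeSTIXLiteral(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, `'`, `\'`)
}

// ObservableComparison builds "<type>:value = '<value>'" for one observable.
func ObservableComparison(obsType, value string) (string, error) {
	prop, ok := valueProperty[obsType]
	if !ok {
		return "", fmt.Errorf("unsupported observable type %q", obsType)
	}
	return fmt.Sprintf("%s:%s = '%s'", obsType, prop, escapeSTIXLiteral(value)), nil
}

// HashComparison builds a file:hashes comparison. Algorithm names containing
// a hyphen (SHA-1, SHA-256, SHA-512) are quoted in the object path, as the
// STIX 2.1 examples do; MD5 needs no quotes.
func HashComparison(alg, hash string) string {
	key := alg
	if strings.Contains(alg, "-") {
		key = "'" + alg + "'"
	}
	return fmt.Sprintf("file:hashes.%s = '%s'", key, escapeSTIXLiteral(hash))
}

// BuildPattern joins comparison expressions into one observation expression
// with OR, so the indicator fires on any of the listed artefacts.
func BuildPattern(comparisons ...string) string {
	return "[" + strings.Join(comparisons, " OR ") + "]"
}
```

The output of BuildPattern is what goes into Indicator.Pattern with PatternType set to PatternTypeSTIX; the escaping keeps a hostile value inside its literal instead of letting it contribute operators.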

type IndicatorOptions

type IndicatorOptions struct {
	// Name for the indicator
	Name string
	// Description of the indicator
	Description string
	// Indicator types
	IndicatorTypes []IndicatorType
	// Pattern type override
	PatternType IndicatorPatternType
	// Valid from timestamp
	ValidFrom time.Time
	// Valid until timestamp
	ValidUntil time.Time
	// Kill chain phases
	KillChainPhases []KillChainPhase
	// MITRE ATT&CK mapping
	MITRE *MITREMapping
	// Labels for the indicator
	Labels []string
	// Confidence override
	Confidence int
}

IndicatorOptions contains options for indicator generation.

type IndicatorPatternType

type IndicatorPatternType string

IndicatorPatternType represents the type of indicator pattern.

const (
	PatternTypeSTIX     IndicatorPatternType = "stix"
	PatternTypeSNORT    IndicatorPatternType = "snort"
	PatternTypeSuricata IndicatorPatternType = "suricata"
	PatternTypeSigma    IndicatorPatternType = "sigma"
	PatternTypeYARA     IndicatorPatternType = "yara"
	PatternTypePcre     IndicatorPatternType = "pcre"
	PatternTypeSigmaAny IndicatorPatternType = "sigma-any"
)

type IndicatorType

type IndicatorType string

IndicatorType represents the type of threat indicator.

const (
	IndicatorTypeMaliciousActivity IndicatorType = "malicious-activity"
	IndicatorTypeAnomalousActivity IndicatorType = "anomalous-activity"
	IndicatorTypeAttribution       IndicatorType = "attribution"
	IndicatorTypeUnknown           IndicatorType = "unknown"
	IndicatorTypeBenign            IndicatorType = "benign"
	IndicatorTypeCompromised       IndicatorType = "compromised"
)

type KillChainPhase

type KillChainPhase struct {
	KillChainName string `json:"kill_chain_name"`
	PhaseName     string `json:"phase_name"`
}

KillChainPhase represents a phase in a kill chain.

type MACAddress

type MACAddress struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Value is the MAC address
	Value string `json:"value"`
}

MACAddress represents a STIX MAC Address Object.

func NewMACAddress

func NewMACAddress(id, value string) *MACAddress

NewMACAddress creates a new MACAddress observable.

func (*MACAddress) GetCreated

func (m *MACAddress) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*MACAddress) GetID

func (m *MACAddress) GetID() string

GetID returns the identifier.

func (*MACAddress) GetModified

func (m *MACAddress) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*MACAddress) GetType

func (m *MACAddress) GetType() STIXType

GetType returns the STIX type.

type MISPAttribute

type MISPAttribute struct {
	UUID         string `json:"uuid"`
	Type         string `json:"type"`
	Category     string `json:"category"`
	Value        string `json:"value"`
	ToIDS        bool   `json:"to_ids"`
	Distribution int    `json:"distribution"`
	Comment      string `json:"comment"`
	Timestamp    int64  `json:"timestamp"`
}

MISPAttribute represents a MISP attribute.

type MISPEvent

type MISPEvent struct {
	UUID          string          `json:"uuid"`
	Info          string          `json:"info"`
	ThreatLevelID int             `json:"threat_level_id"`
	Analysis      int             `json:"analysis"`
	Distribution  int             `json:"distribution"`
	Timestamp     int64           `json:"timestamp"`
	Date          string          `json:"date"`
	Published     bool            `json:"published"`
	OrgID         string          `json:"org_id"`
	OrgcID        string          `json:"orgc_id"`
	Attribute     []MISPAttribute `json:"Attribute"`
	EventTag      []MISPTag       `json:"EventTag"`
}

MISPEvent represents a MISP event for export.

type MISPExportOptions

type MISPExportOptions struct {
	// Event info
	EventInfo string
	// Event threat level (1-4)
	ThreatLevelID int
	// Event analysis (0-2)
	Analysis int
	// Event distribution (0-4)
	Distribution int
	// Event tags
	Tags []string
	// Org ID
	OrgID string
	// Orgc ID (owner)
	OrgcID string
	// Attribute category
	Category string
	// To IDS flag
	ToIDS bool
}

MISPExportOptions contains options for MISP export.

type MISPTag

type MISPTag struct {
	Name   string `json:"name"`
	Colour string `json:"colour"`
}

MISPTag represents a MISP tag.

type MITREMapping

type MITREMapping struct {
	Tactic         string   `json:"tactic,omitempty"`
	TacticID       string   `json:"tactic_id,omitempty"`
	Technique      string   `json:"technique,omitempty"`
	TechniqueID    string   `json:"technique_id,omitempty"`
	SubTechnique   string   `json:"sub_technique,omitempty"`
	SubTechniqueID string   `json:"sub_technique_id,omitempty"`
	Tactics        []string `json:"tactics,omitempty"`
	Techniques     []string `json:"techniques,omitempty"`
}

MITREMapping maps events to MITRE ATT&CK framework.

func (*MITREMapping) ToExternalReferences

func (m *MITREMapping) ToExternalReferences() []ExternalReference

ToExternalReferences converts MITRE mapping to external references.

func (*MITREMapping) ToKillChainPhases

func (m *MITREMapping) ToKillChainPhases() []KillChainPhase

ToKillChainPhases converts MITRE mapping to STIX kill chain phases.
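The conversion from an ATT&CK tactic and technique to kill chain phases and external references follows well-known STIX conventions: kill_chain_name "mitre-attack", lowercase hyphenated tactic names as phase_name, and attack.mitre.org URLs keyed by the ATT&CK ID. The stand-alone Go code below re-implements that conversion as an added example; it is not the package's ToKillChainPhases or ToExternalReferences, and dropping malformed IDs rather than emitting them is this example's choice.

```go
package main

import (
	"regexp"
	"strings"
)

const mitreSource = "mitre-attack" // kill_chain_name and source_name STIX uses for ATT&CK

var (
	tacticIDRe    = regexp.MustCompile(`^TA\d{4}$`)
	techniqueIDRe = regexp.MustCompile(`^T\d{4}(\.\d{3})?$`)
)

// KillChainPhase and ExternalReference mirror the page's types.
type KillChainPhase struct {
	KillChainName string `json:"kill_chain_name"`
	PhaseName     string `json:"phase_name"`
}

type ExternalReference struct {
	SourceName  string `json:"source_name"`
	Description string `json:"description,omitempty"`
	URL         string `json:"url,omitempty"`
	ExternalID  string `json:"external_id,omitempty"`
}

// MITREMapping carries the same fields as the page's MITREMapping.
type MITREMapping struct {
	Tactic, TacticID, Technique, TechniqueID, SubTechnique, SubTechniqueID string
	Tactics                                                               []string
}

// phaseName turns a tactic's display name into the lowercase, hyphenated
// phase_name the mitre-attack kill chain uses ("Defense Evasion" -> "defense-evasion").
func phaseName(tactic string) string {
	return strings.Join(strings.Fields(strings.ToLower(tactic)), "-")
}

// ToKillChainPhases emits one phase per distinct tactic, primary tactic first.
func (m MITREMapping) ToKillChainPhases() []KillChainPhase {
	var out []KillChainPhase
	seen := map[string]bool{}
	for _, t := range append([]string{m.Tactic}, m.Tactics...) {
		ph := phaseName(t)
		if ph == "" || seen[ph] {
			continue
		}
		seen[ph] = true
		out = append(out, KillChainPhase{KillChainName: mitreSource, PhaseName: ph})
	}
	return out
}

// attackURL derives the attack.mitre.org page for a tactic or technique ID.
// Sub-technique pages sit under the parent: T1059.001 -> techniques/T1059/001/.
func attackURL(id string) (string, bool) {
	switch {
	case tacticIDRe.MatchString(id):
		return "https://attack.mitre.org/tactics/" + id + "/", true
	case techniqueIDRe.MatchString(id):
		return "https://attack.mitre.org/techniques/" + strings.ReplaceAll(id, ".", "/") + "/", true
	}
	return "", false
}

// ToExternalReferences emits a mitre-attack reference for every well-formed ID
// on the mapping; malformed IDs are dropped rather than turned into broken links.
func (m MITREMapping) ToExternalReferences() []ExternalReference {
	var out []ExternalReference
	for _, e := range []struct{ id, desc string }{
		{m.TacticID, m.Tactic}, {m.TechniqueID, m.Technique}, {m.SubTechniqueID, m.SubTechnique},
	} {
		if u, ok := attackURL(e.id); ok {
			out = append(out, ExternalReference{SourceName: mitreSource, Description: e.desc, URL: u, ExternalID: e.id})
		}
	}
	return out
}
```

Consumers such as ATT&CK Navigator key on external_id under source_name "mitre-attack", so validating the ID format before emitting the reference is what keeps the exported objects usable downstream.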

type Malware

type Malware struct {
	BaseObject
	// Name of the malware family
	Name string `json:"name"`
	// Description of the malware
	Description string `json:"description,omitempty"`
	// MalwareTypes categorizes the malware
	MalwareTypes []MalwareType `json:"malware_types,omitempty"`
	// IsFamily indicates if this represents a malware family
	IsFamily bool `json:"is_family"`
	// Aliases for this malware
	Aliases []string `json:"aliases,omitempty"`
	// KillChainPhases associated with the malware
	KillChainPhases []KillChainPhase `json:"kill_chain_phases,omitempty"`
	// FirstSeen timestamp
	FirstSeen time.Time `json:"first_seen,omitempty"`
	// LastSeen timestamp
	LastSeen time.Time `json:"last_seen,omitempty"`
	// OperatingSystemRefs for which the malware is designed
	OperatingSystemRefs []string `json:"operating_system_refs,omitempty"`
	// ArchitectureExecutionEnvs for which the malware is designed
	ArchitectureExecutionEnvs []string `json:"architecture_execution_envs,omitempty"`
	// ImplementationLanguages used to create the malware
	ImplementationLanguages []string `json:"implementation_languages,omitempty"`
	// Capabilities of the malware
	Capabilities []string `json:"capabilities,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the malware attribution
	Confidence int `json:"confidence,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
}

Malware represents a STIX Malware Object. Malware describes malicious software and its characteristics.

func NewMalware

func NewMalware(id, name string, isFamily bool) *Malware

NewMalware creates a new Malware object.

type MalwareOptions

type MalwareOptions struct {
	// Name of the malware family
	Name string
	// Description
	Description string
	// Malware types
	Types []MalwareType
	// Is this a family?
	IsFamily bool
	// Aliases
	Aliases []string
	// Kill chain phases
	KillChainPhases []KillChainPhase
	// Capabilities
	Capabilities []string
	// Labels
	Labels []string
}

MalwareOptions contains options for malware generation.

type MalwareType

type MalwareType string

MalwareType represents the type of malware.

const (
	MalwareTypeVirus       MalwareType = "virus"
	MalwareTypeWorm        MalwareType = "worm"
	MalwareTypeTrojan      MalwareType = "trojan"
	MalwareTypeRansomware  MalwareType = "ransomware"
	MalwareTypeSpyware     MalwareType = "spyware"
	MalwareTypeAdware      MalwareType = "adware"
	MalwareTypeBackdoor    MalwareType = "backdoor"
	MalwareTypeRootkit     MalwareType = "rootkit"
	MalwareTypeBotnet      MalwareType = "botnet"
	MalwareTypeCryptominer MalwareType = "cryptominer"
	MalwareTypeKeylogger   MalwareType = "keylogger"
	MalwareTypeDropper     MalwareType = "dropper"
	MalwareTypeLoader      MalwareType = "loader"
)

type OAuth2Config

type OAuth2Config struct {
	// Token URL
	TokenURL string `json:"token_url"`
	// Client ID
	ClientID string `json:"client_id"`
	// Client secret
	ClientSecret string `json:"client_secret"`
	// Scopes
	Scopes []string `json:"scopes,omitempty"`
	// Existing token
	Token string `json:"token,omitempty"`
	// Token expiry
	TokenExpiry time.Time `json:"token_expiry,omitempty"`
}

OAuth2Config contains OAuth2 authentication settings.

type Observable

type Observable struct {
	// Type identifies the type of observable
	Type STIXType `json:"type"`
	// ID is the observable object ID
	ID string `json:"id,omitempty"`
	// SpecVersion is the STIX spec version
	SpecVersion string `json:"spec_version,omitempty"`
	// ObjectMarkingRefs for marking definitions
	ObjectMarkingRefs []string `json:"object_marking_refs,omitempty"`
	// GranularMarkings for granular markings
	GranularMarkings []GranularMarking `json:"granular_markings,omitempty"`
	// Defanged indicates if the object is defanged
	Defanged bool `json:"defanged,omitempty"`
	// Extensions contains custom extensions
	Extensions map[string]interface{} `json:"extensions,omitempty"`
}

Observable represents a STIX Cyber Observable Object. These describe observable characteristics of network and system activity.

type ObservedData

type ObservedData struct {
	BaseObject
	// FirstObserved timestamp
	FirstObserved time.Time `json:"first_observed"`
	// LastObserved timestamp
	LastObserved time.Time `json:"last_observed"`
	// Number of times observed
	NumberObserved int `json:"number_observed"`
	// Objects contains the observed objects
	Objects map[string]interface{} `json:"objects"`
	// ObjectRefs references to observed objects
	ObjectRefs []string `json:"object_refs,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
}

ObservedData represents a STIX Observed Data Object. STIX 2.1 deprecates the embedded objects property in favour of object_refs pointing at separately serialized SCOs, so new producers should populate ObjectRefs. Note that Objects carries no omitempty tag, so leaving the map nil serializes as "objects": null, which strict consumers may reject.

func NewObservedData

func NewObservedData(id string, firstObserved, lastObserved time.Time, numberObserved int) *ObservedData

NewObservedData creates a new ObservedData.

type PatternBuilder

type PatternBuilder struct {
	// contains filtered or unexported fields
}

PatternBuilder helps build STIX indicator patterns.

func NewPatternBuilder

func NewPatternBuilder() *PatternBuilder

NewPatternBuilder creates a new pattern builder.

func (*PatternBuilder) And

func (p *PatternBuilder) And() *PatternBuilder

And marks the next comparison to be ANDed with the previous one.

func (*PatternBuilder) Build

func (p *PatternBuilder) Build() string

Build returns the final pattern string.

func (*PatternBuilder) DomainMatch

func (p *PatternBuilder) DomainMatch(value string) *PatternBuilder

DomainMatch adds a domain name match to the pattern.

func (*PatternBuilder) EmailMatch

func (p *PatternBuilder) EmailMatch(value string) *PatternBuilder

EmailMatch adds an email address match to the pattern.

func (*PatternBuilder) FileHashMD5

func (p *PatternBuilder) FileHashMD5(value string) *PatternBuilder

FileHashMD5 adds an MD5 file hash match to the pattern.

func (*PatternBuilder) FileHashSHA1

func (p *PatternBuilder) FileHashSHA1(value string) *PatternBuilder

FileHashSHA1 adds an SHA-1 file hash match to the pattern.

func (*PatternBuilder) FileHashSHA256

func (p *PatternBuilder) FileHashSHA256(value string) *PatternBuilder

FileHashSHA256 adds an SHA-256 file hash match to the pattern.

func (*PatternBuilder) FileHashSHA512

func (p *PatternBuilder) FileHashSHA512(value string) *PatternBuilder

FileHashSHA512 adds an SHA-512 file hash match to the pattern.

func (*PatternBuilder) FileNameMatch

func (p *PatternBuilder) FileNameMatch(value string) *PatternBuilder

FileNameMatch adds a file name match to the pattern.

func (*PatternBuilder) FollowedBy

func (p *PatternBuilder) FollowedBy(comparison string) *PatternBuilder

FollowedBy appends comparison as a further observation joined with the STIX FOLLOWEDBY operator (an observation operator, not a qualifier), so the pattern matches only when the observations occur in that order.

func (*PatternBuilder) IPv4Match

func (p *PatternBuilder) IPv4Match(value string) *PatternBuilder

IPv4Match adds an IPv4 address match to the pattern.

func (*PatternBuilder) IPv6Match

func (p *PatternBuilder) IPv6Match(value string) *PatternBuilder

IPv6Match adds an IPv6 address match to the pattern.

func (*PatternBuilder) Or

func (p *PatternBuilder) Or() *PatternBuilder

Or marks the next comparison to be ORed with the previous one.

func (*PatternBuilder) Repeat

func (p *PatternBuilder) Repeat(count int) *PatternBuilder

Repeat adds a REPEATS count TIMES qualifier, requiring the qualified observation expression to match count times.

func (*PatternBuilder) URLMatch

func (p *PatternBuilder) URLMatch(value string) *PatternBuilder

URLMatch adds a URL match to the pattern.

func (*PatternBuilder) Within

func (p *PatternBuilder) Within(duration time.Duration) *PatternBuilder

Within adds a WITHIN n SECONDS qualifier, bounding the time window in which the qualified observation expression must match.
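A worked example of the escaping and operator rules a pattern builder has to get right, added here as illustration; it is not the threatintel package's PatternBuilder. The Pattern type, escapeLiteral and the Build(within, repeats) signature are this example's own. Every literal has its backslashes and single quotes escaped (the only two escapes the STIX pattern grammar defines), so an attacker-controlled value lifted from a SIEM event cannot close its string and smuggle extra comparisons into the pattern; observations are joined with AND, OR or FOLLOWEDBY, and a multi-observation expression is parenthesised before REPEATS and WITHIN are applied:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Pattern accumulates STIX 2.1 observation expressions. Each observation
// method appends one bracketed expression; And, Or and FollowedBy pick the
// observation operator written before the next one (default AND).
type Pattern struct {
	exprs []string // completed observation expressions, e.g. "[url:value = '...']"
	ops   []string // ops[i] is the operator between exprs[i] and exprs[i+1]
	next  string   // operator to use before the next expression
}

// escapeLiteral turns a raw value into a STIX string literal. The pattern
// grammar escapes exactly two characters, backslash and single quote, so a
// value lifted from an event cannot close the literal early and append
// comparisons or operators of its own.
func escapeLiteral(v string) string {
	v = strings.ReplaceAll(v, `\`, `\\`)
	v = strings.ReplaceAll(v, `'`, `\'`)
	return "'" + v + "'"
}

func (p *Pattern) add(comparison string) *Pattern {
	if len(p.exprs) > 0 {
		op := p.next
		if op == "" {
			op = "AND"
		}
		p.ops = append(p.ops, op)
	}
	p.exprs = append(p.exprs, "["+comparison+"]")
	p.next = ""
	return p
}

func (p *Pattern) IPv4(v string) *Pattern   { return p.add("ipv4-addr:value = " + escapeLiteral(v)) }
func (p *Pattern) Domain(v string) *Pattern { return p.add("domain-name:value = " + escapeLiteral(v)) }
func (p *Pattern) URL(v string) *Pattern    { return p.add("url:value = " + escapeLiteral(v)) }

// SHA256 matches a file hash; the hash key contains '-' so the object path quotes it.
func (p *Pattern) SHA256(v string) *Pattern {
	return p.add("file:hashes.'SHA-256' = " + escapeLiteral(strings.ToLower(v)))
}

func (p *Pattern) And() *Pattern        { p.next = "AND"; return p }
func (p *Pattern) Or() *Pattern         { p.next = "OR"; return p }
func (p *Pattern) FollowedBy() *Pattern { p.next = "FOLLOWEDBY"; return p }

// Build joins the observations with their operators. When a REPEATS or WITHIN
// qualifier is requested, a multi-observation expression is parenthesised first
// so the qualifier scopes over the whole sequence rather than its last member.
func (p *Pattern) Build(within time.Duration, repeats int) (string, error) {
	if len(p.exprs) == 0 {
		return "", fmt.Errorf("pattern has no observation expressions")
	}
	s := p.exprs[0]
	for i, op := range p.ops {
		s += " " + op + " " + p.exprs[i+1]
	}
	if within <= 0 && repeats <= 0 {
		return s, nil
	}
	if len(p.exprs) > 1 {
		s = "(" + s + ")"
	}
	if repeats > 0 {
		s += fmt.Sprintf(" REPEATS %d TIMES", repeats)
	}
	if within > 0 {
		s += fmt.Sprintf(" WITHIN %d SECONDS", int(within.Seconds()))
	}
	return s, nil
}

func main() {
	// Constructed hostile value: a URL that tries to close the literal and add its own comparison.
	hostile := "http://198.51.100.7/x'] OR [ipv4-addr:value = '10.0.0.1"
	p, _ := (&Pattern{}).URL(hostile).Build(0, 0)
	fmt.Println(p)
	seq, _ := (&Pattern{}).SHA256("DEADBEEF").FollowedBy().IPv4("203.0.113.10").Build(5*time.Minute, 0)
	fmt.Println(seq)
}
```

The hostile URL comes out as a single url:value comparison whose embedded quote is escaped; without escapeLiteral it would have become two observations OR-ed together, and the indicator would silently match an address the analyst never intended.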

type PollOptions

type PollOptions struct {
	// Collection ID to poll
	CollectionID string
	// AddedAfter filters objects added after this time
	AddedAfter time.Time
	// Types filters by object types
	Types []string
	// PollInterval is the interval between polls
	PollInterval time.Duration
	// MaxPolls is the maximum number of polls (0 = infinite)
	MaxPolls int
	// Handler is called for each received object
	Handler func(obj json.RawMessage) error
}

PollOptions contains options for polling a collection.

type PushOptions

type PushOptions struct {
	// Collection ID to push to
	CollectionID string
	// Bundle of objects to push
	Bundle *Bundle
	// BatchSize for batching pushes
	BatchSize int
}

PushOptions contains options for pushing objects.

type Relationship

type Relationship struct {
	BaseObject
	// RelationshipType describes the relationship
	RelationshipType RelationshipType `json:"relationship_type"`
	// SourceRef is the source object reference
	SourceRef string `json:"source_ref"`
	// TargetRef is the target object reference
	TargetRef string `json:"target_ref"`
	// Description of the relationship
	Description string `json:"description,omitempty"`
	// StartTime when the relationship is valid from
	StartTime time.Time `json:"start_time,omitempty"`
	// StopTime when the relationship is valid until
	StopTime time.Time `json:"stop_time,omitempty"`
	// KillChainPhases associated with the relationship
	KillChainPhases []KillChainPhase `json:"kill_chain_phases,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the relationship
	Confidence int `json:"confidence,omitempty"`
}

Relationship represents a STIX Relationship Object. Relationships link two STIX objects together. StartTime and StopTime are tagged omitempty, but omitempty has no effect on struct values such as time.Time, so unset times still serialize as the zero timestamp 0001-01-01T00:00:00Z rather than being omitted.

func NewRelationship

func NewRelationship(id string, relType RelationshipType, sourceRef, targetRef string) *Relationship

NewRelationship creates a new Relationship.

type RelationshipOptions

type RelationshipOptions struct {
	// Relationship type
	Type RelationshipType
	// Description
	Description string
	// Source reference
	SourceRef string
	// Target reference
	TargetRef string
	// Start time
	StartTime time.Time
	// Stop time
	StopTime time.Time
	// Kill chain phases
	KillChainPhases []KillChainPhase
	// Confidence
	Confidence int
}

RelationshipOptions contains options for relationship generation.

type RelationshipType

type RelationshipType string

RelationshipType represents the type of STIX relationship.

const (
	RelationshipTypeRelatedTo        RelationshipType = "related-to"
	RelationshipTypeIndicates        RelationshipType = "indicates"
	RelationshipTypeUses             RelationshipType = "uses"
	RelationshipTypeTargets          RelationshipType = "targets"
	RelationshipTypeAttributedTo     RelationshipType = "attributed-to"
	RelationshipTypeCompromises      RelationshipType = "compromises"
	RelationshipTypeDelivers         RelationshipType = "delivers"
	RelationshipTypeDownloads        RelationshipType = "downloads"
	RelationshipTypeExploits         RelationshipType = "exploits"
	RelationshipTypeHas              RelationshipType = "has"
	RelationshipTypeHosts            RelationshipType = "hosts"
	RelationshipTypeOriginatesFrom   RelationshipType = "originates-from"
	RelationshipTypeOwns             RelationshipType = "owns"
	RelationshipTypePartOf           RelationshipType = "part-of"
	RelationshipTypeVariantOf        RelationshipType = "variant-of"
	RelationshipTypeCommunicatesWith RelationshipType = "communicates-with"
	RelationshipTypeConsistsOf       RelationshipType = "consists-of"
	RelationshipTypeControls         RelationshipType = "controls"
	RelationshipTypeCreatedBy        RelationshipType = "created-by"
	RelationshipTypeDerivedFrom      RelationshipType = "derived-from"
	RelationshipTypeDuplicateOf      RelationshipType = "duplicate-of"
	RelationshipTypeDetects          RelationshipType = "detects"
	RelationshipTypeImpersonates     RelationshipType = "impersonates"
	RelationshipTypeInvestigates     RelationshipType = "investigates"
	RelationshipTypeLocatedAt        RelationshipType = "located-at"
	RelationshipTypeMitigates        RelationshipType = "mitigates"
	RelationshipTypeRemediates       RelationshipType = "remediates"
	RelationshipTypeRevokedBy        RelationshipType = "revoked-by"
	RelationshipTypeSubtechniqueOf   RelationshipType = "subtechnique-of"
)

type Report

type Report struct {
	BaseObject
	// Name of the report
	Name string `json:"name"`
	// Description of the report
	Description string `json:"description,omitempty"`
	// ReportTypes categorizes the report
	ReportTypes []string `json:"report_types,omitempty"`
	// Published timestamp
	Published time.Time `json:"published"`
	// ObjectRefs references to objects in this report
	ObjectRefs []string `json:"object_refs"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the report
	Confidence int `json:"confidence,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
}

Report represents a STIX Report Object. Reports are collections of STIX objects related to a specific topic.

func NewReport

func NewReport(id, name string, published time.Time) *Report

NewReport creates a new Report.

type ReportOptions

type ReportOptions struct {
	// Name of the report
	Name string
	// Description
	Description string
	// Report types
	Types []string
	// Published date
	Published time.Time
	// Object references
	ObjectRefs []string
	// Labels
	Labels []string
	// Confidence
	Confidence int
}

ReportOptions contains options for report generation.

type RetryConfig

type RetryConfig struct {
	// Enable retries
	Enabled bool `json:"enabled"`
	// Maximum retry attempts
	MaxAttempts int `json:"max_attempts"`
	// Initial backoff duration
	InitialBackoff time.Duration `json:"initial_backoff"`
	// Maximum backoff duration
	MaxBackoff time.Duration `json:"max_backoff"`
	// Backoff multiplier
	BackoffMultiplier float64 `json:"backoff_multiplier"`
	// Retry on these HTTP status codes
	RetryOnStatusCodes []int `json:"retry_on_status_codes,omitempty"`
}

RetryConfig contains retry settings.

type SIEMEntity

type SIEMEntity struct {
	Type  string
	ID    string
	Name  string
	Value string
}

SIEMEntity represents a related entity in a SIEM event.

type SIEMEvent

type SIEMEvent struct {
	// Unique identifier
	ID string
	// Timestamp
	Timestamp time.Time
	// Source platform
	Source string
	// Event category
	Category string
	// Event type
	Type string
	// Severity
	Severity string
	// Human-readable message
	Message string
	// Raw event data
	Raw map[string]interface{}
	// Additional attributes
	Attributes map[string]string
	// Related entities
	Entities []SIEMEntity
	// MITRE ATT&CK mapping
	MITRE *MITREMapping
	// Compliance mappings
	Compliance []ComplianceMapping
}

SIEMEvent represents a security event from a SIEM system. This mirrors the siem.Event type for compatibility.

type STIXBuilder

type STIXBuilder struct {
	// contains filtered or unexported fields
}

STIXBuilder builds STIX bundles from security events. It maintains state for identity and marking definitions.

func BuilderFromContext

func BuilderFromContext(ctx context.Context) *STIXBuilder

BuilderFromContext returns the STIX builder from context.

func NewSTIXBuilder

func NewSTIXBuilder(opts STIXBuilderOptions) *STIXBuilder

NewSTIXBuilder creates a new STIX builder.

func (*STIXBuilder) AddObject

func (b *STIXBuilder) AddObject(obj STIXObject)

AddObject adds a STIX object to the builder.

func (*STIXBuilder) Clear

func (b *STIXBuilder) Clear()

Clear removes all objects.

func (*STIXBuilder) ConvertSIEMEvent

func (b *STIXBuilder) ConvertSIEMEvent(event *SIEMEvent) ([]STIXObject, error)

ConvertSIEMEvent converts a SIEM event to STIX objects.

func (*STIXBuilder) GenerateAttackPattern

func (b *STIXBuilder) GenerateAttackPattern(opts AttackPatternOptions) (*AttackPattern, error)

GenerateAttackPattern generates a STIX attack pattern.

func (*STIXBuilder) GenerateAttackPatternFromMITRE

func (b *STIXBuilder) GenerateAttackPatternFromMITRE(techniqueID, techniqueName string, tactics []string) (*AttackPattern, error)

GenerateAttackPatternFromMITRE generates an attack pattern from MITRE ATT&CK.

func (*STIXBuilder) GenerateDomainIndicator

func (b *STIXBuilder) GenerateDomainIndicator(domain string, opts IndicatorOptions) (*Indicator, *DomainName, error)

GenerateDomainIndicator generates an indicator for a domain.

func (*STIXBuilder) GenerateEmailIndicator

func (b *STIXBuilder) GenerateEmailIndicator(email string, opts IndicatorOptions) (*Indicator, *EmailAddress, error)

GenerateEmailIndicator generates an indicator for an email address.

func (*STIXBuilder) GenerateFileHashIndicator

func (b *STIXBuilder) GenerateFileHashIndicator(hashes FileHash, opts IndicatorOptions) (*Indicator, *File, error)

GenerateFileHashIndicator generates an indicator for file hashes.

func (*STIXBuilder) GenerateIPIndicator

func (b *STIXBuilder) GenerateIPIndicator(ip string, opts IndicatorOptions) (*Indicator, *IPv4Address, error)

GenerateIPIndicator generates an indicator for an IP address.

func (*STIXBuilder) GenerateIndicator

func (b *STIXBuilder) GenerateIndicator(pattern string, opts IndicatorOptions) (*Indicator, error)

GenerateIndicator generates a STIX indicator from a pattern.

func (*STIXBuilder) GenerateMalware

func (b *STIXBuilder) GenerateMalware(opts MalwareOptions) (*Malware, error)

GenerateMalware generates a STIX malware object.

func (*STIXBuilder) GenerateObservable

func (b *STIXBuilder) GenerateObservable(entityType, value string) (interface{}, error)

GenerateObservable generates a STIX observable from an entity.

func (*STIXBuilder) GenerateRelationship

func (b *STIXBuilder) GenerateRelationship(opts RelationshipOptions) (*Relationship, error)

GenerateRelationship generates a STIX relationship.

func (*STIXBuilder) GenerateReport

func (b *STIXBuilder) GenerateReport(opts ReportOptions) (*Report, error)

GenerateReport generates a STIX report.

func (*STIXBuilder) GenerateSTIXBundle

func (b *STIXBuilder) GenerateSTIXBundle(opts STIXBundleOptions) (*Bundle, error)

GenerateSTIXBundle generates a STIX bundle from all added objects.

func (*STIXBuilder) GenerateThreatActor

func (b *STIXBuilder) GenerateThreatActor(opts ThreatActorOptions) (*ThreatActor, error)

GenerateThreatActor generates a STIX threat actor.

func (*STIXBuilder) GenerateURLIndicator

func (b *STIXBuilder) GenerateURLIndicator(urlStr string, opts IndicatorOptions) (*Indicator, *URL, error)

GenerateURLIndicator generates an indicator for a URL.

func (*STIXBuilder) GetObjects

func (b *STIXBuilder) GetObjects() []STIXObject

GetObjects returns all added objects.

func (*STIXBuilder) LinkIndicatorToMalware

func (b *STIXBuilder) LinkIndicatorToMalware(indicatorID, malwareID string, description string) (*Relationship, error)

LinkIndicatorToMalware creates a relationship linking an indicator to malware.

func (*STIXBuilder) LinkIndicatorToThreatActor

func (b *STIXBuilder) LinkIndicatorToThreatActor(indicatorID, threatActorID string, description string) (*Relationship, error)

LinkIndicatorToThreatActor creates a relationship linking an indicator to a threat actor.

func (*STIXBuilder) LinkMalwareToAttackPattern

func (b *STIXBuilder) LinkMalwareToAttackPattern(malwareID, attackPatternID string, description string) (*Relationship, error)

LinkMalwareToAttackPattern creates a relationship linking malware to an attack pattern.

func (*STIXBuilder) LinkThreatActorToMalware

func (b *STIXBuilder) LinkThreatActorToMalware(threatActorID, malwareID string, description string) (*Relationship, error)

LinkThreatActorToMalware creates a relationship linking a threat actor to malware.

func (*STIXBuilder) SetConfidence

func (b *STIXBuilder) SetConfidence(confidence int)

SetConfidence sets the confidence level.

func (*STIXBuilder) SetIdentity

func (b *STIXBuilder) SetIdentity(identity *Identity)

SetIdentity sets the identity.

type STIXBuilderOptions

type STIXBuilderOptions struct {
	// Identity for the STIX objects
	Identity *Identity
	// Marking definitions
	MarkingDefinitions []string
	// Confidence level (0-100)
	Confidence int
	// Default pattern type
	DefaultPatternType IndicatorPatternType
}

STIXBuilderOptions contains options for creating a STIX builder.

type STIXBundleOptions

type STIXBundleOptions struct {
	// Include identity in bundle
	IncludeIdentity bool
	// Custom bundle ID
	ID string
}

STIXBundleOptions contains options for bundle generation.

type STIXIDGenerator

type STIXIDGenerator struct {
	// contains filtered or unexported fields
}

STIXIDGenerator generates STIX-compliant IDs.

func NewSTIXIDGenerator

func NewSTIXIDGenerator(stixType STIXType) *STIXIDGenerator

NewSTIXIDGenerator creates a new ID generator for a STIX type.

func (*STIXIDGenerator) Generate

func (g *STIXIDGenerator) Generate() (string, error)

Generate creates a new STIX ID.

type STIXObject

type STIXObject interface {
	GetID() string
	GetType() STIXType
	GetCreated() time.Time
	GetModified() time.Time
}

STIXObject is the base interface for all STIX objects.

type STIXType

type STIXType string

STIXType represents the type of a STIX object.

const (
	// STIX Domain Objects (SDOs)
	STIXTypeIndicator      STIXType = "indicator"
	STIXTypeAttackPattern  STIXType = "attack-pattern"
	STIXTypeThreatActor    STIXType = "threat-actor"
	STIXTypeMalware        STIXType = "malware"
	STIXTypeVulnerability  STIXType = "vulnerability"
	STIXTypeTool           STIXType = "tool"
	STIXTypeReport         STIXType = "report"
	STIXTypeIntrusionSet   STIXType = "intrusion-set"
	STIXTypeCampaign       STIXType = "campaign"
	STIXTypeCourseOfAction STIXType = "course-of-action"
	STIXTypeIdentity       STIXType = "identity"
	STIXTypeLocation       STIXType = "location"
	STIXTypeNote           STIXType = "note"
	STIXTypeOpinion        STIXType = "opinion"
	STIXTypeObservedData   STIXType = "observed-data"

	// STIX Cyber Observable Objects (SCOs)
	STIXTypeDomainName         STIXType = "domain-name"
	STIXTypeIPv4Addr           STIXType = "ipv4-addr"
	STIXTypeIPv6Addr           STIXType = "ipv6-addr"
	STIXTypeURL                STIXType = "url"
	STIXTypeFile               STIXType = "file"
	STIXTypeEmailAddr          STIXType = "email-addr"
	STIXTypeMACAddr            STIXType = "mac-addr"
	STIXTypeMutex              STIXType = "mutex"
	STIXTypeProcess            STIXType = "process"
	STIXTypeSoftware           STIXType = "software"
	STIXTypeUserAgent          STIXType = "user-agent"
	STIXTypeWindowsRegistryKey STIXType = "windows-registry-key"
	STIXTypeX509Certificate    STIXType = "x509-certificate"

	// STIX Relationship Objects
	STIXTypeRelationship STIXType = "relationship"
	STIXTypeSighting     STIXType = "sighting"

	// Bundle
	STIXTypeBundle STIXType = "bundle"
)

func ParseSTIXID

func ParseSTIXID(id string) (stixType STIXType, uuid string, err error)

ParseSTIXID parses a STIX ID into its type and UUID components.
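Added example of how STIX 2.1 identifiers are generated and validated; it is not the package's STIXIDGenerator or ParseSTIXID implementation, and the function names and the simplified canonicalization (Go's sorted-key, no-whitespace encoding rather than full RFC 8785) are this example's assumptions. STIX 2.1 recommends a random UUIDv4 for SDOs and SROs, and for SCOs a deterministic UUIDv5 over the spec's SCO namespace (00abedb4-aa42-466c-9c01-fed23315a9b7) and the canonical JSON of the id-contributing properties, which is what lets a consumer deduplicate the same observable arriving from different feeds:

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// scoNamespace is the UUID namespace STIX 2.1 fixes for deterministic SCO ids.
const scoNamespace = "00abedb4-aa42-466c-9c01-fed23315a9b7"

// A STIX id is <type>--<uuid>: the type is 3 to 250 characters of [a-z0-9-],
// the uuid is the lower-case RFC 4122 text form.
var stixIDRe = regexp.MustCompile(`^([a-z0-9-]{3,250})--([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$`)

func parseUUID(s string) ([16]byte, error) {
	var u [16]byte
	b, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(b) != 16 {
		return u, fmt.Errorf("bad uuid %q", s)
	}
	copy(u[:], b)
	return u, nil
}

func formatUUID(u [16]byte) string {
	h := hex.EncodeToString(u[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// NewSDOID returns a random (UUIDv4) id for an SDO or SRO such as indicator or relationship.
func NewSDOID(stixType string) (string, error) {
	var u [16]byte
	if _, err := rand.Read(u[:]); err != nil {
		return "", err
	}
	u[6] = u[6]&0x0f | 0x40 // version 4
	u[8] = u[8]&0x3f | 0x80 // RFC 4122 variant
	return stixType + "--" + formatUUID(u), nil
}

// NewSCOID returns the deterministic (UUIDv5) id STIX 2.1 recommends for cyber
// observables: SHA-1 over the SCO namespace followed by the canonical JSON of the
// id-contributing properties. Two producers that see the same ipv4-addr therefore
// emit the same id. Canonicalization here is Go's sorted-key, no-whitespace map
// encoding, which matches RFC 8785 for plain string properties (an assumption of
// this example; numbers and nested objects would need a full JCS implementation).
func NewSCOID(stixType string, props map[string]any) (string, error) {
	ns, err := parseUUID(scoNamespace)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep '<', '>' and '&' literal, as JCS does
	if err := enc.Encode(props); err != nil {
		return "", err
	}
	h := sha1.New()
	h.Write(ns[:])
	h.Write(bytes.TrimRight(buf.Bytes(), "\n"))
	var u [16]byte
	copy(u[:], h.Sum(nil)[:16])
	u[6] = u[6]&0x0f | 0x50 // version 5
	u[8] = u[8]&0x3f | 0x80 // RFC 4122 variant
	return stixType + "--" + formatUUID(u), nil
}

// ParseSTIXID splits an id into its type and uuid, rejecting anything off-grammar
// (upper case, a single hyphen, a non-UUID suffix) before it reaches a store or query.
func ParseSTIXID(id string) (stixType, uuid string, err error) {
	m := stixIDRe.FindStringSubmatch(id)
	if m == nil {
		return "", "", fmt.Errorf("malformed STIX id %q", id)
	}
	return m[1], m[2], nil
}

// UUIDVersion reports the version nibble of a text-form UUID (4 random, 5 name-based).
func UUIDVersion(uuid string) int {
	if len(uuid) != 36 {
		return -1
	}
	return int(uuid[14] - '0')
}

func main() {
	sco, _ := NewSCOID("ipv4-addr", map[string]any{"value": "198.51.100.1"})
	sdo, _ := NewSDOID("indicator")
	fmt.Println(sco, sdo)
}
```

Validating ids on the way in matters because they are used verbatim as keys and as path segments in TAXII URLs; an id that fails ParseSTIXID should be dropped rather than stored.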

type Sighting

type Sighting struct {
	BaseObject
	// FirstSeen timestamp
	FirstSeen time.Time `json:"first_seen,omitempty"`
	// LastSeen timestamp
	LastSeen time.Time `json:"last_seen,omitempty"`
	// Count of sightings
	Count int `json:"count,omitempty"`
	// SightingOfRef is the object that was sighted
	SightingOfRef string `json:"sighting_of_ref"`
	// ObservedDataRefs references observed data objects
	ObservedDataRefs []string `json:"observed_data_refs,omitempty"`
	// WhereSightedRefs references locations where sighted
	WhereSightedRefs []string `json:"where_sighted_refs,omitempty"`
	// Summary indicates if this is a summary sighting
	Summary bool `json:"summary,omitempty"`
	// Description of the sighting
	Description string `json:"description,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
}

Sighting represents a STIX Sighting Object. Sighting indicates that a STIX object was observed.

func NewSighting

func NewSighting(id, sightingOfRef string) *Sighting

NewSighting creates a new Sighting.

type StreamExporter

type StreamExporter struct {
	// contains filtered or unexported fields
}

StreamExporter provides streaming export capabilities.

func NewStreamExporter

func NewStreamExporter(config ExportConfig, builder *STIXBuilder) *StreamExporter

NewStreamExporter creates a new streaming exporter.

func (*StreamExporter) StreamToWriter

func (se *StreamExporter) StreamToWriter(ctx context.Context, writer io.Writer, objectChan <-chan STIXObject) error

StreamToWriter exports objects as a stream to a writer.

type TAXIIAPIRoot

type TAXIIAPIRoot struct {
	// MaxContentSize is the maximum content size in bytes
	MaxContentSize int64 `json:"max_content_length"`
	// Description of the API root
	Description string `json:"description,omitempty"`
	// Title of the API root
	Title string `json:"title,omitempty"`
	// Versions supported STIX versions
	Versions []string `json:"versions"`
	// MaxRange is the maximum range for partial content requests
	MaxRange int `json:"max_range,omitempty"`
}

TAXIIAPIRoot represents a TAXII API Root.

type TAXIIClient

type TAXIIClient struct {
	// contains filtered or unexported fields
}

TAXIIClient is a client for TAXII 2.1 servers.

func NewTAXIIClient

func NewTAXIIClient(config TAXIIConfig) (*TAXIIClient, error)

NewTAXIIClient creates a new TAXII client.

func (*TAXIIClient) AddObjects

func (c *TAXIIClient) AddObjects(ctx context.Context, apiRootURL, collectionID string, bundle *Bundle) (*TAXIIEnvelopes, error)

AddObjects adds objects to a collection.

func (*TAXIIClient) Authenticate

func (c *TAXIIClient) Authenticate(ctx context.Context) error

Authenticate authenticates with the TAXII server.

func (*TAXIIClient) CloseSession

func (c *TAXIIClient) CloseSession()

CloseSession closes the current session.

func (*TAXIIClient) CreateSession

func (c *TAXIIClient) CreateSession(ctx context.Context) (*TAXIISession, error)

CreateSession creates a new TAXII session.

func (*TAXIIClient) DeleteObject

func (c *TAXIIClient) DeleteObject(ctx context.Context, apiRootURL, collectionID, objectID string) error

DeleteObject deletes an object from a collection.

func (*TAXIIClient) Discovery

func (c *TAXIIClient) Discovery(ctx context.Context) (*TAXIIDiscovery, error)

Discovery retrieves the TAXII server discovery information.

func (*TAXIIClient) GetAPIRoot

func (c *TAXIIClient) GetAPIRoot(ctx context.Context, apiRootURL string) (*TAXIIAPIRoot, error)

GetAPIRoot retrieves information about an API root.

func (*TAXIIClient) GetAPIRoots

func (c *TAXIIClient) GetAPIRoots(ctx context.Context) ([]string, error)

GetAPIRoots retrieves available API roots from discovery.

func (*TAXIIClient) GetCollection

func (c *TAXIIClient) GetCollection(ctx context.Context, apiRootURL, collectionID string) (*TAXIICollection, error)

GetCollection retrieves a specific collection by ID.

func (*TAXIIClient) GetCollections

func (c *TAXIIClient) GetCollections(ctx context.Context, apiRootURL string) (*TAXIICollections, error)

GetCollections retrieves all collections from an API root.

func (*TAXIIClient) GetManifest

func (c *TAXIIClient) GetManifest(ctx context.Context, apiRootURL, collectionID string, addedAfter time.Time) (*TAXIIManifest, error)

GetManifest retrieves the manifest for a collection.

func (*TAXIIClient) GetObject

func (c *TAXIIClient) GetObject(ctx context.Context, apiRootURL, collectionID, objectID string) (json.RawMessage, error)

GetObject retrieves a specific object from a collection.

func (*TAXIIClient) GetObjects

func (c *TAXIIClient) GetObjects(ctx context.Context, apiRootURL, collectionID string, opts *TAXIIGetObjectsRequest) (*Bundle, *TAXIIContentRange, error)

GetObjects retrieves objects from a collection.

func (*TAXIIClient) GetSession

func (c *TAXIIClient) GetSession() *TAXIISession

GetSession returns the current session.

func (*TAXIIClient) GetStats

func (c *TAXIIClient) GetStats() *TAXIIClientStats

GetStats returns client statistics.

func (*TAXIIClient) GetToken

func (c *TAXIIClient) GetToken() string

GetToken returns the current authentication token.

func (*TAXIIClient) NewGetObjectsPaginator

func (c *TAXIIClient) NewGetObjectsPaginator(apiRootURL, collectionID string, opts *TAXIIGetObjectsRequest, pageSize int) *GetObjectsPaginator

NewGetObjectsPaginator creates a new paginator for objects.

func (*TAXIIClient) Poll

func (c *TAXIIClient) Poll(ctx context.Context, apiRootURL string, opts PollOptions) error

Poll polls a collection for new objects.
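Added example of the TAXII 2.1 exchange behind a poll, written against an in-process fake server constructed for the example; it is not the package's TAXIIClient.Poll, and the route, collection id, bearer token, timestamps and object ids are constructed sample data. The client sends Accept: application/taxii+json;version=2.1, follows the envelope's next token while more is true, bounds both response size and page count so a hostile or broken server cannot exhaust memory or loop it, and returns the X-TAXII-Date-Added-Last header value, which is what a poller persists and passes back as added_after on its next run:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

const taxiiMediaType = "application/taxii+json;version=2.1"

// envelope is the body of a TAXII 2.1 Get Objects response; more/next drive pagination.
type envelope struct {
	More    bool              `json:"more"`
	Next    string            `json:"next,omitempty"`
	Objects []json.RawMessage `json:"objects"`
}

// PollCollection fetches every page of objects added to a collection after addedAfter
// (apiRoot given without a trailing slash) and returns them with the X-TAXII-Date-Added-Last
// value, which the caller persists and passes back as addedAfter on the next poll.
func PollCollection(c *http.Client, apiRoot, collectionID, token string, addedAfter time.Time, limit int) ([]json.RawMessage, string, error) {
	base := apiRoot + "/collections/" + url.PathEscape(collectionID) + "/objects/"
	var objs []json.RawMessage
	next, watermark := "", ""
	for page := 0; page < 10000; page++ { // hard cap: a server that always says more=true must not spin us forever
		q := url.Values{"limit": {fmt.Sprint(limit)}}
		if !addedAfter.IsZero() {
			q.Set("added_after", addedAfter.UTC().Format("2006-01-02T15:04:05.000Z"))
		}
		if next != "" {
			q.Set("next", next)
		}
		req, err := http.NewRequest(http.MethodGet, base+"?"+q.Encode(), nil)
		if err != nil {
			return objs, watermark, err
		}
		req.Header.Set("Accept", taxiiMediaType)
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := c.Do(req)
		if err != nil {
			return objs, watermark, err
		}
		var env envelope
		if resp.StatusCode == http.StatusOK {
			// Bound the body so an oversized (or hostile) response cannot exhaust memory.
			err = json.NewDecoder(io.LimitReader(resp.Body, 64<<20)).Decode(&env)
		} else {
			err = fmt.Errorf("taxii: GET %s returned %d", base, resp.StatusCode)
		}
		resp.Body.Close()
		if err != nil {
			return objs, watermark, err
		}
		if v := resp.Header.Get("X-TAXII-Date-Added-Last"); v != "" {
			watermark = v
		}
		objs = append(objs, env.Objects...)
		if !env.More {
			return objs, watermark, nil
		}
		if env.Next == "" {
			return objs, watermark, fmt.Errorf("taxii: envelope says more=true but carries no next token")
		}
		next = env.Next
	}
	return objs, watermark, fmt.Errorf("taxii: pagination did not terminate")
}

// newFakeTAXII serves a constructed two-page collection of three indicators for the example.
func newFakeTAXII() *httptest.Server {
	obj := func(id string) json.RawMessage { return json.RawMessage(`{"type":"indicator","id":"` + id + `"}`) }
	pages := map[string]envelope{
		"":       {More: true, Next: "page-2", Objects: []json.RawMessage{obj("indicator--1"), obj("indicator--2")}},
		"page-2": {Objects: []json.RawMessage{obj("indicator--3")}},
	}
	added := map[string]string{"": "2026-03-01T10:00:00.000Z", "page-2": "2026-03-01T10:05:00.000Z"}
	mux := http.NewServeMux()
	mux.HandleFunc("/api1/collections/col-1/objects/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			http.Error(w, `{"title":"Unauthorized"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", taxiiMediaType)
		w.Header().Set("X-TAXII-Date-Added-Last", added[r.URL.Query().Get("next")])
		json.NewEncoder(w).Encode(pages[r.URL.Query().Get("next")])
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeTAXII()
	defer srv.Close()
	objs, wm, err := PollCollection(srv.Client(), srv.URL+"/api1", "col-1", "test-token", time.Time{}, 2)
	fmt.Println(len(objs), "objects; next added_after =", wm, err)
}
```

The watermark is taken from the server's header rather than from the client's clock: added_after is compared against the server's date_added, and using local time would either re-fetch objects or, worse, skip ones added while the poll was running.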

func (*TAXIIClient) Push

func (c *TAXIIClient) Push(ctx context.Context, apiRootURL string, opts PushOptions) (*TAXIIEnvelopes, error)

Push pushes objects to a TAXII collection.

func (*TAXIIClient) PushIndicator

func (c *TAXIIClient) PushIndicator(ctx context.Context, apiRootURL, collectionID string, indicator *Indicator) (*TAXIIEnvelopes, error)

PushIndicator pushes a single indicator to a collection.

func (*TAXIIClient) PushIndicators

func (c *TAXIIClient) PushIndicators(ctx context.Context, apiRootURL, collectionID string, indicators []*Indicator, batchSize int) (*TAXIIEnvelopes, error)

PushIndicators pushes multiple indicators to a collection.

func (*TAXIIClient) SetAPIRoot

func (c *TAXIIClient) SetAPIRoot(apiRoot string)

SetAPIRoot sets the current API root for the client.

func (*TAXIIClient) SetToken

func (c *TAXIIClient) SetToken(token string)

SetToken sets the authentication token.

type TAXIIClientStats

type TAXIIClientStats struct {
	RequestsTotal   int64
	RequestsSuccess int64
	RequestsFailed  int64
	RequestsRetried int64
	BytesSent       int64
	BytesReceived   int64
	LastRequestTime time.Time
	LastError       string
}

TAXIIClientStats contains client statistics.

type TAXIICollection

type TAXIICollection struct {
	// ID of the collection
	ID string `json:"id"`
	// Title of the collection
	Title string `json:"title"`
	// Description of the collection
	Description string `json:"description,omitempty"`
	// CanRead indicates if objects can be read
	CanRead bool `json:"can_read"`
	// CanWrite indicates if objects can be written
	CanWrite bool `json:"can_write"`
	// MediaTypes supported by the collection
	MediaTypes []string `json:"media_types,omitempty"`
}

TAXIICollection represents a TAXII Collection.

type TAXIICollections

type TAXIICollections struct {
	// Collections in this list
	Collections []TAXIICollection `json:"collections"`
}

TAXIICollections represents a list of collections.

type TAXIIConfig

type TAXIIConfig struct {
	// Server URL (e.g., https://taxii.example.com/api2)
	ServerURL string `json:"server_url"`
	// Discovery URL
	DiscoveryURL string `json:"discovery_url,omitempty"`
	// Authentication type: basic, token, oauth2
	AuthType string `json:"auth_type"`
	// Username for basic auth
	Username string `json:"username,omitempty"`
	// Password for basic auth
	Password string `json:"password,omitempty"`
	// API token for token auth
	APIToken string `json:"api_token,omitempty"`
	// Token header name
	TokenHeader string `json:"token_header,omitempty"`
	// OAuth2 configuration
	OAuth2 OAuth2Config `json:"oauth2,omitempty"`
	// TLS configuration
	TLS TLSConfig `json:"tls"`
	// Retry configuration
	Retry RetryConfig `json:"retry"`
	// Timeout for requests
	Timeout time.Duration `json:"timeout"`
	// User agent
	UserAgent string `json:"user_agent,omitempty"`
	// Default collection
	DefaultCollection string `json:"default_collection,omitempty"`
}

TAXIIConfig contains TAXII client configuration. Password, APIToken and the OAuth2 client secret and token are all exported through their json tags, so a marshalled config must be treated as a secret: do not log it or write it into diagnostics.

func DefaultTAXIIConfig

func DefaultTAXIIConfig() TAXIIConfig

DefaultTAXIIConfig returns default TAXII configuration.

type TAXIIConnectionPool

type TAXIIConnectionPool struct {
	// contains filtered or unexported fields
}

TAXIIConnectionPool manages a pool of TAXII clients.

func NewTAXIIConnectionPool

func NewTAXIIConnectionPool(config TAXIIConfig, maxSize int) (*TAXIIConnectionPool, error)

NewTAXIIConnectionPool creates a new connection pool.

func (*TAXIIConnectionPool) Close

func (p *TAXIIConnectionPool) Close()

Close closes all clients in the pool.

func (*TAXIIConnectionPool) Get

func (p *TAXIIConnectionPool) Get() (*TAXIIClient, error)

Get retrieves a client from the pool.

func (*TAXIIConnectionPool) Put

func (p *TAXIIConnectionPool) Put(client *TAXIIClient)

Put returns a client to the pool.

type TAXIIContentRange

type TAXIIContentRange struct {
	// Start is the starting index
	Start int `json:"start"`
	// End is the ending index
	End int `json:"end"`
	// Total is the total number of objects
	Total int `json:"total"`
}

TAXIIContentRange represents a Content-Range header for partial responses. Range/Content-Range pagination is the TAXII 2.0 mechanism; TAXII 2.1 paginates with the limit and next query parameters and the envelope's more/next fields, so this header only appears when talking to a server that still honours the 2.0 style.

func ParseTAXIIContentRange

func ParseTAXIIContentRange(header string) (*TAXIIContentRange, error)

ParseTAXIIContentRange parses a Content-Range header.

func (*TAXIIContentRange) MarshalText

func (cr *TAXIIContentRange) MarshalText() ([]byte, error)

MarshalText implements encoding.TextMarshaler.

func (*TAXIIContentRange) Parse

func (cr *TAXIIContentRange) Parse(header string) (int, error)

Parse parses a Content-Range header string.

func (*TAXIIContentRange) String

func (cr *TAXIIContentRange) String() string

String returns the Content-Range header string.

func (*TAXIIContentRange) UnmarshalText

func (cr *TAXIIContentRange) UnmarshalText(data []byte) (int, error)

UnmarshalText is intended to implement encoding.TextUnmarshaler, but as declared it returns (int, error) rather than the interface's single error, so *TAXIIContentRange does not satisfy that interface and encoding/json will not invoke it automatically; call Parse or ParseTAXIIContentRange explicitly.

type TAXIIDiscovery

type TAXIIDiscovery struct {
	// Title of the TAXII server
	Title string `json:"title"`
	// Description of the TAXII server
	Description string `json:"description,omitempty"`
	// Contact email or information
	Contact string `json:"contact,omitempty"`
	// Default value for a default collection
	Default string `json:"default,omitempty"`
	// APIRoots available on this server
	APIRoots []string `json:"api_roots,omitempty"`
}

TAXIIDiscovery represents a TAXII Discovery Response.

type TAXIIEnvelopes

type TAXIIEnvelopes struct {
	// Objects in this envelope
	Objects []json.RawMessage `json:"objects"`
}

TAXIIEnvelopes represents a TAXII envelope containing STIX objects. A TAXII 2.1 envelope also carries more and next for pagination; those fields are not modelled here, so a caller that decodes into this type cannot tell whether further pages exist.

type TAXIIError

type TAXIIError struct {
	Title           string              `json:"title"`
	Description     string              `json:"description,omitempty"`
	ErrorCode       int                 `json:"error_code,omitempty"`
	ExternalDetails string              `json:"external_details,omitempty"`
	HTTPHeaders     map[string][]string `json:"-"`
}

TAXIIError represents a TAXII error response.

func (*TAXIIError) Error

func (e *TAXIIError) Error() string

Error implements the error interface.

func (*TAXIIError) IsRetryable

func (e *TAXIIError) IsRetryable() bool

IsRetryable returns true if the error is retryable.

type TAXIIGetObjectsRequest

type TAXIIGetObjectsRequest struct {
	// AddedAfter filters objects added after this time
	AddedAfter time.Time `json:"added_after,omitempty"`
	// IDs filters by specific object IDs
	IDs []string `json:"ids,omitempty"`
	// Types filters by object types
	Types []string `json:"types,omitempty"`
	// Versions specifies which versions to retrieve
	Versions []string `json:"versions,omitempty"`
	// Match specifies property matching criteria
	Match map[string]interface{} `json:"match,omitempty"`
}

TAXIIGetObjectsRequest represents a request to get objects from a collection.

type TAXIIManifest

type TAXIIManifest struct {
	// Objects in the manifest
	Objects []TAXIIManifestEntry `json:"objects"`
}

TAXIIManifest represents a collection manifest.

type TAXIIManifestEntry

type TAXIIManifestEntry struct {
	// ID of the object
	ID string `json:"id"`
	// DateAdded to the collection
	DateAdded time.Time `json:"date_added"`
	// Version of the object
	Version string `json:"version"`
	// MediaTypes for this object
	MediaTypes []string `json:"media_types,omitempty"`
}

TAXIIManifestEntry represents an entry in a collection manifest.

type TAXIIRateLimiter

type TAXIIRateLimiter struct {
	// contains filtered or unexported fields
}

TAXIIRateLimiter implements rate limiting for TAXII requests.

func NewTAXIIRateLimiter

func NewTAXIIRateLimiter(rate int) *TAXIIRateLimiter

NewTAXIIRateLimiter creates a new rate limiter.

func (*TAXIIRateLimiter) Stop

func (rl *TAXIIRateLimiter) Stop()

Stop stops the rate limiter.

func (*TAXIIRateLimiter) Wait

func (rl *TAXIIRateLimiter) Wait(ctx context.Context) error

Wait waits for a token to be available.

type TAXIISession

type TAXIISession struct {
	// SessionID is the unique session identifier
	SessionID string `json:"session_id"`
	// ServerURL is the TAXII server URL
	ServerURL string `json:"server_url"`
	// Username for the session
	Username string `json:"username,omitempty"`
	// Token for authentication
	Token string `json:"token,omitempty"`
	// ExpiresAt is when the session expires
	ExpiresAt time.Time `json:"expires_at,omitempty"`
}

TAXIISession represents an active TAXII session.

type TLSConfig

type TLSConfig struct {
	// Enable TLS
	Enabled bool `json:"enabled"`
	// Skip certificate verification (insecure)
	InsecureSkipVerify bool `json:"insecure_skip_verify"`
	// CA certificate file
	CAFile string `json:"ca_file,omitempty"`
	// Client certificate file
	CertFile string `json:"cert_file,omitempty"`
	// Client key file
	KeyFile string `json:"key_file,omitempty"`
	// Server name for SNI
	ServerName string `json:"server_name,omitempty"`
	// Minimum TLS version
	MinVersion string `json:"min_version,omitempty"`
}

TLSConfig contains TLS settings.
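An added example (not the package's own code) showing how a declarative TLSConfig like the one above would be validated and turned into a crypto/tls configuration. It redeclares the same field set so it runs stand-alone; the `Validate` and `Build` methods, the `tlsVersionFromString` helper and the accepted spellings of `MinVersion` ("1.2", "1.3", optionally prefixed with "TLS") are this example's assumptions, since the package does not document its own. The security-relevant choices are that the floor is never below TLS 1.2, that `insecure_skip_verify` is surfaced as a warning instead of silently honoured, and that a private CA file replaces the system trust store rather than merely being added to it.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"strings"
)

// TLSConfig mirrors the fields of the package's TLSConfig (added example).
type TLSConfig struct {
	Enabled            bool
	InsecureSkipVerify bool
	CAFile             string
	CertFile           string
	KeyFile            string
	ServerName         string
	MinVersion         string
}

// tlsVersionFromString maps a human-readable minimum version to the
// crypto/tls constant. An empty value defaults to TLS 1.2; anything
// below 1.2 is rejected outright.
func tlsVersionFromString(s string) (uint16, error) {
	v := strings.ToLower(strings.TrimSpace(s))
	v = strings.TrimSpace(strings.TrimPrefix(v, "tls"))
	switch v {
	case "", "1.2":
		return tls.VersionTLS12, nil
	case "1.3":
		return tls.VersionTLS13, nil
	case "1.0", "1.1":
		return 0, fmt.Errorf("tls: minimum version %q is below TLS 1.2", s)
	}
	return 0, fmt.Errorf("tls: unrecognised minimum version %q", s)
}

// Validate reports problems before any network use: half-configured client
// authentication or a weak version floor is an error; disabled verification
// is allowed by the struct but returned as a warning so it reaches the logs.
func (c TLSConfig) Validate() (warnings []string, err error) {
	if !c.Enabled {
		return nil, nil
	}
	if (c.CertFile == "") != (c.KeyFile == "") {
		return nil, errors.New("tls: cert_file and key_file must be set together")
	}
	if _, err := tlsVersionFromString(c.MinVersion); err != nil {
		return nil, err
	}
	if c.InsecureSkipVerify {
		warnings = append(warnings, "tls: insecure_skip_verify=true disables server certificate verification; any on-path party can alter the threat intel feed")
	}
	return warnings, nil
}

// Build turns the config into a *tls.Config suitable for http.Transport.
// It returns (nil, nil) when TLS is disabled.
func (c TLSConfig) Build() (*tls.Config, error) {
	if !c.Enabled {
		return nil, nil
	}
	if _, err := c.Validate(); err != nil {
		return nil, err
	}
	minVer, _ := tlsVersionFromString(c.MinVersion) // already validated
	tc := &tls.Config{
		MinVersion:         minVer,
		ServerName:         c.ServerName,
		InsecureSkipVerify: c.InsecureSkipVerify,
	}
	if c.CAFile != "" {
		pemBytes, err := os.ReadFile(c.CAFile)
		if err != nil {
			return nil, fmt.Errorf("tls: read ca_file: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("tls: no certificates found in %s", c.CAFile)
		}
		tc.RootCAs = pool // trust only the configured CA, not the system store
	}
	if c.CertFile != "" {
		cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("tls: load client key pair: %w", err)
		}
		tc.Certificates = []tls.Certificate{cert}
	}
	return tc, nil
}

func main() {
	// Constructed sample: a mutual-TLS client config with a weak flag set.
	cfg := TLSConfig{Enabled: true, MinVersion: "TLS1.3", ServerName: "taxii.example.invalid", InsecureSkipVerify: true}
	warnings, err := cfg.Validate()
	fmt.Println(warnings, err)
}
```

A caller would typically log each warning from `Validate` at startup and place the result of `Build` in `http.Transport.TLSClientConfig`; keeping the two steps separate means a misconfiguration is visible before the first request to the TAXII server is made.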

type ThreatActor

type ThreatActor struct {
	BaseObject
	// Name of the threat actor
	Name string `json:"name"`
	// Description of the threat actor
	Description string `json:"description,omitempty"`
	// ThreatActorTypes categorizes the actor
	ThreatActorTypes []ThreatActorType `json:"threat_actor_types,omitempty"`
	// Aliases for this threat actor
	Aliases []string `json:"aliases,omitempty"`
	// FirstSeen timestamp
	FirstSeen time.Time `json:"first_seen,omitempty"`
	// LastSeen timestamp
	LastSeen time.Time `json:"last_seen,omitempty"`
	// Goals of the threat actor
	Goals []string `json:"goals,omitempty"`
	// ResourceLevel of the actor
	ResourceLevel string `json:"resource_level,omitempty"`
	// PrimaryMotivation of the actor
	PrimaryMotivation string `json:"primary_motivation,omitempty"`
	// SecondaryMotivations of the actor
	SecondaryMotivations []string `json:"secondary_motivations,omitempty"`
	// Sophistication level
	Sophistication string `json:"sophistication,omitempty"`
	// KillChainPhases associated with the actor
	KillChainPhases []KillChainPhase `json:"kill_chain_phases,omitempty"`
	// ExternalReferences to external sources
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the threat actor attribution
	Confidence int `json:"confidence,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
}

ThreatActor represents a STIX Threat Actor Object. Threat actors are individuals, groups, or organizations believed to be malicious.

func NewThreatActor

func NewThreatActor(id, name string) *ThreatActor

NewThreatActor creates a new ThreatActor.

type ThreatActorOptions

type ThreatActorOptions struct {
	// Name of the threat actor
	Name string
	// Description
	Description string
	// Threat actor types
	Types []ThreatActorType
	// Aliases
	Aliases []string
	// Goals
	Goals []string
	// Resource level
	ResourceLevel string
	// Primary motivation
	PrimaryMotivation string
	// Sophistication level
	Sophistication string
	// Labels
	Labels []string
	// Confidence
	Confidence int
}

ThreatActorOptions contains options for threat actor generation.

type ThreatActorType

type ThreatActorType string

ThreatActorType represents the type of threat actor.

const (
	ThreatActorTypeNationState    ThreatActorType = "nation-state"
	ThreatActorTypeCrimeSyndicate ThreatActorType = "crime-syndicate"
	ThreatActorTypeHacker         ThreatActorType = "hacker"
	ThreatActorTypeInsider        ThreatActorType = "insider"
	ThreatActorTypeUnknown        ThreatActorType = "unknown"
)

type URL

type URL struct {
	Type        STIXType `json:"type"`
	ID          string   `json:"id,omitempty"`
	SpecVersion string   `json:"spec_version,omitempty"`
	// Value is the URL
	Value string `json:"value"`
}

URL represents a STIX URL Object.

func NewURL

func NewURL(id, value string) *URL

NewURL creates a new URL observable.

func (*URL) GetCreated

func (u *URL) GetCreated() time.Time

GetCreated returns the creation timestamp (zero time for observables).

func (*URL) GetID

func (u *URL) GetID() string

GetID returns the identifier.

func (*URL) GetModified

func (u *URL) GetModified() time.Time

GetModified returns the modification timestamp (zero time for observables).

func (*URL) GetType

func (u *URL) GetType() STIXType

GetType returns the STIX type.

type Vulnerability

type Vulnerability struct {
	BaseObject
	// Name of the vulnerability
	Name string `json:"name"`
	// Description of the vulnerability
	Description string `json:"description,omitempty"`
	// ExternalReferences (CVE IDs, etc.)
	ExternalReferences []ExternalReference `json:"external_references,omitempty"`
	// CreatedByRef references the identity that created this
	CreatedByRef string `json:"created_by_ref,omitempty"`
	// Confidence in the vulnerability assessment
	Confidence int `json:"confidence,omitempty"`
	// Labels for tagging
	Labels []string `json:"labels,omitempty"`
}

Vulnerability represents a STIX Vulnerability Object.

func NewVulnerability

func NewVulnerability(id, name string) *Vulnerability

NewVulnerability creates a new Vulnerability.
