ReddRadar
Agent skill
implementing-security-information-sharing-with-stix2
Create, validate, and share STIX 2.1 threat intelligence objects using the stix2 Python library. Covers indicators, malware, campaigns, relationships, bundles, and TAXII 2.1 publishing.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/implementing-security-information-sharing-with-stix2
SKILL.md
Implementing Security Information Sharing with STIX 2.1
Build and share structured threat intelligence using STIX 2.1 objects with the stix2 Python library and TAXII 2.1 transport protocol.
When to Use
- Building a threat intelligence platform that exchanges IOCs with partner organizations
- Automating ingestion and export of indicators from MISP, OpenCTI, or other TIP platforms
- Creating machine-readable intelligence reports for ISAC/ISAO sharing communities
- Publishing threat data to a TAXII 2.1 server for downstream consumption by SIEMs and SOARs
- Converting unstructured threat reports into standardized STIX 2.1 bundles
- Enriching detection rules with context by linking indicators to malware, campaigns, and threat actors
Do not use for sharing simple IP blocklists or CSV-based IOC feeds that do not require relationship context; plain-text feeds with simpler formats like CSV or OpenIOC may be more efficient in those cases.
Prerequisites
- Python 3.8+ with
stix2library (pip install stix2) taxii2-clientfor consuming TAXII feeds (pip install taxii2-client)- A TAXII 2.1 server endpoint for publishing (e.g., OpenTAXII, Medallion, or MISP TAXII service)
- Familiarity with STIX 2.1 SDO types: Indicator, Malware, Threat Actor, Campaign, Attack Pattern, Identity
- Familiarity with STIX 2.1 SRO types: Relationship, Sighting
- Optional: OpenCTI or MISP instance for end-to-end integration testing
Workflow
Step 1: Install Dependencies
pip install stix2 taxii2-client requests
Step 2: Create STIX 2.1 Domain Objects (SDOs)
Create core intelligence objects that describe threats, actors, and campaigns:
from stix2 import (
Indicator, Malware, ThreatActor, Campaign,
AttackPattern, Identity, Relationship, Bundle,
ExternalReference
)
from datetime import datetime
# Create a producer identity
producer = Identity(
name="ACME Threat Intel Team",
identity_class="organization",
sectors=["technology"],
contact_information="threatintel@acme.example.com"
)
# Create a malware object
emotet_malware = Malware(
name="Emotet",
description="Banking trojan turned modular botnet loader. "
"Distributed via malspam with macro-enabled Office documents.",
malware_types=["trojan", "bot"],
is_family=True,
created_by_ref=producer.id
)
# Create an attack pattern referencing MITRE ATT&CK
spearphishing_pattern = AttackPattern(
name="Spearphishing Attachment",
description="Adversaries send spearphishing emails with a malicious attachment.",
external_references=[
ExternalReference(
source_name="mitre-attack",
external_id="T1566.001",
url="https://attack.mitre.org/techniques/T1566/001/"
)
],
created_by_ref=producer.id
)
# Create a threat actor
threat_actor = ThreatActor(
name="Mummy Spider",
description="Cybercriminal group operating the Emotet botnet infrastructure.",
threat_actor_types=["crime-syndicate"],
aliases=["TA542", "Gold Crestwood"],
primary_motivation="personal-gain",
created_by_ref=producer.id
)
# Create a campaign
campaign = Campaign(
name="Emotet Q1 2026 Resurgence",
description="Renewed Emotet distribution campaign using thread-hijacked "
"reply-chain emails with OneNote lure attachments.",
first_seen="2026-01-15T00:00:00Z",
created_by_ref=producer.id
)
print(f"Created malware SDO: {emotet_malware.id}")
print(f"Created threat actor SDO: {threat_actor.id}")
print(f"Created campaign SDO: {campaign.id}")
Step 3: Create STIX Indicators with Patterns
Define detection patterns using the STIX Patterning Language:
# File hash indicator
hash_indicator = Indicator(
name="Emotet dropper hash",
description="SHA-256 hash of Emotet first-stage dropper observed in Jan 2026 campaign.",
indicator_types=["malicious-activity"],
pattern_type="stix",
pattern="[file:hashes.'SHA-256' = 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2']",
valid_from="2026-01-15T00:00:00Z",
created_by_ref=producer.id
)
# Network indicator for C2 domain
c2_indicator = Indicator(
name="Emotet C2 domain",
description="Command and control domain observed in Emotet tier-1 botnet infrastructure.",
indicator_types=["malicious-activity"],
pattern_type="stix",
pattern="[domain-name:value = 'malicious-c2.example.com']",
valid_from="2026-01-20T00:00:00Z",
created_by_ref=producer.id
)
# Compound pattern: process spawning with suspicious command line
process_indicator = Indicator(
name="Emotet PowerShell download cradle",
description="PowerShell execution pattern used by Emotet to download next-stage payload.",
indicator_types=["malicious-activity"],
pattern_type="stix",
pattern=(
"[process:command_line MATCHES 'powershell.*-enc.*' "
"AND process:parent_ref.name = 'winword.exe']"
),
valid_from="2026-01-15T00:00:00Z",
created_by_ref=producer.id
)
# Email subject indicator
email_indicator = Indicator(
name="Emotet phishing subject line pattern",
description="Subject line pattern seen in thread-hijacked Emotet phishing emails.",
indicator_types=["malicious-activity"],
pattern_type="stix",
pattern="[email-message:subject MATCHES '^RE:.*Invoice.*[0-9]{6}']",
valid_from="2026-01-15T00:00:00Z",
created_by_ref=producer.id
)
print(f"Created {4} indicator objects")
Step 4: Build Relationships Between Objects
Link SDOs together using Relationship objects to express how threats are connected:
# Malware uses attack pattern
rel_malware_attack = Relationship(
relationship_type="uses",
source_ref=emotet_malware.id,
target_ref=spearphishing_pattern.id,
description="Emotet is distributed via spearphishing attachments.",
created_by_ref=producer.id
)
# Threat actor uses malware
rel_actor_malware = Relationship(
relationship_type="uses",
source_ref=threat_actor.id,
target_ref=emotet_malware.id,
description="Mummy Spider operates the Emotet malware infrastructure.",
created_by_ref=producer.id
)
# Indicator indicates malware
rel_indicator_malware = Relationship(
relationship_type="indicates",
source_ref=hash_indicator.id,
target_ref=emotet_malware.id,
description="File hash indicator for Emotet dropper binary.",
created_by_ref=producer.id
)
# Campaign uses malware
rel_campaign_malware = Relationship(
relationship_type="uses",
source_ref=campaign.id,
target_ref=emotet_malware.id,
created_by_ref=producer.id
)
# Threat actor attributed to campaign
rel_actor_campaign = Relationship(
relationship_type="attributed-to",
source_ref=campaign.id,
target_ref=threat_actor.id,
created_by_ref=producer.id
)
print(f"Created {5} relationship objects linking threat intelligence")
Step 5: Assemble and Serialize a STIX Bundle
Package all objects into a bundle for sharing:
import json
bundle = Bundle(
objects=[
producer,
emotet_malware,
spearphishing_pattern,
threat_actor,
campaign,
hash_indicator,
c2_indicator,
process_indicator,
email_indicator,
rel_malware_attack,
rel_actor_malware,
rel_indicator_malware,
rel_campaign_malware,
rel_actor_campaign,
]
)
# Serialize to JSON
bundle_json = bundle.serialize(pretty=True)
# Write bundle to file for sharing
with open("emotet_campaign_bundle.json", "w") as f:
f.write(bundle_json)
print(f"Bundle {bundle.id} contains {len(bundle.objects)} objects")
print(f"Written to emotet_campaign_bundle.json")
# Validate the bundle by re-parsing
from stix2 import parse
parsed = parse(bundle_json, allow_custom=False)
print(f"Bundle validation passed: {len(parsed.objects)} objects parsed successfully")
Step 6: Consume Intelligence from a TAXII 2.1 Server
Retrieve published threat intelligence from a TAXII feed:
from taxii2client.v21 import Server, Collection, as_pages
import json
# Connect to a TAXII 2.1 server
taxii_server = Server(
"https://taxii.example.com/taxii2/",
user="readonly",
password="readonly_password"
)
# Discover API roots and collections
api_root = taxii_server.api_roots[0]
print(f"API Root: {api_root.title}")
for collection in api_root.collections:
print(f" Collection: {collection.title} (ID: {collection.id})")
# Fetch indicators from a specific collection
target_collection = Collection(
f"https://taxii.example.com/taxii2/collections/{api_root.collections[0].id}/",
user="readonly",
password="readonly_password"
)
# Retrieve objects with filtering
response = target_collection.get_objects(
added_after="2026-01-01T00:00:00Z",
type=["indicator", "malware"]
)
stix_data = json.loads(response.text)
print(f"Retrieved {len(stix_data.get('objects', []))} objects from TAXII server")
# Process each retrieved object
for obj in stix_data.get("objects", []):
if obj["type"] == "indicator":
print(f" Indicator: {obj['name']} | Pattern: {obj['pattern'][:60]}...")
elif obj["type"] == "malware":
print(f" Malware: {obj['name']} | Family: {obj.get('is_family', False)}")
Step 7: Publish Intelligence to a TAXII 2.1 Server
Push your STIX bundle to a writable TAXII collection:
import requests
import json
TAXII_URL = "https://taxii.example.com/taxii2/collections/COLLECTION_ID/objects/"
TAXII_USER = "publisher"
TAXII_PASS = "publisher_password"
headers = {
"Content-Type": "application/taxii+json;version=2.1",
"Accept": "application/taxii+json;version=2.1"
}
# Read the bundle we created earlier
with open("emotet_campaign_bundle.json", "r") as f:
bundle_data = f.read()
response = requests.post(
TAXII_URL,
headers=headers,
auth=(TAXII_USER, TAXII_PASS),
data=bundle_data,
timeout=30
)
if response.status_code in (200, 201, 202):
status = response.json()
print(f"Published successfully. Status ID: {status.get('id')}")
print(f" Total count: {status.get('total_count')}")
print(f" Success count: {status.get('success_count')}")
print(f" Failure count: {status.get('failure_count')}")
else:
print(f"Publishing failed: {response.status_code} - {response.text}")
Step 8: Validate and Lint STIX Objects
Ensure objects comply with the STIX 2.1 specification:
from stix2 import parse, exceptions
import json
def validate_stix_bundle(bundle_path):
"""Validate all objects in a STIX bundle against the 2.1 spec."""
with open(bundle_path, "r") as f:
raw = json.load(f)
errors = []
valid_count = 0
for obj in raw.get("objects", []):
try:
parsed = parse(json.dumps(obj), allow_custom=False)
valid_count += 1
except (exceptions.InvalidValueError, exceptions.MissingPropertiesError) as e:
errors.append({
"object_id": obj.get("id", "unknown"),
"object_type": obj.get("type", "unknown"),
"error": str(e)
})
print(f"Validation results: {valid_count} valid, {len(errors)} errors")
for err in errors:
print(f" ERROR in {err['object_type']} ({err['object_id']}): {err['error']}")
return len(errors) == 0
validate_stix_bundle("emotet_campaign_bundle.json")
Verification
- Confirm all STIX objects serialize to valid JSON and include required properties (
type,id,created,modified) - Verify relationship
source_refandtarget_refpoint to existing object IDs within the bundle - Validate indicator patterns parse correctly using the STIX patterning grammar
- Test TAXII publishing returns a success status with
success_countmatching the number of objects sent - Re-retrieve published objects from the TAXII server and confirm they round-trip without data loss
- Check that consuming systems (SIEM, SOAR, TIP) can ingest the bundle and create corresponding detection rules or enrichment data
- Run
stix2-validatorCLI tool against exported bundles:stix2_validator emotet_campaign_bundle.json
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?