Welcome to stix2-elevator’s documentation!
The stix2-elevator is a software tool for converting STIX 1.x XML to STIX 2.0 JSON. Due to the differences between STIX 1.x and STIX 2.0, this conversion is best-effort only, and stix2-elevator cannot convert from STIX 2.0 JSON back to STIX 1.x XML. During the conversion, stix2-elevator provides information on the assumptions it needs to make to produce valid STIX 2.0 JSON, and what information was not able to be converted.
STIX Elevator Log Messages
Use the following table for reference. You can also enable or disable certain messages using the -e or -d flags. Refer to the elevator help or README for more information on how to handle logging messages.
Message | Category | Code | Level | Location | Notes |
---|---|---|---|---|---|
Results produced by the stix2-elevator are not for production purposes. | General | 201 | warn | elevate_file, elevate_string, elevate_package | A reminder that the proof of concept is not ready for production purposes |
Observable Expressions should not contain placeholders | General | 202 | error | ObservableExpression | |
Placeholder [id] should be resolved | General | 203 | error | IdrefPlaceHolder | |
Found definition for [id] | General | 204 | info | find_definition | |
At least one PLACEHOLDER idref was not resolved in [id] | General | 205 | warn | finalize_bundle | |
At least one observable could not be converted in [id] | General | 206 | warn | finalize_bundle | |
Options not initialized | General | 207 | error | set_option_value | |
EMPTY BUNDLE – No objects created from 1.x input document! | General | 208 | warn | finalize_bundle | There should be no empty bundles. No content could be elevated into STIX 2.0 |
Both console and output log have disabled messages. | General | 209 | warn | ElevatorOptions.__init__() | |
OSError [message] | General | 210 | error | elevate_file, elevate_string, elevate_package | |
silent option is not compatible with a policy | General | 211 | warn | ElevatorOptions.__init__() | |
The Short_Description property is no longer supported in STIX. The text was appended to the description property of [id] | Content not supported in STIX 2.0 - Adding to Description | 301 | warn | process_description_and_short_description | Bundles don’t have properties to represent STIX 1.x Information Source content |
Appended [property_name] to description of [id] | Content not supported in STIX 2.0 - Adding to Description | 302 | warn | add_string_property_to_description | |
Title [title] used for name, appending exploit_target [id] title in description property | Content not supported in STIX 2.0 - Adding to Description | 303 | info | process_et_properties | |
Appended confidence property content to description of [id] | Content not supported in STIX 2.0 - Adding to Description | 304 | warn | add_confidence_property_to_description | |
Appended Statement type content to description of [id] | Content not supported in STIX 2.0 - Adding to Description | 305 | warn | add_statement_type_to_description | |
Appended Tool type content to description of [id] | Content not supported in STIX 2.0 - Adding to Description | 306 | warn | add_tool_property_to_description | |
Information Source on [id] is not representable in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 401 | warn | process_information_source | |
Related_Packages type in [id] not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 402 | warn | finish_basic_object, process_ttp_properties | |
Campaign/Activity type in [id] not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 403 | warn | convert_campaign | One ref is in the report, but the other is dangling (not defined) |
Structured COAs type in [id] are not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 404 | warn | convert_course_of_action | STIX 1.2 versioning not handled |
ExploitTarget/Weaknesses type in [id] not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 405 | warn | convert_exploit_target | |
ExploitTarget/Configurations type in [id] not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 406 | warn | convert_exploit_target | |
Indicator %s has an observable or indicator composite expression which may not supported correctly in STIX 2.0 - please check this pattern | Content not supported in STIX 2.0 - Dropping | 407 | warn | convert_indicator | |
TTP/Behavior/Exploits/Exploit in [id] not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 408 | warn | convert_behavior | |
Infrastructure in [id] not part of STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 409 | warn | convert_resources | |
Targeted systems on [id] are not a victim target in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 410 | warn | convert_victim_targeting | |
Targeted information on [id] is not a victim target in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 411 | warn | convert_victim_targeting | |
Targeted technical details on [id] are not a victim target in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 412 | warn | convert_victim_targeting | |
Kill Chains type in [id] not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 413 | warn | convert_ttp | |
Victim Target in [id] did not yield any STIX 2.0 object | Content not supported in STIX 2.0 - Dropping | 414 | warn | convert_ttp | |
TTP [id] did not generate any STIX 2.0 object | Content not supported in STIX 2.0 - Dropping | 415 | warn | convert_ttp | |
No STIX 2.0 object generated from embedded object [id] | Content not supported in STIX 2.0 - Dropping | 416 | warn | handle_embedded_object | |
[object type] did not yield any STIX 2.0 object | Content not supported in STIX 2.0 - Dropping | 417 | warn | convert_cybox_object | |
The exports property of WinExecutableFileObj is not part of STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 418 | warn | convert_windows_executable_file_to_pattern | |
The imports property of WinExecutableFileObj is not part of STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 419 | warn | convert_windows_executable_file_to_pattern | |
Windows Handles are not a part of STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 420 | warn | convert_windows_process, convert_windows_process_to_pattern | |
The address type [address] is not part of STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 421 | warn | convert_address | |
No pattern term was created from [id] | Content not supported in STIX 2.0 - Dropping | 422 | warn | convert_indicator_composition_to_pattern, convert_object_to_pattern | |
[id] is used as a pattern, therefore it is not included as an onbserved_data instance | Content not supported in STIX 2.0 - Dropping | 423 | warn | remove_pattern_objects | |
[xxx] content is not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 424 | warn | convert_network_connection | |
Could not resolve Marking Structure [id] | Content not supported in STIX 2.0 - Dropping | 425 | warn | convert_marking_specification | If Marking look_up() fails, the marking details cannot be extracted. |
MAEC content in [id] cannot be represented in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 426 | warn | convert_malware_instance | |
The [relationship name] relationship involving [id] is not supported in STIX 2.0 | Content not supported in STIX 2.0 - Dropping | 427 | warn | convert_domain_name_to_pattern | |
NO MESSAGE ASSIGNED | Multiple values are not supported in STIX 2.0 | 501 | Not available | | |
Only one person name allowed for [id] in STIX 2.0, used first one | Multiple values are not supported in STIX 2.0 | 502 | warn | convert_party_name | |
Only one organization name allowed for [id] in STIX 2.0, used first one | Multiple values are not supported in STIX 2.0 | 503 | warn | convert_party_name | |
YARA/SNORT patterns on [id] not supported in STIX 2.0 | Multiple values are not supported in STIX 2.0 | 504 | warn | convert_test_mechanism | |
NO MESSAGE ASSIGNED | Multiple values are not supported in STIX 2.0 | 505 | Not available | | |
Only one alternative test mechanism allowed for [id] in STIX 2.0 - used first one, which was [pattern_lang] | Multiple values are not supported in STIX 2.0 | 506 | warn | convert_test_mechanism | A cybox pattern already exists for this indicator, so ignore snort, yara, etc |
Only one valid time window allowed for [id] in STIX 2.0 - used first one | Multiple values are not supported in STIX 2.0 | 507 | warn | convert_indicator | |
Only one name for malware is allowed for [id] in STIX 2.0 - used first one | Multiple values are not supported in STIX 2.0 | 508 | warn | convert_malware_instance | |
No STIX 1.x vocab value given for [property], using ‘unknown’ | Multiple values are not supported in STIX 2.0 | 509 | warn | convert_controlled_vocabs_to_open_vocabs | |
Only one [property] allowed in STIX 2.0 - used first one | Multiple values are not supported in STIX 2.0 | 510 | warn | convert_controlled_vocabs_to_open_vocabs | |
File size window not allowed in top level observable, using first value | Multiple values are not supported in STIX 2.0 | 511 | error | convert_file | |
Only one Layer7_Connections/HTTP_Request_Response used fot http-request-ext, using first value | Multiple values are not supported in STIX 2.0 | 512 | warn | convert_network_connection | |
Dangling source reference [source] in [id] | Possible issue in original STIX 1.x content | 601 | warn | fix_relationships | |
Dangling target reference [target] in [id] | Possible issue in original STIX 1.x content | 602 | warn | fix_relationships | |
1.X ID: {0} was not mapped to STIX 2.0 ID | Possible issue in original STIX 1.x content | 603 | warn | finalize_bundle | |
Unable to determine the STIX 2.0 type for [id] | Possible issue in original STIX 1.x content | 604 | error | generate_stix20_id | |
Malformed id [id]. Generated a new uuid | Possible issue in original STIX 1.x content | 605 | warn | generate_stix20_id | |
Identity [id] has organization and person names | Possible issue in original STIX 1.x content | 606 | error | convert_party_name | possible contradictory information |
Dangling kill chain phase id in indicator [id] | Possible issue in original STIX 1.x content | 607 | error | finalize_bundle | |
windows-registry-key is required to have a key property | Possible issue in original STIX 1.x content | 608 | error | convert_registry_key | |
[condition] was used, but two values were not provided. | Possible issue in original STIX 1.x content | 609 | error | create_term_with_range | |
Trying to associate [old_key] with None | Possible issue in original STIX 1.x content | 610 | warn | add_id_value | |
Could not associate [old_id] with None | Possible issue in original STIX 1.x content | 611 | error | record_ids | |
Identity [id] must have a name, using ‘None’ | Possible issue in original STIX 1.x content | 612 | error | convert_identity | (handle via validator?) |
No WinExecutableFile properties found in [WinExeFile] | Possible issue in original STIX 1.x content | 613 | warn | convert_file_to_pattern | |
No ArchiveFile properties found in [ArchiveFile] | Possible issue in original STIX 1.x content | 614 | warn | convert_file_to_pattern | |
No WinProcess properties found in [WinProcess] | Possible issue in original STIX 1.x content | 615 | warn | convert_process_to_pattern | |
No WinService properties found in [WinService] | Possible issue in original STIX 1.x content | 616 | warn | convert_process_to_pattern | |
The custom property name [property name] does not adhere to the specification rules | Possible issue in original STIX 1.x content | 617 | warn | convert_custom_properties | |
No ISO code for [value] in [identifying info] | Possible issue in original STIX 1.x content | 618 | warn | convert_ciq_addresses | |
No start time for the first valid time interval is available in %s, other time intervals might be more appropriate | Possible issue in original STIX 1.x content | 619 | warn | convert_indicator | |
Unable to create a pattern from a File object | Possible issue in original STIX 1.x content | 620 | warn | convert_file_name_and_path_to_pattern | |
[stix 1.x property] contains no value | Possible issue in original STIX 1.x content | 621 | warn | convert_email_message_to_pattern | |
No term was yielded for %s | Possible issue in original STIX 1.x content | 622 | warn | various | |
Hive property, %s, is already a prefix of the key property, %s | Possible issue in original STIX 1.x content | 623 | warn | convert_registry_key_to_pattern | |
The custom property name %s contains whitespace, replacing it with underscores | Possible issue in original STIX 1.x content | 624 | warn | convert_custom_properties | |
Found duplicate marking structure [id] | Possible issue in original STIX 1.x content | 625 | info | convert_marking_specification | Occurs when Markings hash to the same value (internally they are equal) |
‘[hash_string]’ is not a valid [hash_type] hash | Possible issue in original STIX 1.x content | 626 | warn | convert_hashes_to_pattern | |
Threat Actor identity [id] being used as basis of attributed-to relationship | Processing based on assumptions | 701 | info | convert_threat_actor | |
Found STIX 1.X ID: [old_id] replaced by [new_id] | Processing based on assumptions | 702 | info | finalize_bundle mapping ids | |
[old_id] is already associated other ids: [tuple_of_new_ids] | Processing based on assumptions | 703 | info | record_ids | |
Including rel[“id”] in rep[“id”] and added the target_ref rel[“target_ref”] to the report | Processing based on assumptions | 704 | warn | add_relationships_to_reports | No definition for the idref in the package |
Including rel[“id”] in rep[“id”] and added the source_ref rel[“source_ref”] to the report | Processing based on assumptions | 705 | warn | add_relationships_to_reports | No definition for the idref in the package |
Including rel[“id”] in rep[“id”] although the target_ref is unknown | Processing based on assumptions | 706 | warn | add_relationships_to_reports | one ref is in the report, and the other is a known id |
Including rel[“id”] in rep[“id”] although the source_ref is unknown | Processing based on assumptions | 707 | warn | add_relationships_to_reports | one ref is in the report, and the other is a known id |
Not including rel[“id”] in rep[“id”] because there is no corresponding SDO for rel[“target_ref”] | Processing based on assumptions | 708 | warn | add_relationships_to_reports | one ref is in the report, and the other is null |
Not including rel[“id”] in rep[“id”] because there is no corresponding SDO for rel[“source_ref”] | Processing based on assumptions | 709 | warn | add_relationships_to_reports | one ref is in the report, and the other is null |
All associated [xxx] relationships of [id] are assumed to not represent STIX 1.2 versioning | Processing based on assumptions | 710 | warn | convert_xxxx | |
ciq name found in [id], possibly overriding other name | Processing based on assumptions | 711 | warn | convert_identity | |
Only one type pattern can be specified in [id] - using cybox | Processing based on assumptions | 712 | warn | convert_test_mechanism | |
[id] generated an identity associated with a victim | Processing based on assumptions | 713 | warn | convert_victim_targeting | use the ttp to create a “targets” relationship with an identity |
No condition given for [current_observable] - assume ‘=’ | Processing based on assumptions | 714 | warn | convert_condition, add_comparison_expression | |
Used MATCHES operator for [condition] | Processing based on assumptions | 715 | warn | create_term | |
Based on CIQ information, [id] is assumed to be an organization | Processing based on assumptions | 716 | warn | convert_identity | |
Threat actor [id] title is used for name property | Processing based on assumptions | 717 | info | convert_threat_actor | |
Using related-to for the [xxx] of [id] | Processing based on assumptions | 718 | warn | convert_incident | |
Using first Threat Actor motivation as primary_motivation. If more, as secondary_motivation | Processing based on assumptions | 719 | info | add_motivation_to_threat_actor | |
Could not resolve Marking Structure [id] | STIX elevator currently doesn’t process this content | 801 | warn | convert_marking_specification | |
1.x full file paths are not processed, yet | STIX elevator currently doesn’t process this content | 802 | warn | convert_file/convert_file_name_and_path_to_pattern | |
process:startup_info not handled yet | STIX elevator currently doesn’t process this content | 803 | warn | convert_windows_process | |
WinServiceObject.service_dll is not handled, yet. | STIX elevator currently doesn’t process this content | 804 | warn | convert_windows_service/convert_windows_service_to_pattern | |
CybOX object [object] not handled yet | STIX elevator currently doesn’t process this content | 805 | warn | convert_cybox_object | |
Email [property] not handled yet | STIX elevator currently doesn’t process this content | 806 | warn | convert_email_message_to_pattern | |
file:extended_properties:windows_pebinary_ext:optional_header is not implemented yet | STIX elevator currently doesn’t process this content | 807 | warn | convert_windows_executable_file_to_pattern | |
[object] found in [id] cannot be converted to a pattern, yet. | STIX elevator currently doesn’t process this content | 808 | warn | convert_object_to_pattern | |
Related Objects of cyber observables for [id] are not handled yet | STIX elevator currently doesn’t process this content | 809 | warn | convert_cybox_object | |
Negation of [id] is not handled yet | STIX elevator currently doesn’t process this content | 810 | warn | convert_indicator_to_pattern | |
Network Connection not implemented, yet. | STIX elevator currently doesn’t process this content | 811 | error | convert_network_connection_to_pattern | |
Condition on a hive property not handled. | STIX elevator currently doesn’t process this content | 812 | warn | convert_registry_key_to_pattern | |
Cannot convert CybOX 2.x class name [name] to an object_path_root_name | STIX elevator currently doesn’t process this content | 813 | error | convert_cybox_class_name_to_object_path_root_name | |
Parameter Observables in [id] are not handled, yet. | STIX elevator currently doesn’t process this content | 814 | warn | convert_course_of_action | |
[xxx] in [id] are not handled, yet. | STIX elevator currently doesn’t process this content | 815 | info | convert_vulnerability, convert_indicator | |
Ambiguous file path ‘%s’ was not processed | STIX elevator currently doesn’t process this content | 816 | warn | convert_file_name_and_path_to_pattern | |
‘first_observed’ and ‘last_observed’ data not available directly on {id} - using timestamp | Using parent or current timestamp | 901 | info | convert_observed_data | |
Using parent object timestamp on [identifying info] | Using parent or current timestamp | 902 | info | convert_timestamp, convert_timestamp_string | |
No valid time position information available in [id], using parent timestamp | Using parent or current timestamp | 903 | warn | convert_indicator | |
No ‘first_seen’ data on [id] - using timestamp | Using parent or current timestamp | 904 | info | convert_infrastructure | |
Timestamp not available for [entity], using current time | Using parent or current timestamp | 905 | warn | convert_timestamp | |
STIX Elevator 1.1.1 Coverage of CybOX 2.x Object Types
The following table associates the CybOX 2.x object types with their STIX 2.0 cyber observable types. For each CybOX object the table also indicates if the elevator is able to convert the CybOX object to STIX 2.0.
CybOX object types not listed have no corresponding STIX 2.0 cyber observable type, and therefore are not converted by the Elevator.
CybOX 2.x Object Type | STIX 2.0 Cyber Observable Type | Converted in version 1.1.1 of the Elevator |
---|---|---|
Address | email-addr | yes |
Address | ipv4-addr | yes |
Address | ipv6-addr | yes |
Address | mac-addr | yes |
ArchiveFile | file:archive-ext | patterns only |
Artifact | artifact | no |
AutonomusSystem | autonomous-system | no |
File | directory | yes |
DomainName | domain-name | yes |
DNSQuery | none | no |
EmailMessage | email-message | yes |
File | file | yes |
HTTPClientRequest | network-traffic:http-request-ext | no |
HTTPSession | network-traffic | no |
ICMP(v4/v6) | network-traffic:icmp-ext | no |
ImageFile | file:raster-image-ext | no |
Link | none | no |
Mutex | mutex | yes |
NetworkConnection | network-traffic | yes |
PDFFile | file:pdf-ext | no |
Process | process | yes |
Product | software | no |
SocketAddress | network-traffic | yes |
Hostname | domain-name | yes |
Port | integer | yes |
TCP | network-traffic:tcp-ext | no |
URI | url | yes |
UnixUserAccount | user-account:unix-account-ext | no |
UserAccount/WinUserAccount | user-account | no |
WindowsRegistryKey | windows-registry-key | yes |
WinExecutableFile | file:windows-pebinary-ext | patterns only |
WinFile | ntfs-ext | no |
WinProcess | process:windows-process-ext | observables only |
WinService | process:windows-service-ext | yes |
X509Certificate | x509-certificate | no |
X509V3Extensions | x509-certificate:x509-v3-extensions-type | no |