Warning Messages¶
When the elevator makes an assumption during the conversion of some content, or is unable to convert the content, a warning message is output.
General¶
| Message | Code | Level |
|---|---|---|
| Results produced by the stix2-elevator may generate warning messages which should be investigated | 201 | info |
| Observable Expressions should not contain placeholders | 202 | error |
| Placeholder id should be resolved | 203 | error |
| Found definition for id | 204 | info |
| At least one PLACEHOLDER idref was not resolved in id | 205 | error |
| At least one observable could not be converted in id | 206 | error |
| Options not initialized | 207 | error |
| EMPTY BUNDLE – No objects created from 1.x input document! | 208 | warn |
| Both console and output log have disabled messages. | 209 | info |
| OSError message | 210 | error |
| silent option is not compatible with a policy | 211 | warn |
| Created Marking Structure for id | 212 | info |
| custom_property_prefix is provided, but the missing policy is not ‘use-custom-properies’. It will be ignored. | 213 | warn |
| type option was not given, but it defaults to true for version 2.1” | 214 | info |
| Custom properties/objects/extensions are deprecated in version 2.1. Suggest using ‘use-extensions’ instead | 215 | info |
| The missing policy option of ‘use-extensions’ cannot be used with version 2.0. ‘use-custom-properies’ is suggested | 216 | error |
| ACS data markings cannot be supported in version 2.0. –acs option is ignored. | 217 | warn |
| Only one of the options –enable and –disable can be used | 218 | error |
| The STIX package header contained no extra information that needed to be generated in STIX 2.x | 219 | info |
| id was created to store the extra STIX package header information | 220 | info |
Handle STIX 1.x Content not supported in STIX 2.x¶
| Message | Code | Level |
|---|---|---|
The Short_Description property is no longer supported in STIX. The text was appended to the description property of id |
301 | info |
| Appended property_name to description of id | 302 | warn |
Title in type used for name, appending exploit_target id title in description property |
303 | info |
Appended confidence property content to description of id |
304 | warn |
Appended Statement type content to description of id |
305 | warn |
Appended Tool type content to description of id |
306 | warn |
| Missing property property_name of id is ignored | 307 | warn |
| Used custom property for property_name of id | 308 | warn |
| Missing property property_name of id is ignored, because there is no description property | 309 | warn |
| The Short_Description property in id is not supported in STIX 2.x. | 310 | info |
| Used an extension for objective of id | 311 | warn |
| No extension-definition was found for STIX 1 type type in id | 312 | warn |
| Used extension property for property_name of id | 313 | warn |
| Property property_name of id is ignored, because it can’t be represented in an extension | 314 | warn |
| New extension-definition id id was generated for type. id | 315 | warn |
| Custom Content property_name of id is ignored | 316 | warn |
| Used object_path for extension property for property_name | 317 | warn |
| Token in control set not recognized: token | 318 | warn |
| Used extensions for ACS data markings. See id | 319 | warn |
| Any extra STIX package header properties are ignored | 320 | warn |
Content not supported in STIX 2.x¶
| Message | Code | Level |
|---|---|---|
Information Source on id is not representable in STIX 2.x |
401 | warn |
Related_Packages type in id not supported in STIX 2.x |
402 | warn |
Campaign/Activity type in id not supported in STIX 2.x |
403 | warn |
| Structured COAs type in id are not supported in STIX 2.x | 404 | warn |
ExploitTarget/Weaknesses type in id not supported in STIX 2.x |
405 | warn |
ExploitTarget/Configurations type in id not supported in STIX 2.x |
406 | warn |
| Indicator id has an observable or indicator composite expression which may not supported correctly in STIX 2.x - please check this pattern | 407 | warn |
TTP/Behavior/Exploits/Exploit in id not supported in STIX 2.x |
408 | warn |
Infrastructure in id not part of STIX 2.0 |
409 | warn |
| IOC indicator in id cannot be converted to a STIX pattern | 410 | warn |
| Relationship rel_name in id for id is not explicitly supported in STIX 2.x. Expression pattern is ANDed | 411 | warn |
| Relationship rel_name in id for id is not explicitly supported in STIX 2.x. %s will be ANDed if/when resolved | 412 | warn |
| Kill Chains type in id not supported in STIX 2.x | 413 | warn |
| Victim Target in id did not yield any STIX 2.x object | 414 | warn |
| TTP id did not generate any STIX 2.x object | 415 | error |
| No STIX 2.x object generated from embedded object id | 416 | warn |
| object did not yield any STIX 2.x object | 417 | warn |
| The property property of STIX 1.x object type is not part of STIX 2.x | 418 | warn |
| id is used as a characteristic in an infrastructure object, therefore it is not included as an observed_data instance | 419 | warn |
| Windows Handles are not a part of STIX 2.x | 420 | warn |
| The address type address is not part of STIX 2.x | 421 | warn |
| No pattern term was created from id | 422 | warn |
| id is used as a pattern, therefore it is not included as an observed_data instance | 423 | warn |
| xxx content is not supported in STIX 2.x | 424 | warn |
| Could not resolve Marking Structure id | 425 | warn |
| MAEC content in id cannot be represented in STIX 2.x | 426 | warn |
| The relationship name relationship involving id is not explicitly supported in STIX 2.x | 427 | warn |
roles is not a property of a 2.x identity (id). Perhaps the roles are associated with a related Threat Actor |
428 | warn |
HTTPServerResponse type is not supported in STIX 2.x |
429 | warn |
| The confidence value value is not found on one of the confidence scales from the specification. No confidence can be inferred | 430 | warn |
| The confidence value value is not between 0 and 100, which is required for STIX 2.1. No confidence can be inferred | 431 | warn |
| The confidence value value cannot be converted | 432 | warn |
| Location with free text address in id not handled yet | 433 | warn |
| Observed Data objects cannot refer to other external objects: property name in type” | 434 | warn |
| CIQ Address information in id is not representable in 2.0 | 435 | warn |
| ACS data markings only supported when –acs option is used. See id | 436 | warn |
| Required property property_name is not populated on id | 437 | warn |
| A placeholder was generated for required property property_name of id | 438 | warn |
Multiple values are not supported in STIX 2.x¶
| Message | Code | Level |
|---|---|---|
| Cannot convert range of ip addr 1 to ip addr 2 in id to a CIDR | 501 | warn |
| Only one person name allowed for id in STIX 2.x, used name_1, name_2 becomes an alias | 502 | warn |
| Only one organization name allowed for id in STIX 2.x, used name_1, name_2 becomes an alias | 503 | warn |
| YARA/SNORT/IOC or other patterns are not supported in STIX 2.0. See id | 504 | warn |
| Only two pdfids are allowed for id, dropping pidid | 505 | warn |
| Only one alternative test mechanism allowed for id in STIX 2.x - used pattern_lang_1, dropped pattern_lang_2 | 506 | warn |
| Only one valid time window allowed for id in STIX 2.x - used first one | 507 | warn |
| Only one name for malware is allowed for id in STIX 2.x - used name_1, dropped name_2 | 508 | warn |
| No STIX 1.x vocab value given for property, using ‘unknown’ | 509 | warn |
| Only one property name allowed in STIX 2.x - used prop_value in id | 510 | warn |
| File size ‘window’ not allowed in top level observable, using first value | 511 | warn |
Only one HTTP_Request_Response used for http-request-ext, using first value |
512 | warn |
Possible issue in original STIX 1.x content¶
| Message | Code | Level |
|---|---|---|
| Dangling source reference source in id | 601 | error |
| Dangling target reference target in id | 602 | error |
| STIX 1.X ID: id was not mapped to STIX 2.x ID | 603 | warn |
| Unable to determine the STIX 2.x type for id | 604 | error |
| Malformed id id. Generated a new uuid | 605 | warn |
| Identity id has organization and person names | 606 | error |
| Dangling kill chain phase id in indicator id | 607 | error |
windows-registry-key is required to have a key property |
608 | error |
| condition was used, but two values were not provided. | 609 | error |
| No object mapped to old_id | 610 | warn |
| Can not associate old_id with None | 611 | error |
| Identity id must have a name, using ‘None’ | 612 | error |
| No type properties found in object | 613 | warn |
| Address direction in id is inconsistent, using ‘src’” | 614 | warn |
No WinProcess properties found in WinProcess |
615 | warn |
No WinService properties found in WinService |
616 | warn |
| The custom property name name does not adhere to the specification rules | 617 | warn |
| No ISO code for value in identifying_info | 618 | warn |
| No start/end time for the first valid time interval is available in id, other time intervals might be more appropriate | 619 | warn |
| Unable to create a pattern from a File object | 620 | warn |
| stix_1.x_property contains no value | 621 | warn |
| No term was yielded for id | 622 | warn |
| Hive property, hive_property_name, is already a prefix of the key property, key property name | 623 | warn |
| The custom property name name contains whitespace, replacing it with underscores | 624 | warn |
| Found duplicate marking structure id | 625 | info |
| hash_string is not a valid hash_type hash | 626 | warn |
| enum_value in id is not a member of the enum_type enumeration | 627 | warn |
| Unknown condition given in id - marked as ‘INVALID_CONDITION’ | 628 | warn |
| Unable to determine the STIX 2.x type for id, which is malformed | 629 | error |
| ‘equals’ allowed in id - should be ‘Equals’ | 630 | warn |
| Multiple administrative areas with multiple countries in id is not handled | 631 | warn |
| Unknown phase_id phase_id in id | 632 | warn |
| File path directory is empty file_path | 633 | warn |
| Any artifact additional artifact info on id is not recoverable | 634 | warn |
| id contains a observable composition, which implies it not an observation, but a pattern and needs to be contained within an indicator. | 635 | warn |
| Address direction in id is not provided, using ‘src’ | 636 | warn |
| cisa-proprietary is only permitted when ais-consent is everyone, so it has been dropped. See id | 637 | warn |
| Indicator id does not contain the information necessary to generate a pattern | 638 | warn |
| This observable id already is associated with cyber observables | 639 | warn |
| Unable to determine the hash type for hash value | 640 | warn |
| Required property property is not provided for ACS data marking | 641 | warn |
| id was created without the xsi:type attribute. Some content might be missing | 642 | warn |
| ACS identifier identifier is not valid | 643 | warn |
| Observable object from pattern cannot be an observed_data_ref of a sighting. See id | 644 | warn |
| Only one of the properties: Hostname and IP_Address is allowed. Dropping Hostname name | 645 | warn |
| Exploit targets are part of STIX 1x TTP id. Assuming they are related | 646 | warn |
STIX Elevator conversion based on assumptions¶
| Message | Code | Level |
|---|---|---|
| Threat Actor identity id being used as basis of attributed-to relationship | 701 | info |
| Found STIX 1.X ID: old_id replaced by new_id | 702 | info |
| old_id is already associated other ids: tuple_of_new_ids | 703 | info |
| Including id of relationship in id of report and added the target_ref target_ref to the report | 704 | warn |
| Including id of relationship in id of report and added the source_ref source_ref to the report | 705 | warn |
| Including id of relationship in id of report although the target_ref is unknown | 706 | warn |
| Including id of relationship in id of report although the source_ref is unknown | 707 | warn |
| Not including id of relationship in id of report because there is no corresponding SDO for target_ref | 708 | warn |
| Not including id of relationship in id of report because there is no corresponding SDO for source_ref | 709 | warn |
| All associated relationship name relationships of id are assumed to not represent STIX 1.2 versioning | 710 | info |
| ciq name found in id, possibly overriding other name | 711 | warn |
| Only one type pattern can be specified in id - using ‘stix’ | 712 | warn |
| id generated an identity associated with a victim | 713 | info |
| No condition given for term in current_observable - assume ‘=’ | 714 | warn |
| Used MATCHES operator for condition | 715 | info |
| Based on CIQ information, id is assumed to be an organization | 716 | warn |
| Threat actor id title is used for name property | 717 | info |
| Using relationship_name for the property of id | 718 | warn |
Using first Threat Actor motivation as primary_motivation value. If more, use secondary_motivation |
719 | info |
The published property is required for STIX 2.x Report id, using the created property |
720 | info |
apply_condition assumed to be ‘ANY’ in id |
721 | warn |
content_type for body_multipart of attachment id is assumed to be ‘text/plain’ |
722 | info |
| The confidence value in value assumed to be a value on a scale between 0 and 100 | 723 | warn |
| The confidence value in value has been converted to an integer so it is valid in STIX 2.1 | 724 | warn |
| port number is assumed to be a destination port | 725 | warn |
| “stix1_id already used, generated new id *stix2_id | 726 | warn |
| Custom property name property has been converted to all lower case | 727 | warn |
| The is_family property of malware instance id is assumed to be true | 728 | info |
| Included parent markings for Relationship id and Location id | 729 | info |
| Number of sightings given is different than sightings_count in id | 730 | warn |
STIX elevator currently doesn’t process this content¶
| Message | Code | Level |
|---|---|---|
| Could not resolve Marking Structure id | 801 | warn |
| STIX 1.x full file paths are not processed, yet | 802 | warn |
| Location id may not contain all aspects of the STIX 1.x CIQAddress object | 803 | warn |
| Object reference id may not be handled correctly | 804 | warn |
| CybOX object object not handled yet | 805 | warn |
| Email property not handled yet | 806 | warn |
file:extended_properties:windows_pebinary_ext:optional_header is not implemented yet |
807 | warn |
| object found in id cannot be converted to a pattern, yet. | 808 | warn |
Related Objects of cyber observables for id are not handled yet. Not currently in use. |
809 | warn |
| Negation of id is not handled yet | 810 | warn |
| Custom object with no name cannot be handled yet | 811 | warn |
| Condition condition on a hive property not handled. | 812 | warn |
| Cannot convert CybOX 2.x class name name to an object_path_root_name | 813 | error |
Not in use |
814 | warn |
| property in id are not handled, yet. | 815 | info |
| Ambiguous file path path was not processed | 816 | warn |
| Pattern expression with STIX 1.x custom objects in id is ignored | 817 | warn |
| Pattern expression with STIX 1.x custom properties in id is ignored | 818 | warn |
Missing Required Timestamp¶
| Message | Code | Level |
|---|---|---|
first_observed and last_observed properties not available directly on id - using timestamp |
901 | info |
| Using parent object timestamp on identifying_info | 902 | info |
| No valid time position information available in id, using parent timestamp | 903 | warn |
No first_seen property on id - using timestamp |
904 | info |
| Timestamp not available for entity, using current time | 905 | warn |