Skip to main content

Utilities to upgrade STIX and CybOX content to 2.0

Project description

NOTE: This is an OASIS Open Repository. See the Governance section for more information.

The stix-elevator is a software tool for converting STIX 1.x XML to STIX 2.0 JSON. Due to the differences between STIX 1.x and STIX 2.0, this conversion is best-effort only, and stix-elevator cannot convert from STIX 2.0 JSON back to STIX 1.x XML. During the conversion, stix-elevator provides information on the assumptions it needs to make to produce valid STIX 2.0 JSON, and what information was not able to be converted.

The stix-elevator is a work-in-progress. It should be used to explore how existing STIX 1.x would potentially be represented in STIX 2.0. Using the current version of the elevator will provide insight to issues that might need to be mitigated to convert your STIX 1.x content.

It should not be used in a production environment, and should not be considered final.

STIX 1.x Composite Indicator Expressions and CybOX 2.x Composite Observable Expressions allow a level of flexibility not present in STIX 2 patterns. These composite expressions can frequently have ambiguous interpretations, so STIX 2 Indicators created by the stix-elevator from STIX 1.x Indicators containing composite expressions should be inspected to ensure the STIX 2 Indicator has the intended meaning.

Please enter any comments on how to improve it into the issue tracker.


  • Python 2.6, 2.7, or 3.3+

  • python-stix and its dependencies

  • stix2-validator >= 0.4.0 and its dependencies

  • pycountry >= 1.20


Install with pip:

$ pip install stix2-elevator

This will install all necessary dependencies, including the latest version of python-stix.

If you need to support older STIX 1.1.1 content, install python-stix 1.1.1.x first:

$ pip install stix<1.2
$ pip install stix2-elevator

You can also install the stix-elevator from GitHub to get the latest (unstable) version:

$ pip install git+


As A Script

The elevator comes with a bundled script which you can use to elevate STIX 1.1.1 - 1.2.1 content to STIX 2.0 content:

usage: stix2_elevator [-h] [--incidents] [--no-squirrel-gaps] [--infrastructure]
          [--package-created-by-id PACKAGE_CREATED_BY_ID]
          [--default-timestamp DEFAULT_TIMESTAMP]
          [--validator-args VALIDATOR_ARGS] [-e ENABLE] [-d DISABLE] [-s]
          [--message-log-directory MESSAGE_LOG_DIRECTORY]
          [--log-level {DEBUG,INFO,WARN,ERROR,CRITICAL}]
          [-p {no_policy,strict_policy}]

stix2-elevator v1.0.0

The stix2-elevator is a work-in-progress. It should be used to explore how
existing STIX 1.x would potentially be represented in STIX 2.0. Using the
current version of the stix2-elevator will provide insight to issues that might need
to be mitigated to convert your STIX 1.x content.

positional arguments:
  file                  The input STIX 1.x document to be elevated.

optional arguments:
  -h, --help            show this help message and exit

  --incidents           Incidents will be included in the conversion.

  --no-squirrel-gaps    Do not include STIX 1.x content that cannot be
                        represented directly in STIX 2.0 using the description

  --infrastructure      Infrastructure will be included in the conversion.

  --package-created-by-id PACKAGE_CREATED_BY_ID
                        Use provided identifier for "created_by_ref"
                        properties.Example: --package-created-by-id "identity

  --default-timestamp DEFAULT_TIMESTAMP
                        Use provided timestamp for properties that require a
                        timestamp. Example: --default-timestamp

  --validator-args VALIDATOR_ARGS
                        Arguments to pass stix-validator. Default: --strict-
                        types Example: <file> --validator-
                        args "-v --strict-types -d 212"

  -e ENABLE, --enable ENABLE
                        A comma-separated list of the stix2-elevator messages
                        to enable. If the --disable option is not used, no
                        other messages will be shown. Example:
               <file> --enable 250

  -d DISABLE, --disable DISABLE
                        A comma-separated list of the stix2-elevator messages
                        to disable. Example: <file>
                        --disable 212,220

  -s, --silent          If this flag is set. All stix2-elevator messages will
                        be disabled.

 --message-log-directory MESSAGE_LOG_DIRECTORY
                        If this flag is set. All stix2-elevator messages will
                        be saved to file. The name of the file will be the
                        input file with extension .log in the specified
                        directory. Note, make surethe directory already
                        exists. Example: <file> --message-
                        log-directory "..\logs"

                        The logging output level.

  -p {no_policy,strict_policy}, --policy {no_policy,strict_policy}
                        The policy to dealt with errors

The following table shows all stix2-elevator messages. Use the associate code number to –enable or –disable a message. By default, the stix2-elevator displays all messages. Note: disabling the message does not disable the functionality.

Refer to elevator_log_messages.xlsx for error codes.

As A Library

You can also use this library to integrate STIX elevation into your own tools. You can elevate a STIX 1.x file:

from stix2elevator import elevate_file
from stix2elevator.options import initialize_options

results = elevate_file("stix_file.xml")

Additionally, a similar method exists to accept a string as an argument:

from stix2elevator import elevate_string
from stix2elevator.options import initialize_options

results = elevate_string("...")

To set options, use set_option_value, found in


This GitHub public repository ( ) was proposed and approved [bis] by the OASIS Cyber Threat Intelligence (CTI) TC as an OASIS Open Repository to support development of open source resources related to Technical Committee work.

While this Open Repository remains associated with the sponsor TC, its development priorities, leadership, intellectual property terms, participation rules, and other matters of governance are separate and distinct from the OASIS TC Process and related policies.

All contributions made to this Open Repository are subject to open source license terms expressed in the BSD-3-Clause License. That license was selected as the declared “Applicable License” when the Open Repository was created.

As documented in “Public Participation Invited”, contributions to this OASIS Open Repository are invited from all parties, whether affiliated with OASIS or not. Participants must have a GitHub account, but no fees or OASIS membership obligations are required. Participation is expected to be consistent with the OASIS Open Repository Guidelines and Procedures, the open source LICENSE designated for this particular repository, and the requirement for an Individual Contributor License Agreement that governs intellectual property.


Open Repository Maintainers are responsible for oversight of this project’s community development activities, including evaluation of GitHub pull requests and preserving open source principles of openness and fairness. Maintainers are recognized and trusted experts who serve to implement community goals and consensus design preferences.

Initially, the associated TC members have designated one or more persons to serve as Maintainer(s); subsequently, participating community members may select additional or substitute Maintainers, per consensus agreements.

Current Maintainers of this Open Repository

About OASIS Open Repositories


Questions or comments about this Open Repository’s activities should be composed as GitHub issues or comments. If use of an issue/comment is not possible or appropriate, questions may be directed by email to the Maintainer(s) listed above. Please send general questions about Open Repository participation to OASIS Staff at and any specific CLA-related questions to

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release. See tutorial on generating distribution archives.

Built Distribution

stix2_elevator-1.0.0-py2.py3-none-any.whl (56.1 kB view hashes)

Uploaded py2 py3

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page