Subject: Re: [cti-users] Help with python-stix
Hi Nick,

python-stix (for STIX 1.x) does not automatically resolve ID references for you, even for objects within the same STIX Package. STIX 1.x allows some “related” objects to be “embedded” in other objects (vs. being “references” to external objects); python-stix will create these relationships for you. For non-“embedded” relationships, python-stix will only create a relationship to a “stub” object that contains the idref.

One approach I’ve seen useful is to keep a dictionary mapping IDs to the full python-stix objects, and use that dictionary to look objects up by ID.

(pseudo-code, untested)

    id_map = {}
    for incident in stix_package.incidents:
        id_map[incident.id_] = incident
    for ttp in stix_package.ttps:
        id_map[ttp.id_] = ttp
    …
    if indicator.related_ttps[0].id_:
        # embedded
        ttp = indicator.related_ttps[0]
    else:
        # referenced
        ttp = id_map.get(indicator.related_ttps[0].idref)

Keep in mind that the referenced object may occur later in the same XML document (which is why it’s better to parse the entire document before attempting to resolve any IDs), or may not even occur in any of the XML documents.

The difficulties in the approach from STIX 1 is one of the reasons that STIX 2 uses references for all relationships. python-stix2 will provide mechanisms for more easily resolving these references, but it will still be semi-manual.

If you have any more questions, feel free to ask.

Greg

On 2017-03-27, 4:44 AM, "cti-users@lists.oasis-open.org on behalf of Nicholas George" <cti-users@lists.oasis-open.org on behalf of nick.george@countersight.co> wrote:

Hi cti-users,

Python is not my strong point. I am trying to use the python-stix library to consume many stix packages from hailataxii. I have created an array of STIXPackages and am trying to iterate through them. What I don't get is how references (idref) between indicators, ttps, observables can work between packages. Will libstix magically link everything up for me? Or do I need to manually resolve idref references?
I have attempted to see if it will 'just work' but am failing. I find the consumer examples on the stixproject website to be too trivial. Are there any good examples of stix consumers that pull together lots of observables, indicators and ttps from a source like Hailataxii?

Kind regards,
Nick
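The id-map approach described in the reply above, worked through as an added example (written for this thread, not code from python-stix or from either poster). It uses only the standard library on two constructed STIX 1.x packages, indexes every id across both documents before resolving anything, and then follows each indicator's Indicated_TTP whether it is embedded, a forward reference within the same package, a reference into the other package, or dangling. Element names follow the STIX 1.x schema; the package contents and IDs are made up.

```python
"""Resolve STIX 1.x id/idref links across several packages (stdlib only, hypothetical)."""
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1", "indicator": "http://stix.mitre.org/Indicator-2",
      "stixCommon": "http://stix.mitre.org/common-1", "ttp": "http://stix.mitre.org/TTP-1"}
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())

# Constructed sample packages, not real feed data (xsi:type attributes omitted for brevity).
# indicator-1 points forward to a TTP later in the same package, indicator-2 points into
# the other package, indicator-3 embeds its TTP, indicator-4 dangles.
PACKAGE_A = """<stix:STIX_Package %s id="example:package-a">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1"><indicator:Indicated_TTP>
   <stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP></stix:Indicator>
  <stix:Indicator id="example:indicator-2"><indicator:Indicated_TTP>
   <stixCommon:TTP idref="example:ttp-2"/></indicator:Indicated_TTP></stix:Indicator>
  <stix:Indicator id="example:indicator-3"><indicator:Indicated_TTP>
   <stixCommon:TTP id="example:ttp-3"><ttp:Title>Watering hole</ttp:Title></stixCommon:TTP>
  </indicator:Indicated_TTP></stix:Indicator>
  <stix:Indicator id="example:indicator-4"><indicator:Indicated_TTP>
   <stixCommon:TTP idref="example:ttp-missing"/></indicator:Indicated_TTP></stix:Indicator>
 </stix:Indicators>
 <stix:TTPs><stix:TTP id="example:ttp-1"><ttp:Title>Spear phishing</ttp:Title></stix:TTP></stix:TTPs>
</stix:STIX_Package>""" % XMLNS
PACKAGE_B = """<stix:STIX_Package %s id="example:package-b">
 <stix:TTPs><stix:TTP id="example:ttp-2"><ttp:Title>Drive-by download</ttp:Title></stix:TTP></stix:TTPs>
</stix:STIX_Package>""" % XMLNS

def build_id_map(roots):
    """Index every element that carries an id, across all packages, before resolving
    anything: an idref may point forward in the same document or into another one."""
    id_map = {}
    for root in roots:
        for elem in root.iter():
            if "id" in elem.attrib:
                id_map[elem.attrib["id"]] = elem
    return id_map

def resolve_indicated_ttps(packages):
    """Map each indicator id to the title of its indicated TTP (None if unresolvable)."""
    roots = [ET.fromstring(xml) for xml in packages]
    id_map = build_id_map(roots)
    resolved = {}
    for root in roots:
        for ind in root.iterfind(".//stix:Indicator", NS):
            for ref in ind.iterfind("indicator:Indicated_TTP/stixCommon:TTP", NS):
                # Embedded object: it carries its own id. Referenced: only an idref stub.
                target = ref if "id" in ref.attrib else id_map.get(ref.get("idref"))
                resolved[ind.get("id")] = target.findtext("ttp:Title", namespaces=NS) if target is not None else None
    return resolved
```

A dangling idref resolves to None rather than raising, which is the case to log and count when consuming a feed, since the missing object may simply live in a package you have not fetched yet.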