cti-users message
Subject: Re: [cti-users] Help with python-stix


Hi Nick,

python-stix (for STIX 1.x) does not automatically resolve ID references for you, even for objects within the same STIX Package. STIX 1.x allows some “related” objects to be “embedded” in other objects (vs. being “references” to external objects); python-stix will create these relationships for you. For non-“embedded” relationships, python-stix will only create a relationship to a “stub” object that contains the idref. 

One approach I’ve seen useful is to keep a dictionary mapping IDs to the full python-stix objects, and use that dictionary to look objects up by ID.

(pseudo-code, untested)
id_map = {}
for incident in stix_package.incidents:
    id_map[incident.id_] = incident
for ttp in stix_package.ttps:
    id_map[ttp.id_] = ttp
…
related = indicator.related_ttps[0].item   # RelatedTTP.item holds the TTP (full object or idref stub)
if related.id_:   # embedded
    ttp = related
else:   # referenced
    ttp = id_map.get(related.idref)   # None if the referenced ID was never parsed

Keep in mind that the referenced object may occur later in the same XML document (which is why it’s better to parse the entire document before attempting to resolve any IDs), or may not even occur in any of the XML documents.

The difficulties in the approach from STIX 1 are one of the reasons that STIX 2 uses references for all relationships. python-stix2 will provide mechanisms for more easily resolving these references, but it will still be semi-manual.

If you have any more questions, feel free to ask.

Greg

On 2017-03-27, 4:44 AM, "cti-users@lists.oasis-open.org on behalf of Nicholas George" <cti-users@lists.oasis-open.org on behalf of nick.george@countersight.co> wrote:

    Hi cti-users,
    
    Python is not my strong point; I am trying to use the python-stix
    library to consume many stix packages from hailataxii.
    
    I have created an array of STIXPackages and am trying to iterate
    through them. What I don't get is how references (idref) between
    indicators, ttps, observables can work between packages. Will libstix
    magically link everything up for me? Or do I need to manually resolve
    idref references? I have attempted to see if it will 'just work' but
    am failing.
    
    I find the consumer examples on the stixproject website to be too
    trivial, are there any good examples of stix consumers that pull
    together lots of observables, indicators and ttps from a source like
    Hailataxii?
    
    Kind regards,
    Nick
    
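The two-pass lookup Greg describes, carried across several packages as Nick's use case needs, as an added example that is not part of the original thread or of python-stix. It uses constructed stand-in classes (Entity, Related, Package) that mimic only the python-stix attributes the approach depends on (id_ on full objects, idref on stubs, item on a RelatedTTP), so it runs without the library; the sample IDs and titles are made up. The first pass indexes every full object from every package before anything is resolved, so a reference that points at an object in a later package still resolves, and a reference to an ID that appears in no package is reported as unresolved rather than silently treated as data.

```python
"""Two-pass ID resolution across several STIX 1.x packages (illustrative example).

The stand-in classes below mimic the python-stix attributes the approach relies
on (id_ on full objects, idref on stubs, item on a RelatedTTP); they are
constructed here so the example runs without python-stix installed.
"""
import logging

log = logging.getLogger(__name__)


class Entity:
    """Constructed stand-in for a python-stix Indicator/TTP.

    A full object carries id_; a stub created from an idref carries only idref.
    """
    def __init__(self, id_=None, idref=None, title=None):
        self.id_ = id_
        self.idref = idref
        self.title = title
        self.related_ttps = []   # list of Related stand-ins


class Related:
    """Constructed stand-in for RelatedTTP: .item holds the TTP or its idref stub."""
    def __init__(self, item):
        self.item = item


class Package:
    """Constructed stand-in for STIXPackage with the collections used here."""
    def __init__(self, indicators=(), ttps=()):
        self.indicators = list(indicators)
        self.ttps = list(ttps)


def build_id_map(packages):
    """First pass: index every full (non-stub) object from every package by ID.

    Walk all packages before resolving anything: a reference may point at an
    object that appears later in the same document or in another package.
    """
    id_map = {}
    for pkg in packages:
        for obj in pkg.indicators + pkg.ttps:
            if obj.id_ is None:
                continue  # an idref stub, nothing to index
            if obj.id_ in id_map and id_map[obj.id_] is not obj:
                log.warning("duplicate id %s; keeping first occurrence", obj.id_)
                continue
            id_map[obj.id_] = obj
    return id_map


def resolve(obj, id_map):
    """Second pass: return the full object for an embedded or referenced item.

    Embedded objects (id_ set) are returned as-is; stubs (idref only) are looked
    up in id_map. Returns None when the referenced ID occurs in no package.
    """
    if obj.id_ is not None:
        return obj
    target = id_map.get(obj.idref)
    if target is None:
        log.warning("unresolved idref %s", obj.idref)
    return target


def resolve_indicator_ttps(packages):
    """Map each indicator ID to the titles of its resolved TTPs (None for dangling refs)."""
    id_map = build_id_map(packages)
    result = {}
    for pkg in packages:
        for ind in pkg.indicators:
            if ind.id_ is None:
                continue
            resolved = [resolve(rel.item, id_map) for rel in ind.related_ttps]
            result[ind.id_] = [t.title if t is not None else None for t in resolved]
    return result


# Constructed sample: the TTP referenced from package 1 is defined in package 2,
# one TTP is embedded directly in the indicator, and one reference is dangling.
TTP_PHISH = Entity(id_="example:ttp-1", title="Phishing")
TTP_C2 = Entity(id_="example:ttp-2", title="C2 beaconing")

IND_A = Entity(id_="example:indicator-a", title="bad domain")
IND_A.related_ttps = [Related(Entity(idref="example:ttp-2")),   # referenced, defined in a later package
                      Related(TTP_PHISH)]                        # embedded
IND_B = Entity(id_="example:indicator-b", title="bad hash")
IND_B.related_ttps = [Related(Entity(idref="example:ttp-missing"))]  # dangling reference

PACKAGES = [
    Package(indicators=[IND_A]),
    Package(indicators=[IND_B], ttps=[TTP_C2]),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(resolve_indicator_ttps(PACKAGES))
```

With real python-stix objects the same two functions apply unchanged as long as each collection is iterated the way the stand-ins are (indicators, ttps, and any other top-level collections the packages carry); the only thing to keep is the ordering: index every package first, resolve second.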