Subject: Re: [cti-users] Help with python-stix
Hi Nick,
python-stix (for STIX 1.x) does not automatically resolve ID references for you, even for objects within the same STIX Package. STIX 1.x allows some “related” objects to be “embedded” in other objects (vs. being “references” to external objects); python-stix will create these relationships for you. For non-“embedded” relationships, python-stix will only create a relationship to a “stub” object that contains the idref.
One approach I’ve seen useful is to keep a dictionary mapping IDs to the full python-stix objects, and use that dictionary to look objects up by ID.
(pseudo-code, untested)
id_map = {}
for incident in stix_package.incidents:
    id_map[incident.id_] = incident
for ttp in stix_package.ttps:
    id_map[ttp.id_] = ttp  # map the TTP object itself under its id
…
# An Indicator exposes its TTP links as indicated_ttps; each entry is a
# RelatedTTP wrapper whose .item is the TTP: the full object if it was
# embedded, or a stub carrying only idref if it was referenced.
ttp = indicator.indicated_ttps[0].item
if not ttp.id_:  # referenced: only an idref stub
    ttp = id_map.get(ttp.idref)  # None if the target was never parsed
# else: embedded, ttp is already the full object
Keep in mind that the referenced object may occur later in the same XML document (which is why it’s better to parse the entire document before attempting to resolve any IDs), or may not even occur in any of the XML documents.
The difficulties in the approach from STIX 1 are one of the reasons that STIX 2 uses references for all relationships. python-stix2 will provide mechanisms for more easily resolving these references, but it will still be semi-manual.
If you have any more questions, feel free to ask.
Greg
On 2017-03-27, 4:44 AM, "cti-users@lists.oasis-open.org on behalf of Nicholas George" <cti-users@lists.oasis-open.org on behalf of nick.george@countersight.co> wrote:
Hi cti-users,
Python is not my strong point; I am trying to use the python-stix
library to consume many stix packages from hailataxii.
I have created an array of STIXPackages and am trying to iterate
through them. What I don't get is how references (idref) between
indicators, ttps, observables can work between packages. Will libstix
magically link everything up for me? Or do I need to manually resolve
idref references? I have attempted to see if it will 'just work' but
am failing.
I find the consumer examples on the stixproject website to be too
trivial, are there any good examples of stix consumers that pull
together lots of observables, indicators and ttps from a source like
Hailataxii?
Kind regards,
Nick
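An added example of the index-first approach Greg describes, written against the raw STIX 1.x XML with only the Python standard library rather than python-stix (this is not code from the thread, and the two packages are constructed). It indexes every id across all packages before resolving any idref, so a reference to a TTP that appears later or in another package still resolves, and a reference with no target is reported as dangling instead of failing.

```python
import xml.etree.ElementTree as ET
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "stixCommon": "http://stix.mitre.org/common-1"}
# Constructed sample packages (not real HailATAXII data; xsi:type details trimmed).
# Package A references one TTP defined only in package B and one that exists nowhere.
PACKAGE_A = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:stixCommon="http://stix.mitre.org/common-1" id="example:Package-a">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1">
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2">
      <indicator:Indicated_TTP><stixCommon:TTP id="example:ttp-embedded"/></indicator:Indicated_TTP>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3">
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-missing"/></indicator:Indicated_TTP>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""
PACKAGE_B = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" id="example:Package-b">
  <stix:TTPs><stix:TTP id="example:ttp-1"/></stix:TTPs>
</stix:STIX_Package>"""

def build_id_map(packages):
    """Pass 1: index every element that carries an id, across all packages."""
    id_map = {}
    for root in packages:
        for el in root.iter():
            if el.get("id"):
                id_map[el.get("id")] = el
    return id_map

def resolve_indicated_ttps(packages):
    """Pass 2: indicator id -> (ttp id, 'embedded' | 'resolved' | 'dangling')."""
    id_map = build_id_map(packages)  # whole corpus first, so forward refs resolve
    result = {}
    for root in packages:
        for ind in root.iterfind(".//stix:Indicator", NS):
            for ttp in ind.iterfind("indicator:Indicated_TTP/stixCommon:TTP", NS):
                if ttp.get("id"):  # embedded: the full TTP is right here
                    result[ind.get("id")] = (ttp.get("id"), "embedded")
                else:  # referenced: only an idref stub; target may be absent
                    status = "resolved" if ttp.get("idref") in id_map else "dangling"
                    result[ind.get("id")] = (ttp.get("idref"), status)
    return result

PACKAGES = [ET.fromstring(PACKAGE_A), ET.fromstring(PACKAGE_B)]
```

Dangling entries are the ones to log rather than silently drop: with a feed like HailATAXII, a missing target usually means the referenced object lives in a package you have not fetched yet.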