2017-11-01 15:01:41 +01:00
{
"cells": [
2017-11-09 21:42:59 +01:00
{
"cell_type": "code",
"execution_count": 1,
"metadata": {
"collapsed": true,
"nbsphinx": "hidden"
},
"outputs": [],
"source": [
"# Delete this cell to re-enable tracebacks\n",
"import sys\n",
"ipython = get_ipython()\n",
"\n",
"def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
" exception_only=False, running_compiled_code=False):\n",
" etype, value, tb = sys.exc_info()\n",
" return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
"\n",
"ipython.showtraceback = hide_traceback"
]
},
{
"cell_type": "code",
2018-04-05 22:44:44 +02:00
"execution_count": 1,
2017-11-09 21:42:59 +01:00
"metadata": {
"nbsphinx": "hidden"
},
"outputs": [],
"source": [
"# JSON output syntax highlighting\n",
"from __future__ import print_function\n",
"from pygments import highlight\n",
2018-04-05 22:44:44 +02:00
"from pygments.lexers import JsonLexer, TextLexer\n",
2017-11-09 21:42:59 +01:00
"from pygments.formatters import HtmlFormatter\n",
2018-04-05 22:44:44 +02:00
"from IPython.display import display, HTML\n",
"from IPython.core.interactiveshell import InteractiveShell\n",
2017-11-09 21:42:59 +01:00
"\n",
2018-04-05 22:44:44 +02:00
"InteractiveShell.ast_node_interactivity = \"all\"\n",
2017-11-09 21:42:59 +01:00
"\n",
"def json_print(inpt):\n",
" string = str(inpt)\n",
2018-04-05 22:44:44 +02:00
" formatter = HtmlFormatter()\n",
2017-11-09 21:42:59 +01:00
" if string[0] == '{':\n",
2018-04-05 22:44:44 +02:00
" lexer = JsonLexer()\n",
2017-11-09 21:42:59 +01:00
" else:\n",
2018-04-05 22:44:44 +02:00
" lexer = TextLexer()\n",
" return HTML('<style type=\"text/css\">{}</style>{}'.format(\n",
" formatter.get_style_defs('.highlight'),\n",
" highlight(string, lexer, formatter)))\n",
2017-11-09 21:42:59 +01:00
"\n",
2018-04-05 22:44:44 +02:00
"globals()['print'] = json_print"
2017-11-09 21:42:59 +01:00
]
},
2017-11-01 15:01:41 +01:00
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Technical Specification Support\n",
"\n",
2018-04-09 19:29:53 +02:00
"### How imports work\n",
2017-11-01 15:01:41 +01:00
"\n",
"Imports can be used in different ways depending on the use case and support levels.\n",
"\n",
2017-11-09 21:42:59 +01:00
"People who want to support the latest version of STIX 2.X without having to make changes, can implicitly use the latest version:"
2017-11-01 15:01:41 +01:00
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"import stix2\n",
"\n",
"stix2.Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"or,"
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"from stix2 import Indicator\n",
"\n",
"Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
2017-11-09 21:42:59 +01:00
"People who want to use an explicit version:"
2017-11-01 15:01:41 +01:00
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"import stix2.v20\n",
"\n",
"stix2.v20.Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"or,"
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"from stix2.v20 import Indicator\n",
"\n",
"Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"or even,"
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"import stix2.v20 as stix2\n",
"\n",
"stix2.Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"The last option makes it easy to update to a new version in one place per file, once you've made the deliberate action to do this.\n",
"\n",
"People who want to use multiple versions in a single file:"
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"import stix2\n",
"\n",
"stix2.v20.Indicator()\n",
"stix2.v21.Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"or,"
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"from stix2 import v20, v21\n",
"\n",
"v20.Indicator()\n",
"v21.Indicator()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"or (less preferred):"
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"from stix2.v20 import Indicator as Indicator_v20\n",
"from stix2.v21 import Indicator as Indicator_v21\n",
"\n",
"Indicator_v20()\n",
"Indicator_v21()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
2018-04-09 19:29:53 +02:00
"### How parsing works\n",
2018-10-31 18:39:09 +01:00
"If the ``version`` positional argument is not provided. The library will make the best attempt using the \"spec_version\" property found on a Bundle, SDOs, and SROs.\n",
2017-11-01 15:01:41 +01:00
"\n",
2017-11-09 21:42:59 +01:00
"You can lock your [parse()](../api/stix2.core.rst#stix2.core.parse) method to a specific STIX version by:"
2017-11-01 15:01:41 +01:00
]
},
{
"cell_type": "code",
2018-04-05 22:44:44 +02:00
"execution_count": 2,
2017-11-03 19:22:15 +01:00
"metadata": {},
"outputs": [
{
2017-11-09 21:42:59 +01:00
"data": {
"text/html": [
"<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n",
".highlight { background: #f8f8f8; }\n",
".highlight .c { color: #408080; font-style: italic } /* Comment */\n",
".highlight .err { border: 1px solid #FF0000 } /* Error */\n",
".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n",
".highlight .o { color: #666666 } /* Operator */\n",
".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n",
".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n",
".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n",
".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n",
".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n",
".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n",
".highlight .gd { color: #A00000 } /* Generic.Deleted */\n",
".highlight .ge { font-style: italic } /* Generic.Emph */\n",
".highlight .gr { color: #FF0000 } /* Generic.Error */\n",
".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n",
".highlight .gi { color: #00A000 } /* Generic.Inserted */\n",
".highlight .go { color: #888888 } /* Generic.Output */\n",
".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n",
".highlight .gs { font-weight: bold } /* Generic.Strong */\n",
".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n",
".highlight .gt { color: #0044DD } /* Generic.Traceback */\n",
".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n",
".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n",
".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n",
".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n",
".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n",
".highlight .kt { color: #B00040 } /* Keyword.Type */\n",
".highlight .m { color: #666666 } /* Literal.Number */\n",
".highlight .s { color: #BA2121 } /* Literal.String */\n",
".highlight .na { color: #7D9029 } /* Name.Attribute */\n",
".highlight .nb { color: #008000 } /* Name.Builtin */\n",
".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n",
".highlight .no { color: #880000 } /* Name.Constant */\n",
".highlight .nd { color: #AA22FF } /* Name.Decorator */\n",
".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n",
".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n",
".highlight .nf { color: #0000FF } /* Name.Function */\n",
".highlight .nl { color: #A0A000 } /* Name.Label */\n",
".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n",
".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n",
".highlight .nv { color: #19177C } /* Name.Variable */\n",
".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n",
".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n",
".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n",
".highlight .mf { color: #666666 } /* Literal.Number.Float */\n",
".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n",
".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n",
".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n",
".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n",
".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n",
".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n",
".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n",
".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n",
".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n",
".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n",
".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n",
".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n",
".highlight .sx { color: #008000 } /* Literal.String.Other */\n",
".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n",
".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n",
".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n",
".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n",
".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n",
".highlight .vc { color: #19177C } /* Name.Variable.Class */\n",
".highlight .vg { color: #19177C } /* Name.Variable.Global */\n",
".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n",
".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n",
".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n",
" <span class=\"nt\">"type"</span><span class=\"p\">:</span> <span class=\"s2\">"indicator"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"id"</span><span class=\"p\">:</span> <span class=\"s2\">"indicator--dbcbd659-c927-4f9a-994f-0a2632274394"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"created"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-09-26T23:33:39.829Z"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"modified"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-09-26T23:33:39.829Z"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"name"</span><span class=\"p\">:</span> <span class=\"s2\">"File hash for malware variant"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"pattern"</span><span class=\"p\">:</span> <span class=\"s2\">"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"valid_from"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-09-26T23:33:39.829952Z"</span><span class=\"p\">,</span>\n",
" <span class=\"nt\">"labels"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n",
" <span class=\"s2\">"malicious-activity"</span>\n",
" <span class=\"p\">]</span>\n",
"<span class=\"p\">}</span>\n",
"</pre></div>\n"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
2018-04-05 22:44:44 +02:00
"execution_count": 2,
2017-11-09 21:42:59 +01:00
"metadata": {},
"output_type": "execute_result"
2017-11-03 19:22:15 +01:00
}
],
2017-11-01 15:01:41 +01:00
"source": [
"from stix2 import parse\n",
"\n",
"indicator = parse(\"\"\"{\n",
" \"type\": \"indicator\",\n",
" \"id\": \"indicator--dbcbd659-c927-4f9a-994f-0a2632274394\",\n",
" \"created\": \"2017-09-26T23:33:39.829Z\",\n",
" \"modified\": \"2017-09-26T23:33:39.829Z\",\n",
" \"labels\": [\n",
" \"malicious-activity\"\n",
" ],\n",
" \"name\": \"File hash for malware variant\",\n",
" \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
" \"valid_from\": \"2017-09-26T23:33:39.829952Z\"\n",
"}\"\"\", version=\"2.0\")\n",
"print(indicator)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Keep in mind that if a 2.1 or higher object is parsed, the operation will fail."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
2018-04-09 19:29:53 +02:00
"### How custom content works\n",
2017-11-01 15:01:41 +01:00
"\n",
2019-09-30 19:16:06 +02:00
"[CustomObject](../api/v20/stix2.v20.sdo.rst#stix2.v20.sdo.CustomObject), [CustomObservable](../api/v20/stix2.v20.observables.rst#stix2.v20.observables.CustomObservable), [CustomMarking](../api/v20/stix2.v20.common.rst#stix2.v20.common.CustomMarking) and [CustomExtension](../api/v20/stix2.v20.observables.rst#stix2.v20.observables.CustomExtension) must be registered explicitly by STIX version. This is a design decision since properties or requirements may change as the STIX Technical Specification advances.\n",
2017-11-01 15:01:41 +01:00
"\n",
2017-11-09 21:42:59 +01:00
"You can perform this by:"
2017-11-01 15:01:41 +01:00
]
},
{
"cell_type": "code",
"execution_count": null,
2017-11-09 21:42:59 +01:00
"metadata": {
"collapsed": true
},
2017-11-01 15:01:41 +01:00
"outputs": [],
"source": [
"import stix2\n",
"\n",
"# Make my custom observable available in STIX 2.0\n",
"@stix2.v20.CustomObservable('x-new-object-type',\n",
" ((\"prop\", stix2.properties.BooleanProperty())))\n",
"class NewObject2(object):\n",
" pass\n",
"\n",
"\n",
"# Make my custom observable available in STIX 2.1\n",
"@stix2.v21.CustomObservable('x-new-object-type',\n",
" ((\"prop\", stix2.properties.BooleanProperty())))\n",
"class NewObject2(object):\n",
" pass"
]
}
],
2017-11-09 21:42:59 +01:00
"metadata": {
"kernelspec": {
2018-04-05 22:44:44 +02:00
"display_name": "Python 3",
2017-11-09 21:42:59 +01:00
"language": "python",
2018-04-05 22:44:44 +02:00
"name": "python3"
2017-11-09 21:42:59 +01:00
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
2018-04-05 22:44:44 +02:00
"version": 3
2017-11-09 21:42:59 +01:00
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
2018-04-05 22:44:44 +02:00
"pygments_lexer": "ipython3",
"version": "3.6.3"
2017-11-09 21:42:59 +01:00
}
},
2017-11-01 15:01:41 +01:00
"nbformat": 4,
2017-11-09 21:42:59 +01:00
"nbformat_minor": 1
2017-11-01 15:01:41 +01:00
}