updating docs
parent 54e917110e
commit 815d0e2794
@ -12,7 +12,6 @@
"* **get()** - search/retrieve most current STIX SDO/SRO via its ID\n",
"* **all_versions()** - search/retrieve all versions of STIX SDO/SRO via its id\n",
"* **query()** - search/retrieve STIX SDO/SRO(s) via search filters\n",
"* **add_filters()** - attach filter(s) to the DataSource\n",
" \n",
"### DataSink API (snapshot)\n",
"* **add()** - add a set of STIX SDO/SRO to a target endpoint.\n",
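Review bot: the header `-12,7 +12,6` drops one line from the DataSource API list but nothing is added in its place, so the snapshot no longer tells the reader how filters are attached. The examples later in this commit attach them through the `filters` set (`fs.source.filters.add(f)`, `fs.source.filters.update([f1,f2])`), so if the `add_filters()` bullet is the line going, replace it with one describing that attribute (e.g. "* **filters** - set of Filter objects applied to every query on this DataSource") rather than dropping the capability from the list.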
@ -23,7 +22,6 @@
"* **get()**\n",
"* **all_versions()**\n",
"* **query()**\n",
"* **add_filters()**\n",
"* **add()**\n",
"\n",
"The DataStore, DataSource, DataSink (referred to as \"DataStore suite\") APIs are not referenced directly by a user but are used as base classes, which are then sublcassed into real DataStore suite(s). CTI Python STIX2 provides for the DataStore suites of **FileSystem**, **Memory**, and **TAXII**. Users are also encrouraged subclassing the base Data suite and creating their own custom DataStore suites."
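Review bot: spelling in the closing paragraph: "sublcassed" should be "subclassed", and "Users are also encrouraged subclassing the base Data suite" should read "Users are also encouraged to subclass the base DataStore suite", using the term "DataStore suite" the same sentence just defined.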
@ -51,7 +49,6 @@
"* **query()** - search/retrieve from CompositeDataSource STIX object(s) via search filters\n",
"* **add_data_source()** - Attach a DataSource to the CompositeDataSource\n",
"* **remove_data_source()** - Remove DataSource from the CompositeDataSource\n",
"* **add_filters()** - attach filter(s) to the CompositeDataSource\n",
"\n",
"### CompositeDataSource Examples\n"
]
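Review bot: same gap as in the DataSource list: this hunk shrinks the CompositeDataSource API list by one line and leaves nothing that says how filters are attached, while `add_data_source()` and `remove_data_source()` are still documented. Keep a bullet for the `filters` attribute so the snapshot stays complete before the "CompositeDataSource Examples" heading.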
@ -59,7 +56,9 @@
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"import sys\n",
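Review bot: the only change in this hunk is `"metadata": {}` becoming `"metadata": {"collapsed": true}`, a classic-notebook UI flag (collapsed output area) that carries no documentation value and will churn on every save from a different client. Suggest keeping `"metadata": {}` here, and while touching the cell, setting `"execution_count": 1` back to `null` so re-running the notebook does not produce spurious diffs in a docs commit.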
@ -79,9 +78,13 @@
"source": [
"## Filters\n",
"\n",
"The CTI Python STIX2 **DataStore** suites, to include **FileSystem**, **Memory** and **TAXII** all use the **Filters** module to allow for the querying of STIX content. The basic functionality is that filters can be created and supplied everytime to calls to **query()**, and/or attached to a **DataStore** so that every future query placed to that **DataStore** is evaluated against the attached filters, supplemented with any further filters supplied with the query call. Attached filters can also be removed from **DataStores**.\n",
"The CTI Python STIX2 **DataStore** suites - **FileSystem**, **Memory** and **TAXII** - all use the **Filters** module to allow for the querying of STIX content. The basic functionality is that filters can be created and supplied everytime to calls to **query()**, and/or attached to a **DataStore** so that every future query placed to that **DataStore** is evaluated against the attached filters, supplemented with any further filters supplied with the query call. Attached filters can also be removed from **DataStores**.\n",
"\n",
"Filters are very simple, as they consist of a STIX object common property name, comparison operator and an object property value (i.e. value to compare to). Currently, CTI Python STIX2 supports **ONLY** STIX 2 object common properties:\n",
"Filters are very simple, as they consist of a field name, comparison operator and an object property value (i.e. value to compare to). Currently, CTI Python STIX2 supports **ONLY** STIX 2 object common properties and TAXII2 Filtering parameters for fields to filter on:\n",
"\n",
"Fields\n",
"\n",
"(STIX2 Object Common Properties)\n",
"\n",
"* created\n",
"* created_by_ref\n",
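Review bot: the rewritten Filters paragraph keeps "supplied everytime to calls to **query()**" from the old text; "everytime" is two words and the phrase should read "supplied with each call to **query()**". The new second sentence, "supports **ONLY** STIX 2 object common properties and TAXII2 Filtering parameters for fields to filter on", is hard to parse; suggest "supports filtering **only** on STIX 2 object common properties and on TAXII 2 filtering parameters, listed below". Since the paragraph now introduces two groups of fields, the "Fields" / "(STIX2 Object Common Properties)" heading pair that follows should make clear a second group (TAXII2) comes after the property list.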
@ -98,7 +101,14 @@
"* revoked\n",
"* type\n",
"\n",
"Supported operators on these properties:\n",
"(TAXII2)\n",
"\n",
"* added_after\n",
"* match[id]\n",
"* match[type]\n",
"* match[version]\n",
"\n",
"Supported operators on above properties:\n",
"\n",
"* =\n",
"* !=\n",
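Review bot: moving the operator heading to read "Supported operators on above properties:" after the "(TAXII2)" block lumps two different kinds of field together. `added_after` and the `match[id]` / `match[type]` / `match[version]` entries are TAXII 2 query parameters the server evaluates, not STIX object properties, and not every operator in the list below is meaningful for them (`added_after` is a timestamp lower bound; the `match[...]` parameters are value matches). Either state which operators apply to each group or split the operator list per group, so a reader does not build a `!=` or `<` filter on a TAXII parameter and expect it to work.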
@ -108,7 +118,7 @@
"* ```>=```\n",
"* <=\n",
"\n",
"To align with STIX 2 object common properties, the value types of the common property values must be one of these (python) types:\n",
"Value types of the common property values must be one of these (python) types:\n",
"\n",
"* bool\n",
"* dict\n",
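Review bot: the operator list is formatted inconsistently: "* ```>=```" is wrapped in backticks while "* <=" and the `=` / `!=` entries above are bare. Use one style for all of them; backticks are the safer choice because bare `<` and `>` can be swallowed as HTML by Markdown renderers, which would make an operator silently disappear from the rendered docs. The rewritten sentence "Value types of the common property values must be one of these (python) types:" is also redundant; "Filter values must be one of these (python) types:" says the same thing.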
@ -124,12 +134,12 @@
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"import sys\n",
"sys.path.append(\"/home/michael/oasis-python-stix2/cti-python-stix2/\")\n",
"sys.path\n",
"from stix2 import Filter\n",
"\n",
"# create filter for STIX objects that have external references to MITRE ATT&CK framework\n",
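Review bot: `sys.path.append("/home/michael/oasis-python-stix2/cti-python-stix2/")` is a developer-local absolute path that no reader can reproduce, and the bare `sys.path` line below it is a leftover interactive expression; both (together with `import sys`) should be dropped so the cell starts at `from stix2 import Filter` and assumes the `stix2` package is installed. The `"collapsed": true` metadata change in this cell is the same no-value churn noted on the earlier cell and should be reverted here too.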
@ -158,7 +168,9 @@
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"from stix2 import MemoryStore, FileSystemStore, FileSystemSource\n",
@ -167,24 +179,24 @@
"fs_source = FileSystemSource(\"/home/michael/Desktop/sample_stix2_data\")\n",
"\n",
"# attach filter to FileSystemStore\n",
"fs.add_filters(f)\n",
"fs.source.filters.add(f)\n",
"\n",
"# attach multiple filters to FileSystemStore\n",
"fs.add_filters([f1,f2])\n",
"fs.source.filters.update([f1,f2])\n",
"\n",
"# can also attach filters to a Source\n",
"# attach multiple filters to FileSystemSource\n",
"fs_source.add_filters([f3, f4])\n",
"fs_source.filters.update([f3, f4])\n",
"\n",
"\n",
"mem = MemoryStore()\n",
"\n",
"# As it is impractical to only use MemorySink or MemorySource,\n",
"# attach a filter to a MemoryStore\n",
"mem.add_filters(f)\n",
"mem.source.filter.add(f)\n",
"\n",
"# attach multiple filters to a MemoryStore\n",
"mem.add_filters([f1,f2])"
"mem.source.filters.update([f1,f2])"
]
},
{
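Review bot: `mem.source.filter.add(f)` uses `filter` where every other new line in this hunk uses `filters` (`fs.source.filters.add(f)`, `fs_source.filters.update([f3, f4])`, `mem.source.filters.update([f1,f2])`); as written the cell raises `AttributeError` unless `MemorySource` happens to expose both names, so it should read `mem.source.filters.add(f)`. Two smaller points: `FileSystemSource("/home/michael/Desktop/sample_stix2_data")` is a local path no reader can reproduce (use a relative path into the repository's sample data or an obvious placeholder), and the comment "# As it is impractical to only use MemorySink or MemorySource," is left dangling before "# attach a filter to a MemoryStore" and should either finish the thought or go.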
@ -66,7 +66,6 @@
"* **get()** - search/retrieve most current STIX SDO/SRO via its ID\n",
"* **all_versions()** - search/retrieve all versions of STIX SDO/SRO via its id\n",
"* **query()** - search/retrieve STIX SDO/SRO(s) via search filters\n",
"* **add_filters()** - attach filter(s) to the FileSystemSource\n",
" \n",
"### FileSystemSink (snapshot)\n",
"* **add()** - add STIX SDO/SRO to a target file system endpoint.\n",
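Review bot: as with the DataSource list, the FileSystemSource snapshot loses one line and gains no replacement, so nothing in this section says that filters are attached through `fs_source.filters.update([...])` as the examples do; add a bullet for the `filters` attribute. Minor: "via its ID" and "via its id" in consecutive bullets should agree on capitalisation.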
@ -77,7 +76,6 @@
"* **get()**\n",
"* **all_versions()**\n",
"* **query()**\n",
"* **add_filters()**\n",
"* **add()**\n",
"\n",
"A note on **get()**, **all_versions()**, and **query()**. The format of the STIX2 content targeted by the FileSystem suite is json files. When STIX2 content (in json) is retrieved by the **FileSystemStore** from disk, the content will attempt to be parsed into full-featured python STIX2 objects and returned as such. \n",
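Review bot: "the content will attempt to be parsed into full-featured python STIX2 objects and returned as such" is awkward passive voice; suggest "the **FileSystemStore** attempts to parse it into full-featured python STIX2 objects and returns those". The opening "The format of the STIX2 content targeted by the FileSystem suite is json files" reads better as "The FileSystem suite reads and writes STIX2 content as JSON files". Since the paragraph promises parsing, it should also say what the caller gets when a file on disk is not valid STIX2 JSON, because that is the case a reader of this note will actually hit.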
@ -16,7 +16,6 @@
"* **all_versions()** - search/retrieve from memory all versions of STIX SDO/SRO via its id\n",
"* **query()** - search/retrieve from memory STIX SDO/SRO(s) via search filters\n",
"* **load_from_file()** - load STIX content into memory from file\n",
"* **add_filters()** - attach filter(s) to the MemorySource\n",
" \n",
"### MemorySink (snapshot)\n",
"* **add()** - add a set of STIX SDO/SRO(s) to memory\n",
@ -30,7 +29,6 @@
"* **query()**\n",
"* **load_from_file()**\n",
"* **save_to_file()**\n",
"* **add_filters()**\n",
"* **add()**\n",
"\n",
"A note on **load_from_file()** and **save()**. These methods both add STIX content to an internal dictionary (maintained by MemoryStore). STIX content that is to be added can be in the following forms: python STIX objects, python dicts (of valid STIX objects or Bundles), json-encoded strings (of valid STIX objects or Bundles), or a (python)list of any of the previously listed types. **MemoryStore** actually stores STIX content either as python STIX objects or as python dictionaries, reducing and converting any of the aforementioned types to one of those; and whatever form the STIX object is stored as , is what it will be returned as when queried or retrieved. Python STIX objects, and json-encoded strings (of STIX content) are stored as python STIX objects. Python dicts (of STIX objects) are stored as python dictionaries. This is done, as can be efficiently supported, in order to return STIX content in the form it was added to the **MemoryStore**. Also, for **load_from_file()**, STIX content is assumed to be in json form within the file, individually or in a Bundle. \n",
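Review bot: the paragraph opens "A note on **load_from_file()** and **save()**", but the method list directly above it has `save_to_file()` and `add()` and no `save()`, and what the paragraph then describes (adding STIX content to the internal dictionary) is the behaviour of `add()` and `load_from_file()`, not of saving. Name the methods consistently with the list. Smaller fixes in the same paragraph: "stored as , is what" has a stray space before the comma, "a (python)list" needs a space, and "This is done, as can be efficiently supported, in order to return STIX content in the form it was added" reads better as "This is done so that, where it can be supported efficiently, STIX content is returned in the form it was added".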
@ -16,7 +16,6 @@
"* **get()** - search/retrieve most current STIX SDO/SRO via its ID\n",
"* **all_versions()** - search/retrieve all versions of STIX SDO/SRO via its id\n",
"* **query()** - search/retrieve STIX SDO/SRO(s) via search filters\n",
"* **add_filters()** - attach filter(s) to the TAXIICollectionSource\n",
"\n",
"### TAXIICollectionSink\n",
"* **add()** - add a set of STIX SDO/SRO to a TAXII Collection endpoint.\n",
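Review bot: "### TAXIICollectionSink" is missing the "(snapshot)" suffix that the FileSystemSink and MemorySink headings carry in the sibling files; keep the headings uniform. As in the other source lists, the dropped line leaves the TAXIICollectionSource snapshot with no mention of how filters are attached, so add a bullet for the `filters` attribute here as well.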
@ -28,7 +27,6 @@
"* **all_versions()**\n",
"* **query()**\n",
"* **add()**\n",
"* **add_filters()**\n",
"\n",
"### TAXIICollection Examples\n",
"\n",