{ "cells": [ { "cell_type": "code", "execution_count": 1, "metadata": { "nbsphinx": "hidden" }, "outputs": [], "source": [ "# Delete this cell to re-enable tracebacks\n", "import sys\n", "ipython = get_ipython()\n", "\n", "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n", " exception_only=False, running_compiled_code=False):\n", " etype, value, tb = sys.exc_info()\n", " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n", "\n", "ipython.showtraceback = hide_traceback" ] }, { "cell_type": "code", "execution_count": 2, "metadata": { "nbsphinx": "hidden" }, "outputs": [], "source": [ "# JSON output syntax highlighting\n", "from __future__ import print_function\n", "from pygments import highlight\n", "from pygments.lexers import JsonLexer, TextLexer\n", "from pygments.formatters import HtmlFormatter\n", "from IPython.display import display, HTML\n", "from IPython.core.interactiveshell import InteractiveShell\n", "\n", "InteractiveShell.ast_node_interactivity = \"all\"\n", "\n", "def json_print(inpt):\n", " string = str(inpt)\n", " formatter = HtmlFormatter()\n", " if string[0] == '{':\n", " lexer = JsonLexer()\n", " else:\n", " lexer = TextLexer()\n", " return HTML('{}'.format(\n", " formatter.get_style_defs('.highlight'),\n", " highlight(string, lexer, formatter)))\n", "\n", "globals()['print'] = json_print" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Using The Workbench" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The [Workbench API](../api/stix2.workbench.rst) hides most of the complexity of the rest of the library to make it easy to interact with STIX data. To use it, just import everything from ``stix2.workbench``:" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "from stix2.workbench import *" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Retrieving STIX Data\n", "\n", "To get some STIX data to work with, let's set up a DataSource and add it to our workbench." ] }, { "cell_type": "code", "execution_count": 4, "metadata": { "scrolled": true }, "outputs": [], "source": [ "from taxii2client import Collection\n", "\n", "collection = Collection(\"http://127.0.0.1:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/\", user=\"admin\", password=\"Password0\")\n", "tc_source = TAXIICollectionSource(collection)\n", "add_data_source(tc_source)" ] }, { "cell_type": "markdown", "metadata": { "collapsed": true }, "source": [ "Now we can get all of the indicators from the data source." ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [], "source": [ "response = indicators()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Similar functions are available for the other STIX Object types. See the full list [here](../api/stix2.workbench.rst#stix2.workbench.attack_patterns).\n", "\n", "If you want to only retrieve *some* indicators, you can pass in one or more [Filters](../api/datastore/stix2.datastore.filters.rst). This example finds all the indicators created by a specific identity:" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [], "source": [ "response = indicators(filters=Filter('created_by_ref', '=', 'identity--adede3e8-bf44-4e6f-b3c9-1958cbc3b188'))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The objects returned let you easily traverse their relationships. Get all Relationship objects involving that object with ``.relationships()``, all other objects related to this object with ``.related()``, and the Identity object for the creator of the object (if one exists) with ``.created_by()``. For full details on these methods and their arguments, see the [Workbench API](../api/stix2.workbench.rst) documentation." ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
indicator--a932fcc6-e032-476c-826f-cb970a5a1ade\n",
"
indicates\n",
"
malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111\n",
"
{\n",
" "type": "malware",\n",
" "id": "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",\n",
" "created": "2017-01-27T13:49:53.997Z",\n",
" "modified": "2017-01-27T13:49:53.997Z",\n",
" "name": "Poison Ivy",\n",
" "description": "Poison Ivy",\n",
" "labels": [\n",
" "remote-access-trojan"\n",
" ]\n",
"}\n",
"
{\n",
" "type": "indicator",\n",
" "id": "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",\n",
" "created": "2014-05-08T09:00:00.000Z",\n",
" "modified": "2014-05-08T09:00:00.000Z",\n",
" "name": "File hash for Poison Ivy variant",\n",
" "pattern": "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",\n",
" "valid_from": "2014-05-08T09:00:00Z",\n",
" "labels": [\n",
" "file-hash-watchlist"\n",
" ]\n",
"}\n",
"
ACME Threat Intel Co.\n",
"