{ "cells": [ { "cell_type": "code", "execution_count": 1, "metadata": { "nbsphinx": "hidden" }, "outputs": [], "source": [ "# Delete this cell to re-enable tracebacks\n", "import sys\n", "ipython = get_ipython()\n", "\n", "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n", " exception_only=False, running_compiled_code=False):\n", " etype, value, tb = sys.exc_info()\n", " value.__cause__ = None # suppress chained exceptions\n", " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n", "\n", "ipython.showtraceback = hide_traceback" ] }, { "cell_type": "code", "execution_count": 2, "metadata": { "nbsphinx": "hidden" }, "outputs": [], "source": [ "# JSON output syntax highlighting\n", "from __future__ import print_function\n", "from pygments import highlight\n", "from pygments.lexers import JsonLexer, TextLexer\n", "from pygments.formatters import HtmlFormatter\n", "from IPython.display import display, HTML\n", "from IPython.core.interactiveshell import InteractiveShell\n", "\n", "InteractiveShell.ast_node_interactivity = \"all\"\n", "\n", "def json_print(inpt):\n", " string = str(inpt)\n", " formatter = HtmlFormatter()\n", " if string[0] == '{':\n", " lexer = JsonLexer()\n", " else:\n", " lexer = TextLexer()\n", " return HTML('{}'.format(\n", " formatter.get_style_defs('.highlight'),\n", " highlight(string, lexer, formatter)))\n", "\n", "globals()['print'] = json_print" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Parsing STIX Content" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Parsing STIX content is as easy as calling the [parse()](../api/stix2.core.rst#stix2.core.parse) function on a JSON string, dictionary, or file-like object. It will automatically determine the type of the object. The STIX objects within `bundle` objects, and any cyber observables contained within `observed-data` objects will be parsed as well.\n", "\n", "**Parsing a string**" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
<class 'stix2.v21.sdo.ObservedData'>\n",
"
{\n",
" "type": "observed-data",\n",
" "spec_version": "2.1",\n",
" "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",\n",
" "created": "2016-04-06T19:58:16.000Z",\n",
" "modified": "2016-04-06T19:58:16.000Z",\n",
" "first_observed": "2015-12-21T19:00:00Z",\n",
" "last_observed": "2015-12-21T19:00:00Z",\n",
" "number_observed": 50,\n",
" "objects": {\n",
" "0": {\n",
" "type": "file",\n",
" "id": "file--5d0833b7-065e-571f-8bf2-657cb9569570",\n",
" "spec_version": "2.1",\n",
" "hashes": {\n",
" "SHA-256": "0969de02ecf8a5f003e3f6d063d848c8a193aada092623f8ce408c15bcb5f038"\n",
" }\n",
" }\n",
" }\n",
"}\n",
"
<class 'stix2.v21.sdo.Identity'>\n",
"
{\n",
" "type": "identity",\n",
" "spec_version": "2.1",\n",
" "id": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",\n",
" "created": "2015-12-21T19:59:11.000Z",\n",
" "modified": "2015-12-21T19:59:11.000Z",\n",
" "name": "Cole Powers",\n",
" "identity_class": "individual"\n",
"}\n",
"
<class 'stix2.v21.sdo.CourseOfAction'>\n",
"
{\n",
" "type": "course-of-action",\n",
" "spec_version": "2.1",\n",
" "id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd",\n",
" "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",\n",
" "created": "2017-05-31T21:30:41.022Z",\n",
" "modified": "2017-05-31T21:30:41.022Z",\n",
" "name": "Data from Network Shared Drive Mitigation",\n",
" "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]"\n",
"}\n",
"