STIX2

Introduction

The stix2 module lets you take the output of RisklistMgr, LookupMgr, and AnalystNoteMgr and transform it into a STIX2-compatible format.

See the API Reference for internal details of the module.

Examples

Warning

The following examples demonstrate how to use this module. Be sure to add appropriate error handling as needed; all possible errors for each method or function are listed in the API Reference page.

Additionally, you must configure the RF_TOKEN environment variable before getting started. For instructions, see Learn.

1: Transform an analyst note into a STIX RFBundle

In this example, we fetch the analyst note with ID o6_lui using the AnalystNoteMgr.lookup method, download its attachment (if any) with the AnalystNoteMgr.fetch_attachment method, and create the bundle with the RFBundle.from_analyst_note method.

This creates an object that can be serialized with the serialize method and written to a file.

from pathlib import Path

from psengine.analyst_notes import AnalystNoteMgr
from psengine.stix2 import RFBundle

# Directory that receives the serialized bundle files.
OUTPUT_DIR = Path.cwd() / 'bundles'
OUTPUT_DIR.mkdir(exist_ok=True)

note_id = 'o6_lui'
out_file = OUTPUT_DIR / f'note_bundle_{note_id}.json'

note_mgr = AnalystNoteMgr()

# Fetch the note; only download the attachment when the note has one.
attachment = None
note = note_mgr.lookup(note_id)
if note.attributes.attachment:
    attachment, attachment_type = note_mgr.fetch_attachment(
        note.id_
    )

# Build the STIX bundle from the note (and attachment), then serialize it to JSON.
note_bundle = RFBundle.from_analyst_note(note, attachment)
out_file.write_text(note_bundle.serialize())

2: Transform a risklist into a STIX RFBundle

Similar to the example above, here we use the RisklistMgr.fetch_risklist method to fetch the IP risklist recentLinkedToAPT. The validate argument validates each returned entry against DefaultRiskList, and the resulting risklist is passed to RFBundle.from_default_risklist to generate the bundle.

The bundle is then saved to a file after being serialized.

from pathlib import Path

from psengine.risklists import DefaultRiskList, RisklistMgr
from psengine.stix2 import RFBundle

# Directory that receives the serialized bundle files.
OUTPUT_DIR = Path.cwd() / 'bundles'
OUTPUT_DIR.mkdir(exist_ok=True)

rsm = RisklistMgr()
# fetch_risklist yields entries; validate=DefaultRiskList checks each one
# against the default risklist model before it is used.
risklist = list(
    rsm.fetch_risklist(
        'recentLinkedToAPT', 'ip', validate=DefaultRiskList
    )
)
# The entity type ('ip') tells the bundle which STIX indicator pattern to emit.
risklist_bundle = RFBundle.from_default_risklist(
    risklist, 'ip'
)

out_file = (
    OUTPUT_DIR / 'risklist_ip_recentLinkedToAPT_bundle.json'
)
out_file.write_text(risklist_bundle.serialize())

3: Transform enriched IOCs into STIX RFBundles

In this example, we use the LookupMgr to enrich four IOCs using the links, riskMapping, and aiInsights fields. For each IOC that was successfully enriched, an EnrichedIndicator object is created and the related bundle is saved to a file.
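As an added example that is not part of the psengine documentation, here is a consumer-side check for the bundle files the examples above write: it parses the serialized JSON, verifies the bundle envelope, and pulls out each indicator's STIX pattern. The sample bundle is constructed inline and assumes the standard STIX 2.1 object layout; this page does not show the exact objects RFBundle emits.

```python
import json
from dataclasses import dataclass

# Constructed sample of a serialized STIX 2.1 bundle, standing in for the files
# written by RFBundle.serialize() above. Real RFBundle output may carry more
# objects and properties; only the standard envelope and indicator fields are used.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--4e3b9c1a-7f2d-4c3e-9a1b-2d5f6e7a8b9c",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'malicious.example']",
         "valid_from": "2024-01-02T00:00:00Z"},
    ],
})


@dataclass(frozen=True)
class IndicatorSummary:
    id_: str
    pattern: str
    valid_from: str


def is_bundle(data: dict) -> bool:
    """True if the parsed JSON has a STIX bundle envelope (type plus bundle-- id)."""
    return data.get("type") == "bundle" and str(data.get("id", "")).startswith("bundle--")


def load_indicators(bundle_text: str) -> list[IndicatorSummary]:
    """Parse a serialized bundle and return its STIX-pattern indicators."""
    data = json.loads(bundle_text)
    # Reject non-bundle input instead of silently returning an empty list,
    # so a wrong or truncated file is noticed by the caller.
    if not is_bundle(data):
        raise ValueError("not a STIX bundle envelope")
    found = []
    for obj in data.get("objects", []):
        # Only indicators with a STIX pattern; other object types are ignored.
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        found.append(IndicatorSummary(obj["id"], obj["pattern"], obj.get("valid_from", "")))
    return found
```

Run it against a real file with `load_indicators(out_file.read_text())` after one of the examples above has written it.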