STIX2

Introduction

The stix2 module lets you take the output of the RisklistMgr, LookupMgr and AnalystNoteMgr and transform it into a STIX2-compatible format.

See the API Reference for internal details of the module.

Examples

Warning

Below are some examples of usage of the module. Consider adding error handling as necessary. All the errors that can be raised by each method or function are specified in the API Reference page.

Also, you need to configure the RF_TOKEN environment variable before starting. See Learn.

Example 1: Transform an analyst note as STIX RFBundle.

In this example we look up the analyst note with ID o6_lui using the AnalystNoteMgr.lookup method, fetch its attachment (if it has one) with the AnalystNoteMgr.fetch_attachment method, and create the bundle with the RFBundle.from_analyst_note method.

This creates an object that can be serialized with the serialize method and written to a file.

from pathlib import Path

from psengine.analyst_notes import AnalystNoteMgr
from psengine.stix2 import RFBundle

OUTPUT_DIR = Path(__file__).parent / 'bundles'
OUTPUT_DIR.mkdir(exist_ok=True)

note_id = 'o6_lui'
out_file = OUTPUT_DIR / f'note_bundle_{note_id}.json'

note_mgr = AnalystNoteMgr()

# Only fetch the attachment when the note actually carries one; otherwise pass None.
attachment = None
note = note_mgr.lookup(note_id)
if note.attributes.attachment:
    attachment, attachment_type = note_mgr.fetch_attachment(note.id_)

# Build the STIX bundle from the note (and attachment) and write the serialized JSON to disk.
note_bundle = RFBundle.from_analyst_note(note, attachment)
out_file.write_text(note_bundle.serialize())

Example 2: Transform a risklist as STIX RFBundle.

Similar to example 1, this example uses the RisklistMgr.fetch_risklist method to fetch the IP risklist recentLinkedToAPT. The entries returned are validated against the model passed in the validate argument, and the validated risklist is turned into a bundle with RFBundle.from_default_risklist.

The bundle is then saved to file after being serialized.

from pathlib import Path

from psengine.risklists import DefaultRiskList, RisklistMgr
from psengine.stix2 import RFBundle

OUTPUT_DIR = Path(__file__).parent / 'bundles'
OUTPUT_DIR.mkdir(exist_ok=True)

rsm = RisklistMgr()
# Each entry is validated against DefaultRiskList as it is fetched; the generator is consumed into a list.
risklist = list(rsm.fetch_risklist('recentLinkedToAPT', 'ip', validate=DefaultRiskList))
risklist_bundle = RFBundle.from_default_risklist(risklist, 'ip')

# Serialize the bundle and write it to disk.
out_file = OUTPUT_DIR / 'risklist_ip_recentLinkedToAPT_bundle.json'
out_file.write_text(risklist_bundle.serialize())
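As an added example that is not part of the psengine documentation: a consumer of the bundle file written above can sanity-check it with the standard library alone, rejecting malformed STIX ids and dropping indicators whose valid_until has already passed before anything reaches a blocklist. The bundle below is constructed inline and its field names follow the STIX 2.1 specification; that psengine emits exactly this layout is an assumption.

```python
import json
import re
from datetime import datetime, timezone

# STIX ids are "<type>--<uuid>"; anything else points at a corrupt or hand-edited bundle.
STIX_ID_RE = re.compile(r'^[a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$', re.I)

# Constructed sample shaped like a serialized STIX 2.1 bundle (not real psengine output).
SAMPLE_BUNDLE = json.dumps({
    'type': 'bundle', 'id': 'bundle--0f2a6c3b-5e4d-4b1a-9c8d-1234567890ab',
    'objects': [
        {'type': 'indicator', 'spec_version': '2.1',
         'id': 'indicator--11111111-2222-4333-8444-555555555555',
         'pattern': "[ipv4-addr:value = '192.0.2.10']", 'pattern_type': 'stix',
         'valid_from': '2024-01-01T00:00:00Z', 'valid_until': '2024-02-01T00:00:00Z',
         'confidence': 90},
        {'type': 'indicator', 'spec_version': '2.1',
         'id': 'indicator--66666666-7777-4888-9999-aaaaaaaaaaaa',
         'pattern': "[ipv4-addr:value = '198.51.100.7']", 'pattern_type': 'stix',
         'valid_from': '2024-01-01T00:00:00Z', 'valid_until': '2099-01-01T00:00:00Z',
         'confidence': 65},
        {'type': 'note', 'spec_version': '2.1',
         'id': 'note--bbbbbbbb-cccc-4ddd-8eee-ffffffffffff',
         'content': 'constructed analyst note text',
         'object_refs': ['indicator--66666666-7777-4888-9999-aaaaaaaaaaaa']},
    ],
})


def _parse_ts(value):
    # STIX timestamps end in 'Z'; fromisoformat wants an explicit offset on older Pythons.
    return datetime.fromisoformat(value.replace('Z', '+00:00'))


def active_indicators(bundle_text, now_iso=None):
    """Return (pattern, confidence) for each indicator still valid at now_iso (default: now)."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    bundle = json.loads(bundle_text)
    if bundle.get('type') != 'bundle' or not STIX_ID_RE.match(bundle.get('id', '')):
        raise ValueError('not a STIX bundle')
    result = []
    for obj in bundle.get('objects', []):
        if not STIX_ID_RE.match(obj.get('id', '')):
            raise ValueError(f"malformed STIX id: {obj.get('id')!r}")
        if obj.get('type') != 'indicator':
            continue  # notes, relationships etc. carry no pattern to act on
        until = obj.get('valid_until')
        if until and _parse_ts(until) <= now:
            continue  # expired: do not push stale blocks downstream
        result.append((obj['pattern'], obj.get('confidence', 0)))
    return result
```

Feed it the text of risklist_ip_recentLinkedToAPT_bundle.json instead of SAMPLE_BUNDLE to check a real bundle before loading it into a downstream tool.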

Example 3: Transform enriched IOCs as STIX RFBundles.

In this example we use the LookupMgr to enrich 4 IOCs using the links, riskMapping and aiInsights fields. For each IOC that has been enriched, an EnrichedIndicator object is created and the related bundle is saved to file.
