python-stix primer
Ben Schmoker
github.com/bschmoker
What is python-stix?
• Developer friendly
– Python objects > raw XML
• Re-usable
– Open-source libraries
• Plug-in ready
– Integrate with existing tools
github.com/STIXProject/python-stix
Let's get started!
• Install Python 2.7 and dependencies
apt-get install python-dev python-pip
apt-get install libxml2-dev libxslt-dev
apt-get install zlib1g-dev
pip install stix
Create a STIX document
$ cat > write.py
from stix.core import STIXPackage, STIXHeader
header = STIXHeader()
header.title = "My first document!"
pkg = STIXPackage()
pkg.stix_header = header
print(pkg.to_xml())  # output XML
Generate a STIX Indicator
• The following slides will reference this example code
Create IP Address Indicator
$ cat >> write.py
from stix.indicator import Indicator
from cybox.objects.address_object import Address
ind = Indicator()
ind.title = "malicious IP"
ind.add_indicator_type("IP Watchlist")
# set value
addr = Address()
addr.address_value = "10.0.0.0"
addr.category = 'ipv4-addr'
addr.condition = "Equals"
# add to package
ind.add_observable(addr)  # the Address is wrapped in an Observable
pkg.add_indicator(ind)
Add optional fields
$ cat >> write.py
from stix.ttp import TTP
# add a type of malicious activity
activity = TTP(title="C2 Behavior")
pkg.add_ttp(activity)
# link indicator to activity by reference
ind.add_indicated_ttp(TTP(idref=activity.id_))
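Before the Address on the previous slides is populated, the value that goes into address_value deserves a check: the slide's 10.0.0.0 is RFC 1918 space, and an "IP Watchlist" entry for it will match traffic on every network that consumes the feed. The following added example (mine, not code from the deck or from python-stix) validates candidate addresses with the standard library's ipaddress module and derives the category that the slide hardcodes as 'ipv4-addr'. NON_ROUTABLE and FEED are constructed; the RFC 5737/3849 documentation ranges are deliberately left off the reject list so the constructed sample entries pass.

```python
import ipaddress

# Constructed policy: address space that should never be shared as an
# "IP Watchlist" indicator because it matches traffic on every network.
# (Documentation ranges are not listed so the sample feed below passes.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# CybOX Address category per address family; the slide hardcodes 'ipv4-addr'.
CATEGORY = {4: "ipv4-addr", 6: "ipv6-addr"}


def address_fields(value):
    """Validate one watchlist entry and return the (address_value, category,
    condition) triple the Address object on the slide needs.
    Raises ValueError for anything that should not become an indicator."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % value)
    # Version mismatch makes 'in' return False, so one list covers v4 and v6.
    if any(ip in net for net in NON_ROUTABLE):
        raise ValueError("non-routable address rejected: %s" % ip)
    return (str(ip), CATEGORY[ip.version], "Equals")


def triage(candidates):
    """Split raw feed entries into usable field triples and rejections."""
    accepted, rejected = [], []
    for raw in candidates:
        try:
            accepted.append(address_fields(raw))
        except ValueError as err:
            rejected.append((raw, str(err)))
    return accepted, rejected


# Constructed feed: the slide's 10.0.0.0 plus documentation addresses
# (RFC 5737 / RFC 3849) standing in for real watchlist entries.
FEED = ["10.0.0.0", "203.0.113.7", "2001:db8::2a", "127.0.0.1", "evil.example"]

if __name__ == "__main__":
    ok, bad = triage(FEED)
    for fields in ok:
        print("indicator:", fields)   # feed these into Address() on the slide
    for raw, reason in bad:
        print("skipped:", raw, "-", reason)
```

Each accepted triple maps directly onto addr.address_value, addr.category and addr.condition from the slide; the rejections are what a feed consumer would otherwise have to filter out on receipt.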
Parsing STIX
• The following slides will reference this example code
Load a STIX document
$ curl http://tiny.cc/samplestix > in.xml
$ python
from stix.core import STIXPackage, STIXHeader
myfile = open('in.xml')
pkg = STIXPackage.from_xml(myfile)
Access Data Elements
$ cat in.xml
<stix:STIX_Package
<stix:Package_Intent>Incident
<stix:Description>Sample breach report
</>
$ cat >> read.py
print(pkg.stix_header.description)
Iterate Lists
$ cat in.xml
<stix:Incident>
<incident:Title>Breach of Cyber Tech Dynamics
</>
$ cat >> read.py
for inc in pkg.incidents:
    print(inc.title)
Parsing STIX (Advanced)
• The following slides will reference this example code
Examine Observables
$ curl http://tiny.cc/samplestixobs > in.xml
<stix:Indicator>
<indicator:Observable>
<cybox:Object>
<cybox:Properties>
<FileObj:Hashes>
<cyboxCommon:Hash>d3adb33f
</>
$ cat > read.py
for ind in pkg.indicators:
    for obs in ind.observables:
        for digest in obs.object_.properties.hashes:
            print(digest)
Dereference Links
$ cat in.xml
<stix:TTPs>
<stix:TTP id="id_value">
[...]
</>
<stix:Indicator>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="id_value">
</>
$ cat >> read.py
relationship_dict = {}
for ttp in pkg.ttps.ttps:
    relationship_dict[ttp.id_] = ttp  # store each TTP object under its ID
for ind in pkg.indicators:
    for rel_ttp in ind.indicated_ttps:
        if rel_ttp.item.idref in relationship_dict:  # look up object by ID
            print(relationship_dict[rel_ttp.item.idref].title)
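The two parsing slides above (Examine Observables and Dereference Links) can be exercised without python-stix installed. The following added example is mine, not code from the deck or from the STIXProject: it does the same hash extraction and idref lookup with the standard library's xml.etree.ElementTree on a constructed STIX 1.2 document, and additionally reports idrefs that point at no id in the package, which the slide's dictionary lookup silently skips. The namespace URIs are the STIX 1.x / CybOX 2.x ones; the sample ids, titles and hash value are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes for the path lookups below (STIX 1.x / CybOX 2.x).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "ttp": "http://stix.mitre.org/TTP-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}

# Constructed sample: one TTP, one indicator carrying a file hash, one
# resolvable Indicated_TTP and one dangling idref.  Not a real report.
SAMPLE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:TTPs>
    <stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
      <ttp:Title>C2 Behavior</ttp:Title>
    </stix:TTP>
  </stix:TTPs>
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>malicious file</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type>MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>D3ADB33FD3ADB33FD3ADB33FD3ADB33F</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP>
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-missing"/></indicator:Indicated_TTP>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def index_ttps(root):
    """Map each TTP id to its title: the slide's relationship_dict."""
    table = {}
    for ttp in root.iterfind("stix:TTPs/stix:TTP", NS):
        if ttp.get("id"):
            table[ttp.get("id")] = ttp.findtext("ttp:Title", "", NS)
    return table


def file_hashes(indicator):
    """Collect (type, value) pairs from every File object under the indicator,
    lower-casing the digest so it matches other feeds' formatting."""
    path = ("indicator:Observable/cybox:Object/cybox:Properties/"
            "FileObj:Hashes/cyboxCommon:Hash")
    found = []
    for h in indicator.iterfind(path, NS):
        value = h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip()
        if value:
            found.append((h.findtext("cyboxCommon:Type", "", NS).strip(), value.lower()))
    return found


def resolve_indicated_ttps(indicator, ttp_table):
    """Follow Indicated_TTP idrefs; an idref with no matching id is reported
    as dangling instead of being dropped."""
    resolved, dangling = [], []
    for ref in indicator.iterfind("indicator:Indicated_TTP/stixCommon:TTP", NS):
        idref = ref.get("idref")
        if idref in ttp_table:
            resolved.append(ttp_table[idref])
        else:
            dangling.append(idref)
    return resolved, dangling


def summarize(xml_text):
    """One record per indicator: hashes, resolved TTP titles, dangling idrefs."""
    root = ET.fromstring(xml_text)
    ttps = index_ttps(root)
    records = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        resolved, dangling = resolve_indicated_ttps(ind, ttps)
        records.append({"id": ind.get("id"),
                        "title": ind.findtext("indicator:Title", "", NS),
                        "hashes": file_hashes(ind),
                        "ttps": resolved,
                        "dangling_idrefs": dangling})
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```

A dangling idref usually means the producer split a package or the consumer filtered out the referenced construct; surfacing it is what makes the relationship data trustworthy. ET.fromstring is used here only for portability: a document fetched from an untrusted feed should go through defusedxml (or the library's own parser) rather than raw ElementTree.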
Further Reading
• Sample code and use cases
– stixproject.github.io/documentation/idioms
• Python documentation
– stix.readthedocs.org
Python + STIX = Awesome