SlideShare a Scribd company logo

Python + STIX = Awesome

S
stixproject

This document introduces python-stix, an open-source Python library for working with STIX (Structured Threat Information Expression) documents. It allows users to easily generate and parse STIX XML by mapping STIX objects to Python objects. The document provides examples of using python-stix to create a STIX package, add indicators and related objects, load and access data from an existing STIX file, and dereference relationships between objects.

Technology
Related topics:
Threat Intelligence
1 of 15
Downloaded 72 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
python-stix primer Ben Schmoker github.com/bschmoker
What is python-stix? • Developer friendly – Python objects > raw XML • Re-usable – Open-source libraries • Plug-in ready – Integrate with existing tools github.com/STIXProject/python-stix
Let's get started! • Install Python 2.7 and dependencies apt-get install python-dev python-pip apt-get install libxml2-dev libxslt-dev apt-get install zlib1g-dev pip install stix github.com/STIXProject/python-stix
Create a STIX document github.com/STIXProject/python-stix $ cat > write.py from stix.core import STIXPackage, STIXHeader header = STIXHeader () header.title = "My first document!" pkg = STIXPackage() pkg.stix_header = header print pkg.to_xml() // output XML
Generate a STIX Indicator • The following slides will reference this example code github.com/STIXProject/python-stix
Create IP Address Indicator github.com/STIXProject/python-stix $ cat >> write.py ind = Indicator() ind.title="malicious IP" ind.add_indicator_type("IP Watchlist") // set value addr = Address() addr.address_value="10.0.0.0" addr.category = 'ipv4-addr' addr.condition = "Equals" // add to package ind.add_observable(addr) stix_package.add_indicator(ind)
Add optional fields github.com/STIXProject/python-stix $ cat >> write.py // add a type of malicious activity activity = TTP(title="C2 Behavior") stix_package.add_ttp(activity) //link indicator to activity ind.add_indicated_ttp(TTP(idref = activity.id_) )
Parsing STIX • The following slides will reference this example code github.com/STIXProject/python-stix
Load a STIX document $ curl http://tiny.cc/samplestix > in.xml $ python from stix.core import STIXPackage, STIXHeader myfile = open('in.xml') pkg = STIXPackage.from_xml(myfile) github.com/STIXProject/python-stix
Access Data Elements $cat in.xml <stix:STIX_Package <stix:Package_Intent>Incident <stix:Description>Sample breach report </> $ cat >> read.py print pkg.stix_header.description github.com/STIXProject/python-stix
Iterate Lists $cat in.xml <stix:Incident> <incident:Title>Breach of Cyber Tech Dynamics </> $ cat >> read.py for inc in pkg.incidents: print inc.title github.com/STIXProject/python-stix
Parsing STIX (Advanced) • The following slides will reference this example code github.com/STIXProject/python-stix
$curl http://tiny.cc/samplestixobs > in.xml <stix:Indicator> <indicator:Observable> <cybox:Object> <cybox:Properties> <FileObj:Hashes> <cyboxCommon:Hash>d3adb33f </> $ cat > read.py for ind in pkg.indicators: for obs in ind.observables: for digest in obs.object_.properties.hashes: print digest Examine Observables github.com/STIXProject/python-stix
Dereference Links github.com/STIXProject/python-stix $cat in.xml <stix:TTPs> <stix:TTP id="id_value"> [...] </> <stix:Indicator> <indicator:Indicated_TTP> <stixCommon:TTP idref="id_value"> </> $ cat >> read.py relationship_dict = {} for ttp in package.ttps.ttps: relationship_dict [ttp.id_] = ttp # assign object to dictionary value, with I as key for rel_ttp in indicator.indicated_ttps: if rel_ttp.item.idref in ttps: # look up object by ID print relationship_dict[rel_ttp.item.idref].title
Further Reading • Sample code and use cases – stixproject.github.io/documentation/idioms • Python documentation – stix.readthedocs.org github.com/STIXProject/python-stix

More Related Content

PPTX
Using Wildcards with rsyslog's File Monitor imfile
Rainer Gerhards
 
PDF
Best Practices for Middleware and Integration Architecture Modernization with...
Claus Ibsen
 
PDF
El core de Alfresco 4.2
Ematiz Tecnología, S.L.
 
PDF
SGX Trusted Execution Environment
Kernel TLV
 
PDF
Kamailio :: A Quick Introduction
Olle E Johansson
 
PDF
Kafka slideshare
wonyong hwang
 
PDF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
PDF
Active MQ
Kris Jeong
 
Using Wildcards with rsyslog's File Monitor imfile
Rainer Gerhards
 
Best Practices for Middleware and Integration Architecture Modernization with...
Claus Ibsen
 
El core de Alfresco 4.2
Ematiz Tecnología, S.L.
 
SGX Trusted Execution Environment
Kernel TLV
 
Kamailio :: A Quick Introduction
Olle E Johansson
 
Kafka slideshare
wonyong hwang
 
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
Active MQ
Kris Jeong
 

What's hot (20)

PDF
FIWARE Training: NGSI-LD Advanced Operations
FIWARE
 
PDF
cilium-public.pdf
Sanjeev Rampal
 
PPTX
SSL/TLS 101
Chul-Woong Yang
 
PPTX
NGINX Installation and Tuning
NGINX, Inc.
 
PDF
Spring Boot
Jaran Flaath
 
PDF
TLS/SSL Internet Security Talk
Nisheed KM
 
PPTX
Smart Contract Testing
Dilum Bandara
 
PPTX
Apache Camel K - Copenhagen v2
Claus Ibsen
 
PDF
Kafka Summit NYC 2017 - Singe Message Transforms are not the Transformations ...
confluent
 
PDF
LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경
Mintak Son
 
PDF
Solidity- Error Handling
Tutorials Diary
 
PDF
Open Standards in Identity Management
Prabath Siriwardena
 
PPTX
Docker-Dasar.pptx
SamsulAlam41
 
PPTX
Network policy @ k8s day
Chia-Chun Shih
 
PDF
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
 
PPTX
Fast Userspace OVS with AF_XDP, OVS CONF 2018
Cheng-Chun William Tu
 
PPTX
Vault - Secret and Key Management
Anthony Ikeda
 
PPTX
Ssh tunnel
Amandeep Singh
 
PPTX
Kong
Troublemaker Khunpech
 
PPTX
secure socket layer
Amar Shah
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE
 
cilium-public.pdf
Sanjeev Rampal
 
SSL/TLS 101
Chul-Woong Yang
 
NGINX Installation and Tuning
NGINX, Inc.
 
Spring Boot
Jaran Flaath
 
TLS/SSL Internet Security Talk
Nisheed KM
 
Smart Contract Testing
Dilum Bandara
 
Apache Camel K - Copenhagen v2
Claus Ibsen
 
Kafka Summit NYC 2017 - Singe Message Transforms are not the Transformations ...
confluent
 
LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경
Mintak Son
 
Solidity- Error Handling
Tutorials Diary
 
Open Standards in Identity Management
Prabath Siriwardena
 
Docker-Dasar.pptx
SamsulAlam41
 
Network policy @ k8s day
Chia-Chun Shih
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
 
Fast Userspace OVS with AF_XDP, OVS CONF 2018
Cheng-Chun William Tu
 
Vault - Secret and Key Management
Anthony Ikeda
 
Ssh tunnel
Amandeep Singh
 
Kong
Troublemaker Khunpech
 
secure socket layer
Amar Shah
 
Ad

Viewers also liked (8)

PPTX
Introduction to STIX 101
stixproject
 
PPTX
Everything about TAXII
stixproject
 
PDF
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
Priyanka Aash
 
PDF
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
Matthew J. Harmon
 
PDF
セキュリティオペレーション自動化に向けた、基盤技術と共通インターフェースの構築 [ISOC-JP workshop, 2016/05/20]
Takeshi Takahashi
 
PDF
מצגת החברות המשתתפות בתערוכת מיליפול 2013
Israel Export Institute_מכון היצוא
 
PPT
Network security chapter 6 and 7 internet architecture
Muhammad ismail Shah
 
PDF
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Priyanka Aash
 
Introduction to STIX 101
stixproject
 
Everything about TAXII
stixproject
 
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
Priyanka Aash
 
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
Matthew J. Harmon
 
セキュリティオペレーション自動化に向けた、基盤技術と共通インターフェースの構築 [ISOC-JP workshop, 2016/05/20]
Takeshi Takahashi
 
מצגת החברות המשתתפות בתערוכת מיליפול 2013
Israel Export Institute_מכון היצוא
 
Network security chapter 6 and 7 internet architecture
Muhammad ismail Shah
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Priyanka Aash
 
Ad

Similar to Python + STIX = Awesome (8)

PPTX
STIX Patterning: Viva la revolución!
treyka
 
PDF
Python para equipos de ciberseguridad(pycones)
Jose Manuel Ortega Candel
 
PDF
Data science for infrastructure dev week 2022
ZainAsgar1
 
PPT
Sri monthly presentation 2015
Akash Rajguru
 
PDF
breed_python_tx_redacted
Ryan Breed
 
PPTX
USE_OF_PACKET_CAPTURE.pptx
rajaguru91
 
PDF
Russ Savage [Ngrok] | InfluxDB QuickStart | InfluxDays NA 2021
InfluxData
 
ODP
Zabbix API at FISL12 by Takanori Suzuki
takanori suzuki
 
STIX Patterning: Viva la revolución!
treyka
 
Python para equipos de ciberseguridad(pycones)
Jose Manuel Ortega Candel
 
Data science for infrastructure dev week 2022
ZainAsgar1
 
Sri monthly presentation 2015
Akash Rajguru
 
breed_python_tx_redacted
Ryan Breed
 
USE_OF_PACKET_CAPTURE.pptx
rajaguru91
 
Russ Savage [Ngrok] | InfluxDB QuickStart | InfluxDays NA 2021
InfluxData
 
Zabbix API at FISL12 by Takanori Suzuki
takanori suzuki
 

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
KodekX | Application Modernization Development
KodekX
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 

Python + STIX = Awesome

  • 2. What is python-stix? • Developer friendly – Python objects > raw XML • Re-usable – Open-source libraries • Plug-in ready – Integrate with existing tools github.com/STIXProject/python-stix
  • 3. Let's get started! • Install Python 2.7 and dependencies apt-get install python-dev python-pip apt-get install libxml2-dev libxslt-dev apt-get install zlib1g-dev pip install stix github.com/STIXProject/python-stix
  • 4. Create a STIX document github.com/STIXProject/python-stix $ cat > write.py from stix.core import STIXPackage, STIXHeader header = STIXHeader () header.title = "My first document!" pkg = STIXPackage() pkg.stix_header = header print pkg.to_xml() // output XML
  • 5. Generate a STIX Indicator • The following slides will reference this example code github.com/STIXProject/python-stix
  • 6. Create IP Address Indicator github.com/STIXProject/python-stix $ cat >> write.py ind = Indicator() ind.title="malicious IP" ind.add_indicator_type("IP Watchlist") // set value addr = Address() addr.address_value="10.0.0.0" addr.category = 'ipv4-addr' addr.condition = "Equals" // add to package ind.add_observable(addr) stix_package.add_indicator(ind)
  • 7. Add optional fields github.com/STIXProject/python-stix $ cat >> write.py // add a type of malicious activity activity = TTP(title="C2 Behavior") stix_package.add_ttp(activity) //link indicator to activity ind.add_indicated_ttp(TTP(idref = activity.id_) )
  • 8. Parsing STIX • The following slides will reference this example code github.com/STIXProject/python-stix
  • 9. Load a STIX document $ curl http://tiny.cc/samplestix > in.xml $ python from stix.core import STIXPackage, STIXHeader myfile = open('in.xml') pkg = STIXPackage.from_xml(myfile) github.com/STIXProject/python-stix
  • 10. Access Data Elements $cat in.xml <stix:STIX_Package <stix:Package_Intent>Incident <stix:Description>Sample breach report </> $ cat >> read.py print pkg.stix_header.description github.com/STIXProject/python-stix
  • 11. Iterate Lists $cat in.xml <stix:Incident> <incident:Title>Breach of Cyber Tech Dynamics </> $ cat >> read.py for inc in pkg.incidents: print inc.title github.com/STIXProject/python-stix
  • 12. Parsing STIX (Advanced) • The following slides will reference this example code github.com/STIXProject/python-stix
  • 13. $curl http://tiny.cc/samplestixobs > in.xml <stix:Indicator> <indicator:Observable> <cybox:Object> <cybox:Properties> <FileObj:Hashes> <cyboxCommon:Hash>d3adb33f </> $ cat > read.py for ind in pkg.indicators: for obs in ind.observables: for digest in obs.object_.properties.hashes: print digest Examine Observables github.com/STIXProject/python-stix
  • 14. Dereference Links github.com/STIXProject/python-stix $cat in.xml <stix:TTPs> <stix:TTP id="id_value"> [...] </> <stix:Indicator> <indicator:Indicated_TTP> <stixCommon:TTP idref="id_value"> </> $ cat >> read.py relationship_dict = {} for ttp in package.ttps.ttps: relationship_dict [ttp.id_] = ttp # assign object to dictionary value, with I as key for rel_ttp in indicator.indicated_ttps: if rel_ttp.item.idref in ttps: # look up object by ID print relationship_dict[rel_ttp.item.idref].title
  • 15. Further Reading • Sample code and use cases – stixproject.github.io/documentation/idioms • Python documentation – stix.readthedocs.org github.com/STIXProject/python-stix