# STIX2 Tooling Tutorial

STIX2 tooling described here is all available via open source repositories. Most are OASIS Open, some are not.

[OASIS CTI Repositories](https://github.com/oasis-open?q=cti)

## Requirements

```pip install stix2 stix2-patterns stix2-viz stix2-validator```

## Getting data via TAXII

Use [python-stix2](https://github.com/oasis-open/cti-python-stix2) to connect to a TAXII server:

In [10]:
# import the stix2 library and the taxii2client libraries
from stix2 import TAXIICollectionSource, Filter
from taxii2client import Collection

# establish TAXII2 Collection instance
collection = Collection("https://limo.anomali.com/api/v1/taxii2/feeds/collections/107/", user="guest", password="guest")

# supply the TAXII2 collection to TAXIICollection
tc_source = TAXIICollectionSource(collection)

# build your filter -- kinda seems broken now
# f1 = Filter("type","=", "indicator")

#retrieve the STIX objects
results = tc_source.query()

print("Retrieving...")
print("Got {} results".format(len(results)))

HTTPError: 500 Server Error: INTERNAL SERVER ERROR for url: https://limo.anomali.com/api/v1/taxii2/feeds/collections/107/objects/?match%5Bfilters%5D=match%5Btype%5D

## Making sure you can use the data

Next we can take the indicators that come back and actually do something with them. In this case, we'll inspect what types of objects and comparisons are contained in the pattern.

In [3]:
# Import the pattern inspector
from stix2patterns.pattern import Pattern

# In this case, just get the first indicator
indicator = results[0]

# Print some basic information
print("Name: " + indicator.name)
print("Pattern: {}\n".format(indicator.pattern))

parsed_pattern = Pattern(indicator.pattern)

print("Pattern inspection: " + str(parsed_pattern.inspect()))

Name: phish_url: http://www.srbiohealth.com/London1/Eruku/nD/index.php
Pattern: [url:value = 'http://www.srbiohealth.com/London1/Eruku/nD/index.php']

Pattern inspection: pattern_data(comparisons={'url': [(['value'], '=', "'http://www.srbiohealth.com/London1/Eruku/nD/index.php'")]}, observation_ops=set(), qualifiers=set())


## Creating a Sighting

While actually matching the pattern is out scope for this tutorial, let's assume that the pattern matched and create a Sighting with the result.

In [4]:
# Import the Sighting object to use it
from stix2 import Sighting
from datetime import datetime

sighting = Sighting(
    sighting_of_ref=indicator.id,
    first_seen=datetime.now(),
    last_seen=datetime.now(),
    count=1
)

print("Sighting:\n{}".format(str(sighting)))

Sighting:
{
    "type": "sighting",
    "id": "sighting--0e08d5a5-a585-490d-b682-88190372cd71",
    "created": "2017-12-01T05:34:21.297Z",
    "modified": "2017-12-01T05:34:21.297Z",
    "first_seen": "2017-11-30T22:34:21.297744Z",
    "last_seen": "2017-11-30T22:34:21.297748Z",
    "count": 1,
    "sighting_of_ref": "indicator--c9068319-9865-4b31-9d95-384a6ec24940"
}


## Updating the Sighting

What if we saw a couple more sightings? Let's update it!

In [5]:
updated_sighting = sighting.new_version(
    count=3,
    last_seen=datetime.now()
)

print("Sighting:\n{}".format(str(updated_sighting)))

Sighting:
{
    "type": "sighting",
    "id": "sighting--0e08d5a5-a585-490d-b682-88190372cd71",
    "created": "2017-12-01T05:34:21.297Z",
    "modified": "2017-12-01T05:34:24.088Z",
    "first_seen": "2017-11-30T22:34:21.297744Z",
    "last_seen": "2017-11-30T22:34:24.088628Z",
    "count": 3,
    "sighting_of_ref": "indicator--c9068319-9865-4b31-9d95-384a6ec24940"
}


## Giving the indicator context

What if we know what malware instance the indicator detects? Well, let's create it and add the relationship.

In [6]:
from stix2 import Malware, Relationship

# Create the malware...just some basic details for now
wannacry = Malware(name="WannaCry", description="No, I don't really", labels=['ransomware'])

# Then relate the indicator to it
rel = Relationship(indicator, 'indicates', wannacry)

print("Malware:\n{}".format(str(wannacry)))
print("Relationship:\n{}".format(str(rel)))


Malware:
{
    "type": "malware",
    "id": "malware--0930713c-8d91-4112-8812-676b0c8fb6f6",
    "created": "2017-12-01T05:34:26.578Z",
    "modified": "2017-12-01T05:34:26.578Z",
    "name": "WannaCry",
    "description": "No, I don't really",
    "labels": [
        "ransomware"
    ]
}
Relationship:
{
    "type": "relationship",
    "id": "relationship--047d5784-b53f-4848-909d-cda221e15a61",
    "created": "2017-12-01T05:34:26.579Z",
    "modified": "2017-12-01T05:34:26.579Z",
    "relationship_type": "indicates",
    "source_ref": "indicator--c9068319-9865-4b31-9d95-384a6ec24940",
    "target_ref": "malware--0930713c-8d91-4112-8812-676b0c8fb6f6"
}


## What does this stuff look like?

Next, we can use the visualizer to see what the relationship diagram looks like.

In [9]:
from stix2 import Bundle
import stix2viz # This is Jupyter notebook-specific

bundle = Bundle(indicator, wannacry, rel, sighting)

stix2viz.display(str(bundle))