1{ 2 "cells": [ 3 { 4 "cell_type": "code", 5 "execution_count": 1, 6 "metadata": { 7 "nbsphinx": "hidden" 8 }, 9 "outputs": [], 10 "source": [ 11 "# Delete this cell to re-enable tracebacks\n", 12 "import sys\n", 13 "ipython = get_ipython()\n", 14 "\n", 15 "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n", 16 " exception_only=False, running_compiled_code=False):\n", 17 " etype, value, tb = sys.exc_info()\n", 18 " value.__cause__ = None # suppress chained exceptions\n", 19 " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n", 20 "\n", 21 "ipython.showtraceback = hide_traceback" 22 ] 23 }, 24 { 25 "cell_type": "code", 26 "execution_count": 2, 27 "metadata": { 28 "nbsphinx": "hidden" 29 }, 30 "outputs": [], 31 "source": [ 32 "# JSON output syntax highlighting\n", 33 "from __future__ import print_function\n", 34 "from pygments import highlight\n", 35 "from pygments.lexers import JsonLexer, TextLexer\n", 36 "from pygments.formatters import HtmlFormatter\n", 37 "from IPython.display import display, HTML\n", 38 "from IPython.core.interactiveshell import InteractiveShell\n", 39 "\n", 40 "InteractiveShell.ast_node_interactivity = \"all\"\n", 41 "\n", 42 "def json_print(inpt):\n", 43 " string = str(inpt)\n", 44 " formatter = HtmlFormatter()\n", 45 " if string[0] == '{':\n", 46 " lexer = JsonLexer()\n", 47 " else:\n", 48 " lexer = TextLexer()\n", 49 " return HTML('<style type=\"text/css\">{}</style>{}'.format(\n", 50 " formatter.get_style_defs('.highlight'),\n", 51 " highlight(string, lexer, formatter)))\n", 52 "\n", 53 "globals()['print'] = json_print" 54 ] 55 }, 56 { 57 "cell_type": "markdown", 58 "metadata": {}, 59 "source": [ 60 "## FileSystem \n", 61 "\n", 62 "The FileSystem suite contains [FileSystemStore](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemStore), [FileSystemSource](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSource) and [FileSystemSink](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSink). Under the hood, all FileSystem objects point to a file directory (on disk) that contains STIX 2 content. \n", 63 "\n", 64 "The directory and file structure of the intended STIX 2 content should be:\n", 65 "\n", 66 "```\n", 67 "stix2_content/\n", 68 " /STIX2 Domain Object type\n", 69 " STIX2 Domain Object\n", 70 " STIX2 Domain Object\n", 71 " .\n", 72 " .\n", 73 " .\n", 74 " /STIX2 Domain Object type\n", 75 " STIX2 Domain Object\n", 76 " STIX2 Domain Object\n", 77 " .\n", 78 " .\n", 79 " .\n", 80 " .\n", 81 " .\n", 82 " .\n", 83 " /STIX2 Domain Object type\n", 84 "```\n", 85 "\n", 86 "The master STIX 2 content directory contains subdirectories, each of which aligns to a STIX 2 domain object type (i.e. \"attack-pattern\", \"campaign\", \"malware\", etc.). Within each STIX 2 domain object subdirectory are JSON files that are STIX 2 domain objects of the specified type. The name of the json files correspond to the ID of the STIX 2 domain object found within that file. A real example of the FileSystem directory structure:\n", 87 "\n", 88 "```\n", 89 "stix2_content/\n", 90 " /attack-pattern\n", 91 " attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6.json\n", 92 " attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json\n", 93 " attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec.json\n", 94 " /campaign\n", 95 " /course-of-action\n", 96 " course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b.json\n", 97 " course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739.json\n", 98 " /identity\n", 99 " identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json\n", 100 " /indicator\n", 101 " /intrusion-set\n", 102 " /malware\n", 103 " malware--1d808f62-cf63-4063-9727-ff6132514c22.json\n", 104 " malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee.json\n", 105 " /observed-data\n", 106 " /report\n", 107 " /threat-actor\n", 108 " /vulnerability\n", 109 "```\n", 110 "\n", 111 "[FileSystemStore](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemStore) is intended for use cases where STIX 2 content is retrieved and pushed to the same file directory. As [FileSystemStore](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemStore) is just a wrapper around a paired [FileSystemSource](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSource) and [FileSystemSink](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSink) that point the same file directory.\n", 112 "\n", 113 "For use cases where STIX 2 content will only be retrieved or pushed, then a [FileSystemSource](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSource) and [FileSystemSink](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSink) can be used individually. They can also be used individually when STIX 2 content will be retrieved from one distinct file directory and pushed to another.\n", 114 "\n", 115 "### FileSystem API\n", 116 "\n", 117 "A note on [get()](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSource.get), [all_versions()](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSource.all_versions), and [query()](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSource.query): The format of the STIX2 content targeted by the FileSystem suite is JSON files. When the [FileSystemStore](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemStore) retrieves STIX 2 content (in JSON) from disk, it will attempt to parse the content into full-featured python-stix2 objects and returned as such. \n", 118 "\n", 119 "A note on [add()](../api/datastore/stix2.datastore.filesystem.rst#stix2.datastore.filesystem.FileSystemSink.add): When STIX content is added (pushed) to the file system, the STIX content can be supplied in the following forms: Python STIX objects, Python dictionaries (of valid STIX objects or Bundles), JSON-encoded strings (of valid STIX objects or Bundles), or a (Python) list of any of the previously listed types. Any of the previous STIX content forms will be converted to a STIX JSON object (in a STIX Bundle) and written to disk. \n", 120 "\n", 121 "### FileSystem Examples\n", 122 "\n", 123 "#### FileSystemStore\n", 124 "\n", 125 "Use the FileSystemStore when you want to both retrieve STIX content from the file system and push STIX content to it, too." 126 ] 127 }, 128 { 129 "cell_type": "code", 130 "execution_count": 7, 131 "metadata": {}, 132 "outputs": [ 133 { 134 "data": { 135 "text/html": [ 136 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 137 ".highlight { background: #f8f8f8; }\n", 138 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 139 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 140 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 141 ".highlight .o { color: #666666 } /* Operator */\n", 142 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 143 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 144 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 145 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 146 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 147 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 148 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 149 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 150 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 151 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 152 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 153 ".highlight .go { color: #888888 } /* Generic.Output */\n", 154 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 155 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 156 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 157 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 158 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 159 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 160 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 161 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 162 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 163 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 164 ".highlight .m { color: #666666 } /* Literal.Number */\n", 165 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 166 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 167 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 168 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 169 ".highlight .no { color: #880000 } /* Name.Constant */\n", 170 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 171 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 172 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 173 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 174 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 175 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 176 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 177 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 178 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 179 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 180 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 181 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 182 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 183 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 184 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 185 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 186 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 187 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 188 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 189 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 190 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 191 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 192 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 193 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 194 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 195 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 196 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 197 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 198 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 199 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 200 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 201 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 202 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 203 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 204 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n", 205 " <span class=\"nt\">"type"</span><span class=\"p\">:</span> <span class=\"s2\">"malware"</span><span class=\"p\">,</span>\n", 206 " <span class=\"nt\">"spec_version"</span><span class=\"p\">:</span> <span class=\"s2\">"2.1"</span><span class=\"p\">,</span>\n", 207 " <span class=\"nt\">"id"</span><span class=\"p\">:</span> <span class=\"s2\">"malware--92ec0cbd-2c30-44a2-b270-73f4ec949841"</span><span class=\"p\">,</span>\n", 208 " <span class=\"nt\">"created_by_ref"</span><span class=\"p\">:</span> <span class=\"s2\">"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"</span><span class=\"p\">,</span>\n", 209 " <span class=\"nt\">"created"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-05-31T21:33:26.565Z"</span><span class=\"p\">,</span>\n", 210 " <span class=\"nt\">"modified"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-05-31T21:33:26.565Z"</span><span class=\"p\">,</span>\n", 211 " <span class=\"nt\">"name"</span><span class=\"p\">:</span> <span class=\"s2\">"RTM"</span><span class=\"p\">,</span>\n", 212 " <span class=\"nt\">"description"</span><span class=\"p\">:</span> <span class=\"s2\">"RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]"</span><span class=\"p\">,</span>\n", 213 " <span class=\"nt\">"malware_types"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n", 214 " <span class=\"s2\">"malware"</span>\n", 215 " <span class=\"p\">],</span>\n", 216 " <span class=\"nt\">"is_family"</span><span class=\"p\">:</span> <span class=\"kc\">false</span><span class=\"p\">,</span>\n", 217 " <span class=\"nt\">"external_references"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n", 218 " <span class=\"p\">{</span>\n", 219 " <span class=\"nt\">"source_name"</span><span class=\"p\">:</span> <span class=\"s2\">"mitre-attack"</span><span class=\"p\">,</span>\n", 220 " <span class=\"nt\">"url"</span><span class=\"p\">:</span> <span class=\"s2\">"https://attack.mitre.org/wiki/Software/S0148"</span><span class=\"p\">,</span>\n", 221 " <span class=\"nt\">"external_id"</span><span class=\"p\">:</span> <span class=\"s2\">"S0148"</span>\n", 222 " <span class=\"p\">},</span>\n", 223 " <span class=\"p\">{</span>\n", 224 " <span class=\"nt\">"source_name"</span><span class=\"p\">:</span> <span class=\"s2\">"ESET RTM Feb 2017"</span><span class=\"p\">,</span>\n", 225 " <span class=\"nt\">"description"</span><span class=\"p\">:</span> <span class=\"s2\">"Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017."</span><span class=\"p\">,</span>\n", 226 " <span class=\"nt\">"url"</span><span class=\"p\">:</span> <span class=\"s2\">"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"</span>\n", 227 " <span class=\"p\">}</span>\n", 228 " <span class=\"p\">],</span>\n", 229 " <span class=\"nt\">"object_marking_refs"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n", 230 " <span class=\"s2\">"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"</span>\n", 231 " <span class=\"p\">]</span>\n", 232 "<span class=\"p\">}</span>\n", 233 "</pre></div>\n" 234 ], 235 "text/plain": [ 236 "<IPython.core.display.HTML object>" 237 ] 238 }, 239 "execution_count": 7, 240 "metadata": {}, 241 "output_type": "execute_result" 242 } 243 ], 244 "source": [ 245 "from stix2 import FileSystemStore\n", 246 "\n", 247 "# create FileSystemStore\n", 248 "fs = FileSystemStore(\"/tmp/stix2_store\")\n", 249 "\n", 250 "# retrieve STIX2 content from FileSystemStore\n", 251 "ap = fs.get(\"attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22\")\n", 252 "mal = fs.get(\"malware--92ec0cbd-2c30-44a2-b270-73f4ec949841\")\n", 253 "\n", 254 "# for visual purposes\n", 255 "print(mal)" 256 ] 257 }, 258 { 259 "cell_type": "code", 260 "execution_count": 8, 261 "metadata": {}, 262 "outputs": [], 263 "source": [ 264 "from stix2 import ThreatActor, Indicator\n", 265 "\n", 266 "# create new STIX threat-actor\n", 267 "ta = ThreatActor(name=\"Adjective Bear\",\n", 268 " sophistication=\"innovator\",\n", 269 " resource_level=\"government\",\n", 270 " goals=[\n", 271 " \"compromising media outlets\",\n", 272 " \"water-hole attacks geared towards political, military targets\",\n", 273 " \"intelligence collection\"\n", 274 " ])\n", 275 "\n", 276 "# create new indicators\n", 277 "ind = Indicator(description=\"Crusades C2 implant\",\n", 278 " pattern_type=\"stix\",\n", 279 " pattern=\"[file:hashes.'SHA-256' = '54b7e05e39a59428743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']\")\n", 280 "\n", 281 "ind1 = Indicator(description=\"Crusades C2 implant 2\",\n", 282 " pattern_type=\"stix\",\n", 283 " pattern=\"[file:hashes.'SHA-256' = '64c7e05e40a59511743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']\")\n", 284 "\n", 285 "# add STIX object (threat-actor) to FileSystemStore\n", 286 "fs.add(ta)\n", 287 "\n", 288 "# can also add multiple STIX objects to FileSystemStore in one call\n", 289 "fs.add([ind, ind1])" 290 ] 291 }, 292 { 293 "cell_type": "markdown", 294 "metadata": {}, 295 "source": [ 296 "#### FileSystemSource\n", 297 "\n", 298 "Use the FileSystemSource when you only want to retrieve STIX content from the file system." 299 ] 300 }, 301 { 302 "cell_type": "code", 303 "execution_count": 9, 304 "metadata": {}, 305 "outputs": [ 306 { 307 "data": { 308 "text/html": [ 309 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 310 ".highlight { background: #f8f8f8; }\n", 311 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 312 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 313 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 314 ".highlight .o { color: #666666 } /* Operator */\n", 315 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 316 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 317 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 318 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 319 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 320 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 321 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 322 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 323 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 324 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 325 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 326 ".highlight .go { color: #888888 } /* Generic.Output */\n", 327 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 328 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 329 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 330 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 331 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 332 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 333 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 334 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 335 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 336 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 337 ".highlight .m { color: #666666 } /* Literal.Number */\n", 338 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 339 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 340 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 341 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 342 ".highlight .no { color: #880000 } /* Name.Constant */\n", 343 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 344 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 345 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 346 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 347 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 348 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 349 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 350 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 351 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 352 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 353 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 354 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 355 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 356 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 357 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 358 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 359 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 360 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 361 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 362 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 363 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 364 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 365 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 366 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 367 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 368 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 369 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 370 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 371 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 372 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 373 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 374 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 375 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 376 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 377 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span><span class=\"p\">{</span>\n", 378 " <span class=\"nt\">"type"</span><span class=\"p\">:</span> <span class=\"s2\">"attack-pattern"</span><span class=\"p\">,</span>\n", 379 " <span class=\"nt\">"spec_version"</span><span class=\"p\">:</span> <span class=\"s2\">"2.1"</span><span class=\"p\">,</span>\n", 380 " <span class=\"nt\">"id"</span><span class=\"p\">:</span> <span class=\"s2\">"attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"</span><span class=\"p\">,</span>\n", 381 " <span class=\"nt\">"created_by_ref"</span><span class=\"p\">:</span> <span class=\"s2\">"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"</span><span class=\"p\">,</span>\n", 382 " <span class=\"nt\">"created"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-05-31T21:30:19.735Z"</span><span class=\"p\">,</span>\n", 383 " <span class=\"nt\">"modified"</span><span class=\"p\">:</span> <span class=\"s2\">"2017-05-31T21:30:19.735Z"</span><span class=\"p\">,</span>\n", 384 " <span class=\"nt\">"name"</span><span class=\"p\">:</span> <span class=\"s2\">"Credential Dumping"</span><span class=\"p\">,</span>\n", 385 " <span class=\"nt\">"description"</span><span class=\"p\">:</span> <span class=\"s2\">"Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\\n\\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\\n\\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \\n\\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\\n\\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\\n\\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\\n\\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs"</span><span class=\"p\">,</span>\n", 386 " <span class=\"nt\">"kill_chain_phases"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n", 387 " <span class=\"p\">{</span>\n", 388 " <span class=\"nt\">"kill_chain_name"</span><span class=\"p\">:</span> <span class=\"s2\">"mitre-attack"</span><span class=\"p\">,</span>\n", 389 " <span class=\"nt\">"phase_name"</span><span class=\"p\">:</span> <span class=\"s2\">"credential-access"</span>\n", 390 " <span class=\"p\">}</span>\n", 391 " <span class=\"p\">],</span>\n", 392 " <span class=\"nt\">"external_references"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n", 393 " <span class=\"p\">{</span>\n", 394 " <span class=\"nt\">"source_name"</span><span class=\"p\">:</span> <span class=\"s2\">"mitre-attack"</span><span class=\"p\">,</span>\n", 395 " <span class=\"nt\">"url"</span><span class=\"p\">:</span> <span class=\"s2\">"https://attack.mitre.org/wiki/Technique/T1003"</span><span class=\"p\">,</span>\n", 396 " <span class=\"nt\">"external_id"</span><span class=\"p\">:</span> <span class=\"s2\">"T1003"</span>\n", 397 " <span class=\"p\">},</span>\n", 398 " <span class=\"p\">{</span>\n", 399 " <span class=\"nt\">"source_name"</span><span class=\"p\">:</span> <span class=\"s2\">"Github Mimikatz Module sekurlsa"</span><span class=\"p\">,</span>\n", 400 " <span class=\"nt\">"description"</span><span class=\"p\">:</span> <span class=\"s2\">"Delpy, B. (2014, September 14). Mimikatz module ~ sekurlsa. Retrieved January 10, 2016."</span><span class=\"p\">,</span>\n", 401 " <span class=\"nt\">"url"</span><span class=\"p\">:</span> <span class=\"s2\">"https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa"</span>\n", 402 " <span class=\"p\">},</span>\n", 403 " <span class=\"p\">{</span>\n", 404 " <span class=\"nt\">"source_name"</span><span class=\"p\">:</span> <span class=\"s2\">"Powersploit"</span><span class=\"p\">,</span>\n", 405 " <span class=\"nt\">"description"</span><span class=\"p\">:</span> <span class=\"s2\">"PowerSploit. (n.d.). Retrieved December 4, 2014."</span><span class=\"p\">,</span>\n", 406 " <span class=\"nt\">"url"</span><span class=\"p\">:</span> <span class=\"s2\">"https://github.com/mattifestation/PowerSploit"</span>\n", 407 " <span class=\"p\">}</span>\n", 408 " <span class=\"p\">],</span>\n", 409 " <span class=\"nt\">"object_marking_refs"</span><span class=\"p\">:</span> <span class=\"p\">[</span>\n", 410 " <span class=\"s2\">"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"</span>\n", 411 " <span class=\"p\">]</span>\n", 412 "<span class=\"p\">}</span>\n", 413 "</pre></div>\n" 414 ], 415 "text/plain": [ 416 "<IPython.core.display.HTML object>" 417 ] 418 }, 419 "execution_count": 9, 420 "metadata": {}, 421 "output_type": "execute_result" 422 } 423 ], 424 "source": [ 425 "from stix2 import FileSystemSource\n", 426 "\n", 427 "# create FileSystemSource\n", 428 "fs_source = FileSystemSource(\"/tmp/stix2_source\")\n", 429 "\n", 430 "# retrieve STIX 2 objects\n", 431 "ap = fs_source.get(\"attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22\")\n", 432 "\n", 433 "# for visual purposes\n", 434 "print(ap)" 435 ] 436 }, 437 { 438 "cell_type": "code", 439 "execution_count": 10, 440 "metadata": {}, 441 "outputs": [ 442 { 443 "data": { 444 "text/html": [ 445 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 446 ".highlight { background: #f8f8f8; }\n", 447 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 448 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 449 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 450 ".highlight .o { color: #666666 } /* Operator */\n", 451 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 452 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 453 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 454 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 455 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 456 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 457 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 458 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 459 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 460 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 461 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 462 ".highlight .go { color: #888888 } /* Generic.Output */\n", 463 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 464 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 465 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 466 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 467 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 468 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 469 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 470 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 471 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 472 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 473 ".highlight .m { color: #666666 } /* Literal.Number */\n", 474 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 475 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 476 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 477 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 478 ".highlight .no { color: #880000 } /* Name.Constant */\n", 479 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 480 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 481 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 482 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 483 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 484 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 485 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 486 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 487 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 488 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 489 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 490 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 491 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 492 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 493 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 494 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 495 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 496 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 497 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 498 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 499 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 500 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 501 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 502 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 503 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 504 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 505 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 506 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 507 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 508 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 509 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 510 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 511 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 512 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 513 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--92ec0cbd-2c30-44a2-b270-73f4ec949841\n", 514 "</pre></div>\n" 515 ], 516 "text/plain": [ 517 "<IPython.core.display.HTML object>" 518 ] 519 }, 520 "execution_count": 10, 521 "metadata": {}, 522 "output_type": "execute_result" 523 }, 524 { 525 "data": { 526 "text/html": [ 527 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 528 ".highlight { background: #f8f8f8; }\n", 529 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 530 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 531 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 532 ".highlight .o { color: #666666 } /* Operator */\n", 533 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 534 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 535 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 536 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 537 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 538 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 539 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 540 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 541 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 542 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 543 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 544 ".highlight .go { color: #888888 } /* Generic.Output */\n", 545 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 546 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 547 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 548 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 549 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 550 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 551 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 552 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 553 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 554 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 555 ".highlight .m { color: #666666 } /* Literal.Number */\n", 556 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 557 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 558 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 559 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 560 ".highlight .no { color: #880000 } /* Name.Constant */\n", 561 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 562 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 563 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 564 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 565 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 566 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 567 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 568 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 569 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 570 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 571 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 572 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 573 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 574 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 575 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 576 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 577 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 578 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 579 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 580 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 581 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 582 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 583 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 584 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 585 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 586 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 587 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 588 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 589 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 590 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 591 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 592 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 593 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 594 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 595 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--b42378e0-f147-496f-992a-26a49705395b\n", 596 "</pre></div>\n" 597 ], 598 "text/plain": [ 599 "<IPython.core.display.HTML object>" 600 ] 601 }, 602 "execution_count": 10, 603 "metadata": {}, 604 "output_type": "execute_result" 605 }, 606 { 607 "data": { 608 "text/html": [ 609 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 610 ".highlight { background: #f8f8f8; }\n", 611 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 612 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 613 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 614 ".highlight .o { color: #666666 } /* Operator */\n", 615 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 616 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 617 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 618 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 619 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 620 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 621 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 622 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 623 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 624 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 625 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 626 ".highlight .go { color: #888888 } /* Generic.Output */\n", 627 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 628 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 629 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 630 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 631 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 632 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 633 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 634 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 635 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 636 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 637 ".highlight .m { color: #666666 } /* Literal.Number */\n", 638 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 639 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 640 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 641 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 642 ".highlight .no { color: #880000 } /* Name.Constant */\n", 643 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 644 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 645 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 646 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 647 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 648 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 649 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 650 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 651 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 652 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 653 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 654 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 655 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 656 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 657 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 658 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 659 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 660 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 661 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 662 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 663 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 664 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 665 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 666 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 667 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 668 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 669 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 670 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 671 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 672 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 673 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 674 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 675 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 676 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 677 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--96b08451-b27a-4ff6-893f-790e26393a8e\n", 678 "</pre></div>\n" 679 ], 680 "text/plain": [ 681 "<IPython.core.display.HTML object>" 682 ] 683 }, 684 "execution_count": 10, 685 "metadata": {}, 686 "output_type": "execute_result" 687 }, 688 { 689 "data": { 690 "text/html": [ 691 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 692 ".highlight { background: #f8f8f8; }\n", 693 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 694 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 695 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 696 ".highlight .o { color: #666666 } /* Operator */\n", 697 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 698 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 699 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 700 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 701 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 702 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 703 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 704 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 705 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 706 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 707 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 708 ".highlight .go { color: #888888 } /* Generic.Output */\n", 709 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 710 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 711 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 712 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 713 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 714 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 715 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 716 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 717 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 718 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 719 ".highlight .m { color: #666666 } /* Literal.Number */\n", 720 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 721 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 722 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 723 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 724 ".highlight .no { color: #880000 } /* Name.Constant */\n", 725 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 726 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 727 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 728 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 729 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 730 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 731 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 732 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 733 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 734 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 735 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 736 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 737 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 738 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 739 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 740 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 741 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 742 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 743 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 744 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 745 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 746 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 747 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 748 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 749 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 750 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 751 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 752 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 753 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 754 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 755 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 756 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 757 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 758 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 759 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 760 "</pre></div>\n" 761 ], 762 "text/plain": [ 763 "<IPython.core.display.HTML object>" 764 ] 765 }, 766 "execution_count": 10, 767 "metadata": {}, 768 "output_type": "execute_result" 769 }, 770 { 771 "data": { 772 "text/html": [ 773 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 774 ".highlight { background: #f8f8f8; }\n", 775 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 776 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 777 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 778 ".highlight .o { color: #666666 } /* Operator */\n", 779 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 780 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 781 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 782 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 783 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 784 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 785 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 786 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 787 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 788 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 789 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 790 ".highlight .go { color: #888888 } /* Generic.Output */\n", 791 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 792 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 793 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 794 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 795 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 796 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 797 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 798 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 799 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 800 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 801 ".highlight .m { color: #666666 } /* Literal.Number */\n", 802 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 803 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 804 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 805 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 806 ".highlight .no { color: #880000 } /* Name.Constant */\n", 807 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 808 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 809 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 810 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 811 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 812 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 813 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 814 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 815 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 816 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 817 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 818 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 819 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 820 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 821 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 822 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 823 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 824 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 825 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 826 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 827 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 828 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 829 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 830 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 831 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 832 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 833 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 834 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 835 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 836 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 837 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 838 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 839 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 840 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 841 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 842 "</pre></div>\n" 843 ], 844 "text/plain": [ 845 "<IPython.core.display.HTML object>" 846 ] 847 }, 848 "execution_count": 10, 849 "metadata": {}, 850 "output_type": "execute_result" 851 }, 852 { 853 "data": { 854 "text/html": [ 855 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 856 ".highlight { background: #f8f8f8; }\n", 857 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 858 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 859 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 860 ".highlight .o { color: #666666 } /* Operator */\n", 861 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 862 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 863 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 864 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 865 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 866 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 867 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 868 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 869 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 870 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 871 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 872 ".highlight .go { color: #888888 } /* Generic.Output */\n", 873 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 874 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 875 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 876 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 877 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 878 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 879 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 880 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 881 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 882 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 883 ".highlight .m { color: #666666 } /* Literal.Number */\n", 884 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 885 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 886 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 887 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 888 ".highlight .no { color: #880000 } /* Name.Constant */\n", 889 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 890 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 891 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 892 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 893 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 894 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 895 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 896 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 897 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 898 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 899 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 900 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 901 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 902 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 903 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 904 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 905 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 906 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 907 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 908 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 909 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 910 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 911 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 912 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 913 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 914 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 915 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 916 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 917 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 918 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 919 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 920 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 921 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 922 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 923 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 924 "</pre></div>\n" 925 ], 926 "text/plain": [ 927 "<IPython.core.display.HTML object>" 928 ] 929 }, 930 "execution_count": 10, 931 "metadata": {}, 932 "output_type": "execute_result" 933 }, 934 { 935 "data": { 936 "text/html": [ 937 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 938 ".highlight { background: #f8f8f8; }\n", 939 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 940 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 941 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 942 ".highlight .o { color: #666666 } /* Operator */\n", 943 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 944 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 945 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 946 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 947 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 948 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 949 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 950 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 951 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 952 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 953 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 954 ".highlight .go { color: #888888 } /* Generic.Output */\n", 955 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 956 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 957 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 958 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 959 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 960 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 961 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 962 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 963 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 964 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 965 ".highlight .m { color: #666666 } /* Literal.Number */\n", 966 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 967 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 968 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 969 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 970 ".highlight .no { color: #880000 } /* Name.Constant */\n", 971 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 972 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 973 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 974 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 975 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 976 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 977 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 978 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 979 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 980 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 981 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 982 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 983 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 984 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 985 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 986 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 987 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 988 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 989 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 990 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 991 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 992 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 993 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 994 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 995 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 996 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 997 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 998 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 999 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 1000 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 1001 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 1002 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 1003 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 1004 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 1005 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 1006 "</pre></div>\n" 1007 ], 1008 "text/plain": [ 1009 "<IPython.core.display.HTML object>" 1010 ] 1011 }, 1012 "execution_count": 10, 1013 "metadata": {}, 1014 "output_type": "execute_result" 1015 } 1016 ], 1017 "source": [ 1018 "from stix2 import Filter\n", 1019 "\n", 1020 "# create filter for type=malware\n", 1021 "query = [Filter(\"type\", \"=\", \"malware\")]\n", 1022 "\n", 1023 "# query on the filter\n", 1024 "mals = fs_source.query(query)\n", 1025 "\n", 1026 "for mal in mals:\n", 1027 " print(mal.id)" 1028 ] 1029 }, 1030 { 1031 "cell_type": "code", 1032 "execution_count": 11, 1033 "metadata": {}, 1034 "outputs": [ 1035 { 1036 "data": { 1037 "text/html": [ 1038 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 1039 ".highlight { background: #f8f8f8; }\n", 1040 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 1041 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 1042 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 1043 ".highlight .o { color: #666666 } /* Operator */\n", 1044 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 1045 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 1046 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 1047 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 1048 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 1049 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 1050 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 1051 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 1052 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 1053 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 1054 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 1055 ".highlight .go { color: #888888 } /* Generic.Output */\n", 1056 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 1057 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 1058 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 1059 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 1060 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 1061 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 1062 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 1063 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 1064 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 1065 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 1066 ".highlight .m { color: #666666 } /* Literal.Number */\n", 1067 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 1068 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 1069 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 1070 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 1071 ".highlight .no { color: #880000 } /* Name.Constant */\n", 1072 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 1073 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 1074 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 1075 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 1076 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 1077 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 1078 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 1079 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 1080 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 1081 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 1082 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 1083 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 1084 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 1085 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 1086 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 1087 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 1088 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 1089 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 1090 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 1091 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 1092 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 1093 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 1094 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 1095 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 1096 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 1097 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 1098 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 1099 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 1100 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 1101 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 1102 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 1103 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 1104 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 1105 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 1106 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--92ec0cbd-2c30-44a2-b270-73f4ec949841\n", 1107 "</pre></div>\n" 1108 ], 1109 "text/plain": [ 1110 "<IPython.core.display.HTML object>" 1111 ] 1112 }, 1113 "execution_count": 11, 1114 "metadata": {}, 1115 "output_type": "execute_result" 1116 }, 1117 { 1118 "data": { 1119 "text/html": [ 1120 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 1121 ".highlight { background: #f8f8f8; }\n", 1122 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 1123 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 1124 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 1125 ".highlight .o { color: #666666 } /* Operator */\n", 1126 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 1127 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 1128 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 1129 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 1130 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 1131 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 1132 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 1133 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 1134 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 1135 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 1136 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 1137 ".highlight .go { color: #888888 } /* Generic.Output */\n", 1138 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 1139 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 1140 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 1141 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 1142 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 1143 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 1144 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 1145 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 1146 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 1147 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 1148 ".highlight .m { color: #666666 } /* Literal.Number */\n", 1149 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 1150 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 1151 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 1152 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 1153 ".highlight .no { color: #880000 } /* Name.Constant */\n", 1154 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 1155 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 1156 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 1157 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 1158 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 1159 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 1160 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 1161 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 1162 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 1163 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 1164 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 1165 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 1166 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 1167 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 1168 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 1169 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 1170 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 1171 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 1172 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 1173 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 1174 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 1175 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 1176 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 1177 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 1178 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 1179 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 1180 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 1181 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 1182 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 1183 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 1184 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 1185 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 1186 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 1187 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 1188 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 1189 "</pre></div>\n" 1190 ], 1191 "text/plain": [ 1192 "<IPython.core.display.HTML object>" 1193 ] 1194 }, 1195 "execution_count": 11, 1196 "metadata": {}, 1197 "output_type": "execute_result" 1198 }, 1199 { 1200 "data": { 1201 "text/html": [ 1202 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 1203 ".highlight { background: #f8f8f8; }\n", 1204 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 1205 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 1206 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 1207 ".highlight .o { color: #666666 } /* Operator */\n", 1208 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 1209 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 1210 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 1211 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 1212 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 1213 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 1214 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 1215 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 1216 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 1217 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 1218 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 1219 ".highlight .go { color: #888888 } /* Generic.Output */\n", 1220 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 1221 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 1222 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 1223 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 1224 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 1225 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 1226 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 1227 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 1228 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 1229 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 1230 ".highlight .m { color: #666666 } /* Literal.Number */\n", 1231 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 1232 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 1233 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 1234 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 1235 ".highlight .no { color: #880000 } /* Name.Constant */\n", 1236 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 1237 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 1238 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 1239 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 1240 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 1241 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 1242 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 1243 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 1244 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 1245 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 1246 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 1247 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 1248 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 1249 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 1250 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 1251 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 1252 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 1253 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 1254 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 1255 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 1256 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 1257 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 1258 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 1259 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 1260 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 1261 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 1262 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 1263 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 1264 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 1265 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 1266 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 1267 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 1268 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 1269 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 1270 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 1271 "</pre></div>\n" 1272 ], 1273 "text/plain": [ 1274 "<IPython.core.display.HTML object>" 1275 ] 1276 }, 1277 "execution_count": 11, 1278 "metadata": {}, 1279 "output_type": "execute_result" 1280 }, 1281 { 1282 "data": { 1283 "text/html": [ 1284 "<style type=\"text/css\">.highlight .hll { background-color: #ffffcc }\n", 1285 ".highlight { background: #f8f8f8; }\n", 1286 ".highlight .c { color: #408080; font-style: italic } /* Comment */\n", 1287 ".highlight .err { border: 1px solid #FF0000 } /* Error */\n", 1288 ".highlight .k { color: #008000; font-weight: bold } /* Keyword */\n", 1289 ".highlight .o { color: #666666 } /* Operator */\n", 1290 ".highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */\n", 1291 ".highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */\n", 1292 ".highlight .cp { color: #BC7A00 } /* Comment.Preproc */\n", 1293 ".highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */\n", 1294 ".highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */\n", 1295 ".highlight .cs { color: #408080; font-style: italic } /* Comment.Special */\n", 1296 ".highlight .gd { color: #A00000 } /* Generic.Deleted */\n", 1297 ".highlight .ge { font-style: italic } /* Generic.Emph */\n", 1298 ".highlight .gr { color: #FF0000 } /* Generic.Error */\n", 1299 ".highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */\n", 1300 ".highlight .gi { color: #00A000 } /* Generic.Inserted */\n", 1301 ".highlight .go { color: #888888 } /* Generic.Output */\n", 1302 ".highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */\n", 1303 ".highlight .gs { font-weight: bold } /* Generic.Strong */\n", 1304 ".highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */\n", 1305 ".highlight .gt { color: #0044DD } /* Generic.Traceback */\n", 1306 ".highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */\n", 1307 ".highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */\n", 1308 ".highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */\n", 1309 ".highlight .kp { color: #008000 } /* Keyword.Pseudo */\n", 1310 ".highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */\n", 1311 ".highlight .kt { color: #B00040 } /* Keyword.Type */\n", 1312 ".highlight .m { color: #666666 } /* Literal.Number */\n", 1313 ".highlight .s { color: #BA2121 } /* Literal.String */\n", 1314 ".highlight .na { color: #7D9029 } /* Name.Attribute */\n", 1315 ".highlight .nb { color: #008000 } /* Name.Builtin */\n", 1316 ".highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */\n", 1317 ".highlight .no { color: #880000 } /* Name.Constant */\n", 1318 ".highlight .nd { color: #AA22FF } /* Name.Decorator */\n", 1319 ".highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */\n", 1320 ".highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */\n", 1321 ".highlight .nf { color: #0000FF } /* Name.Function */\n", 1322 ".highlight .nl { color: #A0A000 } /* Name.Label */\n", 1323 ".highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */\n", 1324 ".highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */\n", 1325 ".highlight .nv { color: #19177C } /* Name.Variable */\n", 1326 ".highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */\n", 1327 ".highlight .w { color: #bbbbbb } /* Text.Whitespace */\n", 1328 ".highlight .mb { color: #666666 } /* Literal.Number.Bin */\n", 1329 ".highlight .mf { color: #666666 } /* Literal.Number.Float */\n", 1330 ".highlight .mh { color: #666666 } /* Literal.Number.Hex */\n", 1331 ".highlight .mi { color: #666666 } /* Literal.Number.Integer */\n", 1332 ".highlight .mo { color: #666666 } /* Literal.Number.Oct */\n", 1333 ".highlight .sa { color: #BA2121 } /* Literal.String.Affix */\n", 1334 ".highlight .sb { color: #BA2121 } /* Literal.String.Backtick */\n", 1335 ".highlight .sc { color: #BA2121 } /* Literal.String.Char */\n", 1336 ".highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */\n", 1337 ".highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */\n", 1338 ".highlight .s2 { color: #BA2121 } /* Literal.String.Double */\n", 1339 ".highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */\n", 1340 ".highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */\n", 1341 ".highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */\n", 1342 ".highlight .sx { color: #008000 } /* Literal.String.Other */\n", 1343 ".highlight .sr { color: #BB6688 } /* Literal.String.Regex */\n", 1344 ".highlight .s1 { color: #BA2121 } /* Literal.String.Single */\n", 1345 ".highlight .ss { color: #19177C } /* Literal.String.Symbol */\n", 1346 ".highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */\n", 1347 ".highlight .fm { color: #0000FF } /* Name.Function.Magic */\n", 1348 ".highlight .vc { color: #19177C } /* Name.Variable.Class */\n", 1349 ".highlight .vg { color: #19177C } /* Name.Variable.Global */\n", 1350 ".highlight .vi { color: #19177C } /* Name.Variable.Instance */\n", 1351 ".highlight .vm { color: #19177C } /* Name.Variable.Magic */\n", 1352 ".highlight .il { color: #666666 } /* Literal.Number.Integer.Long */</style><div class=\"highlight\"><pre><span></span>malware--6b616fc1-1505-48e3-8b2c-0d19337bff38\n", 1353 "</pre></div>\n" 1354 ], 1355 "text/plain": [ 1356 "<IPython.core.display.HTML object>" 1357 ] 1358 }, 1359 "execution_count": 11, 1360 "metadata": {}, 1361 "output_type": "execute_result" 1362 } 1363 ], 1364 "source": [ 1365 "# add more filters to the query\n", 1366 "query.append(Filter(\"modified\", \">\" , \"2017-05-31T21:33:10.772474Z\"))\n", 1367 "\n", 1368 "mals = fs_source.query(query)\n", 1369 "\n", 1370 "# for visual purposes\n", 1371 "for mal in mals:\n", 1372 " print(mal.id)" 1373 ] 1374 }, 1375 { 1376 "cell_type": "markdown", 1377 "metadata": {}, 1378 "source": [ 1379 "#### FileSystemSink\n", 1380 "\n", 1381 "Use the FileSystemSink when you only want to push STIX content to the file system." 1382 ] 1383 }, 1384 { 1385 "cell_type": "code", 1386 "execution_count": 13, 1387 "metadata": {}, 1388 "outputs": [], 1389 "source": [ 1390 "from stix2 import FileSystemSink, Campaign, Indicator\n", 1391 "\n", 1392 "# create FileSystemSink\n", 1393 "fs_sink = FileSystemSink(\"/tmp/stix2_sink\")\n", 1394 "\n", 1395 "# create STIX objects and add to sink\n", 1396 "camp = Campaign(name=\"The Crusades\",\n", 1397 " objective=\"Infiltrating Israeli, Iranian and Palestinian digital infrastructure and government systems.\",\n", 1398 " aliases=[\"Desert Moon\"])\n", 1399 "\n", 1400 "ind = Indicator(description=\"Crusades C2 implant\",\n", 1401 " pattern_type=\"stix\",\n", 1402 " pattern=\"[file:hashes.'SHA-256' = '54b7e05e39a59428743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']\")\n", 1403 "\n", 1404 "ind1 = Indicator(description=\"Crusades C2 implant\",\n", 1405 " pattern_type=\"stix\",\n", 1406 " pattern=\"[file:hashes.'SHA-256' = '54b7e05e39a59428743635242e4a867c932140a999f52a1e54fa7ee6a440c73b']\")\n", 1407 "\n", 1408 "# add Campaign object to FileSystemSink\n", 1409 "fs_sink.add(camp)\n", 1410 "\n", 1411 "# can also add STIX objects to FileSystemSink in on call\n", 1412 "fs_sink.add([ind, ind1])" 1413 ] 1414 } 1415 ], 1416 "metadata": { 1417 "kernelspec": { 1418 "display_name": "Python 3", 1419 "language": "python", 1420 "name": "python3" 1421 }, 1422 "language_info": { 1423 "codemirror_mode": { 1424 "name": "ipython", 1425 "version": 3 1426 }, 1427 "file_extension": ".py", 1428 "mimetype": "text/x-python", 1429 "name": "python", 1430 "nbconvert_exporter": "python", 1431 "pygments_lexer": "ipython3", 1432 "version": "3.9.0a6" 1433 } 1434 }, 1435 "nbformat": 4, 1436 "nbformat_minor": 2 1437} 1438