I have been working on a Threat Feed, and recently I tried to export all the threats found in the system into STIX2 format.
I read through its documentation carefully and created STIX2 bundles. Now I am trying to figure out a way to export all the bundles into one file so that the file can be used as a threat feed; for example, Splunk is a tool that can read such a STIX feed.
A bundle looks like this.
{
  "type": "bundle",
  "id": "bundle--92bf6237-1b3d-43f9-85d7-e31c0b3f11b7",
  "spec_version": "2.0",
  "objects": [
    {
      "id": "indicator--c68d9454-32e3-4f30-8321-a6758df83877",
      "type": "indicator",
      "created": "2017-10-27T00:00:00.000Z",
      "modified": "2017-10-27T00:00:00.000Z",
      "name": "File hash for malware variant",
      "pattern": "[file:hashes.md5 = 'a5ef29d5315111c80a5c1abad14c8972']",
      "valid_from": "2017-10-27T00:00:00.000Z",
      "labels": ["malicious-activity"]
    },
    {
      "type": "malware",
      "id": "malware--0e1f009a-0e6c-437e-a1ec-0c003522b1d3",
      "created": "2017-10-27T00:00:00.000Z",
      "modified": "2017-10-27T00:00:00.000Z",
      "name": "Malware",
      "labels": ["remote-access-trojan"]
    },
    {
      "type": "relationship",
      "id": "relationship--c17cf161-4ec2-471c-ac58-4a1cf6e0964f",
      "created": "2017-10-27T00:00:00.000Z",
      "modified": "2017-10-27T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--c68d9454-32e3-4f30-8321-a6758df83877",
      "target_ref": "malware--0e1f009a-0e6c-437e-a1ec-0c003522b1d3"
    }
  ]
}
Now I have multiple bundles; how do I export them?
Answer 0: (score: 0)
In a TAXII feed, each content block is one STIX2 bundle. You can use an OpenTAXII server (it supports TAXII 1.1 and is content-agnostic) to serve the feed to a Splunk instance.
If you read the data from files, store each bundle in a separate JSON file.
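Where a single file is still wanted instead of one file per bundle, the STIX 2.0 bundle format itself allows it: a bundle may carry any number of objects, so several bundles can be folded into one, de-duplicating objects that appear in more than one bundle by id. The following is an added example (not code from the question, the answer or any library); the sample bundles, ids and the hash value are constructed for the demonstration, and the merged bundle gets a freshly generated id.

```python
import json
import uuid

# Constructed sample bundles (not real threat data) that share one malware object.
BUNDLE_A = {
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "created": "2017-10-27T00:00:00.000Z", "modified": "2017-10-27T00:00:00.000Z",
         "name": "File hash for malware variant",
         "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
         "valid_from": "2017-10-27T00:00:00.000Z", "labels": ["malicious-activity"]},
        {"type": "malware", "id": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "created": "2017-10-27T00:00:00.000Z", "modified": "2017-10-27T00:00:00.000Z",
         "name": "Malware", "labels": ["remote-access-trojan"]},
    ],
}
BUNDLE_B = {
    "type": "bundle", "id": "bundle--22222222-2222-4222-8222-222222222222", "spec_version": "2.0",
    "objects": [
        # Same malware id as in BUNDLE_A but a newer revision; it must win when merging.
        {"type": "malware", "id": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "created": "2017-10-27T00:00:00.000Z", "modified": "2017-11-01T00:00:00.000Z",
         "name": "Malware (renamed)", "labels": ["remote-access-trojan"]},
        {"type": "relationship", "id": "relationship--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "created": "2017-10-27T00:00:00.000Z", "modified": "2017-10-27T00:00:00.000Z",
         "relationship_type": "indicates",
         "source_ref": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "target_ref": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"},
    ],
}


def merge_bundles(bundles):
    """Fold many STIX 2.0 bundles into one; duplicate ids keep the latest 'modified' revision."""
    by_id = {}
    for b in bundles:
        if b.get("type") != "bundle" or b.get("spec_version") != "2.0":
            raise ValueError(f"not a STIX 2.0 bundle: {b.get('id')}")
        for obj in b.get("objects", []):
            prev = by_id.get(obj["id"])
            # STIX timestamps are fixed-format UTC strings, so lexical comparison orders them.
            if prev is None or obj.get("modified", "") > prev.get("modified", ""):
                by_id[obj["id"]] = obj
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": list(by_id.values())}


def to_ndjson(bundles):
    """Alternative single-file layout: one unmodified bundle per line (newline-delimited JSON)."""
    return "".join(json.dumps(b, separators=(",", ":")) + "\n" for b in bundles)
```

Which layout a consumer accepts (one merged bundle, NDJSON, or one file per bundle as the answer suggests) depends on that consumer; the merge keeps every relationship's source_ref and target_ref resolvable within the single output bundle.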