cti-python-stix2
How to create a Grouping with context?
Hi there, need some help creating a Grouping
```python
from stix2 import Grouping
from stix2.properties import OpenVocabProperty
from stix2 import IPv4Address

ip4 = IPv4Address(
    value="177.60.40.7",
    resolves_to_refs=["mac-addr--43f380fd-37c6-476d-8643-60849bf9240e"]
)
group = Grouping(
    name='alert',
    description='ciao',
    context=OpenVocabProperty('grouping-context-ov'),
    labels=['ciao'],
    object_refs=[ip4.id]
)
```
Reading the documentation:

What corresponding object should I use for the context?
You can use any string you want since it's an open vocab. The spec-defined values are included in a module stix2.v21.vocab. E.g. stix2.v21.vocab.GROUPING_CONTEXT_SUSPICIOUS_ACTIVITY.
Hi @chisholm that was easier than expected. Since we are on topic:
· Leverage a formally defined default vocabulary extended from the stixCommon:ControlledVocabularyStringType data type. STIX v1.2 defines a collection of default vocabularies and associated enumerations that are based on input from the STIX community; however, not all vocabulary properties have an assigned formally defined default vocabulary.
· Formally define a custom vocabulary by extending the stixCommon:ControlledVocabularyStringType data type. Because this is an extension of the STIX Vocabularies data model, producers and consumers MUST have access to the addition to the data model for successful use in the sharing of STIX documents.
· Reference an externally-defined, custom vocabulary using the stixCommon:UnenforcedVocabularyStringType data type to constrain the set of values. Externally-defined vocabularies are explicitly defined, but have not been included as formally specified vocabularies within the STIX Vocabularies data model using the stixCommon:ControlledVocabularyStringType data type. In this case, it is sufficient to specify the name of the vocabulary and a URL to a definition of that vocabulary.
· Choose an arbitrary and unconstrained value using the stixCommon:VocabularyStringType data type.
Can you give me an example for the last 2 points?
@priamai that looks like it is from the STIX version 1.2 specification. This library is for STIX version 2, which works differently. In STIX 2, open vocabularies can hold any string (thus being called "open"). The specification contains a list of values for the vocabulary as a starting point, and values from that list "should" be used as much as possible for interoperability, but any "arbitrary and unconstrained" string value could be used. There's not really a codified way to reference an externally defined custom vocabulary.
Hello @clenk you are totally right, I must have followed some links and didn't realise it was indeed STIX version 1.2.1.
I am reading this now: https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_vbsdt43uxrv0 For more context:
STIX vocabularies that have type names ending in '-ov', are "open": they provide a listing of common and industry accepted terms as a guide to the user but do not limit the user to that defined list. These vocabularies are referenced from the STIX Objects as type open-vocab and have a statement indicating which vocabulary should be used.
STIX vocabularies that have type names ending in '-enum' are "closed": the only valid values are those in the vocabulary. These vocabularies are referenced from the STIX Objects as type enum and have a statement indicating which enumeration must be used.
@priamai The latest version of the 2.1 STIX specification (OASIS standard) is found here: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html. You were looking at the older Committee Specification 01 which was a precursor to the final approved version.
The section you were referencing is here: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_vbsdt43uxrv0 Good news is there's no difference in text, just wanted to make sure you had the latest!
Thanks.