Xiaokui Shu
This will be an important-yet-practical fix for **cross-observation SCO recognition/deduplication**, which is critical to any reasoning/hunting that fetches multiple queries back. For most types of SCOs, such as `ipv4-addr` and...
We can. Some tests I played with a few days ago: https://github.com/opencybersecurityalliance/kestrel-lang/issues/16 This is an attempt to import `paramstix.lark` from `firepit`, and it works. Once we do that, another task...
Great that it is possible to import a custom lark file now: - https://github.com/lark-parser/lark/issues/603 - https://github.com/lark-parser/lark/pull/704 - https://github.com/lark-parser/lark/blob/bd71503e76f25b1feb14736c9eccbd8f83822708/lark-stubs/lark.pyi#L42 We can do the following in our lark grammar file: ``` %import...
Good catch! We don't have space in the syntax currently. Since the command has more components after `FROM`, and we need to avoid confusion in case of `/a/path/with/a where space/in_the_name/bundle.json`....
confirmed fixed in v1.4.2 with test `tests/test_parser.py::test_quoted_datasource`
Will check #134 for this.
This is caused by prefetch + the non-deterministic process id. Prefetch will query the original data source, e.g., the stix-bundle in this case. The prefetch query will load the bundle...
`pip` supports `extras_require` in `setup.cfg`, and we will find out whether we can do something like skipping some dependencies when doing `pip install`. Reference: - https://stackoverflow.com/questions/41268863/difference-between-extras-require-and-install-requires-in-setup-py
Good point. I think `SET/SHOW` is a better choice. And I suggest we have some ways to distinguish it from normal hunt steps/commands. Otherwise, people may try `SHOW var ...`...
Also, we may add support for adding/changing data source interfaces on the fly if we have #119 realized. Something like ``` CONFIG SET datasource.stixshifter.host101 = "elastic_ecs" '{"host":"elastic.securitylog.company.com", "port":9200, "indices":"host101"}'...