os-threat / Stix-ORM

GNU Affero General Public License v3.0

Add some basic functions in the source #31

Closed priamai closed 10 months ago

priamai commented 10 months ago

Hello, we discussed before supporting a full STIX filter function like this, but for now I would need just a set of primitives added:

Also, cherry on the cake if we can combine the filters, for example:

brettforbes commented 10 months ago

@dfjosullivan, can you comment please? I guess these methods underlie the block definitions we want to build. So if we build these methods out first, then it should be pretty useful. Can you advise on the best way to lay out queries to underlie the table of block definitions? Like, what do I call them, and how should all of the methods be organised?

brettforbes commented 10 months ago

Hi, I can't understand queries 1 and 2; please provide greater detail.

Also, I can't understand 5, since the same Feed object is continuously updated, and in fact it is the Observed Data and the Threat Sub Objects that have creation dates. Finally, the data observed also has its own created and modified dates. What specifically are you referring to in your query request? We can make anything, but what do you want? Can you be MECE (Mutually Exclusive, Collectively Exhaustive)?

priamai commented 10 months ago

I was thinking something like this approach:

    filterme = Conditions(type="campaign", createdgt="2023-01-01", createdlt="2023-03-01")

    list_id = source.filter(filterme)

priamai commented 10 months ago

    filterme2 = Conditions(stixtype="SDO", library="stix2.1")

To get all the SDOs of the standard library.

    filterme3 = Conditions(stixtype="Technique", library="attack")

brettforbes commented 10 months ago

Yes, but it's not like this at all, and by not understanding how it works, it is making it hard.

Instead we need to assemble a query to get stix_ids based on certain constraints, like:

    match $sdo isa stix-domain-object, has created $created, has stix-id $stix_id;
    $created > "2023-01-01"; $created < "2023-03-01";
    get $stix_id;

Then we simply run the TypeDBSource.get() method for each of the returned stix_ids.

The key is to understand the object variations and constraints well enough so that we can deal with all of them pretty easily. This is why I ask for more detail.

priamai commented 10 months ago

At the bone, to build the query:

Operators: equal, greater than (greater than or equal), less than (less than or equal).

The STIX fields I want to filter: created, modified, type (equal only).

Everything else we can build on top of this core function. Well, I guess the MITRE techniques and sub-techniques will be tricky, but we can make some syntax magic.
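As an added example (not Stix-ORM's code, and not what was pushed for this issue), here is one way the primitives listed above could be compiled into the id-lookup query shape brettforbes described: a `match ... get $stix_id;` query, followed by one `get()` per returned id. The names `Conditions`, `build_typeql`, `filter_objects` and `MemorySource` are hypothetical. The generated TypeQL assumes one entity type per STIX type (e.g. `campaign`) that owns `stix-id`, `created` and `modified` attributes; check those names against the real schema before using it. `MemorySource` stands in for `TypeDBSource` so the example runs offline, evaluating the same terms in Python rather than sending the query to TypeDB. The `type` value is validated against a strict pattern before it is spliced into the query, so a caller-supplied value can never break out of the `isa` clause, and timestamps are parsed rather than pasted in as strings.

```python
"""Filter primitives for a STIX store, compiled to a TypeQL id query.

Added example for this thread; not Stix-ORM code. Names (`Conditions`,
`build_typeql`, `filter_objects`, `MemorySource`) are hypothetical, and the
query assumes an entity type per STIX type (e.g. `campaign sub
stix-domain-object`) owning `stix-id`, `created` and `modified` attributes.
"""
import re
from datetime import datetime, timezone

# Core operator set requested in the thread; `type` is equal-only.
_OPS = {"eq": "=", "gt": ">", "gte": ">=", "lt": "<", "lte": "<="}
_FIELD_OPS = {"type": {"eq"}, "created": set(_OPS), "modified": set(_OPS)}
# STIX type names are lower-case words joined by hyphens. Anything else is
# rejected, so a value can never inject extra TypeQL into the query.
_TYPE_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def parse_ts(value):
    """Accept 'YYYY-MM-DD' or STIX 'YYYY-MM-DDTHH:MM:SS[.fff]Z'; return aware UTC."""
    text = value[:-1] if value.endswith("Z") else value
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


class Conditions:
    """Keyword filters such as Conditions(type="campaign", created_gt="2023-01-01").

    `terms` is a list of (field, op, value) with values already validated.
    Two Conditions objects combine with `&`, giving the AND of both.
    """

    def __init__(self, **kwargs):
        self.terms = []
        for key, raw in kwargs.items():
            fld, _, op = key.rpartition("_")
            if fld == "":                    # bare field name means "equal"
                fld, op = key, "eq"
            if fld not in _FIELD_OPS:
                raise ValueError(f"unknown field {fld!r}")
            if op not in _FIELD_OPS[fld]:
                raise ValueError(f"operator {op!r} not allowed on {fld!r}")
            if fld == "type":
                if not _TYPE_RE.match(raw):
                    raise ValueError(f"bad STIX type {raw!r}")
                self.terms.append((fld, op, raw))
            else:
                self.terms.append((fld, op, parse_ts(raw)))

    def __and__(self, other):
        merged = Conditions()
        merged.terms = self.terms + other.terms
        return merged


def build_typeql(cond):
    """Compile Conditions into 'match ...; get $stix_id;' (step one of two)."""
    obj_type = "stix-domain-object"          # assumption: STIX type == entity type
    for fld, _, val in cond.terms:
        if fld == "type":
            obj_type = val
    fields = {fld for fld, _, _ in cond.terms if fld != "type"}
    pattern = [f"$sdo isa {obj_type}", "has stix-id $stix_id"]
    pattern += [f"has {fld} ${fld}" for fld in sorted(fields)]
    lines = ["match " + ", ".join(pattern) + ";"]
    for fld, op, val in cond.terms:
        if fld != "type":
            # TypeQL datetime literals are unquoted ISO 8601 without a zone.
            lines.append(f"${fld} {_OPS[op]} {val.strftime('%Y-%m-%dT%H:%M:%S')};")
    lines.append("get $stix_id;")
    return "\n".join(lines)


class MemorySource:
    """Offline stand-in for TypeDBSource: evaluates the terms in Python."""

    def __init__(self, objects):
        self.objects = {o["id"]: o for o in objects}

    def query_ids(self, cond):
        hits = []
        for o in self.objects.values():
            ok = True
            for fld, op, val in cond.terms:
                have = o[fld] if fld == "type" else parse_ts(o[fld])
                ok &= {"eq": have == val, "gt": have > val, "gte": have >= val,
                       "lt": have < val, "lte": have <= val}[op]
            if ok:
                hits.append(o["id"])
        return hits

    def get(self, stix_id):
        return self.objects[stix_id]


def filter_objects(source, cond):
    """Step two: id query first, then source.get() for each returned id."""
    return [source.get(i) for i in source.query_ids(cond)]


# Constructed sample data for the demo; not real threat intel.
SAMPLE = [
    {"id": "campaign--1", "type": "campaign",
     "created": "2023-02-10T00:00:00.000Z", "modified": "2023-02-10T00:00:00.000Z"},
    {"id": "campaign--2", "type": "campaign",
     "created": "2022-12-31T23:59:59.000Z", "modified": "2023-02-01T00:00:00.000Z"},
    {"id": "malware--1", "type": "malware",
     "created": "2023-02-10T00:00:00.000Z", "modified": "2023-02-10T00:00:00.000Z"},
]

if __name__ == "__main__":
    q = Conditions(type="campaign", created_gt="2023-01-01", created_lt="2023-03-01")
    print(build_typeql(q))
    print([o["id"] for o in filter_objects(MemorySource(SAMPLE), q)])
```

Against the constructed sample, the campaign query above yields the single id `campaign--1`; `campaign--2` fails the `created` lower bound and `malware--1` fails the `isa`. Combining filters is `Conditions(type="campaign") & Conditions(modified_gte="2023-02-05")`, which simply concatenates the validated terms. Against a real TypeDB the `MemorySource.query_ids` step would be replaced by sending `build_typeql(cond)` to the server and reading back `$stix_id`, with the validation in `Conditions` kept exactly as it is.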

brettforbes commented 10 months ago

Completed and pushed. @dfjosullivan is to convert it into the TypeDB function in Issue #34.