Integrate Vaticle TypeDB through OASIS Stix2 Python Library - How to? #1246

Open
brettforbes opened this issue Dec 16, 2022 · 1 comment


brettforbes commented Dec 16, 2022

Hi,

Vaticle TypeDB is an open-source knowledge graph (https://vaticle.com/), where data is fully normalised (i.e. each IP address is only written once, and all usages link to it), and you can easily write deductive rules.

There is an existing Stix 2.1 prototype, however we are just releasing next month a full and complete upgrade as a STIX-ORM for the OASIS Stix2 library. We pass every single Stix Certification Test, and are an add-on for the OASIS Stix2 Python Library, as a built-in datastore type (https://stix2.readthedocs.io/en/latest/guide/datastore.html). Thus, by using the OASIS Stix2 Python library you can add, delete and query for data within the knowledge graph. We also support ATT&CK, and plan to support CACAO and CSAFv2.

We are using our capability to build two systems:

  • a public threat database that pulls MISP, TAXII and other feeds
  • a threat hunters database, with STIX 2.1 storage of data, case management, pivoting, and Kestrel threat hunting

We need to build a Stix Pattern capability for the OASIS Stix2 Library compatibility and would like to also build a connector to Stix-Shifter system. We wonder if we can build one common Stix Pattern interface.

We notice that Stix-Shifter seems focused on security/network/host kit, and thereby Kestrel mostly does pivoting and searching external sources like MISP/TAXII through external functions. However, we would like to build them in through our system, since we already pull some of those sources (e.g. MISP/TAXII). This would necessitate having either multiple connectors (e.g. TypeDB-MISP, TypeDB-TAXII-NATO etc.), or some kind of sub-field on the connector to indicate the sub-source.

Has this kind of setup been thought about, and does it seem useful? We are keen to integrate with your environment and understand how we can best work with you guys. We would appreciate some feedback on how to go about it.

Thanks a lot

@delliott90 (Collaborator) commented:

This sounds interesting. Would you be looking for the connectors to return observed-data objects or other STIX SDOs?
