Processes STIX 2.1 bundles from TAXII 2.1 servers, validates objects against OASIS spec, normalizes to native formats, and routes to SIEM/TIP like MISP/OpenCTI. For TAXII integrations and CTI pipelines.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Use this skill when:
Processes STIX 2.1 bundles from TAXII 2.1 servers: discovers collections, fetches paginated data, validates/normalizes objects, routes to MISP, OpenCTI, Splunk.
Processes STIX 2.1 bundles from TAXII 2.1 servers, normalizes objects to native schemas, routes to SIEMs or TIPs like MISP. For onboarding feeds, bi-directional sharing, bundle validation.
Implements Python STIX/TAXII 2.1 feed consumers/producers: TAXII server discovery, collection polling, STIX object parsing with stix2, SIEM/TIP integration. For threat intel pipelines.
Not for proprietary vendor intelligence formats such as Recorded Future JSON or CrowdStrike IOC lists (those need vendor-specific parsers rather than STIX processing).
Requires the stix2 library (pip install stix2) and the taxii2-client library.

```python
from taxii2client.v21 import Server, as_pages

server = Server("https://cti.example.com/taxii/",
                user="apiuser", password="apikey")
api_root = server.api_roots[0]
# List every collection under the first API root and whether we may read it
for collection in api_root.collections:
    print(collection.id, collection.title, collection.can_read)
```
Choose the collections relevant to your threat profile. CISA AIS offers collections segmented by sector (financial, energy, healthcare).
```python
from taxii2client.v21 import Collection, as_pages
from datetime import datetime, timedelta, timezone

collection = Collection(
    "https://cti.example.com/taxii/api1/collections/<id>/objects/",
    user="apiuser", password="apikey")
# Only fetch objects added in the last 24 hours
added_after = datetime.now(timezone.utc) - timedelta(hours=24)
# as_pages follows the server's pagination for us, 100 objects per request
for bundle_page in as_pages(collection.get_objects,
                            added_after=added_after, per_request=100):
    process_bundle(bundle_page)   # defined in the next block
```
```python
import stix2

def process_bundle(bundle_dict):
    # A TAXII 2.1 objects response is an envelope ({"more": ..., "next": ...,
    # "objects": [...]}), not a bundle, so parse the objects list rather than
    # the container; a bundle dict has the same "objects" key and works too
    for raw in bundle_dict.get("objects", []):
        obj = stix2.parse(raw, allow_custom=True)
        if obj.type == "indicator":
            validate_indicator(obj)
        elif obj.type == "threat-actor":
            upsert_threat_actor(obj)   # integration-specific hook
        elif obj.type == "relationship":
            link_objects(obj)          # integration-specific hook

def validate_indicator(indicator):
    required = ["id", "type", "spec_version", "created",
                "modified", "pattern", "pattern_type", "valid_from"]
    for field in required:
        if not hasattr(indicator, field):
            raise ValueError(f"missing required field: {field}")
    # Check the confidence range (STIX 2.1: integer from 0 to 100)
    if hasattr(indicator, "confidence") and not 0 <= indicator.confidence <= 100:
        raise ValueError(f"confidence out of range: {indicator.confidence}")
```
Map STIX object types to target systems:

- indicator objects → SIEM lookup tables and firewall block lists
- malware objects → EDR threat-intelligence store
- threat-actor / campaign objects → TIP, for analyst context
- course-of-action objects → security team wiki or SOAR playbook triggers

Use TLP marking definitions to enforce sharing restrictions:
```python
import stix2

# object_marking_refs holds marking-definition IDs, not TLP names, so compare
# against the fixed TLP:RED definition ID exported by the stix2 library
for marking in obj.get("object_marking_refs", []):
    if marking == stix2.TLP_RED.id:
        route_to_restricted_platform_only(obj)
```
```python
import json
import stix2

# Push validated local intelligence back to the shared collection
new_indicator = stix2.Indicator(
    name="恶意 C2 域名",
    pattern="[domain-name:value = 'evil-c2.example.com']",
    pattern_type="stix",
    valid_from="2025-01-15T00:00:00Z",
    confidence=80,
    labels=["malicious-activity"],
    object_marking_refs=[stix2.TLP_GREEN.id],  # TLP:GREEN definition ID from stix2
)
# A TAXII 2.1 POST takes an envelope ({"objects": [...]}) as a dict or JSON string
collection.add_objects({"objects": [json.loads(new_indicator.serialize())]})
```
| Term | Definition |
|---|---|
| STIX Bundle | Top-level STIX container object (type: "bundle") holding any number of STIX Domain Objects (SDOs) and STIX Relationship Objects (SROs) |
| SDO | STIX Domain Object: the core intelligence types: indicator, threat-actor, malware, campaign, attack-pattern, course-of-action |
| SRO | STIX Relationship Object: links two SDOs with a labelled relationship such as "uses", "attributed-to", "indicates" |
| Pattern language | STIX pattern syntax for indicator conditions: [network-traffic:dst_port = 443 AND ipv4-addr:value = '10.0.0.1'] |
| Marking definition | STIX object encoding TLP or statement sharing restrictions |
| added_after | TAXII 2.1 filter parameter (RFC 3339 timestamp) used for incremental polling of new objects |
- spec_version field: STIX 2.0 and 2.1 have incompatible schemas (2.1 added confidence and bundle-level object_marking_refs). Always check spec_version before parsing.
- … `next` link header) causes silent data loss.
- added_after clock skew: server and client clocks that disagree cause objects at the interval boundary to be missed. Use UTC everywhere and add a 5-minute overlap window.
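An added example (not from the original skill) that puts the three pitfalls above into one incremental poller: it checks spec_version, follows `next` until `more` is false, and re-fetches a 5-minute overlap while deduplicating on (id, modified). The envelopes are constructed inline and `fake_get_objects` is a hypothetical stand-in for `Collection.get_objects`, so it runs offline.

```python
from datetime import datetime, timedelta, timezone

# Constructed TAXII 2.1 envelopes standing in for two pages of one poll;
# the second page repeats an object that the overlap window fetched again.
SAMPLE_PAGES = {
    None: {"more": True, "next": "page-2", "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "modified": "2025-01-15T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.0",  # wrong spec, skipped
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "modified": "2025-01-15T00:01:00.000Z"},
    ]},
    "page-2": {"more": False, "objects": [
        {"type": "indicator", "spec_version": "2.1",  # repeat of page 1
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "modified": "2025-01-15T00:00:00.000Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000003",
         "modified": "2025-01-15T00:02:00.000Z"},
    ]},
}

def fake_get_objects(added_after=None, next=None):
    """Hypothetical offline stand-in for Collection.get_objects."""
    return SAMPLE_PAGES[next]

def poll_incremental(get_objects, last_seen, seen, overlap=timedelta(minutes=5)):
    """Fetch objects changed since last_seen minus the overlap window, follow
    `next` until more is false, skip non-2.1 objects, and drop (id, modified)
    pairs already recorded in `seen`. Returns the genuinely new objects."""
    added_after = last_seen - overlap          # UTC-aware, 5-minute overlap
    next_token, new_objects = None, []
    while True:
        envelope = get_objects(added_after=added_after, next=next_token)
        for obj in envelope.get("objects", []):
            if obj.get("spec_version") != "2.1":
                continue                       # 2.0 schema differs; reject
            key = (obj["id"], obj["modified"])
            if key in seen:
                continue                       # re-fetched by the overlap
            seen.add(key)
            new_objects.append(obj)
        if not envelope.get("more"):           # last page reached
            return new_objects
        next_token = envelope["next"]          # otherwise follow pagination

def demo():
    """Run one poll over the constructed pages; returns the new object ids."""
    seen = set()
    last_seen = datetime(2025, 1, 15, tzinfo=timezone.utc)
    return [o["id"] for o in poll_incremental(fake_get_objects, last_seen, seen)]
```

Persist `seen` (or at least the (id, modified) pairs inside the overlap window) between runs; otherwise the overlap re-delivers the boundary objects on every poll.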