Commit 33efe20

2.10.0 updated with example
1 parent 5fdc738 commit 33efe20

1 file changed: +349 -6 lines changed

Scenarios and Workflows/TAXII_data_filtering.ipynb

Lines changed: 349 additions & 6 deletions
@@ -29,7 +29,7 @@
2929
},
3030
{
3131
"cell_type": "code",
32-
"execution_count": 20,
32+
"execution_count": 1,
3333
"outputs": [],
3434
"source": [
3535
"import json\n",
@@ -53,16 +53,16 @@
5353
"metadata": {
5454
"collapsed": false,
5555
"ExecuteTime": {
56-
"end_time": "2025-06-18T22:38:53.663257084Z",
57-
"start_time": "2025-06-18T22:38:53.656988541Z"
56+
"end_time": "2025-06-19T14:13:44.474860616Z",
57+
"start_time": "2025-06-19T14:13:44.453219973Z"
5858
}
5959
},
6060
"id": "1ff824581216504c"
6161
},
6262
{
6363
"cell_type": "markdown",
6464
"source": [
65-
"## Latest CobaltStrike indicators with high confidence from Ransomware Feed data\n",
65+
"## Latest CobaltStrike indicators with high confidence from Ransomware Indicators Feed data\n",
6666
"We will now fetch Ransomware Feed data from the last 30 days of time and filter out CobaltStrike indicators with confidence level of 80 or more."
6767
],
6868
"metadata": {
@@ -225,7 +225,8 @@
225225
{
226226
"cell_type": "markdown",
227227
"source": [
228-
"## Latest Trojan malware data with high confidence from Ransomware Indicators Feed data"
228+
"## Latest Trojan malware data with high confidence from Ransomware Indicators Feed data\n",
229+
"Here we will filter out latest Trojan data labeled with PE/Exe (Windows executables) from our Ransomware Indicators Feed."
229230
],
230231
"metadata": {
231232
"collapsed": false
@@ -250,13 +251,355 @@
250251
" max_results=500\n",
251252
")\n",
252253
"\n",
253-
"print(response)"
254+
"print(json.dumps(response))"
254255
],
255256
"metadata": {
256257
"collapsed": false
257258
},
258259
"id": "2b05ea3ea36fe86f"
259260
},
261+
{
262+
"cell_type": "markdown",
263+
"source": [
264+
"### Example output\n",
265+
"The returned data is a Python list of dictionary objects. Below is one example object dumped as a JSON string.\n",
266+
"<details>\n",
267+
"<summary>Expand to see the JSON example</summary>\n",
268+
"\n",
269+
"```\n",
270+
"[\n",
271+
" {\n",
272+
" \"type\": \"indicator\",\n",
273+
" \"spec_version\": \"2.1\",\n",
274+
" \"id\": \"indicator--9d097aab-bf8d-5915-9864-0e0f235b81ad\",\n",
275+
" \"created\": \"2025-05-20T16:12:13Z\",\n",
276+
" \"modified\": \"2025-05-20T16:12:13Z\",\n",
277+
" \"valid_from\": \"2025-05-20T16:12:13Z\",\n",
278+
" \"valid_until\": \"2025-06-19T16:12:13Z\",\n",
279+
" \"created_by_ref\": \"identity--ef2a68d1-a8d2-5cb4-973d-1b9e0858c41e\",\n",
280+
" \"name\": \"Malware File\",\n",
281+
" \"description\": \"Malware file activity was observed\",\n",
282+
" \"confidence\": 100,\n",
283+
" \"indicator_types\": [\n",
284+
" \"malicious-activity\"\n",
285+
" ],\n",
286+
" \"pattern_type\": \"stix\",\n",
287+
" \"pattern\": \"[file:hashes.'SHA-1' = 'b2ce7b5d50cad456498bc149f96fba2cd7d33033' OR file:hashes.'MD5' = 'a56f71b1a3a5b75f7a85de1cb43bd5e0' OR file:hashes.'SHA-256' = '82617a84d35721a149581353decda3ba78fb65b4ddeb9dc3ebdddcd855e6652f']\",\n",
288+
" \"labels\": [\n",
289+
" \"ReversingLabs\",\n",
290+
" \"1950208\",\n",
291+
" \"PE/Exe\",\n",
292+
" \"DBatLoader_a56f71b1a3a5b75f7a85de1cb43bd5e0.exe\",\n",
293+
" \"Remcos\",\n",
294+
" \"Trojan\",\n",
295+
" \"Early\"\n",
296+
" ],\n",
297+
" \"external_references\": [\n",
298+
" {\n",
299+
" \"source_name\": \"mitre\",\n",
300+
" \"external_id\": \"T1003\",\n",
301+
" \"description\": \"OS Credential Dumping\",\n",
302+
" \"url\": \"https://attack.mitre.org/techniques/T1003/\"\n",
303+
" },\n",
304+
" {\n",
305+
" \"source_name\": \"mitre\",\n",
306+
" \"external_id\": \"T1007\",\n",
307+
" \"description\": \"System Service Discovery\",\n",
308+
" \"url\": \"https://attack.mitre.org/techniques/T1007/\"\n",
309+
" },\n",
310+
" {\n",
311+
" \"source_name\": \"mitre\",\n",
312+
" \"external_id\": \"T1010\",\n",
313+
" \"description\": \"Application Window Discovery\",\n",
314+
" \"url\": \"https://attack.mitre.org/techniques/T1010/\"\n",
315+
" },\n",
316+
" {\n",
317+
" \"source_name\": \"mitre\",\n",
318+
" \"external_id\": \"T1012\",\n",
319+
" \"description\": \"Query Registry\",\n",
320+
" \"url\": \"https://attack.mitre.org/techniques/T1012/\"\n",
321+
" },\n",
322+
" {\n",
323+
" \"source_name\": \"mitre\",\n",
324+
" \"external_id\": \"T1016\",\n",
325+
" \"description\": \"System Network Configuration Discovery\",\n",
326+
" \"url\": \"https://attack.mitre.org/techniques/T1016/\"\n",
327+
" },\n",
328+
" {\n",
329+
" \"source_name\": \"mitre\",\n",
330+
" \"external_id\": \"T1018\",\n",
331+
" \"description\": \"Remote System Discovery\",\n",
332+
" \"url\": \"https://attack.mitre.org/techniques/T1018/\"\n",
333+
" },\n",
334+
" {\n",
335+
" \"source_name\": \"mitre\",\n",
336+
" \"external_id\": \"T1027\",\n",
337+
" \"description\": \"Obfuscated Files or Information\",\n",
338+
" \"url\": \"https://attack.mitre.org/techniques/T1027/\"\n",
339+
" },\n",
340+
" {\n",
341+
" \"source_name\": \"mitre\",\n",
342+
" \"external_id\": \"T1033\",\n",
343+
" \"description\": \"System Owner/User Discovery\",\n",
344+
" \"url\": \"https://attack.mitre.org/techniques/T1033/\"\n",
345+
" },\n",
346+
" {\n",
347+
" \"source_name\": \"mitre\",\n",
348+
" \"external_id\": \"T1036\",\n",
349+
" \"description\": \"Masquerading\",\n",
350+
" \"url\": \"https://attack.mitre.org/techniques/T1036/\"\n",
351+
" },\n",
352+
" {\n",
353+
" \"source_name\": \"mitre\",\n",
354+
" \"external_id\": \"T1053\",\n",
355+
" \"description\": \"Scheduled Task/Job\",\n",
356+
" \"url\": \"https://attack.mitre.org/techniques/T1053/\"\n",
357+
" },\n",
358+
" {\n",
359+
" \"source_name\": \"mitre\",\n",
360+
" \"external_id\": \"T1055\",\n",
361+
" \"description\": \"Process Injection\",\n",
362+
" \"url\": \"https://attack.mitre.org/techniques/T1055/\"\n",
363+
" },\n",
364+
" {\n",
365+
" \"source_name\": \"mitre\",\n",
366+
" \"external_id\": \"T1056\",\n",
367+
" \"description\": \"Input Capture\",\n",
368+
" \"url\": \"https://attack.mitre.org/techniques/T1056/\"\n",
369+
" },\n",
370+
" {\n",
371+
" \"source_name\": \"mitre\",\n",
372+
" \"external_id\": \"T1056.004\",\n",
373+
" \"description\": \"Credential API Hooking\",\n",
374+
" \"url\": \"https://attack.mitre.org/techniques/T1056.004/\"\n",
375+
" },\n",
376+
" {\n",
377+
" \"source_name\": \"mitre\",\n",
378+
" \"external_id\": \"T1057\",\n",
379+
" \"description\": \"Process Discovery\",\n",
380+
" \"url\": \"https://attack.mitre.org/techniques/T1057/\"\n",
381+
" },\n",
382+
" {\n",
383+
" \"source_name\": \"mitre\",\n",
384+
" \"external_id\": \"T1059\",\n",
385+
" \"description\": \"Command and Scripting Interpreter\",\n",
386+
" \"url\": \"https://attack.mitre.org/techniques/T1059/\"\n",
387+
" },\n",
388+
" {\n",
389+
" \"source_name\": \"mitre\",\n",
390+
" \"external_id\": \"T1068\",\n",
391+
" \"description\": \"Exploitation for Privilege Escalation\",\n",
392+
" \"url\": \"https://attack.mitre.org/techniques/T1068/\"\n",
393+
" },\n",
394+
" {\n",
395+
" \"source_name\": \"mitre\",\n",
396+
" \"external_id\": \"T1071\",\n",
397+
" \"description\": \"Application Layer Protocol\",\n",
398+
" \"url\": \"https://attack.mitre.org/techniques/T1071/\"\n",
399+
" },\n",
400+
" {\n",
401+
" \"source_name\": \"mitre\",\n",
402+
" \"external_id\": \"T1078\",\n",
403+
" \"description\": \"Valid Accounts\",\n",
404+
" \"url\": \"https://attack.mitre.org/techniques/T1078/\"\n",
405+
" },\n",
406+
" {\n",
407+
" \"source_name\": \"mitre\",\n",
408+
" \"external_id\": \"T1082\",\n",
409+
" \"description\": \"System Information Discovery\",\n",
410+
" \"url\": \"https://attack.mitre.org/techniques/T1082/\"\n",
411+
" },\n",
412+
" {\n",
413+
" \"source_name\": \"mitre\",\n",
414+
" \"external_id\": \"T1083\",\n",
415+
" \"description\": \"File and Directory Discovery\",\n",
416+
" \"url\": \"https://attack.mitre.org/techniques/T1083/\"\n",
417+
" },\n",
418+
" {\n",
419+
" \"source_name\": \"mitre\",\n",
420+
" \"external_id\": \"T1087\",\n",
421+
" \"description\": \"Account Discovery\",\n",
422+
" \"url\": \"https://attack.mitre.org/techniques/T1087/\"\n",
423+
" },\n",
424+
" {\n",
425+
" \"source_name\": \"mitre\",\n",
426+
" \"external_id\": \"T1095\",\n",
427+
" \"description\": \"Non-Application Layer Protocol\",\n",
428+
" \"url\": \"https://attack.mitre.org/techniques/T1095/\"\n",
429+
" },\n",
430+
" {\n",
431+
" \"source_name\": \"mitre\",\n",
432+
" \"external_id\": \"T1105\",\n",
433+
" \"description\": \"Ingress Tool Transfer\",\n",
434+
" \"url\": \"https://attack.mitre.org/techniques/T1105/\"\n",
435+
" },\n",
436+
" {\n",
437+
" \"source_name\": \"mitre\",\n",
438+
" \"external_id\": \"T1106\",\n",
439+
" \"description\": \"Native API\",\n",
440+
" \"url\": \"https://attack.mitre.org/techniques/T1106/\"\n",
441+
" },\n",
442+
" {\n",
443+
" \"source_name\": \"mitre\",\n",
444+
" \"external_id\": \"T1112\",\n",
445+
" \"description\": \"Modify Registry\",\n",
446+
" \"url\": \"https://attack.mitre.org/techniques/T1112/\"\n",
447+
" },\n",
448+
" {\n",
449+
" \"source_name\": \"mitre\",\n",
450+
" \"external_id\": \"T1113\",\n",
451+
" \"description\": \"Screen Capture\",\n",
452+
" \"url\": \"https://attack.mitre.org/techniques/T1113/\"\n",
453+
" },\n",
454+
" {\n",
455+
" \"source_name\": \"mitre\",\n",
456+
" \"external_id\": \"T1115\",\n",
457+
" \"description\": \"Clipboard Data\",\n",
458+
" \"url\": \"https://attack.mitre.org/techniques/T1115/\"\n",
459+
" },\n",
460+
" {\n",
461+
" \"source_name\": \"mitre\",\n",
462+
" \"external_id\": \"T1120\",\n",
463+
" \"description\": \"Peripheral Device Discovery\",\n",
464+
" \"url\": \"https://attack.mitre.org/techniques/T1120/\"\n",
465+
" },\n",
466+
" {\n",
467+
" \"source_name\": \"mitre\",\n",
468+
" \"external_id\": \"T1124\",\n",
469+
" \"description\": \"System Time Discovery\",\n",
470+
" \"url\": \"https://attack.mitre.org/techniques/T1124/\"\n",
471+
" },\n",
472+
" {\n",
473+
" \"source_name\": \"mitre\",\n",
474+
" \"external_id\": \"T1134\",\n",
475+
" \"description\": \"Access Token Manipulation\",\n",
476+
" \"url\": \"https://attack.mitre.org/techniques/T1134/\"\n",
477+
" },\n",
478+
" {\n",
479+
" \"source_name\": \"mitre\",\n",
480+
" \"external_id\": \"T1140\",\n",
481+
" \"description\": \"Deobfuscate/Decode Files or Information\",\n",
482+
" \"url\": \"https://attack.mitre.org/techniques/T1140/\"\n",
483+
" },\n",
484+
" {\n",
485+
" \"source_name\": \"mitre\",\n",
486+
" \"external_id\": \"T1218.011\",\n",
487+
" \"description\": \"Rundll32\",\n",
488+
" \"url\": \"https://attack.mitre.org/techniques/T1218.011/\"\n",
489+
" },\n",
490+
" {\n",
491+
" \"source_name\": \"mitre\",\n",
492+
" \"external_id\": \"T1219\",\n",
493+
" \"description\": \"Remote Access Software\",\n",
494+
" \"url\": \"https://attack.mitre.org/techniques/T1219/\"\n",
495+
" },\n",
496+
" {\n",
497+
" \"source_name\": \"mitre\",\n",
498+
" \"external_id\": \"T1491\",\n",
499+
" \"description\": \"Defacement\",\n",
500+
" \"url\": \"https://attack.mitre.org/techniques/T1491/\"\n",
501+
" },\n",
502+
" {\n",
503+
" \"source_name\": \"mitre\",\n",
504+
" \"external_id\": \"T1497\",\n",
505+
" \"description\": \"Virtualization/Sandbox Evasion\",\n",
506+
" \"url\": \"https://attack.mitre.org/techniques/T1497/\"\n",
507+
" },\n",
508+
" {\n",
509+
" \"source_name\": \"mitre\",\n",
510+
" \"external_id\": \"T1497.003\",\n",
511+
" \"description\": \"Time Based Evasion\",\n",
512+
" \"url\": \"https://attack.mitre.org/techniques/T1497.003/\"\n",
513+
" },\n",
514+
" {\n",
515+
" \"source_name\": \"mitre\",\n",
516+
" \"external_id\": \"T1518.001\",\n",
517+
" \"description\": \"Security Software Discovery\",\n",
518+
" \"url\": \"https://attack.mitre.org/techniques/T1518.001/\"\n",
519+
" },\n",
520+
" {\n",
521+
" \"source_name\": \"mitre\",\n",
522+
" \"external_id\": \"T1529\",\n",
523+
" \"description\": \"System Shutdown/Reboot\",\n",
524+
" \"url\": \"https://attack.mitre.org/techniques/T1529/\"\n",
525+
" },\n",
526+
" {\n",
527+
" \"source_name\": \"mitre\",\n",
528+
" \"external_id\": \"T1543.003\",\n",
529+
" \"description\": \"Windows Service\",\n",
530+
" \"url\": \"https://attack.mitre.org/techniques/T1543.003/\"\n",
531+
" },\n",
532+
" {\n",
533+
" \"source_name\": \"mitre\",\n",
534+
" \"external_id\": \"T1548.002\",\n",
535+
" \"description\": \"Bypass User Account Control\",\n",
536+
" \"url\": \"https://attack.mitre.org/techniques/T1548.002/\"\n",
537+
" },\n",
538+
" {\n",
539+
" \"source_name\": \"mitre\",\n",
540+
" \"external_id\": \"T1552.001\",\n",
541+
" \"description\": \"Credentials In Files\",\n",
542+
" \"url\": \"https://attack.mitre.org/techniques/T1552.001/\"\n",
543+
" },\n",
544+
" {\n",
545+
" \"source_name\": \"mitre\",\n",
546+
" \"external_id\": \"T1560\",\n",
547+
" \"description\": \"Archive Collected Data\",\n",
548+
" \"url\": \"https://attack.mitre.org/techniques/T1560/\"\n",
549+
" },\n",
550+
" {\n",
551+
" \"source_name\": \"mitre\",\n",
552+
" \"external_id\": \"T1562.001\",\n",
553+
" \"description\": \"Disable or Modify Tools\",\n",
554+
" \"url\": \"https://attack.mitre.org/techniques/T1562.001/\"\n",
555+
" },\n",
556+
" {\n",
557+
" \"source_name\": \"mitre\",\n",
558+
" \"external_id\": \"T1569.002\",\n",
559+
" \"description\": \"Service Execution\",\n",
560+
" \"url\": \"https://attack.mitre.org/techniques/T1569.002/\"\n",
561+
" },\n",
562+
" {\n",
563+
" \"source_name\": \"mitre\",\n",
564+
" \"external_id\": \"T1571\",\n",
565+
" \"description\": \"Non-Standard Port\",\n",
566+
" \"url\": \"https://attack.mitre.org/techniques/T1571/\"\n",
567+
" },\n",
568+
" {\n",
569+
" \"source_name\": \"mitre\",\n",
570+
" \"external_id\": \"T1573\",\n",
571+
" \"description\": \"Encrypted Channel\",\n",
572+
" \"url\": \"https://attack.mitre.org/techniques/T1573/\"\n",
573+
" },\n",
574+
" {\n",
575+
" \"source_name\": \"mitre\",\n",
576+
" \"external_id\": \"T1574.002\",\n",
577+
" \"description\": \"DLL Side-Loading\",\n",
578+
" \"url\": \"https://attack.mitre.org/techniques/T1574.002/\"\n",
579+
" },\n",
580+
" {\n",
581+
" \"source_name\": \"mitre\",\n",
582+
" \"external_id\": \"T1614.001\",\n",
583+
" \"description\": \"System Language Discovery\",\n",
584+
" \"url\": \"https://attack.mitre.org/techniques/T1614.001/\"\n",
585+
" }\n",
586+
" ],\n",
587+
" \"kill_chain_phases\": [\n",
588+
" {\n",
589+
" \"kill_chain_name\": \"rl-ransomware-kill-chain\",\n",
590+
" \"phase_name\": \"early\"\n",
591+
" }\n",
592+
" ],\n",
593+
" \"revoked\": false\n",
594+
" }\n",
595+
"```\n",
596+
"</details>\n"
597+
],
598+
"metadata": {
599+
"collapsed": false
600+
},
601+
"id": "296befe97c106bf8"
602+
},
260603
{
261604
"cell_type": "markdown",
262605
"source": [
