libtaxii.taxii_default_query Module

Creating, handling, and parsing TAXII Default Queries.

Classes

Default Query

class libtaxii.taxii_default_query.DefaultQuery(targeting_expression_id, criteria)

Bases: libtaxii.messages_11.Query

Conveys a TAXII Default Query.

Parameters:
  • targeting_expression_id (string) – The targeting_expression used in the query
  • criteria (DefaultQuery.Criteria) – The criteria of the query

class DefaultQuery.Criteria(operator, criteria=None, criterion=None)

Bases: libtaxii.common.TAXIIBase

Represents criteria for a DefaultQuery. Note: At least one criterion OR criteria MUST be present.

Parameters:

class DefaultQuery.Criterion(target, test, negate=False)

Bases: libtaxii.common.TAXIIBase

Represents a criterion for a DefaultQuery.Criteria.

Parameters:
  • target (string) – A targeting expression identifying the target
  • test (DefaultQuery.Criterion.Test) – The test to be applied to the target
  • negate (bool) – Whether the result of applying the test to the target should be negated

class DefaultQuery.Criterion.Test(capability_id, relationship, parameters=None)

Bases: libtaxii.common.TAXIIBase

Parameters:
  • capability_id (string) – The ID of the capability module that defines the relationship & parameters
  • relationship (string) – The relationship (e.g., equals)
  • parameters (dict of key/value pairs) – The parameters for the relationship.

Example

import libtaxii as t
import libtaxii.taxii_default_query as tdq
import datetime
from dateutil.tz import tzutc

# Each relationship defines which parameters are and are not required.
test1 = tdq.DefaultQuery.Criterion.Test(
    capability_id=tdq.CM_CORE,  # Required
    relationship='equals',  # Required
    parameters={'value': 'Test value',
                'match_type': 'case_sensitive_string'})

test2 = tdq.DefaultQuery.Criterion.Test(
    capability_id=tdq.CM_REGEX,  # Required
    relationship='matches',  # Required
    parameters={'value': '[A-Z]*',
                'case_sensitive': True})

test3 = tdq.DefaultQuery.Criterion.Test(
    capability_id=tdq.CM_TIMESTAMP,  # Required
    relationship='greater_than',  # Required
    # Timezone-aware timestamp, so the value is unambiguous on the wire
    parameters={'value': datetime.datetime.now(tzutc())})

criterion1 = tdq.DefaultQuery.Criterion(target='**', test=test1)
criterion2 = tdq.DefaultQuery.Criterion(target='STIX_Package/Indicators/Indicator/@id', test=test2)
criterion3 = tdq.DefaultQuery.Criterion(target='**/Description', test=test3)

criteria1 = tdq.DefaultQuery.Criteria(operator=tdq.OP_AND, criterion=[criterion1])
criteria2 = tdq.DefaultQuery.Criteria(operator=tdq.OP_OR, criterion=[criterion1, criterion2, criterion3])
criteria3 = tdq.DefaultQuery.Criteria(operator=tdq.OP_AND, criterion=[criterion1, criterion3], criteria=[criteria2])

query1 = tdq.DefaultQuery(t.CB_STIX_XML_11, criteria1)
query2 = tdq.DefaultQuery(t.CB_STIX_XML_11, criteria3)
# query1 and query2 can be used in TAXII requests that contain queries (e.g., PollRequest messages)

Default Query Info

class libtaxii.taxii_default_query.DefaultQueryInfo(targeting_expression_infos, capability_modules)

Bases: libtaxii.messages_11.SupportedQuery

Used to describe the TAXII Default Queries that are supported.

Parameters:
  • targeting_expression_infos (list of TargetingExpressionInfo objects) – Describe the supported targeting expressions
  • capability_modules (list of str) – Indicate the supported capability modules

class DefaultQueryInfo.TargetingExpressionInfo(targeting_expression_id, preferred_scope=None, allowed_scope=None)

Bases: libtaxii.common.TAXIIBase

This class describes supported Targeting Expressions

Parameters:
  • targeting_expression_id (string) – The supported targeting expression ID
  • preferred_scope (list of string) – Indicates the preferred scope of queries
  • allowed_scope (list of string) – Indicates the allowed scope of queries

Example

import libtaxii as t
import libtaxii.taxii_default_query as tdq

# At least one of preferred_scope/allowed_scope must be present.
# This example has no preferred scope, and allows any scope.
tei_01 = tdq.DefaultQueryInfo.TargetingExpressionInfo(
    targeting_expression_id=t.CB_STIX_XML_10,  # Required. Indicates a supported targeting vocabulary (in this case STIX 1.0)
    preferred_scope=[],
    allowed_scope=['**'])

# This example prefers the Indicator scope and allows no other scope.
tei_02 = tdq.DefaultQueryInfo.TargetingExpressionInfo(
    targeting_expression_id=t.CB_STIX_XML_11,  # Required. Indicates a supported targeting vocabulary (in this case STIX 1.1)
    preferred_scope=['STIX_Package/Indicators/Indicator/**'],
    allowed_scope=[])

tdqi1 = tdq.DefaultQueryInfo(
    targeting_expression_infos=[tei_01, tei_02],  # Required, 1-n. Indicates what targeting expressions are supported
    capability_modules=[tdq.CM_CORE])  # Required, 1-n. Indicates which capability modules can be used
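
The following is an added example, not part of libtaxii or its documentation: a server-side check that an incoming query stays within what a DefaultQueryInfo advertises and within size limits before it is evaluated. The namedtuples are hypothetical stand-ins that assume the libtaxii objects expose their documented constructor arguments as attributes; `check_query`, its limits and the sample targeting ID are assumptions.

```python
from collections import namedtuple

# Constant values as listed on this page.
CM_CORE = 'urn:taxii.mitre.org:query:capability:core-1'
CM_REGEX = 'urn:taxii.mitre.org:query:capability:regex-1'
OP_AND, OP_OR = 'AND', 'OR'

# Hypothetical stand-ins using the constructor argument names documented above
# (assumption: the libtaxii objects expose those arguments as attributes).
QueryTest = namedtuple('QueryTest', 'capability_id relationship parameters')
Criterion = namedtuple('Criterion', 'target test negate')
Criteria = namedtuple('Criteria', 'operator criteria criterion')
Query = namedtuple('Query', 'targeting_expression_id criteria')
TargetingInfo = namedtuple('TargetingInfo', 'targeting_expression_id')
QueryInfo = namedtuple('QueryInfo', 'targeting_expression_infos capability_modules')


def check_query(query, info, max_depth=4, max_tests=32, max_regex_len=128):
    """Return a list of violations; an empty list means the query is acceptable."""
    problems = []
    supported = {i.targeting_expression_id for i in info.targeting_expression_infos}
    if query.targeting_expression_id not in supported:
        problems.append('unsupported targeting expression')
    tests_seen = 0
    stack = [(query.criteria, 1)]  # iterative walk, so nesting cannot exhaust recursion
    while stack:
        node, depth = stack.pop()
        if depth > max_depth:
            problems.append('criteria nested deeper than %d' % max_depth)
            continue  # do not descend further into an over-deep branch
        if node.operator not in (OP_AND, OP_OR):
            problems.append('unknown operator')
        children, criterions = list(node.criteria or []), list(node.criterion or [])
        if not children and not criterions:
            problems.append('criteria without criterion or criteria')
        for crit in criterions:
            tests_seen += 1
            cap, params = crit.test.capability_id, crit.test.parameters or {}
            if cap not in info.capability_modules:
                problems.append('capability module not advertised: ' + cap)
            elif cap == CM_REGEX and len(str(params.get('value', ''))) > max_regex_len:
                problems.append('regex longer than %d characters' % max_regex_len)
        stack.extend((child, depth + 1) for child in children)
    if tests_seen > max_tests:
        problems.append('more than %d tests' % max_tests)
    return problems


# Constructed sample: a service advertising only the core capability module.
SAMPLE_TARGETING_ID = 'urn:example:targeting-expression'  # placeholder ID
INFO = QueryInfo([TargetingInfo(SAMPLE_TARGETING_ID)], [CM_CORE])
EQ = Criterion('**', QueryTest(CM_CORE, 'equals', {'value': 'Test value'}), False)
RX = Criterion('**', QueryTest(CM_REGEX, 'matches', {'value': '[A-Z]*'}), False)
```

Rejecting a query whose tests use a capability module the service never advertised keeps client-supplied regular expressions away from the evaluator unless regex support was deliberately enabled.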

Constants

Capability Module IDs

libtaxii.taxii_default_query.CM_CORE = 'urn:taxii.mitre.org:query:capability:core-1'

libtaxii.taxii_default_query.CM_REGEX = 'urn:taxii.mitre.org:query:capability:regex-1'

libtaxii.taxii_default_query.CM_TIMESTAMP = 'urn:taxii.mitre.org:query:capability:timestamp-1'

Operators

libtaxii.taxii_default_query.OP_OR = 'OR'

libtaxii.taxii_default_query.OP_AND = 'AND'

Format IDs

libtaxii.taxii_default_query.FID_TAXII_DEFAULT_QUERY_10 = 'urn:taxii.mitre.org:query:default:1.0'
