STIX-shifter Data Source Interface

The STIX-shifter data source package provides access to data sources via stix-shifter.

The STIX-shifter interface can reach multiple data sources. The user needs to provide one profile per data source. The profile name (case insensitive) is used in the FROM clause of the Kestrel GET command, e.g., newvar = GET entity-type FROM stixshifter://profilename WHERE .... The Kestrel runtime loads profiles from three places (a later source overrides an earlier one):

  1. STIX-shifter interface config file (only when a Kestrel session starts):

    Put your profiles in the STIX-shifter interface config file (YAML):

    • Default path: ~/.config/kestrel/stixshifter.yaml.

    • A customized path specified in the environment variable KESTREL_STIXSHIFTER_CONFIG.

    Example of STIX-shifter interface config file containing profiles:

    profiles:
        host101:
            connector: elastic_ecs
            connection:
                host: elastic.securitylog.company.com
                port: 9200
                selfSignedCert: false # this means do NOT check cert
                indices: host101
            config:
                auth:
                    id: VuaCfGcBCdbkQm-e5aOx
                    api_key: ui2lp2axTNmsyakw9tvNnw
        host102:
            connector: qradar
            connection:
                host: qradar.securitylog.company.com
                port: 443
            config:
                auth:
                    SEC: 123e4567-e89b-12d3-a456-426614174000
        host103:
            connector: cbcloud
            connection:
                host: cbcloud.securitylog.company.com
                port: 443
            config:
                auth:
                    org-key: D5DQRHQP
                    token: HT8EMI32DSIMAQ7DJM
    
  2. environment variables (only when a Kestrel session starts):

    Three environment variables are required for each profile:

    • STIXSHIFTER_PROFILENAME_CONNECTOR: the STIX-shifter connector name, e.g., elastic_ecs.

    • STIXSHIFTER_PROFILENAME_CONNECTION: the STIX-shifter connection object as a JSON string.

    • STIXSHIFTER_PROFILENAME_CONFIG: the STIX-shifter configuration object as a JSON string.

    Example of environment variables for a profile:

    $ export STIXSHIFTER_HOST101_CONNECTOR=elastic_ecs
    $ export STIXSHIFTER_HOST101_CONNECTION='{"host":"elastic.securitylog.company.com", "port":9200, "indices":"host101"}'
    $ export STIXSHIFTER_HOST101_CONFIG='{"auth":{"id":"VuaCfGcBCdbkQm-e5aOx", "api_key":"ui2lp2axTNmsyakw9tvNnw"}}'
    
  3. any in-session edit through the CONFIG command.
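The three-step loading order above, written out as an added example (not Kestrel's own loader): it collects the STIXSHIFTER_<PROFILENAME>_CONNECTOR/CONNECTION/CONFIG variables into profiles, parses the two JSON strings, and then applies the file-then-environment-then-session precedence. Rejecting a profile that has only one or two of the three variables, and replacing a whole profile rather than merging keys, are choices of this example, not documented Kestrel behaviour.

```python
import json

# Per profile the interface expects STIXSHIFTER_<NAME>_<SUFFIX> for these suffixes.
REQUIRED_SUFFIXES = ("CONNECTOR", "CONNECTION", "CONFIG")


def profiles_from_environ(environ):
    """Turn STIXSHIFTER_* variables into profile dicts keyed by lower-cased name."""
    found = {}
    for name, value in environ.items():
        if not name.startswith("STIXSHIFTER_"):
            continue
        # rpartition keeps underscores that belong to the profile name itself.
        profile, sep, suffix = name[len("STIXSHIFTER_"):].rpartition("_")
        if sep and profile and suffix in REQUIRED_SUFFIXES:
            found.setdefault(profile.lower(), {})[suffix] = value
    profiles = {}
    for profile, parts in found.items():
        # Reject a half-configured profile instead of loading it partially (example's choice).
        missing = [s for s in REQUIRED_SUFFIXES if s not in parts]
        if missing:
            raise ValueError(f"profile {profile!r} is missing {missing}")
        try:
            connection = json.loads(parts["CONNECTION"])
            config = json.loads(parts["CONFIG"])
        except json.JSONDecodeError as exc:
            raise ValueError(f"profile {profile!r}: invalid JSON ({exc})") from exc
        if not isinstance(connection, dict) or not isinstance(config, dict):
            raise ValueError(f"profile {profile!r}: CONNECTION and CONFIG must be JSON objects")
        profiles[profile] = {"connector": parts["CONNECTOR"],
                             "connection": connection, "config": config}
    return profiles


def merge_profiles(*sources):
    """Apply the precedence above (config file, then environment, then CONFIG
    edits): a later source replaces the whole profile of the same name."""
    merged = {}
    for source in sources:
        for name, profile in source.items():
            merged[name.lower()] = profile
    return merged


# Constructed sample input: the host101 variables from this page plus an unrelated variable.
SAMPLE_ENV = {
    "STIXSHIFTER_HOST101_CONNECTOR": "elastic_ecs",
    "STIXSHIFTER_HOST101_CONNECTION": '{"host":"elastic.securitylog.company.com", "port":9200, "indices":"host101"}',
    "STIXSHIFTER_HOST101_CONFIG": '{"auth":{"id":"VuaCfGcBCdbkQm-e5aOx", "api_key":"ui2lp2axTNmsyakw9tvNnw"}}',
    "PATH": "/usr/bin",
}
```

Pass os.environ to profiles_from_environ and the parsed YAML profiles dict as the first argument of merge_profiles to reproduce the order the text describes.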

If you launch Kestrel in debug mode, STIX-shifter debug mode is still not enabled by default. To record debug-level logs from STIX-shifter, set the environment variable KESTREL_STIXSHIFTER_DEBUG to any value.

class kestrel_datasource_stixshifter.interface.StixShifterInterface

Bases: AbstractDataSourceInterface

static schemes()

The STIX-shifter data source interface only supports the stixshifter:// scheme.

static list_data_sources(config)

Get configured data sources from environment variable profiles.

static query(uri, pattern, session_id, config)

Query a stixshifter data source.