STIX Shifter Data Source Interface

STIX Shifter data source package provides access to data sources via stix-shifter.

Before use, need to install the target stix-shifter connector packages such as stix-shifter-modules-carbonblack.

The STIX Shifter interface can reach multiple data sources. The user needs to setup one profile per data source. The profile name will be used in the FROM clause of the Kestrel GET command, e.g., newvar = GET entity-type FROM stixshifter://profilename WHERE .... Kestrel runtime will load the profile for the used profile from environment variables:

STIXSHIFTER_PROFILENAME_CONNECTOR: the STIX Shifter connector name, e.g., elastic_ecs.
STIXSHIFTER_PROFILENAME_CONNECTION: the STIX Shifter connection object in JSON string.
STIXSHIFTER_PROFILENAME_CONFIG: the STIX Shifter configuration object in JSON string.

Properties of profile name:

Not case sensitive, e.g., profileX in the Kestrel command will match STIXSHIFTER_PROFILEX_... in environment variables.
Cannot contain _.

class kestrel_datasource_stixshifter.interface.StixShifterInterface[source]

Bases: kestrel.datasource.interface.AbstractDataSourceInterface

static schemes()[source]: STIX Shifter data source interface only supports stixshifter:// scheme.

static list_data_sources()[source]: Get configured data sources from environment variable profiles.

static query(uri, pattern, session_id=None)[source]: Query a stixshifter data source.