johnwunder · treyka · Jun 26, 2018 · Jun 29, 2018 · Jul 20, 2018 · Jul 20, 2018
diff --git a/STIX 2.0 Training.ipynb b/STIX 2.0 Training.ipynb
@@ -57,8 +57,8 @@
    "source": [
     "# Get the list of collections for an API root (using MITRE's)\n",
     "\n",
-    "api_root = server.api_roots[3]\n",
-    "for collection in api_root.collections:\n",
+    "mitre_api_root = server.api_roots[3]\n",
+    "for collection in mitre_api_root.collections:\n",
     "    print(collection.title)"
    ]
   },
@@ -79,7 +79,7 @@
    "source": [
     "from stix2 import TAXIICollectionSource, Filter\n",
     "\n",
-    "taxii_source = TAXIICollectionSource(api_root.collections[0])"
+    "taxii_source = TAXIICollectionSource(mitre_api_root.collections[0])"
    ]
   },
   {
@@ -98,8 +98,8 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "apt30 = results[10]\n",
-    "print(apt30.name) # Note that it's a python-stix2 object already, no need to parse the JSON"
+    "apt_xxx = results[36]\n",
+    "print(apt_xxx.name) # Note that it's a python-stix2 object already, no need to parse the JSON"
    ]
   },
   {
@@ -112,7 +112,7 @@
     "\n",
     "# Find relationships where the source is that intrusion set\n",
     "all_relationships = taxii_source.query(Filter(\"type\", \"=\", \"relationship\"))\n",
-    "relationships = [r for r in all_relationships if r.source_ref == apt30.id]\n",
+    "relationships = [r for r in all_relationships if r.source_ref == apt_xxx.id]\n",
     "print(\"Found {} relationships\".format(len(relationships)))"
    ]
   },
@@ -124,7 +124,7 @@
    "source": [
     "for rel in relationships:\n",
     "    target = taxii_source.get(rel.target_ref)\n",
-    "    print(\"{} {} {} ({})\".format(apt30.name, rel.relationship_type, target.name, target.type))\n",
+    "    print(\"{} {} {} ({})\".format(apt_xxx.name, rel.relationship_type, target.name, target.type))\n",
     "\n",
     "# Gotcha! Note that this does not optimize the number of calls.\n",
     "# You still need to know when a TAXII request is going to be made and when the result is available locally.\n",
@@ -147,7 +147,7 @@
    "source": [
     "from stix2 import Environment, MemoryStore\n",
     "\n",
-    "taxiisource = TAXIICollectionSource(api_root.collections[0])\n",
+    "taxiisource = TAXIICollectionSource(mitre_api_root.collections[0])\n",
     "env = Environment(source=taxiisource)"
    ]
   },
@@ -157,7 +157,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "env.get(apt30.id).name"
+    "env.get(apt_xxx.id).name"
    ]
   },
   {
@@ -167,7 +167,7 @@
    "outputs": [],
    "source": [
     "# Try the other direction\n",
-    "rels = env.query(Filter(\"source_ref\", \"=\", apt30.id))\n",
+    "rels = env.query(Filter(\"source_ref\", \"=\", apt_xxx.id))\n",
     "print(len(rels))\n",
     "\n",
     "# Note the delay: not all filters happen server-side,\n",
@@ -180,7 +180,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "malware = env.get(rels[3].target_ref)\n",
+    "malware = env.get(rels[1].target_ref)\n",
     "malware.name"
    ]
   },
@@ -220,7 +220,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "# Push to our data source\n",
+    "# Push to our memory data source\n",
     "env2.add(ind)\n",
     "env2.add(rel)"
    ]
@@ -232,29 +232,7 @@
    "outputs": [],
    "source": [
     "# Is it still there?\n",
-    "print(env2.get(rel.id))\n",
-    "\n",
-    "# NOTE: This could have included a push to TAXII with the TAXII source/sink"
-   ]
-  },
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Something quick? Use the workbench\n",
-    "\n",
-    "The workbench layer is essentially a default environment and some helpers to automatically work with it."
-   ]
-  },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "metadata": {},
-   "outputs": [],
-   "source": [
-    "# Jupyter notebook thing...restart our kernel\n",
-    "from IPython.core.display import HTML\n",
-    "HTML(\"<script>Jupyter.notebook.kernel.restart()</script>\")"
+    "print(env2.get(rel.id))"
    ]
   },
   {
@@ -263,14 +241,14 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "# Import the workbench utilities\n",
-    "from stix2.workbench import *\n",
-    "from taxii2client import Collection\n",
+    "# setup writable API root\n",
+    "from stix2 import TAXIICollectionSink\n",
     "\n",
-    "# ATT&CK\n",
-    "collection = Collection(\"https://ubertaxii.com/taxii/mitre/collections/b8291031-66d3-4402-ad0e-0c2e6f0df3a2/\", user=\"ubertaxii\", password=\"certain_players_want_a_pony\")\n",
-    "tc_source = TAXIICollectionSource(collection)\n",
-    "add_data_source(tc_source)"
+    "scratch_api_root = server.api_roots[4]\n",
+    "for collection in scratch_api_root.collections:\n",
+    "    print(collection.title)\n",
+    "taxii_sink = TAXIICollectionSink(scratch_api_root.collections[0])\n",
+    "env3 = Environment(factory=factory, source=source, sink=taxii_sink)"
    ]
   },
   {
@@ -279,8 +257,9 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "response = attack_patterns()\n",
-    "print(len(response))"
+    "# Push to our memory data source\n",
+    "env3.add(ind)\n",
+    "env3.add(rel)"
    ]
   },
   {
@@ -289,17 +268,10 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "ap = response[127]\n",
-    "print(\"Attack Pattern: \" + ap.name)\n",
-    "\n",
-    "def not_me(item):\n",
-    "    if item.source_ref != ap.id:\n",
-    "        return item.source_ref\n",
-    "    return item.target_ref\n",
-    "    \n",
+    "# Is it still there?\n",
+    "print(env3.get(rel.id))\n",
     "\n",
-    "for rel in ap.relationships():\n",
-    "    print(\"Related to: {} ({})\".format(get(not_me(rel)).name), rel.relationship_type)"
+    "# NOTE: This is hitting the TAXII collection we just wrote to..."
    ]
   }
  ],
@@ -319,7 +291,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.6.5"
+   "version": "3.5.3"
   }
  },
  "nbformat": 4,