
Add some basic functions in the source #31

Closed
priamai opened this issue Aug 12, 2023 · 7 comments
Assignees
Labels
enhancement New feature or request

Comments

@priamai
Contributor

priamai commented Aug 12, 2023

Hello,
we discussed before supporting a full STIX filter function like this, but for now I would need just a set of primitives added:

  • return stix id list by object type (all of them including the base but also our object types like the DOD or the Feeds)
  • return stix id list by SCO, SDO, SRO macro type
  • return stix id based on created time stamp with >, < and [] interval dates
  • return stix id based on modified time stamp with >, < and [] interval dates

Also, cherry on the cake if we can combine the filters, for example:

  • return stix id list of type Feeds between creation date A and B
  • return stix id list of malware type with creation date greater than A
  • etc etc
@priamai priamai added the enhancement New feature or request label Aug 12, 2023
@brettforbes
Collaborator

@dfjosullivan, can you comment please? I guess these methods underlie the block definitions we want to build. So if we build these methods out first, then it should be pretty useful. Can you advise on the best way to lay out queries to underlie the table of block definitions? Like what do I call them, how should all of the methods be organised?

@brettforbes
Collaborator

brettforbes commented Aug 14, 2023

Hi,
I can't understand queries 1 and 2, please provide greater detail.

Also, I can't understand 5, since the same Feed object is continuously updated, and in fact it is the Observed Data and the Threat Sub Objects that have creation dates. Finally, the data observed also has its own created and modified dates. What specifically are you referring to in your query request? We can make anything, but what do you want? Can you be MECE (Mutually Exclusive, Collectively Exhaustive)?

@priamai
Contributor Author

priamai commented Aug 14, 2023

I was thinking something like this approach:

filterme = Conditions(type="campaign",created__gt="2023-01-01",created__lt="2023-03-01")

List_id = source.filter(filterme)

@priamai
Contributor Author

priamai commented Aug 14, 2023

filterme2 = Conditions(stixtype="SDO",library="stix2.1")

To get all the SDO of the standard library.

Filterme3 = Conditions(stixtype="Technique",library="attack")

@brettforbes
Collaborator

Yes, but it's not like this at all, and by not understanding how it works, it is making it hard.

Instead we need to assemble a query to get stix_id's based on certain constraints, like
match $sdo isa stix-domain-object, has created $created, has stix-id $stix_id; $created > "2023-01-01"; $created < "2023-03-01"; get $stix_id;

Then we simply run the TypeDBSource.get() method for each of the returned stix_id's.

The key is to understand the object variations and constraints well enough so that we can deal with all of them pretty easily. This is why I ask for more detail.

@priamai
Contributor Author

priamai commented Aug 14, 2023

At the bare bones, to build the query:

Operators: equal, greater than (greater than equal), less than (less than equal).

The stix fields I want to filter:
created
modified
type (equal only)

Everything else we can build on top of this core function.
Well, I guess the Mitre technique and subtechniques will be tricky, but we can make some syntax magic.
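As an added illustration (not the project's code) of how the primitives listed above map onto the kind of TypeQL match query quoted earlier in the thread: a small `Conditions` object in the `created__gt` style proposed above, and a builder that emits a query returning stix_id's. The attribute and type labels (`stix-id`, `created`, `modified`, `stix-domain-object`, and a lowercase STIX type as the entity label) and the quoted date-literal form are assumptions taken from the query in the thread, not from the project's schema.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# Operator suffixes from the thread (equal, greater/less than, with-or-without equal)
OPERATORS = {"eq": "=", "gt": ">", "gte": ">=", "lt": "<", "lte": "<="}
DATE_FIELDS = ("created", "modified")          # the two timestamp fields requested
TYPE_LABEL = re.compile(r"[a-z][a-z0-9-]*")    # assumed TypeQL label shape


class Conditions:
    """Filter spec using created__gt-style keyword names, as proposed above."""

    def __init__(self, type: Optional[str] = None, **kwargs: str) -> None:
        # Only a plain label may become part of the query text
        if type is not None and not TYPE_LABEL.fullmatch(type):
            raise ValueError(f"bad type label: {type!r}")
        self.type = type
        self.clauses: List[Tuple[str, str, str]] = []
        for key, value in kwargs.items():
            field_name, _, op = key.partition("__")
            if field_name not in DATE_FIELDS or op not in OPERATORS:
                raise ValueError(f"unsupported filter: {key}")
            # Parse as an ISO date so only a well-formed literal reaches TypeQL
            iso = date.fromisoformat(value).isoformat()
            self.clauses.append((field_name, OPERATORS[op], iso))


def build_stix_id_query(cond: Conditions) -> str:
    """Return a TypeQL query in the shape of the one quoted in the thread."""
    label = cond.type or "stix-domain-object"   # assumed supertype label
    fields = sorted({f for f, _, _ in cond.clauses})
    has = "".join(f", has {f} ${f}" for f in fields)
    query = [f"match $x isa {label}{has}, has stix-id $stix_id;"]
    for f, op, val in cond.clauses:
        query.append(f'${f} {op} "{val}";')      # literal form follows the thread
    query.append("get $stix_id;")
    return " ".join(query)


if __name__ == "__main__":
    # Example filter from the thread: campaigns created between two dates
    print(build_stix_id_query(Conditions(type="campaign",
                                         created__gt="2023-01-01",
                                         created__lt="2023-03-01")))
```

The returned string is what would be handed to the TypeDB driver, after which `TypeDBSource.get()` is called per stix_id as described above.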

@brettforbes
Collaborator

Completed and pushed; @dfjosullivan is to convert it into the TypeDB function in Issue #34.
