Share knowledge

Facilitating the exchange of knowledge among investigators, both within the same organization and across different organizations, is crucial for promoting learning and continuous improvement. This can be achieved through formal knowledge sharing feeds. Colander supports export feeds accessible via a password-protected URL giving access to the knowledge in different formats such as JSON, STIX2, MISP, CSV, dot and Mermaid.

The workspace “Feeds” is dedicated to the management of knowledge feeds. Check the documentation to know how Colander converts data to MISP and STIX2.

Feed overview

Artifacts and private keys

Colander feeds will never disclose:

  • artifact contents (the underlying file)
  • the case’s private key (used for signing artifacts)

Authentication

Feeds are protected with a secret—a random string by default. The secret can be provided in two different ways when accessing the content of a feed:

  • in the secret query parameter: /feed/entities/9f351661-299a-4e83-9c44-60ece9478d50?secret=tiq4vf00xrjn38dw
  • in the X-Colander-Feed HTTP request header: X-Colander-Feed: Secret tiq4vf00xrjn38dw

Feed secret

Changing the secret of a feed you have already shared blocks access for anyone still using the previous secret.

Share entities

When creating a feed, you need to:

  • choose a meaningful name and description
  • select the types of entities you want to share
  • set the maximum level of confidentiality

As an example, if you select TLP:AMBER, the entities with higher TLP level won’t be shared.

After creation, the feed is accessible via its URL. The format query parameter allows users to choose the data format they want. Colander supports the following formats:

  • JSON, a Colander feed
  • STIX2, a STIX2 bundle
  • MISP, a MISP event
  • CSV
  • dot (Graphviz)
  • Mermaid
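The two ways of presenting the secret and the format parameter described above, as an added example of a feed consumer (not Colander's own code). It sends the secret in the X-Colander-Feed header rather than in the query string, since URLs are routinely recorded in proxy and access logs; the host name and the lowercase format values are assumptions, the feed id and secret are the page's own sample values.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Formats listed on the page; the lowercase spelling used as the value of the
# format query parameter is an assumption.
SUPPORTED_FORMATS = ("json", "stix2", "misp", "csv", "dot", "mermaid")


def build_feed_request(base_url, feed_id, secret, fmt="json"):
    """Return (url, headers) for fetching a Colander entity feed.

    The secret travels in the X-Colander-Feed header instead of the ?secret=
    query parameter, so it does not end up in proxy logs, web server access
    logs or browser history, all of which record URLs but rarely headers.
    """
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported feed format: {fmt!r}")
    url = f"{base_url.rstrip('/')}/feed/entities/{feed_id}?{urlencode({'format': fmt})}"
    headers = {"X-Colander-Feed": f"Secret {secret}"}
    return url, headers


def redact_secret(url):
    """Replace the value of a ?secret= parameter before a feed URL is logged or displayed."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "secret" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def fetch_feed(base_url, feed_id, secret, fmt="json", timeout=30):
    """Fetch the feed; JSON is decoded, every other format is returned as text."""
    url, headers = build_feed_request(base_url, feed_id, secret, fmt)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # performs the HTTPS request
        body = resp.read()
    return json.loads(body) if fmt == "json" else body.decode("utf-8")


if __name__ == "__main__":
    # Feed id and secret are the page's sample values; the host is a placeholder.
    url, headers = build_feed_request("https://colander.example",
                                      "9f351661-299a-4e83-9c44-60ece9478d50",
                                      "tiq4vf00xrjn38dw", "stix2")
    print(url, headers)
```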

MISP

Your MISP organization name (Orgc) and its UUID (Orgc UUID) are required to enable feed conversion to MISP.

Share detection rules

When creating a feed, you need to:

  • choose a meaningful name and description
  • select the types of rules you want to share
  • set the maximum level of confidentiality

As an example, if you select TLP:AMBER, rules with a higher TLP level won’t be shared.

After creation, the feed is accessible via its URL and provides all detection rules combined into a single text file.

Custom format

Colander supports template-based feeds. It uses Jinja to render user-defined feed templates. Templates are rendered in a security sandbox which prevents them from accessing Python functions.

The template context exposes the variable feed which contains all entities stored in your case. Find examples of templates on GitHub or check the documentation to learn more about the data structure.

Confidentiality

For template-based feeds, Colander does not filter entities based on their confidentiality level: the template receives every entity in the case, so the template itself must apply any TLP restriction.

Example of a simple template
How to include templates into another