Intel exchange formats STIX 2.1 bundles, MISP events, ATT&CK Navigator layers, TAXII 2.1 pushes — TLP-aware.

Why hand-rolled?

digger's exchange exporters are pure-Python, zero-dependency (other than requests for TAXII push). The exports are not large enough to justify pulling in stix2 or pymisp, and the hand-rolled paths let us guarantee that TLP markings, MITRE ATT&CK references, and digger-specific metadata are always preserved without fighting an upstream schema.

Source: digger/exchange/.

STIX 2.1 bundle

digger export stix --case-dir ./case-1 --tlp TLP:AMBER --out ./case.stix.json

Produces a JSON bundle containing:

STIX type           Role
identity            One identity SDO for digger itself
marking-definition  TLP marking referenced by every object
incident            One incident SDO summarizing the case
indicator           One per IOC extracted from medium+ findings; pattern in the STIX 2.1 dialect
attack-pattern      One per MITRE ATT&CK technique referenced
relationship        indicator indicates incident; incident uses attack-pattern

Compatible with OpenCTI, MISP (via stix2misp), Anomali, and any TAXII 2.1 receiver. IOC kinds mapped to STIX patterns:

sha256   [file:hashes.'SHA-256' = '…']
md5      [file:hashes.'MD5' = '…']
ipv4     [ipv4-addr:value = '…']
domain   [domain-name:value = '…']
url      [url:value = '…']
path     [file:name MATCHES '…']
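The following is an added example, not digger's own exporter, showing how such a bundle is assembled by hand: the IOC-to-pattern table above, STIX string-literal escaping so an IOC value cannot break out of its pattern, the spec-fixed TLP marking-definition ids, and the indicates/uses relationships. The identity name, the CLEAR-to-WHITE alias, and the sample inputs are this example's assumptions.

```python
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids are fixed by the STIX 2.1 specification (TLP 1.0 names).
# Treating TLP:CLEAR as an alias of TLP:WHITE is this example's assumption.
TLP_MARKINGS = {
    "TLP:WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-dadc-4ab1-a2e3-6f1ec45ab7ec",
    "TLP:RED":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# IOC kind -> STIX 2.1 pattern template (the mapping listed above).
# The 'path' value is a regular expression because the template uses MATCHES.
PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "md5":    "[file:hashes.'MD5' = '{v}']",
    "ipv4":   "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url":    "[url:value = '{v}']",
    "path":   "[file:name MATCHES '{v}']",
}


def _timestamp():
    # STIX timestamps are UTC with a trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _escape(value):
    # STIX string literals escape backslash and single quote with a backslash,
    # so an attacker-controlled IOC value can never terminate the pattern early.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _stix_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def ioc_pattern(kind, value):
    """Render one IOC as a STIX 2.1 pattern string."""
    if kind not in PATTERNS:
        raise ValueError(f"unsupported IOC kind: {kind}")
    return PATTERNS[kind].format(v=_escape(value))


def build_bundle(case_name, iocs, techniques, tlp="TLP:AMBER"):
    """iocs: list of (kind, value); techniques: list of (attack_id, name)."""
    label = tlp.upper()
    if label == "TLP:CLEAR":
        label = "TLP:WHITE"  # assumption: reuse the spec's WHITE marking for CLEAR
    marking_id = TLP_MARKINGS[label]
    ts = _timestamp()
    # Properties shared by every object except the marking itself.
    common = {"spec_version": "2.1", "created": ts, "modified": ts,
              "object_marking_refs": [marking_id]}

    marking = {
        "type": "marking-definition", "spec_version": "2.1", "id": marking_id,
        "created": "2017-01-20T00:00:00.000Z",  # fixed by the spec for the TLP markings
        "definition_type": "tlp", "name": label,
        "definition": {"tlp": label.split(":", 1)[1].lower()},
    }
    identity = {"type": "identity", "id": _stix_id("identity"), "name": "digger",
                "identity_class": "system", **common}
    incident = {"type": "incident", "id": _stix_id("incident"), "name": case_name,
                "created_by_ref": identity["id"], **common}
    objects = [identity, marking, incident]

    for kind, value in iocs:
        indicator = {"type": "indicator", "id": _stix_id("indicator"),
                     "name": f"{kind}: {value}", "pattern": ioc_pattern(kind, value),
                     "pattern_type": "stix", "valid_from": ts,
                     "created_by_ref": identity["id"], **common}
        objects.append(indicator)
        objects.append({"type": "relationship", "id": _stix_id("relationship"),
                        "relationship_type": "indicates",
                        "source_ref": indicator["id"], "target_ref": incident["id"],
                        **common})

    for attack_id, name in techniques:
        pattern = {"type": "attack-pattern", "id": _stix_id("attack-pattern"), "name": name,
                   "external_references": [{
                       "source_name": "mitre-attack", "external_id": attack_id,
                       # T1059.001 -> https://attack.mitre.org/techniques/T1059/001
                       "url": "https://attack.mitre.org/techniques/" + attack_id.replace(".", "/"),
                   }], **common}
        objects.append(pattern)
        objects.append({"type": "relationship", "id": _stix_id("relationship"),
                        "relationship_type": "uses",
                        "source_ref": incident["id"], "target_ref": pattern["id"],
                        **common})

    return {"type": "bundle", "id": _stix_id("bundle"), "objects": objects}
```

`json.dumps(build_bundle(...), indent=2)` gives a file that OpenCTI or a TAXII 2.1 server will accept; note that the marking-definition object carries no `object_marking_refs` of its own, which the spec forbids.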

MISP event

digger export misp --case-dir ./case-1 --tlp TLP:AMBER --out ./case.misp.json

One MISP event with attributes derived from IOCs and tags including the TLP marking and a MITRE ATT&CK galaxy tag per technique. Import via the MISP web UI's Events > List Events > Add Event from JSON or programmatically with PyMISP.

distribution     Defaults to 0 (your org only). Override before import via MISP.
threat_level_id  1 = high, 2 = medium (default), 3 = low, 4 = undefined.
analysis         0 = initial, 1 = ongoing (default), 2 = complete.
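An added example (not digger's exporter) of the same event shape built by hand: the three enums above serialised as strings the way MISP's JSON does, a `tlp:` taxonomy tag derived from the marking, and one `misp-galaxy:mitre-attack-pattern` tag per technique. The IOC-to-attribute-type mapping, the `ip-dst` direction, and the categories are this example's choices, and the sample input is constructed.

```python
# IOC kind -> (MISP attribute type, category). The choice of ip-dst and of
# categories is this example's assumption, not necessarily digger's.
MISP_ATTRIBUTES = {
    "sha256": ("sha256", "Payload delivery"),
    "md5":    ("md5", "Payload delivery"),
    "ipv4":   ("ip-dst", "Network activity"),
    "domain": ("domain", "Network activity"),
    "url":    ("url", "Network activity"),
    "path":   ("filename", "Artifacts dropped"),
}
THREAT_LEVEL = {"high": "1", "medium": "2", "low": "3", "undefined": "4"}
ANALYSIS = {"initial": "0", "ongoing": "1", "complete": "2"}


def attack_galaxy_tag(attack_id, name):
    # MISP's ATT&CK galaxy tag convention: misp-galaxy:mitre-attack-pattern="Name - Txxxx"
    return f'misp-galaxy:mitre-attack-pattern="{name} - {attack_id}"'


def build_misp_event(info, iocs, techniques, tlp="TLP:AMBER",
                     threat_level="medium", analysis="ongoing", distribution=0):
    """iocs: list of (kind, value, to_ids); techniques: list of (attack_id, name).

    to_ids marks an attribute as suitable for automated detection; leave it off
    for contextual values (a victim-specific path, say) that would only cause noise.
    """
    attributes = []
    for kind, value, to_ids in iocs:
        if kind not in MISP_ATTRIBUTES:
            raise ValueError(f"unsupported IOC kind: {kind}")
        attr_type, category = MISP_ATTRIBUTES[kind]
        attributes.append({"type": attr_type, "category": category, "value": value,
                           "to_ids": bool(to_ids),
                           "distribution": "5"})  # 5 = inherit the event's distribution
    tags = [{"name": tlp.lower()}]  # TLP:AMBER -> tlp:amber (MISP tlp taxonomy)
    tags += [{"name": attack_galaxy_tag(tid, name)} for tid, name in techniques]
    # MISP serialises these enums as strings in its JSON export/import format.
    return {"Event": {
        "info": info,
        "distribution": str(distribution),
        "threat_level_id": THREAT_LEVEL[threat_level],
        "analysis": ANALYSIS[analysis],
        "Attribute": attributes,
        "Tag": tags,
    }}


if __name__ == "__main__":
    import json
    # Constructed sample case.
    event = build_misp_event(
        "case-1: suspicious PowerShell loader",
        [("sha256", "a" * 64, True), ("ipv4", "203.0.113.5", False)],
        [("T1059.001", "PowerShell")])
    print(json.dumps(event, indent=2))
```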

MITRE ATT&CK Navigator layer

digger export attack-navigator --case-dir ./case-1 --out ./case.attack-navigator.json

Drop the resulting JSON into the ATT&CK Navigator via Open Existing Layer → Upload from Local. You get a tinted matrix showing every technique digger observed on this host, colored by severity (info → critical) on a green→yellow→red gradient.
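An added example, not digger's code, of producing such a layer: each observed technique gets a numeric score derived from its severity, the layer's gradient maps score 0 (info) to green through yellow to score 4 (critical) red, and a technique seen more than once keeps its worst severity. The version numbers in `versions` and the sample observations are this example's assumptions.

```python
# Severity -> numeric score; the Navigator colours each technique by score on the gradient.
SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Green -> yellow -> red endpoints for the gradient (assumed colour values).
GRADIENT = ["#8ec843", "#ffe766", "#ff6666"]


def build_layer(name, observations, description=""):
    """observations: iterable of (technique_id, severity, comment) tuples.

    A technique observed at several severities keeps its highest score so the
    matrix cell reflects the worst finding on the host rather than the last one.
    """
    best = {}
    for technique_id, severity, comment in observations:
        score = SEVERITY_SCORE[severity.lower()]
        if technique_id not in best or score > best[technique_id]["score"]:
            best[technique_id] = {"techniqueID": technique_id, "score": score,
                                  "comment": comment, "enabled": True}
    return {
        "name": name,
        "description": description,
        # Version numbers are an assumption of this example; pin them to the
        # ATT&CK release and Navigator build you actually use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [best[t] for t in sorted(best)],
        "gradient": {"colors": GRADIENT, "minValue": 0, "maxValue": 4},
        "legendItems": [
            {"label": "info", "color": GRADIENT[0]},
            {"label": "medium", "color": GRADIENT[1]},
            {"label": "critical", "color": GRADIENT[2]},
        ],
    }


if __name__ == "__main__":
    import json
    # Constructed observations for one host.
    layer = build_layer("case-1", [
        ("T1059.001", "high", "encoded PowerShell command line"),
        ("T1059.001", "low", "interactive PowerShell session"),
        ("T1053.005", "medium", "scheduled task created by non-admin"),
    ])
    print(json.dumps(layer, indent=2))
```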

TAXII 2.1 push

digger export taxii --case-dir ./case-1 \
       --base-url https://taxii.example.com \
       --api-root api1 \
       --collection 91a7e2-…-bundle \
       --token "$DIGGER_TAXII_TOKEN" \
       --tlp TLP:AMBER

Pushes the STIX 2.1 bundle to the named collection. Auth is HTTP Basic (--username + --password) or Bearer (--token). Server URL components follow the TAXII 2.1 spec exactly (discovery → api-root → collections → objects/).
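An added example, not digger's TAXII client, of building the push request with only the standard library: the objects URL assembled from base URL, API root and collection id, the TAXII 2.1 media type on both Accept and Content-Type, and the Bearer or Basic Authorization header. One caveat worth showing: a TAXII 2.1 server's objects endpoint accepts an envelope (`{"objects": [...]}`), not a STIX bundle, so the bundle's objects are unwrapped before posting. The host name, collection id and bundle content below are placeholders.

```python
import base64
import json
import urllib.request

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def objects_url(base_url, api_root, collection_id):
    # TAXII 2.1 layout: {base}/{api-root}/collections/{collection-id}/objects/
    return (f"{base_url.rstrip('/')}/{api_root.strip('/')}"
            f"/collections/{collection_id}/objects/")


def auth_header(token=None, username=None, password=None):
    # Bearer wins when both are supplied; Basic needs both halves.
    if token:
        return "Bearer " + token
    if username is not None and password is not None:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return "Basic " + creds
    raise ValueError("either a token or username and password is required")


def build_push_request(bundle, base_url, api_root, collection_id, **auth):
    # TAXII 2.1 expects an envelope on POST, so unwrap the bundle's object list.
    body = json.dumps({"objects": bundle["objects"]}).encode()
    headers = {
        "Accept": TAXII_MEDIA_TYPE,
        "Content-Type": TAXII_MEDIA_TYPE,
        "Authorization": auth_header(**auth),
    }
    return urllib.request.Request(objects_url(base_url, api_root, collection_id),
                                  data=body, headers=headers, method="POST")


def push(request, timeout=30):
    # Returns the TAXII status resource; poll its URL until pending_count is 0.
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Placeholder inputs; no network call is made here.
    bundle = {"type": "bundle", "objects": [{"type": "indicator", "id": "indicator--PLACEHOLDER"}]}
    req = build_push_request(bundle, "https://taxii.example.com", "api1",
                             "COLLECTION-ID-PLACEHOLDER", token="TOKEN-PLACEHOLDER")
    print(req.method, req.full_url)
```

Note that the TAXII status resource returned by `push` may report the import as pending; a complete client re-fetches the status URL until `pending_count` reaches zero and checks `failure_count`.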

TLP sharing filter

Each finding carries its own TLP (defaulting to the case-wide marking). Exporters propagate that marking into every produced object. To export a shareable subset, pass a sharing TLP one or more steps below the case-wide marking; only findings marked at or below that level are included:

digger export stix --case-dir ./case-1 --tlp TLP:GREEN
# only findings marked CLEAR or GREEN are included
# everything else is filtered out per FIRST.org TLP 2.0 semantics
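An added example (not digger's filter) of that semantics: the TLP 2.0 labels ordered from least to most restrictive, a finding without its own marking inheriting the case-wide one, and a finding kept only when its rank is at or below the sharing label. Accepting the TLP 1.0 name WHITE as an alias for CLEAR, and the sample findings, are this example's assumptions.

```python
# FIRST.org TLP 2.0 labels, least to most restrictive. TLP:WHITE is the TLP 1.0
# name for CLEAR and is accepted as an alias (assumption of this example).
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]
TLP_ALIASES = {"TLP:WHITE": "TLP:CLEAR"}


def normalize_tlp(label):
    """Accept 'amber', 'tlp:amber' or 'TLP:AMBER' and return the canonical label."""
    label = label.strip().upper()
    if not label.startswith("TLP:"):
        label = "TLP:" + label
    label = TLP_ALIASES.get(label, label)
    if label not in TLP_ORDER:
        raise ValueError(f"unknown TLP label: {label}")
    return label


def tlp_rank(label):
    # Higher rank = more restrictive; AMBER+STRICT sits between AMBER and RED.
    return TLP_ORDER.index(normalize_tlp(label))


def filter_findings(findings, sharing_tlp, case_tlp="TLP:AMBER"):
    """Keep findings whose own TLP (or the case-wide default) is at or below sharing_tlp.

    Unknown labels raise rather than silently passing, so a typo in a finding's
    marking can never widen what gets shared.
    """
    limit = tlp_rank(sharing_tlp)
    return [f for f in findings if tlp_rank(f.get("tlp") or case_tlp) <= limit]


# Constructed sample findings; the case-wide marking is TLP:AMBER.
SAMPLE_FINDINGS = [
    {"id": "f1", "title": "hash of a publicly reported sample", "tlp": "TLP:CLEAR"},
    {"id": "f2", "title": "C2 domain shared with the sector ISAC", "tlp": "tlp:green"},
    {"id": "f3", "title": "inherits the case marking"},
    {"id": "f4", "title": "victim-specific file path", "tlp": "TLP:AMBER+STRICT"},
    {"id": "f5", "title": "legacy WHITE label", "tlp": "TLP:WHITE"},
]

if __name__ == "__main__":
    for finding in filter_findings(SAMPLE_FINDINGS, "TLP:GREEN"):
        print(finding["id"], finding["title"])
```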

Sigma rule loader

Sigma is a separate flow — input, not output — but it lives in digger/exchange/sigma.py. See Sigma rules.