How-to: Use Workspaces
Manage investigation workspaces and a global context registry.
Create and use a workspace
```python
from gnat.context import GlobalContextRegistry, GlobalContext, Workspace, FlatFileStore
from gnat.context.workspace import WorkspaceManager

# Setup
# The manager needs a registry; register platform contexts on it as shown
# under "Global context registry".
global_registry = GlobalContextRegistry()
store = FlatFileStore(base_dir="~/.gnat/workspaces")
manager = WorkspaceManager(global_registry, store=store)

# Create / open
ws = manager.get_or_create("apt29-investigation")

# Add objects (indicator and actor are objects you have already built or fetched)
ws.add(indicator, mark_dirty=True)
ws.add(actor, mark_dirty=True)

# Diff: what changed since last commit
diff = ws.diff()
print(diff["added"], diff["modified"])

# Commit to ThreatQ (threatq_client is a ThreatQ client created elsewhere)
ws.commit(client=threatq_client)

# Export STIX bundle
bundle = ws.export_bundle()
```
Global context registry
Register multiple platforms and set a default write target:
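```python
from gnat.context import GlobalContextRegistry, GlobalContext

# threatq_client, rf_client and crowdstrike_client are platform clients created elsewhere
reg = GlobalContextRegistry()
reg.register(GlobalContext("tq", threatq_client, priority=10))
reg.register(GlobalContext("rf", rf_client, priority=20, read_only=True))  # registered read-only
reg.register(GlobalContext("cs", crowdstrike_client, priority=15))
reg.set_default("tq")  # default write target

# Enrich from all contexts (ws is the workspace opened in the previous section)
ws.enrich(strategy="create_relationships")
```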
See Also
- How-to: Export Indicators
- How-to: Use the Research Library
- Explanation: Context System
- Explanation: Workspace Persistence
Licensed under the Apache License, Version 2.0