Hi,
Why you wrote this tool?
What fix this tool?

A post run hook should be called for each output, thus allowing for example, an rsync to happen once the run has completed.

Each module should define their options, if they are required and the expected type. Then, on the init function, they should validate their configs before breaking because something isn't set.

Add a modifier option to add/remove tags to all events

When creating an output where you could configure the fields to display, use dotty-dict to wrap the data for parsing:

https://pypi.org/project/dotty-dict/

This allows something like orgc.uuid to access the Org UUID field.

First pass at a STIX 2.0 and 2.1 output format with a Manifest similar to the MISP format.

See 24b5bff and 4f66fc3

This is subject to change.

Requires: MISP/misp-stix#26

Define a feed
Feed defines tag filers
Feed defines distribution filter
Feed then passes to a modification chain (if defined)
-- This chain runs each modification rule in order defined in the feed
Modified feed passed to multiple outputs.

With dotty-dict we can let users specific what fields they want to output in a CSV. This means, we can create a new CSV output with a default set of fields, but let users actually define the fields much like screen output.

It's possible for a long run on JSON files that no longer need to be there. Example, an event that is no longer in the feed. These files should be deleted.

If a feed has 0 events, we should still be passing the run to the modifiers/outputs.

Example Reason: Event expires, and now, feed has zero entries, event should have the ability to remove the events from the files, otherwise they will still show up.

Load the original file, and check to see if it is different - only write the file if it's different so that caches and update times don't change