About STIX 2.1 objects
In EclecticIQ Intelligence Center, entities, relationships, and observables correspond to the standard objects defined in the STIX 2.1 specification, which are used to model, structure, and define different types of cyber threat information:
Intelligence Center entities correspond to STIX 2.1 domain objects (SDOs).
Intelligence Center relationships correspond to STIX 2.1 relationship objects (SROs).
Intelligence Center observables correspond to STIX 2.1 cyber-observable objects (SCOs).
The Intelligence Center transforms and maps ingested data to these logical models to describe and to represent specific CTI concepts that contribute to building and defining a cyber threat intel landscape.
The modular approach makes it easy to handle information in a standardized and predictable way during the investigation of a threat scenario.
Object access control
You can control access to the Intelligence Center CTI objects to manage intelligence dissemination.
This ensures that the target audience receives the correct information, that the publisher keeps control of the content they distribute, and that sensitive information is not shared more widely than intended.
Define access control to Intelligence Center CTI objects through data sources and TLP color code values:
Allowed sources for CTI objects limit access to the user groups, and their members, that are granted access to those objects.
To define group-level or user-level access to CTI object data sources, click > User management > Groups > ${group_name} > > Edit > Allowed sources > Source.
TLP color code values restrict data access to the user groups, and their members, that are granted access to the objects by assigning them a specific TLP color clearance.
To define group-level or user-level access to CTI objects through TLP, click > User management > Groups > ${group_name} > > Edit > Allowed sources.
About confidence
The following key/value pairs map STIX 2.1 confidence values (integer ranges from 0 to 100) to EclecticIQ JSON maliciousness confidence labels in SDOs:
eiqjson.py (sourced from EIQ platform-backend)

| Field | Value |
| --- | --- |
| Author | Gram |
| Commit | 17a58f9f930d83ee862b731813ff472ea3994a37 |
| Timestamp | February 14, 2022 11:59 AM |
| Full path | extensions/stix_taxii2/eiq/extensions/stix_taxii2/eiqjson.py |
| Title | [SNYK] Upgrade packages and ignore issues with no upgrade path |

Description:
**Upgrade packages:**
`ipython==7.16.0` => `ipython==7.16.3` == no risk
`cairosvg==2.4.2` => `cairosvg==2.5.2` == no risk
`jinja2==2.10.1` => `jinja2==2.11.3` == no risk
`pillow==7.2.0` => `pillow==8.3.2` == no risk
`pygments==2.6.1` => `pygments==2.7.4` == no risk

**Snyk Ignore:**
_Removed issues that no longer affect our product._
Increase ignore time for the following issues:
snyk:lic:pip:html2text:GPL-3.0 - can't be applied for 2.9
SNYK-PYTHON-PIP-609855 - can't upgrade PIP due to incompatibility with credential escaping
SNYK-PYTHON-PIP-1278135 - can't upgrade PIP due to incompatibility with credential escaping
SNYK-PYTHON-DATEPARSER-1063229 - no fix available
SNYK-PYTHON-CELERY-2314953 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2329135 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2331905 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2331907 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2331901 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2397241 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-CRYPTOGRAPHY-1070544 - can't apply fix, risk accepted
SNYK-PYTHON-PYSAML2-1063038 - can't apply fix, risk accepted
SNYK-PYTHON-PYSAML2-1063039 - can't apply fix, risk accepted
See merge request engineering/platform-backend!6465
```python
# Maliciousness confidence buckets: a STIX 2.1 confidence value (0-100)
# falls into exactly one range; the value is the EclecticIQ JSON label.
_confidence_mapping = {
    range(0, 1): "None",
    range(1, 30): "Low",
    range(30, 70): "Medium",
    range(70, 101): "High",
}
```
About kill chain phases
STIX 2.1 kill chain phases are mapped to EclecticIQ JSON taxonomy tags:
| STIX 2.1 | EclecticIQ JSON |
| --- | --- |
| kill_chain_phases.kill_chain_name | meta.taxonomy_paths |
| kill_chain_phases.phase_name | meta.taxonomy_paths |
The Lockheed-Martin cyber kill chain
The following key/value pairs map the Lockheed-Martin cyber kill chain between STIX 2.1 and EclecticIQ JSON SDOs:
```python
# STIX 2.1 phase_name (Lockheed-Martin chain) -> EclecticIQ JSON taxonomy tag
_lockheed_martin_killchain_map = {
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
    "delivery": "Kill chain phase - Delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "command-and-control": "Kill chain phase - Command and Control",
    "actions-on-objectives": "Kill chain phase - Actions on Objectives",
}
```
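As an added example (not EclecticIQ's own eiqjson.py code), the confidence mapping and the kill chain mapping from this page applied to a STIX 2.1 indicator: the confidence integer is bucketed into its maliciousness label, and each kill_chain_phases entry becomes a taxonomy path. The `lockheed-martin-cyber-kill-chain` name is the one reserved by the STIX 2.1 specification; the range check, the fallback path format for other kill chains, and the sample indicator are assumptions constructed here.

```python
# Mapping tables as given on this page (from eiqjson.py).
CONFIDENCE_MAPPING = {
    range(0, 1): "None",
    range(1, 30): "Low",
    range(30, 70): "Medium",
    range(70, 101): "High",
}
LM_KILLCHAIN_MAP = {
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
    "delivery": "Kill chain phase - Delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "command-and-control": "Kill chain phase - Command and Control",
    "actions-on-objectives": "Kill chain phase - Actions on Objectives",
}
# kill_chain_name the STIX 2.1 specification reserves for the Lockheed-Martin chain.
LM_CHAIN = "lockheed-martin-cyber-kill-chain"

def map_confidence(confidence):
    """Map an SDO's optional 'confidence' (0-100) to a maliciousness label; a missing
    value stays None, out-of-range values are rejected (defensive choice, assumed here)."""
    if confidence is None:
        return None
    if not isinstance(confidence, int) or not 0 <= confidence <= 100:
        raise ValueError(f"confidence outside STIX 2.1 range 0-100: {confidence!r}")
    return next(label for rng, label in CONFIDENCE_MAPPING.items() if confidence in rng)

def map_kill_chain_phases(sdo):
    """Turn kill_chain_phases entries into taxonomy path strings; Lockheed-Martin phases
    use the page's map, anything else falls back to '<chain>/<phase>' (assumption)."""
    paths = []
    for phase in sdo.get("kill_chain_phases", []):
        chain, name = phase["kill_chain_name"], phase["phase_name"]
        if chain == LM_CHAIN and name in LM_KILLCHAIN_MAP:
            paths.append(LM_KILLCHAIN_MAP[name])
        else:
            paths.append(f"{chain}/{name}")
    return paths

SAMPLE_INDICATOR = {  # constructed, minimal sample; not a real indicator of compromise
    "type": "indicator", "id": "indicator--EXAMPLE", "confidence": 75,
    "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix",
    "kill_chain_phases": [
        {"kill_chain_name": LM_CHAIN, "phase_name": "delivery"},
        {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
    ],
}
```

Note the range boundaries: 0 is "None", 1 to 29 is "Low", 30 to 69 is "Medium", and 70 to 100 is "High", so a confidence of exactly 30 or 70 lands in the higher bucket.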
Supported STIX 2.1 objects
EclecticIQ Intelligence Center started supporting STIX 2.1 objects from release 2.8.0.
Given the scope of the work, STIX 2.1 support is rolled out across several Intelligence Center releases so that adoption is gradual and smooth for Intelligence Center users.
The scope of STIX 2.1 support in the Intelligence Center is based on the Threat Intelligence Platform (TIP) persona defined in the STIX/TAXII™ 2.0 Interoperability Test Document part 1, version 1.1 and part 2, version 1.0.
| STIX 2.1 object | STIX 2.1 type | Intelligence Center support | From release |
| --- | --- | --- | --- |
| Indicator | SDO | | 2.8.0 |
| Indicator | SDO | | 2.9.0 |
| Observed data | SDO | | 2.9.0 |
| Identity | SDO | | 2.9.0 |
| autonomous-system number | SCO | | 2.9.0 |
| domain-name | SCO | | 2.9.0 |
| email-addr | SCO | | 2.9.0 |
| email-message | SCO | | 2.9.0 |
| file | SCO | File hashes: | 2.9.0 |
| ipv4-addr | SCO | | 2.9.0 |
| ipv6-addr | SCO | | 2.9.0 |
| mac-addr | SCO | | 2.9.0 |
| mutex | SCO | | 2.9.0 |
| network-traffic | SCO | | 2.9.0 |
| software | SCO | | 2.9.0 |
| ssdeep | SCO | | 2.9.0 |
| url | SCO | | 2.9.0 |
| user-account | SCO | | 2.9.0 |
| windows-registry-key | SCO | | 2.9.0 |