STIX 2.1 Identity SDO

New in version 2.9.0.

STIX 2.1 Identity SDOs are distinct objects in the STIX 2.1 specification, but do not create an EclecticIQ entity when ingested on the Intelligence Center.

Instead, Identity SDOs are ingested as an embedded property (producer) in the resulting EclecticIQ entities.

For example, a STIX 2.1 bundle like this:

{
    "objects": [
    {
        "type": "identity",
        "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "identity_class": "organization",
        "name": "ACME Corp, Inc.",
        "created": "2018-01-17T11:11:13.000Z",
        "modified": "2018-01-17T11:11:13.000Z",
        "spec_version": "2.1"
    },
    {
        "type": "indicator",
        "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
        "name": "§2.2.3.1 Indicator One IPv4 Address",
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.1, Indicator IPv4 Address",
        "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "created": "2018-01-17T11:11:13.000Z",
        "modified": "2018-01-17T11:11:13.000Z",
        "valid_from": "2018-01-01T00:00:00Z",
        "labels": ["malicious-activity"],
        "pattern": "[ipv4-addr:value = '198.51.100.1']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "spec_version": "2.1"
    }],
    "type": "bundle",
    "id": "bundle--fb99015b-3059-452d-a53a-0efa9fc1df8c"
}

is ingested by the Intelligence Center to produce one Indicator entity.

The Identity SDO referenced in the ingested Indicator SDO's created_by_ref field is mapped to the following fields of the resulting EclecticIQ Indicator entity. Each entry lists the EclecticIQ Indicator field, an example, and a description.

EclecticIQ Indicator field: .entities[].data.original_stix21_objects

Example:

"original_stix21_objects": [
    // ...
    {
      "created": "2018-01-17T11:11:13.000Z",
      "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "identity_class": "organization",
      "modified": "2018-01-17T11:11:13.000Z",
      "name": "ACME Corp, Inc.",
      "spec_version": "2.1",
      "type": "identity"
    }
  ],

Description: When a STIX 2.1 object is ingested, its original STIX 2.1 JSON is retained in the EclecticIQ entity it produces. You can find it in the .entities[].data.original_stix21_objects field of the resulting entity.

EclecticIQ Indicator field: .entities[].data.producer

Example:

//...
"producer": {
  "description": "",
  "identity": {
    "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "name": "ACME Corp, Inc.",
    "type": "identity"
  },
  "references": [],
  "time_start": "2018-01-01T00:00:00+00:00",
  "type": "information-source"
}
//...

Description: STIX 2.1 Identity SDOs ingested as properties of EclecticIQ entities keep their STIX 2.1 identifier in the id field of .entities[].data.producer.identity.

EclecticIQ Indicator field: .entities[].data.test_mechanisms[].producer

Example:

//...
"test_mechanisms": [
  {
    "description": "stix",
    "producer": {
      "description": "",
      "identity": {
        "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "name": "ACME Corp, Inc.",
        "type": "identity"
      },
      "references": [],
      "time_start": "2018-01-01T00:00:00+00:00",
      "type": "information-source"
    },
    "specification": {
      "value": "[ipv4-addr:value = '198.51.100.1']"
    },
    "test_mechanism_type": "generic",
    "type": "test-mechanism"
  }
],
//...

Description: For Indicator SDOs, the contents of the pattern field are ingested as a test mechanism of the resulting EclecticIQ Indicator. The Identity SDO is set as the producer of that test mechanism.
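The mapping described above, written out as an added illustrative example; this is not the Intelligence Center's own ingestion code. The bundle is constructed to mirror the one on this page; deriving time_start from valid_from and the test-mechanism description from pattern_type is assumed from the sample output, and an Indicator whose created_by_ref points at an Identity missing from the bundle is kept with no producer rather than dropped.

```python
# Constructed STIX 2.1 bundle mirroring the page's example (not Intelligence Center code).
BUNDLE = {
    "type": "bundle",
    "id": "bundle--fb99015b-3059-452d-a53a-0efa9fc1df8c",
    "objects": [
        {"type": "identity", "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
         "identity_class": "organization", "name": "ACME Corp, Inc.",
         "created": "2018-01-17T11:11:13.000Z", "spec_version": "2.1"},
        {"type": "indicator", "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
         "name": "§2.2.3.1 Indicator One IPv4 Address",
         "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
         "valid_from": "2018-01-01T00:00:00Z", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.1']", "spec_version": "2.1"},
    ],
}

def _iso_utc(ts):
    """Rewrite a STIX 'Z' timestamp into the '+00:00' form the page's output shows (assumed)."""
    return ts[:-1] + "+00:00" if ts.endswith("Z") else ts

def producer_from_identity(identity, time_start):
    """Embedded information-source block; only id, name and type of the Identity survive."""
    return {
        "description": "",
        "identity": {"id": identity["id"], "name": identity["name"], "type": "identity"},
        "references": [],
        "time_start": time_start,
        "type": "information-source",
    }

def ingest_indicators(bundle):
    """One entity-like dict per Indicator; Identity SDOs never become entities themselves."""
    identities = {o["id"]: o for o in bundle["objects"] if o["type"] == "identity"}
    entities = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        identity = identities.get(obj.get("created_by_ref"))
        if identity is None:
            producer, originals = None, [obj]  # dangling created_by_ref: no producer
        else:
            producer = producer_from_identity(identity, _iso_utc(obj["valid_from"]))
            originals = [obj, identity]  # original STIX JSON is retained verbatim
        test_mechanism = {"description": obj.get("pattern_type", "stix"), "producer": producer,
                          "specification": {"value": obj["pattern"]},
                          "test_mechanism_type": "generic", "type": "test-mechanism"}
        entities.append({"data": {"id": obj["id"], "type": "indicator", "title": obj["name"],
                                  "original_stix21_objects": originals, "producer": producer,
                                  "test_mechanisms": [test_mechanism]}})
    return entities
```

A producer of None in the output is the signal to check the feed for Identity SDOs that were referenced but never shipped in the bundle.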

The following is a sample of the resulting EclecticIQ JSON:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.1, Indicator IPv4 Address",
        "handling": [],
        "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
        "original_stix21_objects": [
            // ...
            {
              "created": "2018-01-17T11:11:13.000Z",
              "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
              "identity_class": "organization",
              "modified": "2018-01-17T11:11:13.000Z",
              "name": "ACME Corp, Inc.",
              "spec_version": "2.1",
              "type": "identity"
            }
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "name": "ACME Corp, Inc.",
            "type": "identity"
          },
          "references": [],
          "time_start": "2018-01-01T00:00:00+00:00",
          "type": "information-source"
        },
        "test_mechanisms": [
          {
            "description": "stix",
            "producer": {
              "description": "",
              "identity": {
                "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
                "name": "ACME Corp, Inc.",
                "type": "identity"
              },
              "references": [],
              "time_start": "2018-01-01T00:00:00+00:00",
              "type": "information-source"
            },
            "specification": {
              "value": "[ipv4-addr:value = '198.51.100.1']"
            },
            "test_mechanism_type": "generic",
            "type": "test-mechanism"
          }
        ],
        "timestamp": "2018-01-17T11:11:13+00:00",
        "title": "§2.2.3.1 Indicator One IPv4 Address",
        "type": "indicator",
        "types": [
          {
            "value": "IP Watchlist"
          }
        ]
      },
      "enrichment_extracts": [],
      "external_url": "https://192.168.1.194/entity/12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
      "extracts": [
        //...
      ],
      "id": "12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
      "meta": {
        //...
      },
      //...
    }
  ],
  //...
}