About STIX 2.1 objects

In EclecticIQ Intelligence Center, entities, relationships, and observables correspond to the standard objects defined in the STIX 2.1 specification, which are used to model, structure, and define different types of cyber threat information.

The Intelligence Center transforms and maps ingested data to these logical models to describe and represent specific CTI concepts that contribute to building and defining a cyber threat intelligence landscape.
This modular approach makes it easy to handle information in a standardized and predictable way while investigating a threat scenario.

Object access control

You can control access to the Intelligence Center CTI objects to manage intelligence dissemination.
This ensures that the target audience receives the correct information, that the publisher keeps control of the content they distribute, and that sensitive information is not shared with parties who should not see it.

Define access control to the Intelligence Center CTI objects through data sources and TLP color code values:

  • Allowed sources for CTI objects limit access to the user groups and their members that are granted access to the objects.
    To define group-level or user-level access to CTI object data sources, click > User management > Groups > ${group_name} > > Edit > Allowed sources > Source.

  • TLP color code values restrict data access to the user groups and their members that are granted access to the objects by assigning them a specific TLP color clearance.
    To define group-level or user-level access to CTI objects through TLP, click > User management > Groups > ${group_name} > > Edit > Allowed sources.

About confidence

The following key/value pairs map maliciousness confidence values between STIX 2.1 and EclecticIQ JSON SDOs:

eiqjson.py (sourced from EIQ platform-backend)

Author: Gram
Commit: 17a58f9f930d83ee862b731813ff472ea3994a37
Timestamp: February 14, 2022 11:59 AM
Full path: extensions/stix_taxii2/eiq/extensions/stix_taxii2/eiqjson.py
Title: [SNYK] Upgrade packages and ignore issues with no upgrade path
Description:

Upgrade packages:
ipython==7.16.0 => ipython==7.16.3 == no risk
cairosvg==2.4.2 => cairosvg==2.5.2 == no risk
jinja2==2.10.1 => jinja2==2.11.3 == no risk
pillow==7.2.0 => pillow==8.3.2 == no risk
pygments==2.6.1 => pygments==2.7.4 == no risk

Snyk Ignore:
Removed issues that no longer affect our product.
Increase ignore time for the following issues:
snyk:lic:pip:html2text:GPL-3.0 - can't be applied for 2.9
SNYK-PYTHON-PIP-609855 - can't upgrade PIP due to incompatibility with credential escaping
SNYK-PYTHON-PIP-1278135 - can't upgrade PIP due to incompatibility with credential escaping
SNYK-PYTHON-DATEPARSER-1063229 - no fix available
SNYK-PYTHON-CELERY-2314953 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2329135 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2331905 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2331907 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2331901 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-PILLOW-2397241 - fix can't be applied due to incompatibility with python 3.6
SNYK-PYTHON-CRYPTOGRAPHY-1070544 - can't apply fix, risk accepted
SNYK-PYTHON-PYSAML2-1063038 - can't apply fix, risk accepted
SNYK-PYTHON-PYSAML2-1063039 - can't apply fix, risk accepted
See merge request engineering/platform-backend!6465

# STIX 2.1 confidence is an integer 0-100; each range object is a hashable
# dict key, so a value is looked up by testing `value in key`.
_confidence_mapping = {
    range(0, 1): "None",
    range(1, 30): "Low",
    range(30, 70): "Medium",
    range(70, 101): "High",
}

About kill chain phases

STIX 2.1 kill chain phases are mapped to EclecticIQ JSON taxonomy tags:

STIX 2.1                             EclecticIQ JSON
kill_chain_phases.kill_chain_name    meta.taxonomy_paths
kill_chain_phases.phase_name         meta.taxonomy_paths

The Lockheed-Martin cyber kill chain

The following key/value pairs map the Lockheed-Martin cyber kill chain between STIX 2.1 and EclecticIQ JSON SDOs:

eiqjson.py (sourced from EIQ platform-backend)

# STIX 2.1 phase_name -> EclecticIQ JSON taxonomy path
_lockheed_martin_killchain_map = {
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
    "delivery": "Kill chain phase - Delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "command-and-control": "Kill chain phase - Command and Control",
    "actions-on-objectives": "Kill chain phase - Actions on Objectives",
}
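The following worked example is added here and is not part of eiqjson.py or the EclecticIQ code base. It applies both mappings from this page (the confidence buckets under "About confidence" and the Lockheed-Martin phase map above) to a single STIX 2.1 indicator, rejecting confidence values outside the 0-100 range the specification allows and reporting kill chain phases it cannot map instead of silently dropping them. It assumes the STIX object arrives as a parsed dict, that `meta.taxonomy_paths` is a list of strings, that `lockheed-martin-cyber-kill-chain` is the `kill_chain_name` the STIX 2.1 specification uses for this chain, and that the `confidence` and `unmapped_kill_chain_phases` output keys are placeholders of this example rather than EclecticIQ JSON field names.

```python
"""Apply the eiqjson.py confidence and kill chain mappings to a STIX 2.1 indicator.

Added example (not project code). Assumptions: STIX input is a parsed dict;
EclecticIQ `meta.taxonomy_paths` is a list of strings; the output keys
`confidence` and `unmapped_kill_chain_phases` are placeholders of this example.
"""
from typing import Any, Dict, List, Optional, Tuple

# Mapping tables as shown on the page (eiqjson.py).
_confidence_mapping = {
    range(0, 1): "None",
    range(1, 30): "Low",
    range(30, 70): "Medium",
    range(70, 101): "High",
}

_lockheed_martin_killchain_map = {
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
    "delivery": "Kill chain phase - Delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "command-and-control": "Kill chain phase - Command and Control",
    "actions-on-objectives": "Kill chain phase - Actions on Objectives",
}

# kill_chain_name the STIX 2.1 specification uses for the Lockheed-Martin chain.
LOCKHEED_MARTIN_KILL_CHAIN = "lockheed-martin-cyber-kill-chain"


def confidence_label(value: Any) -> Optional[str]:
    """Return the EclecticIQ label for a STIX 2.1 `confidence` integer.

    STIX 2.1 defines `confidence` as an integer 0-100. Anything else is
    rejected rather than silently bucketed, so malformed feed data surfaces
    instead of becoming an accidental "High" or "None".
    """
    if value is None:
        return None  # optional property absent on the STIX object
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"confidence must be an int 0-100, got {value!r}")
    for bucket, label in _confidence_mapping.items():
        if value in bucket:  # range membership test, O(1)
            return label
    raise ValueError(f"confidence outside STIX 2.1 range 0-100: {value}")


def taxonomy_paths_from_kill_chain(
    phases: List[Dict[str, str]]
) -> Tuple[List[str], List[Dict[str, str]]]:
    """Map STIX 2.1 kill_chain_phases to meta.taxonomy_paths entries.

    Only Lockheed-Martin phase names listed on the page are mapped; phases from
    other chains, or unknown phase names, are returned separately so the
    caller can log or tag them instead of losing them.
    """
    paths: List[str] = []
    unmapped: List[Dict[str, str]] = []
    for phase in phases:
        chain = phase.get("kill_chain_name")
        phase_name = phase.get("phase_name")
        if chain == LOCKHEED_MARTIN_KILL_CHAIN and phase_name in _lockheed_martin_killchain_map:
            path = _lockheed_martin_killchain_map[phase_name]
            if path not in paths:  # de-duplicate repeated phases
                paths.append(path)
        else:
            unmapped.append(phase)
    return paths, unmapped


def to_eiq_meta(indicator: Dict[str, Any]) -> Dict[str, Any]:
    """Build the confidence/taxonomy part of an EclecticIQ-style `meta` dict.

    The `confidence` and `unmapped_kill_chain_phases` keys are placeholders of
    this example, not EclecticIQ JSON field names.
    """
    paths, unmapped = taxonomy_paths_from_kill_chain(indicator.get("kill_chain_phases", []))
    meta: Dict[str, Any] = {"taxonomy_paths": paths}
    label = confidence_label(indicator.get("confidence"))
    if label is not None:
        meta["confidence"] = label
    if unmapped:
        meta["unmapped_kill_chain_phases"] = unmapped
    return meta


# Constructed sample STIX 2.1 indicator; not taken from any real feed.
SAMPLE_INDICATOR: Dict[str, Any] = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "pattern": "[domain-name:value = 'example.invalid']",
    "pattern_type": "stix",
    "confidence": 85,
    "kill_chain_phases": [
        {"kill_chain_name": LOCKHEED_MARTIN_KILL_CHAIN, "phase_name": "delivery"},
        {"kill_chain_name": LOCKHEED_MARTIN_KILL_CHAIN, "phase_name": "command-and-control"},
        {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_eiq_meta(SAMPLE_INDICATOR), indent=2))
```

Running the module prints the derived `meta` for the constructed indicator: confidence 85 lands in the `range(70, 101)` bucket and becomes "High", the two Lockheed-Martin phases become two taxonomy paths, and the MITRE ATT&CK phase is reported as unmapped because the page only defines the Lockheed-Martin table. Rejecting non-integer and out-of-range confidence values up front is the check a practitioner wants on ingestion, since a feed that ships `confidence` as a string or as 150 would otherwise be mislabelled rather than flagged.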

Supported STIX 2.1 objects

EclecticIQ Intelligence Center started supporting STIX 2.1 objects in release 2.8.0.
Given the scope of the work, STIX 2.1 support is delivered across several Intelligence Center releases so that adoption is gradual and smooth for Intelligence Center users.
The scope of STIX 2.1 support in the Intelligence Center is based on the Threat Intelligence Platform (TIP) persona defined in the STIX/TAXII™ 2.0 Interoperability Test Document part 1, version 1.1 and part 2, version 1.0.


STIX 2.1 object            STIX 2.1 type   Intelligence Center support                                  From release
Indicator                  SDO             Ingestion (incoming feeds)                                   2.8.0
Indicator                  SDO             Dissemination (outgoing feeds)                               2.9.0
Observed data              SDO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
Identity                   SDO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
autonomous-system number   SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
domain-name                SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
email-addr                 SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
email-message              SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
file                       SCO             Ingestion (incoming feeds), dissemination (outgoing feeds);  2.9.0
                                           file hashes: MD5, SHA-1, SHA-256, SHA-512
ipv4-addr                  SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
ipv6-addr                  SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
mac-addr                   SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
mutex                      SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
network-traffic            SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
software                   SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
ssdeep                     SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
url                        SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
user-account               SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0
windows-registry-key       SCO             Ingestion (incoming feeds), dissemination (outgoing feeds)   2.9.0