STIX 2.1 Observed Data SDO

This page provides details on how certain STIX 2.1 common properties are handled by the Intelligence Center.

If the STIX 2.1 common property you are looking for is not here, it may be covered in the documentation for how a specific STIX 2.1 object is handled by the Intelligence Center.

Labels are ingested as tags

New in version 2.9.0.

Each member of the .labels[] field in a STIX 2.1 object is ingested as a tag in the resulting entity.

So ingesting a STIX 2.1 Indicator SDO that looks like this:

{
  "type": "indicator",
  "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
  "name": "Bad IP1",
  "description": (
    "STIX 2.1 Interoperability Part 1, §2.2.3.1, Indicat$
  ),
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a47$
  "created": "2018-01-17T11:11:13.000Z",
  "modified": "2018-01-17T11:11:13.000Z",
  "valid_from": "2018-01-01T00:00:00Z",
  "labels": ["malicious-activity"],
  "pattern": "[ipv4-addr:value = '198.51.100.1']",
  "pattern_type": "stix",
  "pattern_version": "2.1",
  "spec_version": "2.1",
}

Produces an EclecticIQ JSON indicator with the following tags field:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "entities": [
    {
      "data": {
        //...
      },
      "meta": {
        "source_reliability": null,
        "tags": ["malicious-activity"],
        "title": "Bad IP1",
        "tlp_color": null
      },
      //...
    }
  ],
  //...
}

Confidence Scales

New in version 2.9.0.

Ingested STIX 2.1 confidence values

If a STIX 2.1 object containing a confidence property is ingested by the Intelligence Center, that value is translated to one of the values listed in the table below for the resulting EclecticIQ entity:

STIX 2.1 SDO –> EclecticIQ Entity

STIX 2.1 .confidence    EclecticIQ entity .confidence.value
Not specified           Unknown
0                       None
1 – 29                  Low
30 – 69                 Medium
70 – 100                High

The original STIX 2.1 object’s confidence value is retained only in the .entities[].data.original_stix21_objects field of the resulting EclecticIQ entity, and is not used by the Intelligence Center.

Exported STIX 2.1 confidence values

The Intelligence Center only packs or exports the EclecticIQ entity’s confidence value. The resulting STIX 2.1 object will not contain its original .confidence value.

Exporting EclecticIQ entities to STIX 2.1 will convert EclecticIQ entity confidence values as follows:

EclecticIQ Entity –> STIX 2.1 SDO

EclecticIQ entity .confidence.value    STIX 2.1 .confidence
Not specified                          N/A
None                                   0
Low                                    15
Medium                                 50
High                                   85

This complies with the conversion tables in Appendix A of the STIX 2.1 specification.
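
Taken together, the two tables above make a round trip through the Intelligence Center lossy: every ingested confidence value comes back as 0, 15, 50 or 85. The following added example (not EclecticIQ code) models both tables and lists the objects whose result against a consumer's confidence cut-off flips after ingest and export. The threshold, the sample objects and the treatment of Unknown as "no exported .confidence" are assumptions.

```python
# Added example modelling this page's confidence tables; not EclecticIQ code.
from typing import Optional

# Ingest buckets from the page: (low, high, EclecticIQ value).
INGEST_BUCKETS = [(0, 0, "None"), (1, 29, "Low"), (30, 69, "Medium"), (70, 100, "High")]
# Export values from the page. Assumption: "Unknown" exports no .confidence at all.
EXPORT_VALUES = {"None": 0, "Low": 15, "Medium": 50, "High": 85}


def ingest_confidence(stix_obj: dict) -> str:
    """Map a STIX 2.1 .confidence to the EclecticIQ bucket per the ingest table."""
    value = stix_obj.get("confidence")
    if value is None:
        return "Unknown"
    # STIX 2.1 requires an integer in 0-100; bool is an int subclass, so reject it.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
        raise ValueError(f"invalid STIX 2.1 confidence: {value!r}")
    for low, high, bucket in INGEST_BUCKETS:
        if low <= value <= high:
            return bucket
    raise AssertionError("unreachable: buckets cover 0-100")


def export_confidence(bucket: str) -> Optional[int]:
    """Map an EclecticIQ bucket to the exported STIX 2.1 .confidence (None = omitted)."""
    return EXPORT_VALUES.get(bucket)


def round_trip_report(objects: list, threshold: int) -> list:
    """List objects whose pass/fail against a consumer threshold flips after
    ingest + export (threshold is a hypothetical downstream cut-off)."""
    flipped = []
    for obj in objects:
        before = obj.get("confidence")
        after = export_confidence(ingest_confidence(obj))
        passed_before = before is not None and before >= threshold
        passed_after = after is not None and after >= threshold
        if passed_before != passed_after:
            flipped.append((obj["id"], before, after))
    return flipped


# Constructed sample objects (ids are placeholders, not from the page).
SAMPLE = [
    {"id": "indicator--example-1", "confidence": 95},
    {"id": "indicator--example-2", "confidence": 72},
    {"id": "indicator--example-3", "confidence": 29},
    {"id": "indicator--example-4"},
]
```

With a cut-off of 90, the object that arrived at 95 no longer passes after export (it becomes 85); with a cut-off of 80, the object that arrived at 72 starts passing.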