STIX 2.1 STIX Patterns
New in version 2.9.0.
When a STIX 2.1 Indicator is ingested to produce EclecticIQ Indicator entities, the STIX Patterns contained in their .pattern field are processed to produce:
observables related to the resulting indicator entity
a test mechanism, embedded in the resulting indicator entity
The following sections explain how STIX Patterns map to observables and test mechanisms.
A pattern in a STIX 2.1 Indicator SDO looks like this:
  // ...
  "pattern": "[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']",
  "pattern_type": "stix",
  // ...
The pattern field contains a STIX Pattern compliant with §9.3 STIX Patterns.
The pattern_type field contains a “type” value, defined in §10.19 Pattern Type Vocabulary.
Map STIX Pattern to observables
EclecticIQ observables are limited in the amount of information they can capture in comparison to STIX 2.1 Cyber-observable Objects.
As a result, conversion of STIX Patterns to observables and the reverse without an original_stix21_objects field (see STIX 2.1 indicator) or a test mechanism (see Map STIX Pattern to test mechanism) may result in observables that capture less information than the original STIX Pattern.
The following sections detail what such conversions entail:
Ingest STIX Pattern to produce observables
When an Indicator SDO is ingested, its .pattern field is processed to produce EclecticIQ observables.
For a full list of supported observable types, see STIX 2.1 Cyber-observable Objects.
The Intelligence Center converts each "Comparison Expression" (§9.1) to observables. The type of the resulting observables is derived from the "Object Path" within the comparison expression.
For example, the comparison expression user-account:display_name = 'Bluejay' is ingested to produce a name observable, with value Bluejay.
The table below describes how observation operators (§9.5) (and the observation expressions formed with them) are supported.
| Observation operator | Support | Example pattern | Resulting observable(s) | Description |
| --- | --- | --- | --- | --- |
| REPEATS, TIMES | Not supported | | | N/A |
| WITHIN ... SECONDS | Not supported | | | N/A |
| START ... STOP ... | Not supported | | | N/A |
| AND, OR, FOLLOWEDBY | Partial | user-account:display_name = 'Bluejay' FOLLOWEDBY user-account:display_name = 'Chestnut' | name:Bluejay, name:Chestnut | EclecticIQ observables do not have properties that allow them to preserve the constraints indicated by these operators. Those constraints are ignored, and the operators are all treated as conjunctive when the pattern is processed. |
| = | ✅ | user-account:display_name = 'Bluejay' | name:Bluejay | Supported. |
| != | Not supported | user-account:display_name != 'Bluejay' | name:Bluejay | Known issue. EclecticIQ observables don't have properties that allow them to express negative observations. Currently, this produces an observable, treating the expression as a positive observation. |
| >, <, <=, >= | Partial | user-account:display_name > 'Bluejay' | name:Bluejay | Known issue. Observables don't have properties that let them represent 'more than' or 'less than' comparisons; these are currently interpreted as 'equality' comparisons. |
| IN | Not supported | user-account:display_name IN ('Bluejay','Chestnut', 'Acacia') | name:('Bluejay','Chestnut', 'Acacia') | Known issue. Patterns with an IN operator produce an observable containing the whole list, instead of one observable per item in the list. |
| LIKE, MATCHES | Not supported | | | Observables currently don't have a pattern matching mechanism. |
| ISSUBSET, ISSUPERSET | Not supported | | | Observables currently don't have a pattern matching mechanism. |
| EXISTS | Not supported | | | Observables currently don't have a pattern matching mechanism. |
Export observables to STIX Pattern
When an EclecticIQ Indicator is exported as an Indicator SDO, the Intelligence Center will first check if it has:
an original_stix21_objects field
test mechanisms
If the indicator has neither, the resulting .pattern field of the Indicator SDO is then constructed from its related observables.
The resulting pattern is a list of SCOs (expressed as §9.5 Observation Expressions), joined by the "OR" operator. For example:
"[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']"
For a list of observable to SCO mappings, see STIX 2.1 Cyber-observable Objects.
Map STIX Pattern to test mechanism
Ingest STIX Pattern to test mechanism
A STIX 2.1 Indicator SDO is ingested to produce a corresponding EclecticIQ Indicator entity. Each Indicator SDO contains a STIX Pattern in its .pattern field that is, on ingestion, set as a test mechanism in the resulting Indicator entity.
The following table shows how fields from an Indicator SDO are mapped to its resulting test mechanism (contained in the resulting indicator entity):
| STIX 2.1 Indicator SDO | EclecticIQ Indicator entity |
| --- | --- |
| .pattern | Depends on .pattern_type (see Map STIX pattern_type to test mechanism). |
| .pattern_type | Various. See Map STIX pattern_type to test mechanism. |
| .created_by_ref | .entities[].data.test_mechanism[].producer.identity |
The resulting test mechanism looks like this:
{
  // ...
  "test_mechanisms": [
    {
      "description": "stix",
      "producer": {
        "description": "",
        "identity": {
          "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
          "name": "ACME Corp, Inc.",
          "type": "identity"
        },
        "references": [],
        "time_start": "2018-01-01T00:00:00+00:00",
        "type": "information-source"
      },
      "specification": {
        "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
      },
      "test_mechanism_type": "generic",
      "type": "test-mechanism"
    }
  ]
  // ...
}
Map STIX pattern_type to test mechanism
Test mechanism types are derived from the .pattern_type (§10.19 Pattern Type Vocabulary) field in the ingested SDO.
The Intelligence Center maps these .pattern_type values as follows:
| Indicator SDO .pattern_type | EclecticIQ Indicator test mechanism |
| --- | --- |
| stix | |
| pcre | |
| sigma | |
| snort | |
| suricata | |
| yara | |
If the Indicator SDO has a .pattern_type value that is not listed here, the pattern is still ingested, and the test mechanism of the resulting Indicator entity gets these properties:
Type (test_mechanism[].pattern_type) set to: Generic
Description (test_mechanism[].description) set to: the .pattern_type of the Indicator SDO
Export test mechanism to STIX Pattern
Single test mechanism
When exporting an EclecticIQ indicator that contains one test mechanism, it results in an Indicator SDO with its .pattern and .pattern_type fields mapped as follows:
| EclecticIQ Indicator field | Indicator SDO field | Description |
| --- | --- | --- |
| entities[].data.test_mechanisms[].specification.value | .pattern | .pattern takes its value from the EclecticIQ test mechanism's value field. |
| entities[].data.test_mechanisms[].test_mechanism_type | .pattern_type | .pattern_type is mapped from the EclecticIQ test mechanism's test_mechanism_type and description fields. |
Multiple test mechanisms
When exporting an EclecticIQ Indicator that contains more than one test mechanism, one Indicator SDO is produced per test mechanism.
For example:
Let’s say we want to export an EclecticIQ Indicator entity titled “http://maliciousdomain.example.com” and containing three test mechanisms:
a YARA test mechanism
a SNORT test mechanism
a STIX 2.1 test mechanism (with Type set to “Generic”, and Description field set to “stix”)
Exporting that Indicator entity to STIX 2.1 will produce three separate Indicator SDOs named "http://maliciousdomain.example.com", each containing one of the test mechanisms above:
Indicator SDO “http://maliciousdomain.example.com” with .pattern field taking its value from the YARA test mechanism.
Indicator SDO “http://maliciousdomain.example.com” with .pattern field taking its value from the SNORT test mechanism.
Indicator SDO “http://maliciousdomain.example.com” with .pattern field taking its value from the STIX 2.1 test mechanism.
Relationships for multiple test mechanisms
When exporting an EclecticIQ Indicator that:
contains more than one test mechanism, and
is related to another EclecticIQ Indicator,
the resulting series of Indicator SDOs will have these relationships (see also diagrams below):
The first test mechanism of each related indicator entity produces an Indicator SDO. For these exported indicator entities, only these first SDOs are connected by a related-to SRO (§5).
If an indicator entity contains more than one test mechanism, these test mechanisms produce one Indicator SDO each. Except for the first test mechanism, every subsequent test mechanism produces an SDO that is related to the SDO produced from the first test mechanism.
To illustrate, let’s say that we have:
EclecticIQ Indicator 1
    Test mechanism A
    Test mechanism B
    Test mechanism C
EclecticIQ Indicator 2
    Test mechanism X
    Test mechanism Y
    Test mechanism Z
EclecticIQ Indicator 1 is related to EclecticIQ Indicator 2
When exported, these two indicator entities produce one Indicator SDO per test mechanism. So “Test mechanism A” results in “Indicator SDO A”, and so on.
The resulting relationship tree is shown in the following diagram:
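The same export behaviour, covering both the single test mechanism field mapping and the multiple test mechanism relationships above, as an added Python illustration that is not EclecticIQ's own code: one SDO per test mechanism, every later SDO related-to the first, and only the first SDOs of the two entities linked across. The pattern_type rule, the test mechanism type names ("yara", "snort", "generic"), the SRO direction and the sample patterns are assumptions.

```python
import uuid

def pattern_type_for(mech: dict) -> str:
    """Assumed export rule: a "generic" test mechanism carries the STIX
    pattern_type in its description (e.g. "stix"); others export their type."""
    if mech["test_mechanism_type"] == "generic":
        return mech["description"]
    return mech["test_mechanism_type"]

def related_to(src: dict, dst: dict) -> dict:
    """Build a related-to SRO (§5) pointing from src to dst (direction assumed)."""
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "relationship_type": "related-to",
            "source_ref": src["id"], "target_ref": dst["id"]}

def export_indicator(entity: dict) -> tuple[list, list]:
    """One Indicator SDO per test mechanism; every SDO after the first is
    related-to the SDO produced from the first test mechanism."""
    sdos, sros = [], []
    for mech in entity["test_mechanisms"]:
        sdo = {"type": "indicator", "id": f"indicator--{uuid.uuid4()}",
               "name": entity["title"],
               "pattern": mech["specification"]["value"],
               "pattern_type": pattern_type_for(mech)}
        if sdos:
            sros.append(related_to(sdo, sdos[0]))
        sdos.append(sdo)
    return sdos, sros

def export_related_pair(first: dict, second: dict) -> tuple[list, list]:
    """Export two related entities; only their first SDOs are linked across."""
    sdos1, sros1 = export_indicator(first)
    sdos2, sros2 = export_indicator(second)
    return sdos1 + sdos2, sros1 + sros2 + [related_to(sdos1[0], sdos2[0])]

def make_tm(tm_type: str, description: str, value: str) -> dict:
    """Constructed test mechanism in the shape of the JSON shown earlier."""
    return {"type": "test-mechanism", "test_mechanism_type": tm_type,
            "description": description, "specification": {"value": value}}

# Constructed sample input mirroring the page's Indicator 1 / Indicator 2.
INDICATOR_1 = {"title": "EclecticIQ Indicator 1", "test_mechanisms": [
    make_tm("yara", "", "rule A { condition: false }"),
    make_tm("snort", "", 'alert ip any any -> any any (msg:"B"; sid:1;)'),
    make_tm("generic", "stix", "[url:value = 'https://www.5z8.info/foo']")]}
INDICATOR_2 = {"title": "EclecticIQ Indicator 2", "test_mechanisms": [
    make_tm("generic", "stix", "[domain-name:value = 'www.5z8.info']"),
    make_tm("generic", "sigma", "title: Y"),
    make_tm("generic", "pcre", "/www\\.5z8\\.info/")]}
```

Calling export_related_pair(INDICATOR_1, INDICATOR_2) yields six Indicator SDOs and five related-to SROs: B and C point at A, Y and Z point at X, and A points at X.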