STIX 2.1 STIX Patterns

New in version 2.9.0.

When a STIX 2.1 indicator is ingested to produce an EclecticIQ Indicator entity, the STIX Pattern contained in its .pattern field is processed to produce:

  • observables related to the resulting indicator entity

  • a test mechanism, embedded in the resulting indicator entity

The following sections explain how STIX Patterns map to observables and test mechanisms.

A pattern in a STIX 2.1 Indicator SDO looks like this:

// ...
"pattern": "[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']",
"pattern_type": "stix",
// ...

Map STIX Pattern to observables

EclecticIQ observables are limited in the amount of information they can capture in comparison to STIX 2.1 Cyber-observable Objects.

As a result, converting a STIX Pattern to observables, and converting observables back to a STIX Pattern, is lossy: unless the entity carries an original_stix21_objects field (see STIX 2.1 indicator) or a test mechanism (see Map STIX Pattern to test mechanism), the observables may capture less information than the original STIX Pattern.

The following sections detail what such conversions entail:

Ingest STIX Pattern to produce observables

When an Indicator SDO is ingested, its .pattern field is processed to produce EclecticIQ observables.

For a full list of supported observable types, see STIX 2.1 Cyber-observable Objects.

The Intelligence Center converts each “Comparison Expression” (§9.1) to observables. The type of the observables resulting from this are derived from the “Object Path” within the comparison expression.

For example, the comparison expression user-account:display_name = 'Bluejay' is ingested to produce a name observable, with value Bluejay.

The list below describes how observation operators (§9.5), and the comparison operators used in the observation expressions formed with them, are supported. Each entry gives the support level, an example pattern, the resulting observable(s) and a description.

REPEATS, TIMES

  • Support: Not supported

  • Description: N/A

WITHIN ... SECONDS

  • Support: Not supported

  • Description: N/A

START ... STOP ...

  • Support: Not supported

  • Description: N/A

AND, OR, FOLLOWEDBY

  • Support: Partial

  • Example pattern: user-account:display_name = 'Bluejay' FOLLOWEDBY user-account:display_name = 'Chestnut'

  • Resulting observable(s): name:Bluejay, name:Chestnut

  • Description: EclecticIQ observables do not have properties that let them preserve the constraints these operators express. When the pattern is processed, those constraints are ignored and all three operators are treated as conjunctions.

=

  • Support: Supported

  • Example pattern: user-account:display_name = 'Bluejay'

  • Resulting observable(s): name:Bluejay

!=

  • Support: Not supported

  • Example pattern: user-account:display_name != 'Bluejay'

  • Resulting observable(s): name:Bluejay

  • Description: Known issue. EclecticIQ observables don’t have properties that let them express negative observations. Currently, this produces an observable, treating the expression as a positive observation.

>, <, <=, >=

  • Support: Partial

  • Example pattern: user-account:display_name > 'Bluejay'

  • Resulting observable(s): name:Bluejay

  • Description: Known issue. Observables don’t have properties that let them represent ‘more than’ or ‘less than’ comparisons, so these are currently interpreted as ‘equality’ comparisons.

IN

  • Support: Not supported

  • Example pattern: user-account:display_name IN ('Bluejay','Chestnut','Acacia')

  • Resulting observable(s): name:('Bluejay','Chestnut','Acacia')

  • Description: Known issue. A pattern with an IN operator produces one observable containing the whole list, instead of one observable per item in the list.

LIKE, MATCHES

  • Support: Not supported

  • Description: Observables currently don’t have a pattern matching mechanism.

ISSUBSET, ISSUPERSET

  • Support: Not supported

  • Description: Observables currently don’t have a pattern matching mechanism.

EXISTS

  • Support: Not supported

  • Description: Observables currently don’t have a pattern matching mechanism.

Export observables to STIX Pattern

When an EclecticIQ Indicator is exported as an Indicator SDO, the Intelligence Center will first check if it has:

  • an original_stix21_objects field

  • test mechanisms

If the indicator has neither, the resulting .pattern field of the Indicator SDO is then constructed from its related observables.

The resulting pattern is a list of SCOs (expressed as §9.5 Observation Expressions), joined by the “OR” operator. For example:

"[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']"

For a list of observable to SCO mappings, see STIX 2.1 Cyber-observable Objects.
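The following Python sketch is an added example, not EclecticIQ code: it applies the ingest rules from the table above (constraints of AND/OR/FOLLOWEDBY dropped, negations and ranges read as equality, IN kept as one value, pattern-matching operators skipped) and the OR-joined export described in this section, so the information lost in a round trip can be seen. The object-path mapping is constructed for the example: only user-account:display_name -> name is stated on the page, and "uri" and "domain" are assumed type names.

```python
import re

# Constructed object-path -> observable-type mapping for this example.
# user-account:display_name -> name is stated on the page; "uri" and "domain"
# are assumed type names, not necessarily the Intelligence Center's own.
OBJECT_PATH_TO_TYPE = {
    "user-account:display_name": "name",
    "url:value": "uri",             # assumed
    "domain-name:value": "domain",  # assumed
}
TYPE_TO_OBJECT_PATH = {t: p for p, t in OBJECT_PATH_TO_TYPE.items()}

# One comparison expression: <object path> <operator> <'literal' or (list)>.
COMPARISON = re.compile(
    r"([\w-]+:[\w.\[\]]+)\s*"
    r"(!=|<=|>=|=|<|>|IN|LIKE|MATCHES|ISSUBSET|ISSUPERSET)\s*"
    r"('(?:[^'\\]|\\.)*'|\([^)]*\))"
)
# Operators for which no observable is produced (no pattern-matching support).
UNSUPPORTED = {"LIKE", "MATCHES", "ISSUBSET", "ISSUPERSET"}


def ingest_pattern(pattern):
    """Return [(observable_type, value), ...] following the table above:
    AND/OR/FOLLOWEDBY constraints are dropped (every comparison is kept),
    !=, <, > and friends are read as equality, IN keeps the whole list."""
    observables = []
    for path, op, literal in COMPARISON.findall(pattern):
        obs_type = OBJECT_PATH_TO_TYPE.get(path)
        if obs_type is None or op in UNSUPPORTED:
            continue  # unknown object path or unsupported operator: nothing produced
        if op == "IN":
            value = literal  # known issue: one observable holding the whole list
        else:
            value = literal[1:-1].replace("\\'", "'").replace("\\\\", "\\")
        observables.append((obs_type, value))
    return observables


def export_pattern(observables):
    """Rebuild a .pattern from observables: one equality per observable, joined
    by OR. Ordering, negation and ranges from the original pattern are gone."""
    terms = []
    for obs_type, value in observables:
        escaped = value.replace("\\", "\\\\").replace("'", "\\'")
        terms.append(f"{TYPE_TO_OBJECT_PATH[obs_type]} = '{escaped}'")
    return "[" + " OR ".join(terms) + "]"
```

Running the FOLLOWEDBY example from the table through ingest_pattern and then export_pattern yields "[user-account:display_name = 'Bluejay' OR user-account:display_name = 'Chestnut']", which shows the ordering constraint being lost.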

Map STIX Pattern to test mechanism

Ingest STIX Pattern to test mechanism

A STIX 2.1 Indicator SDO is ingested to produce a corresponding EclecticIQ Indicator entity. Each Indicator SDO contains a STIX Pattern in its .pattern field that is, on ingestion, set as a test mechanism in the resulting Indicator entity.

The following table shows how fields from an Indicator SDO are mapped to its resulting test mechanism (contained in the resulting indicator entity):

.pattern

  • EclecticIQ Indicator entity: depends on .pattern_type:

    • generic: .entities[].data.test_mechanism[].specification.value

      For a list of STIX 2.1 pattern types that map to the generic test mechanism type, see Map STIX pattern_type to test mechanism.

    • yara: .entities[].data.test_mechanism[].rule.value

    • snort: .entities[].data.test_mechanism[].rules[].value

.pattern_type

  • EclecticIQ Indicator entity: various. See Map STIX pattern_type to test mechanism.

.created_by_ref

  • EclecticIQ Indicator entity: .entities[].data.test_mechanism[].producer.identity

The resulting test mechanism looks like this:

{
  // ...
  "test_mechanisms": [
    {
      "description": "stix",
      "producer": {
        "description": "",
        "identity": {
          "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
          "name": "ACME Corp, Inc.",
          "type": "identity"
        },
        "references": [],
        "time_start": "2018-01-01T00:00:00+00:00",
        "type": "information-source"
      },
      "specification": {
        "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
      },
      "test_mechanism_type": "generic",
      "type": "test-mechanism"
    }
  ]
  // ...
}

Map STIX pattern_type to test mechanism

Test mechanism types are derived from the .pattern_type (§10.19 Pattern Type Vocabulary) field in the ingested SDO.

The Intelligence Center maps these .pattern_type values as follows:

Indicator SDO .pattern_type

EclecticIQ Indicator test mechanism

stix

  • Type: Generic

  • Description: stix

pcre

  • Type: Generic

  • Description: pcre

sigma

  • Type: Generic

  • Description: sigma

snort

  • Type: SNORT

  • Description: N/A

suricata

  • Type: Generic

  • Description: suricata

yara

  • Type: YARA

  • Description: N/A

If the Indicator SDO has a .pattern_type field with a value not listed here, the pattern is still ingested, and the test mechanism of the resulting Indicator entity gets these properties:

  1. Type (test_mechanism[].pattern_type) set to: Generic

  2. Description (test_mechanism[].description) set to: the .pattern_type value of the Indicator SDO

Export test mechanism to STIX Pattern

Single test mechanism

When an EclecticIQ Indicator that contains one test mechanism is exported, the result is an Indicator SDO whose .pattern and .pattern_type fields are mapped as follows:

entities[].data.test_mechanisms[].specification.value

  • Indicator SDO field: .pattern

  • Description: .pattern takes its value from the EclecticIQ test mechanism’s value field.

entities[].data.test_mechanisms[].test_mechanism_type

  • Indicator SDO field: .pattern_type

  • Description: .pattern_type is mapped from the EclecticIQ test mechanism’s test_mechanism_type and description fields. See Map STIX pattern_type to test mechanism.

Multiple test mechanisms

When an EclecticIQ Indicator that contains more than one test mechanism is exported, one Indicator SDO is produced per test mechanism.

For example:

Let’s say we want to export an EclecticIQ Indicator entity titled “http://maliciousdomain.example.com” and containing three test mechanisms:

  • a YARA test mechanism

  • a SNORT test mechanism

  • a STIX 2.1 test mechanism (with Type set to “Generic”, and Description field set to “stix”)

Exporting that Indicator entity to STIX 2.1 produces three separate Indicator SDOs named “http://maliciousdomain.example.com”, each containing one of the three test mechanisms above.

Relationships for multiple test mechanisms

When exporting an EclecticIQ Indicator that:

  • contains more than one test mechanism, and

  • is related to another EclecticIQ Indicator,

the resulting series of Indicator SDOs will have these relationships (see also diagrams below):

  • The first test mechanism of each related indicator entity produces an Indicator SDO. For the exported indicator entities, only these first-test-mechanism SDOs are connected to each other by a related-to SRO (§5).

  • If an indicator entity contains more than one test mechanism, each test mechanism produces one Indicator SDO. Except for the first test mechanism, every subsequent test mechanism produces an SDO that is related to the SDO produced from the first test mechanism.

To illustrate, let’s say that we have:

  • EclecticIQ Indicator 1

    • Test mechanism A

    • Test mechanism B

    • Test mechanism C

  • EclecticIQ Indicator 2

    • Test mechanism X

    • Test mechanism Y

    • Test mechanism Z

  • EclecticIQ Indicator 1 is related to EclecticIQ Indicator 2

Diagram: Related EclecticIQ Indicators with multiple test mechanisms

When exported, these two indicator entities produce one Indicator SDO per test mechanism. So “Test mechanism A” results in “Indicator SDO A”, and so on.

Applying the two rules above, the resulting relationship tree is:

  • Indicator SDO A is related to Indicator SDO X (the first-test-mechanism SDOs carry the relationship between the two indicator entities)

  • Indicator SDOs B and C are each related to Indicator SDO A

  • Indicator SDOs Y and Z are each related to Indicator SDO X

Diagram: Resulting relationships from exported indicator entities
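To make the export rules of this section and of “Export test mechanism to STIX Pattern” concrete, here is an added Python example (not EclecticIQ code). It derives .pattern_type from each test mechanism as the mapping table states, emits one Indicator SDO per test mechanism, and builds the related-to SROs for the two indicator entities described above. The input dicts, the deterministic SDO ids and the newline-joining of several SNORT rules are constructed assumptions of this example.

```python
import uuid

def pattern_type_for(tm):
    """STIX .pattern_type per the mapping table: yara/snort map to themselves,
    a Generic test mechanism carries the pattern type in its description."""
    if tm["test_mechanism_type"] in ("yara", "snort"):
        return tm["test_mechanism_type"]
    return tm["description"]

def pattern_value_for(tm):
    """Pattern text from the per-type field named in the ingest table (joining SNORT rules is assumed)."""
    if tm["test_mechanism_type"] == "yara":
        return tm["rule"]["value"]
    if tm["test_mechanism_type"] == "snort":
        return "\n".join(r["value"] for r in tm["rules"])
    return tm["specification"]["value"]

def export_indicators(indicators, related_pairs):
    """One Indicator SDO per test mechanism, plus related-to SROs: each later
    test mechanism's SDO points at the first one's SDO, and an indicator-level
    relationship connects only the two first-test-mechanism SDOs."""
    sdos, sros, primary = [], [], {}
    for ind in indicators:
        for i, tm in enumerate(ind["test_mechanisms"]):
            # Deterministic constructed id; a real export would mint a fresh UUID.
            sdo_id = "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{ind['id']}/{i}"))
            sdos.append({"type": "indicator", "id": sdo_id, "name": ind["title"],
                         "pattern": pattern_value_for(tm), "pattern_type": pattern_type_for(tm)})
            if i == 0:
                primary[ind["id"]] = sdo_id
            else:
                sros.append({"type": "relationship", "relationship_type": "related-to",
                             "source_ref": sdo_id, "target_ref": primary[ind["id"]]})
    for src, dst in related_pairs:
        sros.append({"type": "relationship", "relationship_type": "related-to",
                     "source_ref": primary[src], "target_ref": primary[dst]})
    return sdos, sros

def sample_export():
    """Constructed input mirroring the page: Indicator 1 (A, B, C) related to Indicator 2 (X, Y, Z)."""
    def stix(label):  # Generic test mechanism whose description is "stix"
        return {"test_mechanism_type": "generic", "description": "stix",
                "specification": {"value": f"[domain-name:value = '{label}.example.com']"}}
    ind1 = {"id": "ind-1", "title": "http://maliciousdomain.example.com", "test_mechanisms": [
        {"test_mechanism_type": "yara", "description": "", "rule": {"value": "rule A { condition: true }"}},
        {"test_mechanism_type": "snort", "description": "", "rules": [{"value": 'alert ip any any -> any any (msg:"B"; sid:1;)'}]},
        stix("C")]}
    ind2 = {"id": "ind-2", "title": "Indicator 2", "test_mechanisms": [stix("X"), stix("Y"), stix("Z")]}
    return export_indicators([ind1, ind2], [("ind-1", "ind-2")])
```

sample_export() returns six Indicator SDOs (A, B, C, X, Y, Z in that order) and five SROs: B and C point at A, Y and Z point at X, and A points at X.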