STIX 2.1 indicator

This page provides details on how the STIX 2.1 Indicator SDO is handled by the Intelligence Center.

Ingestion

New in version 2.9.0.

STIX 2.1 Indicator SDOs are ingested to produce indicator entities on the Intelligence Center.

The following list shows how STIX 2.1 Indicator SDO fields are mapped to indicator entities. Each entry gives the EclecticIQ Indicator field, the STIX 2.1 field it is mapped from, an example value, and a description:

.entities[].data.title
  Mapped from STIX 2.1: .name
  Example: STIX 2.1 Indicator
  Description: The Title of an Indicator entity, taken from the Indicator SDO’s name.

.entities[].data.id
  Mapped from STIX 2.1: .id
  Example: indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9
  Description: The STIX ID of an Indicator entity. The Indicator SDO’s STIX 2.1 ID is mapped here.

.entities[].data.description
  Mapped from STIX 2.1: .description
  Example: Description of indicator
  Description: The description of an Indicator entity, displayed as the “Analysis” field on the Intelligence Center. The Indicator SDO’s description field is mapped here.

.entities[].data.types[]
  Mapped from STIX 2.1: derived from .pattern
  Example: File Hash Watchlist
  Description: The Indicator sub-type of an Indicator entity. When an Indicator SDO is ingested, the resulting entity’s Indicator sub-type is derived from the STIX Pattern contained in its .pattern field. See Map Indicator Types.

.entities[].data.confidence
  Mapped from STIX 2.1: .confidence
  Example: Medium
  Description: See “Confidence Scales” in STIX 2.1 Common Properties.

.entities[].data.test_mechanisms[]
  Mapped from STIX 2.1: .pattern
  Example: Various
  Description: Test mechanisms are found under the Characteristics section of the entity builder on the Intelligence Center. STIX Patterns are ingested to produce these test mechanisms and observables. See Map STIX Patterns below.

.entities[].data.type
  Mapped from STIX 2.1: N/A
  Example: Indicator
  Description: This is always set to “Indicator”. For more information about Indicator SDO sub-types and indicator entity sub-types, see Map Indicator Types.

.entities[].extracts[]
  Mapped from STIX 2.1: .pattern
  Example: Various
  Description: See Map STIX Patterns below.

.entities[].meta.tags[]
  Mapped from STIX 2.1: .labels[], .indicator_types[], .kill_chain_phases[]
  Example: malicious-activity, unknown
  Description: Free-form tags on Indicator entities. The three Indicator SDO fields listed above are ingested as free-form tags on Indicator entities.

.entities[].meta.taxonomy_paths[]
  Mapped from STIX 2.1: .kill_chain_phases[] where the kill_chain_name is lockheed-martin-cyber-kill-chain
  Example: Kill chain phase - Reconnaissance
  Description: See Map kill chain phases below.

.entities[].meta.estimated_observed_time
  Mapped from STIX 2.1: .created
  Example: 2017-12-21T19:00:00+00:00
  Description: The Estimated time > Observed field in the resulting Indicator entity is set to the timestamp found in the ingested SDO’s created field.

.entities[].meta.estimated_threat_start_time
  Mapped from STIX 2.1: .valid_from
  Example: 2017-12-21T19:00:00+00:00
  Description: The Estimated time > Start time field in the resulting Indicator entity is set to the timestamp found in the ingested SDO’s valid_from field.

.entities[].meta.estimated_threat_end_time
  Mapped from STIX 2.1: .valid_until
  Example: 2017-12-21T19:00:00+00:00
  Description: The Estimated time > End time field in the resulting Indicator entity is set to the timestamp found in the ingested SDO’s valid_until field.

.entities[].data.producer
  Mapped from STIX 2.1: .created_by_ref
  Example: identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb
  Description: The Producer field of the Indicator entity. The Indicator entity inherits the Identity SDO set in the Indicator SDO’s created_by_ref field.

.entities[].data.handling[]
  Mapped from STIX 2.1: STIX 2.1 Statement Marking Objects
  Example: Various
  Description: Stores marking structures such as terms of use statements. STIX 2.1 Statement Marking Objects map to this field. See STIX 2.1 Data Markings.

.entities[].meta.tlp_color
  Mapped from STIX 2.1: STIX 2.1 TLP Marking Objects
  Example: GREEN
  Description: Stores the TLP color. For more information on how STIX 2.1 TLP Marking Objects map to this field, see STIX 2.1 Data Markings.

Map Indicator Types

Indicator SDOs and EclecticIQ Indicator entities each have their own sub-types. STIX 2.1 Indicator SDO sub-types and EclecticIQ Indicator sub-types do not map directly to each other. Instead, see the following sections:

Map Indicator SDO sub-types to EclecticIQ entity tags

STIX 2.1 Indicator SDO sub-types are listed in their .indicator_types[] field.

When that SDO is ingested, these .indicator_types[] are set as tags (.entities[].meta.tags[]) on the resulting EclecticIQ Indicator entity, and look like this:

Indicator Type - <§10.10 Indicator Type Vocabulary>

For example:

Indicator Type - anomalous-activity

Map patterns to EclecticIQ Indicator entity sub-type

EclecticIQ Indicator entities have two “type” fields:

  • .entities[].data.type is always set to “Indicator”

  • .entities[].data.types[] is a list of sub-types

When a STIX 2.1 Indicator SDO is ingested, the resulting EclecticIQ Indicator entity derives its sub-types (.entities[].data.types[]) from the STIX Patterns contained in the ingested Indicator SDO.

The Intelligence Center looks at the .pattern field of the ingested SDO, and adds one sub-type to the resulting Indicator entity for each SCO type listed in the following table:

Detected SCO type              Resulting Indicator entity sub-type
domain-name:value              Domain Watchlist
email-addr:value               Email Watchlist
ipv4-addr:value                IP Watchlist
ipv6-addr:value                IP Watchlist
url:value                      URL Watchlist
user-account:account_login     Login Name
file:hashes                    File Hash Watchlist

Map STIX Patterns

STIX Patterns in Indicator SDOs are ingested to produce:

  • A test mechanism, embedded in resulting Indicator entities

  • Observables that represent

    • the pattern and its type

    • one observable per comparison in the pattern

See the following sections for details:

A pattern in a STIX 2.1 Indicator SDO looks like this:

// ...
"pattern": "[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']",
"pattern_type": "stix",
// ...

Map STIX Pattern to test mechanism

An ingested STIX Pattern produces a test mechanism. Test mechanisms are embedded in EclecticIQ Indicator entities and can be seen in the Characteristics section when editing the indicator in the entity builder, or in the JSON tab when viewing the indicator on the platform.

Test mechanisms (.entities[].data.test_mechanisms[]) in EclecticIQ JSON look like this:

{
  "description": "Example test mechanism",
  "producer": {
    "identity": {
      "name": "ACME Corp",
      "type": "identity"
    },
    "references": [
      "https://example-reference.example.com",
      "https://example-reference.example.com/example"
    ],
    "time_end": "2021-08-07T00:00:00+00:00",
    "time_end_precision": "day",
    "time_received": "2021-08-04T00:00:00+00:00",
    "time_received_precision": "second",
    "time_start": "2021-08-04T00:00:00+00:00",
    "time_start_precision": "month",
    "type": "information-source"
  },
  "specification": {
    "value": "Example of a test mechanism"
  },
  "test_mechanism_type": "generic",
  "type": "test-mechanism"
}

The .pattern field from an ingested Indicator SDO produces a test mechanism in the resulting entity that contains:

  • The full STIX Pattern from the Indicator SDO .pattern field

  • The producer identity from the Indicator SDO .created_by_ref field

  • A test mechanism type and description derived from the Indicator SDO .pattern_type field

    See Map STIX pattern_type to test mechanism.

The resulting test mechanism looks like this:

{
  // ...
  "test_mechanisms": [
    {
      "description": "stix",
      "producer": {
        "description": "",
        "identity": {
          "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
          "name": "ACME Corp, Inc.",
          "type": "identity"
        },
        "references": [],
        "time_start": "2018-01-01T00:00:00+00:00",
        "type": "information-source"
      },
      "specification": {
        "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
      },
      "test_mechanism_type": "generic",
      "type": "test-mechanism"
    }
  ]
  // ...
}

Map STIX pattern_type to test mechanism

Test mechanism types are derived from the .pattern_type field in the ingested SDO.

The platform supports only three test mechanism types:

  • Generic

  • SNORT

  • YARA

Other .pattern_type values specified in §10.19 Pattern Type Vocabulary are therefore mapped to a test mechanism by:

  1. Setting the Type of the test mechanism to: Generic

  2. Setting the Description of the test mechanism to: .pattern_type of the Indicator SDO

The following table shows in detail how .pattern_type is mapped to test mechanisms:

Indicator SDO .pattern_type    EclecticIQ Indicator test mechanism
stix                           Type: Generic; Description: stix
pcre                           Type: Generic; Description: pcre
sigma                          Type: Generic; Description: sigma
snort                          Type: SNORT; Description: N/A
suricata                       Type: Generic; Description: suricata
yara                           Type: YARA; Description: N/A

Map STIX Pattern to observables

When an Indicator SDO is ingested, its .pattern field is processed to produce EclecticIQ observables.

The platform converts each “Comparison Expression” (§9.1) to an observable. The type of the resulting observable is derived from the “Object Path” within the comparison expression.

For example, the comparison expression user-account:display_name = 'Peter' is ingested to produce a name observable, with value Peter.

For a full list of supported types, see STIX 2.1 Cyber-observable Objects.

When an EclecticIQ Indicator entity is exported as a STIX 2.1 object, the resulting .pattern field is constructed from the observables related to that Indicator entity.
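The two pattern-driven mappings on this page (sub-types from the SCO table in “Map patterns to EclecticIQ Indicator entity sub-type”, and one observable per comparison expression as described just above) share one parse of the pattern, so they are shown together. This is an added example, not EclecticIQ code; the observable kinds "ipv4" and "name" come from this page, while "domain" and "uri" are assumed names.

```python
import re

# Detected SCO object path -> Indicator entity sub-type (table on this page).
SCO_PATH_TO_SUBTYPE = {
    "domain-name:value": "Domain Watchlist",
    "email-addr:value": "Email Watchlist",
    "ipv4-addr:value": "IP Watchlist",
    "ipv6-addr:value": "IP Watchlist",
    "url:value": "URL Watchlist",
    "user-account:account_login": "Login Name",
    "file:hashes": "File Hash Watchlist",
}
# Object path -> observable kind; "ipv4" and "name" are on this page, "domain" and "uri" are assumed.
OBJECT_PATH_TO_KIND = {
    "ipv4-addr:value": "ipv4",
    "user-account:display_name": "name",
    "domain-name:value": "domain",
    "url:value": "uri",
}
# One comparison expression: <sco-type>:<property>[.<sub-property>]* <operator> '<literal>'.
# Only single-quoted literals are handled here (the grammar also allows numbers, booleans, timestamps, binary).
COMPARISON = re.compile(
    r"([a-z0-9-]+):([A-Za-z0-9_]+)((?:\.(?:[A-Za-z0-9_]+|'[^']*'))*)"
    r"\s+(NOT\s+)?(=|!=|>=|<=|>|<|IN|LIKE|MATCHES|ISSUBSET|ISSUPERSET)"
    r"\s+'((?:[^'\\]|\\.)*)'"
)


def comparisons(pattern: str) -> list:
    """(object_path, base_path, operator, literal) for each comparison expression."""
    out = []
    for sco, prop, rest, neg, op, lit in COMPARISON.findall(pattern):
        base = f"{sco}:{prop}"  # file:hashes.'SHA-256' reduces to file:hashes
        out.append((base + rest, base, ("NOT " if neg else "") + op, lit))
    return out


def indicator_subtypes(pattern: str) -> list:
    """.entities[].data.types[] derived from the pattern, deduplicated in order
    of first appearance (ipv4-addr and ipv6-addr both yield 'IP Watchlist')."""
    subtypes = []
    for _, base, _, _ in comparisons(pattern):
        subtype = SCO_PATH_TO_SUBTYPE.get(base)
        if subtype and subtype not in subtypes:
            subtypes.append(subtype)
    return subtypes


def pattern_observables(pattern: str) -> list:
    """One observable per comparison expression whose object path has a known kind."""
    return [{"kind": OBJECT_PATH_TO_KIND[path], "value": lit}
            for path, _, _, lit in comparisons(pattern) if path in OBJECT_PATH_TO_KIND]
```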

Map kill chain phases

An Indicator SDO may contain one or more kill chain phases (§2.11). When the SDO is ingested, these kill chain phases are added to the list of tags (.entities[].meta.tags[]) on the resulting entity.

However, Lockheed Martin Kill Chain phases are mapped differently. See Map Lockheed Martin Kill Chain phases.

Map general kill chain phases

By default, kill chain phases in Indicator SDOs are mapped to the .entities[].meta.tags[] field in resulting EclecticIQ entities on ingestion.

This produces tags named as follows:

<.kill_chain_phases.kill_chain_name> - <.kill_chain_phases.phase_name>

For example:

extended-cyber-kill-chain - internal-exploitation

When an indicator entity is exported as a STIX 2.1 bundle, the Intelligence Center checks its .entities[].meta.tags[] field and exports all members that match the format <key> - <value> as STIX 2.1 kill chain phases, like this:

"kill_chain_phases": [
  {
    "kill_chain_name": <key>,
    "phase_name": <value>
  }
]

Map Lockheed Martin Kill Chain phases

§2.11 defines a special kill_chain_name for Lockheed Martin Cyber Kill Chain phases: lockheed-martin-cyber-kill-chain.

So, when the Intelligence Center encounters an SDO kill chain phase (kill_chain_phases) with the attribute "kill_chain_name": "lockheed-martin-cyber-kill-chain", it ingests that kill chain phase as a taxonomy node in the resulting EclecticIQ entity’s taxonomy_paths field instead.

taxonomy_paths and tags are displayed as “Tags” in the entity builder on the Intelligence Center, but are two different fields in the EclecticIQ data model.

For more information, see Taxonomy and Tags.

The following table maps the Lockheed Martin Kill Chain phase_name in STIX 2.1 SDOs to EclecticIQ taxonomy_paths:

§2.11 specifies that STIX 2.1 values for phase_name should be in lowercase and use hyphens instead of spaces or underscores, but does not specify a vocabulary for Lockheed Martin Cyber Kill Chain phase names.

This table shows the values that the Intelligence Center expects.

Expected STIX 2.1 phase_name   Resulting taxonomy_paths node name
reconnaissance                 Kill chain phase - Reconnaissance
weaponization                  Kill chain phase - Weaponization
delivery                       Kill chain phase - Delivery
exploitation                   Kill chain phase - Exploitation
installation                   Kill chain phase - Installation
command-and-control            Kill chain phase - Command and Control
actions-on-objectives          Kill chain phase - Actions on Objectives

When an Indicator entity with a Lockheed Martin Kill Chain phase is exported to STIX 2.1, this mapping is reversed.
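The kill chain handling described in this section (general phases to tags, Lockheed Martin phases to taxonomy nodes, and the reverse on export), as an added example that is not EclecticIQ code. It assumes that a lockheed-martin-cyber-kill-chain phase whose phase_name is outside the expected vocabulary falls back to a general tag, which the page does not specify.

```python
LM_KILL_CHAIN = "lockheed-martin-cyber-kill-chain"

# Expected Lockheed Martin phase_name -> taxonomy node name (table on this page).
LM_PHASE_TO_TAXONOMY = {
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
    "delivery": "Kill chain phase - Delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "command-and-control": "Kill chain phase - Command and Control",
    "actions-on-objectives": "Kill chain phase - Actions on Objectives",
}
LM_TAXONOMY_TO_PHASE = {node: phase for phase, node in LM_PHASE_TO_TAXONOMY.items()}


def ingest_kill_chain_phases(sdo: dict) -> tuple:
    """Split an Indicator SDO's kill_chain_phases into (tags, taxonomy_paths).

    Assumption for this example: an LM phase with an unexpected phase_name is
    treated like any other kill chain and becomes a general tag."""
    tags, taxonomy_paths = [], []
    for phase in sdo.get("kill_chain_phases", []):
        chain, name = phase["kill_chain_name"], phase["phase_name"]
        node = LM_PHASE_TO_TAXONOMY.get(name) if chain == LM_KILL_CHAIN else None
        if node is not None:
            taxonomy_paths.append(node)
        else:
            tags.append(f"{chain} - {name}")  # <kill_chain_name> - <phase_name>
    return tags, taxonomy_paths


def export_kill_chain_phases(meta: dict) -> list:
    """Reverse the mapping on export: tags shaped '<key> - <value>' and
    Lockheed Martin taxonomy nodes become STIX 2.1 kill_chain_phases entries."""
    phases = []
    for tag in meta.get("tags", []):
        key, sep, value = tag.partition(" - ")
        if sep and key and value:
            phases.append({"kill_chain_name": key, "phase_name": value})
    for node in meta.get("taxonomy_paths", []):
        if node in LM_TAXONOMY_TO_PHASE:
            phases.append({"kill_chain_name": LM_KILL_CHAIN,
                           "phase_name": LM_TAXONOMY_TO_PHASE[node]})
    return phases
```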

Export and outgoing feeds

New in version 2.9.0.

Exporting the following EclecticIQ Indicator as STIX 2.1:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
        "handling": [],
        "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
        "original_stix21_objects": [
          {
            "created": "2018-01-17T11:11:13.000Z",
            "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
            "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
            "labels": [
              "malicious-activity"
            ],
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "198.51.100.0",
            "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2018-01-01T00:00:00Z"
          },
          {
            "created": "2018-01-17T11:11:13.000Z",
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "identity_class": "organization",
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "ACME Corp, Inc.",
            "spec_version": "2.1",
            "type": "identity"
          }
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "name": "ACME Corp, Inc.",
            "type": "identity"
          },
          "references": [],
          "time_start": "2018-01-01T00:00:00+00:00",
          "type": "information-source"
        },
        "test_mechanisms": [
          {
            "description": "stix",
            "producer": {
              "description": "",
              "identity": {
                "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
                "name": "ACME Corp, Inc.",
                "type": "identity"
              },
              "references": [],
              "time_start": "2018-01-01T00:00:00+00:00",
              "type": "information-source"
            },
            "specification": {
              "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
            },
            "test_mechanism_type": "generic",
            "type": "test-mechanism"
          }
        ],
        "timestamp": "2018-01-17T11:11:13+00:00",
        "title": "198.51.100.0",
        "type": "indicator",
        "types": [
          {
            "value": "IP Watchlist"
          }
        ]
      },
      "enrichment_extracts": [],
      "external_url": "https://tip.example.com/entity/4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "extracts": [
        {
          "instance_meta": {
            "link_types": [
              "observed"
            ],
            "paths": []
          },
          "kind": "ipv4",
          "meta": {},
          "value": "198.51.100.0/24"
        },
        {
          "instance_meta": {
            "link_types": [
              "test-mechanism"
            ],
            "paths": [
              "test_mechanisms[]"
            ]
          },
          "kind": "rule",
          "meta": {},
          "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
        }
      ],
      "id": "4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "meta": {
        "estimated_observed_time": "2018-01-17T11:11:13+00:00",
        "estimated_threat_start_time": "2018-01-01T00:00:00+00:00",
        "first_ingest_time": "2021-08-04T10:13:00.601145+00:00",
        "half_life": 30,
        "ingest_time": "2021-08-04T10:13:00.601145+00:00",
        "source_reliability": null,
        "tags": [
          "malicious-activity"
        ],
        "title": "198.51.100.0",
        "tlp_color": null
      },
      "relevancy": 6.99824575659087e-14,
      "sources": [
        {
          "name": "TP51058_group",
          "source_id": "fb1a6aad-86da-467f-aba0-6464dd677cb0",
          "source_type": "group"
        }
      ]
    }
  ],
  "entity_counts": {
    "indicator": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "Intelligence Center-version": "2.10.dev0",
  "timestamp": "2018-01-17T11:11:13+00:00"
}

produces the resulting STIX 2.1 bundle:

{
  "objects": [
    {
      "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "name": "198.51.100.0",
      "type": "indicator",
      "labels": ["malicious-activity"],
      "created": "2018-01-17T11:11:13.000Z",
      "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
      "modified": "2018-01-17T11:11:13.000Z",
      "valid_from": "2018-01-01T00:00:00Z",
      "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
      "pattern_type": "stix",
      "spec_version": "2.1",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "pattern_version": "2.1"
    },
    {
      "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "name": "ACME Corp, Inc.",
      "type": "identity",
      "created": "2018-01-17T11:11:13.000Z",
      "modified": "2018-01-17T11:11:13.000Z",
      "spec_version": "2.1",
      "identity_class": "organization"
    }
  ],
  "type": "bundle",
  "id": "bundle--bb8831db-5e1a-4bea-a472-f84d508d3807"
}