STIX 2.1 Common Properties

This page provides details on how certain STIX 2.1 common properties are handled by EclecticIQ Intelligence Center.

If the STIX 2.1 common property you are looking for is not here, it may be covered in the documentation for how a specific STIX 2.1 object is handled by EclecticIQ Intelligence Center.

Labels are ingested as tags

New in version 2.9.0.

Each member of the .labels[] field in a STIX 2.1 object is ingested as a tag in the resulting entity.

So ingesting a STIX 2.1 Indicator SDO that looks like this:

{
    "type": "indicator",
    "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
    "name": "Bad IP1",
    "description": (
        "STIX 2.1 Interoperability Part 1, §2.2.3.1, Indicat$
    ),
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a47$
    "created": "2018-01-17T11:11:13.000Z",
    "modified": "2018-01-17T11:11:13.000Z",
    "valid_from": "2018-01-01T00:00:00Z",
    "labels": ["malicious-activity"],
    "pattern": "[ipv4-addr:value = '198.51.100.1']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "spec_version": "2.1"
}

Produces an EclecticIQ JSON indicator with the following tags field:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "entities": [
    {
      "data": {
        //...
      },
      "meta": {
        "source_reliability": null,
        "tags": ["malicious-activity"],
        "title": "Bad IP1",
        "tlp_color": null
      },
      //...
    }
  ],
  //...
}

Confidence Scales

New in version 2.9.0.

Ingested STIX 2.1 confidence values

If a STIX 2.1 object containing a confidence property is ingested by EclecticIQ Intelligence Center, that value is translated to one of the values listed in the table below for the resulting EclecticIQ entity:

STIX 2.1 SDO –> EclecticIQ Entity

| STIX 2.1 .confidence | EclecticIQ entity .confidence.value |
| --- | --- |
| Not specified | Unknown |
| 0 | None |
| 1 – 29 | Low |
| 30 – 69 | Medium |
| 70 – 100 | High |

The original STIX 2.1 object’s confidence value is retained only in the .entities[].data.original_stix21_objects field of the resulting EclecticIQ entity, and is not used by EclecticIQ Intelligence Center.

Exported STIX 2.1 confidence values

EclecticIQ Intelligence Center only packs or exports the EclecticIQ entity’s confidence value. The resulting STIX 2.1 object will not contain its original .confidence value.

Exporting EclecticIQ entities to STIX 2.1 will convert EclecticIQ entity confidence values as follows:

EclecticIQ Entity –> STIX 2.1 SDO

| EclecticIQ entity .confidence.value | STIX 2.1 .confidence |
| --- | --- |
| Not specified | N/A |
| None | 0 |
| Low | 15 |
| Medium | 50 |
| High | 85 |

This complies with the conversion tables in Appendix A of the STIX 2.1 specification.
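
The ingest and export tables above are not inverses of each other, so a confidence value that passes through the platform and is re-exported can come back changed. The following Python sketch is an added example, not EclecticIQ code: it encodes both tables and reports which objects drift on a round trip. The function names and sample objects are hypothetical, and rejecting out-of-range values and treating "Unknown" as the export table's "Not specified" row are assumptions of the example.

```python
# Added illustration; not EclecticIQ code. Function names are hypothetical.
# Buckets and export values are copied from the two tables on this page.
INGEST_BUCKETS = [(0, 0, "None"), (1, 29, "Low"), (30, 69, "Medium"), (70, 100, "High")]
EXPORT_VALUES = {"None": 0, "Low": 15, "Medium": 50, "High": 85}


def ingest_confidence(stix_obj):
    """Return the entity confidence value for a STIX 2.1 object."""
    if "confidence" not in stix_obj:
        return "Unknown"  # "Not specified" row of the ingest table
    value = stix_obj["confidence"]
    # STIX 2.1 defines confidence as an integer in 0-100. Rejecting anything
    # else is this example's choice; the page does not describe that case.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
        raise ValueError(f"invalid STIX 2.1 confidence: {value!r}")
    for low, high, name in INGEST_BUCKETS:
        if low <= value <= high:
            return name


def export_confidence(entity_value):
    """Return the STIX 2.1 confidence to export, or None to omit the property."""
    # Assumption: "Unknown" is handled like the export table's "Not specified" row.
    return EXPORT_VALUES.get(entity_value)


def round_trip_drift(stix_objects):
    """List (id, original, re-exported) for objects whose confidence changes."""
    drift = []
    for obj in stix_objects:
        exported = export_confidence(ingest_confidence(obj))
        if obj.get("confidence") != exported:
            drift.append((obj["id"], obj.get("confidence"), exported))
    return drift


# Constructed sample objects (ids are placeholders, not real intelligence).
SAMPLE = [
    {"type": "indicator", "id": "indicator--a", "confidence": 29},
    {"type": "indicator", "id": "indicator--b", "confidence": 30},
    {"type": "indicator", "id": "indicator--c", "confidence": 85},
    {"type": "indicator", "id": "indicator--d", "confidence": 0},
    {"type": "indicator", "id": "indicator--e"},
]

if __name__ == "__main__":
    for obj_id, before, after in round_trip_drift(SAMPLE):
        print(f"{obj_id}: confidence {before} -> {after}")
```

Only values that already equal 0, 15, 50 or 85 survive unchanged; consumers that threshold on the numeric STIX confidence should account for neighbouring inputs such as 29 and 30 being re-exported as 15 and 50.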