STIX 2.1 Identity SDO
New in version 2.9.0.
STIX 2.1 Identity SDOs are distinct objects in the STIX 2.1 specification, but they do not create an EclecticIQ entity when ingested by EclecticIQ Intelligence Center.
Instead, Identity SDOs are ingested as an embedded property (`producer`) in the resulting EclecticIQ entities.
For example, a STIX 2.1 bundle like this:
```json
{
  "objects": [
    {
      "type": "identity",
      "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "identity_class": "organization",
      "name": "ACME Corp, Inc.",
      "created": "2018-01-17T11:11:13.000Z",
      "modified": "2018-01-17T11:11:13.000Z",
      "spec_version": "2.1"
    },
    {
      "type": "indicator",
      "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
      "name": "§2.2.3.1 Indicator One IPv4 Address",
      "description": "STIX 2.1 Interoperability Part 1, §2.2.3.1, Indicator IPv4 Address",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2018-01-17T11:11:13.000Z",
      "modified": "2018-01-17T11:11:13.000Z",
      "valid_from": "2018-01-01T00:00:00Z",
      "labels": ["malicious-activity"],
      "pattern": "[ipv4-addr:value = '198.51.100.1']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1"
    }
  ],
  "type": "bundle",
  "id": "bundle--fb99015b-3059-452d-a53a-0efa9fc1df8c"
}
```
is ingested by EclecticIQ Intelligence Center to produce one Indicator entity.
The Identity SDO referenced in the ingested Indicator SDO's `created_by_ref` field then populates the following fields of the resulting EclecticIQ Indicator entity:
Field: `original_stix21_objects`

Example:

```json
"original_stix21_objects": [
  // ...
  {
    "created": "2018-01-17T11:11:13.000Z",
    "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "identity_class": "organization",
    "modified": "2018-01-17T11:11:13.000Z",
    "name": "ACME Corp, Inc.",
    "spec_version": "2.1",
    "type": "identity"
  }
],
```

Description: When ingesting a STIX 2.1 object, the original STIX 2.1 JSON is retained in the EclecticIQ entities it produces. You can find this in the `original_stix21_objects` field.

Field: `producer`

Example:

```json
// ...
"producer": {
  "description": "",
  "identity": {
    "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "name": "ACME Corp, Inc.",
    "type": "identity"
  },
  "references": [],
  "time_start": "2018-01-01T00:00:00+00:00",
  "type": "information-source"
}
// ...
```

Description: STIX 2.1 Identity SDOs ingested as properties in EclecticIQ entities have an

Field: `test_mechanisms`

Example:

```json
// ...
"test_mechanisms": [
  {
    "description": "stix",
    "producer": {
      "description": "",
      "identity": {
        "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "name": "ACME Corp, Inc.",
        "type": "identity"
      },
      "references": [],
      "time_start": "2018-01-01T00:00:00+00:00",
      "type": "information-source"
    },
    "specification": {
      "value": "[ipv4-addr:value = '198.51.100.1']"
    },
    "test_mechanism_type": "generic",
    "type": "test-mechanism"
  }
],
// ...
```

Description: For Indicator SDOs, the contents of the Identity SDO are set as the
The following is a sample of the resulting EclecticIQ JSON:
```json
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.1, Indicator IPv4 Address",
        "handling": [],
        "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
        "original_stix21_objects": [
          // ...
          {
            "created": "2018-01-17T11:11:13.000Z",
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "identity_class": "organization",
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "ACME Corp, Inc.",
            "spec_version": "2.1",
            "type": "identity"
          }
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "name": "ACME Corp, Inc.",
            "type": "identity"
          },
          "references": [],
          "time_start": "2018-01-01T00:00:00+00:00",
          "type": "information-source"
        },
        "test_mechanisms": [
          {
            "description": "stix",
            "producer": {
              "description": "",
              "identity": {
                "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
                "name": "ACME Corp, Inc.",
                "type": "identity"
              },
              "references": [],
              "time_start": "2018-01-01T00:00:00+00:00",
              "type": "information-source"
            },
            "specification": {
              "value": "[ipv4-addr:value = '198.51.100.1']"
            },
            "test_mechanism_type": "generic",
            "type": "test-mechanism"
          }
        ],
        "timestamp": "2018-01-17T11:11:13+00:00",
        "title": "§2.2.3.1 Indicator One IPv4 Address",
        "type": "indicator",
        "types": [
          {
            "value": "IP Watchlist"
          }
        ]
      },
      "enrichment_extracts": [],
      "external_url": "https://192.168.1.194/entity/12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
      "extracts": [
        // ...
      ],
      "id": "12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
      "meta": {
        // ...
      },
      // ...
    }
  ],
  // ...
}
```
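The mapping described on this page, written out as an added Python example (not EclecticIQ's own code): it resolves the Indicator's `created_by_ref` against the bundle, rejects a dangling reference instead of silently producing an entity with no producer, and assembles the `original_stix21_objects`, `producer` and `test_mechanisms` parts of the entity `data`. It assumes, from the matching values in the page's samples, that `time_start` is taken from the Indicator's `valid_from` and the test mechanism `description` from `pattern_type`; the trimmed bundle is constructed from the page's sample.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the page's bundle, trimmed to the fields the mapping reads.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--fb99015b-3059-452d-a53a-0efa9fc1df8c", "objects": [
    {"type": "identity", "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
     "identity_class": "organization", "name": "ACME Corp, Inc.", "spec_version": "2.1",
     "created": "2018-01-17T11:11:13.000Z", "modified": "2018-01-17T11:11:13.000Z"},
    {"type": "indicator", "id": "indicator--12fd1bad-8306-4ed4-8c9b-7dfdd8ad5eb8",
     "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", "spec_version": "2.1",
     "valid_from": "2018-01-01T00:00:00Z", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.1']"},
]}


def to_offset_form(ts):
    # STIX writes a trailing 'Z'; the entity JSON on the page renders the same instant as '+00:00'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def build_producer(bundle, sdo):
    """Resolve sdo['created_by_ref'] against the bundle and build the embedded 'producer'.
    Returns None when the SDO names no creator; raises KeyError when the reference does not
    resolve to an Identity carried in the bundle (the case to catch before trusting the producer)."""
    ref = sdo.get("created_by_ref")
    if ref is None:
        return None
    identities = {o["id"]: o for o in bundle["objects"] if o.get("type") == "identity"}
    if ref not in identities:
        raise KeyError(f"created_by_ref {ref} has no Identity object in the bundle")
    ident = identities[ref]
    producer = {"description": "", "references": [], "type": "information-source",
                "identity": {"id": ident["id"], "name": ident["name"], "type": "identity"}}
    if "valid_from" in sdo:  # assumption: time_start is taken from the Indicator's valid_from
        producer["time_start"] = to_offset_form(sdo["valid_from"])
    return producer


def indicator_entity_data(bundle, indicator):
    """The Identity-derived parts of the EclecticIQ entity 'data' shown on the page: the retained
    original Identity JSON, the entity producer, and the test-mechanism producer."""
    producer = build_producer(bundle, indicator)
    retained = [o for o in bundle["objects"] if o["id"] == indicator.get("created_by_ref")]
    mechanism = {"description": indicator["pattern_type"], "producer": producer,  # assumption
                 "specification": {"value": indicator["pattern"]},
                 "test_mechanism_type": "generic", "type": "test-mechanism"}
    return {"original_stix21_objects": retained, "producer": producer, "test_mechanisms": [mechanism]}


if __name__ == "__main__":
    print(json.dumps(indicator_entity_data(SAMPLE_BUNDLE, SAMPLE_BUNDLE["objects"][1]), indent=2))
```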