STIX 2.1 Indicator SDO#
This page provides details on how the STIX 2.1 Indicator SDO is handled by EclecticIQ Intelligence Center.
Tip
STIX Patterns and how they are ingested is covered separately in STIX 2.1 STIX Patterns.
Ingestion#
New in version 2.9.0.
STIX 2.1 Indicator SDOs are ingested to produce indicator entities on EclecticIQ Intelligence Center.
The following table shows how STIX 2.1 Indicator SDO fields are mapped to indicator entities:
EclecticIQ Indicator field | Mapped from STIX 2.1 | Example | Description
---|---|---|---
Title | name | STIX 2.1 Indicator | The Title of an Indicator entity, taken from the Indicator SDO's name field.
STIX ID | id | indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9 | The STIX ID of an Indicator entity. The Indicator SDO's STIX 2.1 id is mapped here.
Description | description | Description of indicator | The description of an Indicator entity. Displayed as the "Analysis" field on EclecticIQ Intelligence Center. The Indicator SDO's description field is mapped here.
Indicator sub-type | pattern | File Hash Watchlist | The Indicator sub-type of an Indicator entity. When an Indicator SDO is ingested, the resulting entity's Indicator sub-type is derived from the STIX Pattern contained in its pattern field. See Map Indicator Types.
Confidence | confidence | Medium | See "Confidence Scales" in STIX 2.1 Common Properties.
Test mechanisms | pattern | Various | Test mechanisms are found under the Characteristics section of the entity builder on EclecticIQ Intelligence Center. STIX Patterns are ingested to produce these test mechanisms, and observables.
Type | type | Indicator | This is always set to "Indicator". For more information about Indicator SDO sub-types and indicator entity sub-types, see Map Indicator Types.
 | | Various | 
Tags | labels, indicator_types | malicious-activity, unknown | Free-form tags on Indicator entities. The values of the Indicator SDO's labels and indicator_types fields are ingested as free-form tags on the Indicator entity.
Kill chain phases | kill_chain_phases | Kill chain phase - Reconnaissance | See Map kill chain phases below.
Estimated time > Observed | created | 2017-12-21T19:00:00+00:00 | The Estimated time > Observed field in the resulting Indicator entity is set to the timestamp found in the ingested SDO's created field.
Estimated time > Start time | valid_from | 2017-12-21T19:00:00+00:00 | The Estimated time > Start time field in the resulting Indicator entity is set to the timestamp found in the ingested SDO's valid_from field.
Estimated time > End time | valid_until | 2017-12-21T19:00:00+00:00 | The Estimated time > End time field in the resulting Indicator entity is set to the timestamp found in the ingested SDO's valid_until field, if present.
Producer | created_by_ref | identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb | The Producer field of the Indicator entity. The Indicator entity inherits the Identity SDO referenced by the Indicator SDO's created_by_ref field.
Handling | object_marking_refs | Various | Stores marking structures such as terms of use statements. STIX 2.1 Statement Marking Objects map to this field. See STIX 2.1 Data Markings.
TLP color | object_marking_refs | GREEN | Stores TLP color. For more information on how STIX 2.1 TLP Marking Objects map to this field, see STIX 2.1 Data Markings.
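As an added worked example (not EclecticIQ's own code), the following Python applies the mappings in the table above to a constructed Indicator SDO: it resolves created_by_ref against the Identity SDO in the same bundle, normalises the STIX timestamps to the +00:00 form the entity uses, turns labels and indicator_types into tags, and derives the sub-types from the SCO types referenced in the pattern. The SCO_TO_SUBTYPE table is an assumption except for the ipv4-addr row, which the "Example result" section further down confirms; the entity field names follow the JSON shown there.

```python
import re
from datetime import datetime, timezone

# Constructed sample bundle: the Indicator and Identity SDOs from this page's
# "Example result", trimmed to the fields the mapping table touches, plus an
# indicator_types value to show how it lands in tags.
SAMPLE_BUNDLE_OBJECTS = [
    {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
        "created": "2018-01-17T11:11:13.000Z",
        "modified": "2018-01-17T11:11:13.000Z",
        "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "name": "198.51.100.0",
        "description": "Indicator IPv4 Address CIDR",
        "labels": ["malicious-activity"],
        "indicator_types": ["unknown"],
        "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
        "pattern_type": "stix",
        "valid_from": "2018-01-01T00:00:00Z",
    },
    {
        "type": "identity",
        "spec_version": "2.1",
        "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "name": "ACME Corp, Inc.",
        "identity_class": "organization",
    },
]

# Assumed SCO-type -> Indicator sub-type table. Only the ipv4-addr row is
# confirmed by this page; the other rows are illustrative placeholders.
SCO_TO_SUBTYPE = {
    "ipv4-addr": "IP Watchlist",
    "ipv6-addr": "IP Watchlist",
    "domain-name": "Domain Watchlist",
    "url": "URL Watchlist",
    "file": "File Hash Watchlist",
}

# A comparison expression starts with "<sco-type>:<property>". String literals
# are blanked first so that a quoted value such as 'http://h/a:b' or a hash
# key like 'SHA-256' is never mistaken for an object path.
_QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")
_OBJECT_PATH = re.compile(r"\b([a-z0-9-]+):[A-Za-z_]")


def sco_types_in_pattern(pattern):
    """Return the SCO types referenced by a STIX pattern, in first-seen order."""
    seen = []
    for match in _OBJECT_PATH.finditer(_QUOTED.sub("''", pattern)):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def subtypes_for_pattern(pattern):
    """One entity sub-type per mapped SCO type found in the pattern."""
    return [SCO_TO_SUBTYPE[t] for t in sco_types_in_pattern(pattern)
            if t in SCO_TO_SUBTYPE]


def to_entity_timestamp(value):
    """Normalise a STIX 'Z' timestamp to the '+00:00' form the entity uses."""
    if value is None:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed.astimezone(timezone.utc).isoformat()


def ingest_indicator(sdo, bundle_objects):
    """Map one Indicator SDO to the entity fields listed in the table above."""
    identities = {o["id"]: o for o in bundle_objects if o.get("type") == "identity"}
    producer = identities.get(sdo.get("created_by_ref"))
    return {
        "title": sdo.get("name"),
        "id": sdo["id"],
        "description": sdo.get("description", ""),
        "type": "Indicator",
        "types": subtypes_for_pattern(sdo["pattern"]),
        # labels and indicator_types both become free-form tags
        "tags": list(sdo.get("labels", [])) + list(sdo.get("indicator_types", [])),
        "estimated_observed_time": to_entity_timestamp(sdo["created"]),
        "estimated_threat_start_time": to_entity_timestamp(sdo.get("valid_from")),
        "estimated_threat_end_time": to_entity_timestamp(sdo.get("valid_until")),
        # created_by_ref is dereferenced to the Identity SDO in the same bundle;
        # a dangling reference leaves the producer unset rather than failing
        "producer": None if producer is None else {
            "id": producer["id"], "name": producer["name"], "type": "identity"},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ingest_indicator(SAMPLE_BUNDLE_OBJECTS[0], SAMPLE_BUNDLE_OBJECTS), indent=2))
```

Note that the sub-type scan ignores anything inside string literals, so a hash key such as file:hashes.'SHA-256' is recognised as the file SCO and a URL value containing a colon is not mistaken for an object path.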
Map Indicator Types#
Indicator SDOs and EclecticIQ Indicator entities each have their own sub-types:
- An Indicator SDO can have one or more sub-types specified in its indicator_types field. Possible Indicator SDO sub-types are defined in §10.10 Indicator Type Vocabulary.
- An EclecticIQ Indicator entity has a different list of possible sub-types.
STIX 2.1 Indicator SDO sub-types and EclecticIQ Indicator sub-types do not map directly to each other. Instead, see the following sections:
Map patterns to EclecticIQ Indicator entity sub-type#
EclecticIQ Indicator entities have two "type" fields:
- .entities[].data.type is always set to "Indicator".
- .entities[].data.types[] is a list of sub-types.
When a STIX 2.1 Indicator SDO is ingested, the resulting EclecticIQ Indicator entity derives its sub-types (.entities[].data.types[]) from the STIX 2.1 STIX Patterns (.pattern) contained in the ingested Indicator SDO.
EclecticIQ Intelligence Center looks at the .pattern field of the ingested SDO, and adds one sub-type to the resulting Indicator entity for each SCO type listed in the following table:
Detected SCO type | Resulting Indicator entity sub-type
---|---
ipv4-addr | IP Watchlist
Map kill chain phases#
An Indicator SDO may contain one or more kill chain phases (§2.11). When the SDO is ingested, these kill chain phases are added to the list of tags (.entities[].meta.tags[]) on the resulting entity.
However, Lockheed Martin Kill Chain phases are mapped differently. See Map Lockheed Martin Kill Chain phases.
Map general kill chain phases#
By default, kill chain phases in Indicator SDOs are mapped to the .entities[].meta.tags[] field in resulting EclecticIQ entities on ingestion. This produces tags named as follows:
<.kill_chain_phases[].kill_chain_name> - <.kill_chain_phases[].phase_name>
E.g.
extended-cyber-kill-chain - internal-exploitation
When an indicator entity is exported as a STIX 2.1 bundle, EclecticIQ Intelligence Center checks its .entities[].meta.tags[] field and exports all members that match the format <key> - <value> (the separator is a hyphen surrounded by single spaces) as STIX 2.1 kill chain phases, like this:
"kill_chain_phases": [
  {
    "kill_chain_name": <key>,
    "phase_name": <value>
  }
]
Tags that do not match this format, such as malicious-activity, are not exported as kill chain phases.
Map Lockheed Martin Kill Chain phases#
§2.11 defines a special kill_chain_name for Lockheed Martin Cyber Kill Chain phases: lockheed-martin-cyber-kill-chain.
So, when EclecticIQ Intelligence Center encounters an SDO kill chain phase (kill_chain_phases) with the attribute "kill_chain_name": "lockheed-martin-cyber-kill-chain", it ingests that kill chain phase as a taxonomy node in the resulting EclecticIQ entity's taxonomy_paths field instead.
Tip
taxonomy_paths and tags are displayed as "Tags" in the entity builder on EclecticIQ Intelligence Center, but are two different fields in the EclecticIQ data model.
The following table maps the Lockheed Martin Kill Chain phase_name values in STIX 2.1 SDOs to EclecticIQ taxonomy_paths:
Caution
§2.11 specifies that STIX 2.1 values for phase_name should be in lowercase and use hyphens instead of spaces or underscores, but does not specify a vocabulary for Lockheed Martin Cyber Kill Chain phase names. This table shows the values that EclecticIQ Intelligence Center expects.
Expected STIX 2.1 phase_name |
Resulting taxonomy_paths node name |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When an Indicator entity with a Lockheed Martin Kill Chain phase is exported to STIX 2.1, this mapping is reversed.
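The two mappings above, general kill chains to tags and the Lockheed Martin chain to taxonomy_paths, in both directions, as an added Python example that is not EclecticIQ's own code. The lockheed-martin-cyber-kill-chain name and the "<key> - <value>" tag format come from the text; the taxonomy node names in LM_PHASE_TO_TAXONOMY are assumed, since the expected-values table is not reproduced on this page, as is the fallback for an LM phase_name outside that set.

```python
LM_KILL_CHAIN = "lockheed-martin-cyber-kill-chain"
TAG_SEPARATOR = " - "

# Assumed phase_name -> taxonomy node mapping, for illustration only; the
# values EclecticIQ Intelligence Center actually expects are in the table above.
LM_PHASE_TO_TAXONOMY = {
    "reconnaissance": "Kill chain phase - Reconnaissance",
    "weaponization": "Kill chain phase - Weaponization",
    "delivery": "Kill chain phase - Delivery",
    "exploitation": "Kill chain phase - Exploitation",
    "installation": "Kill chain phase - Installation",
    "command-and-control": "Kill chain phase - Command and Control",
    "actions-on-objectives": "Kill chain phase - Actions on Objectives",
}
TAXONOMY_TO_LM_PHASE = {node: phase for phase, node in LM_PHASE_TO_TAXONOMY.items()}


def kill_chain_phases_to_meta(sdo):
    """Ingestion: split an SDO's kill_chain_phases into tags and taxonomy_paths."""
    tags, taxonomy_paths = [], []
    for phase in sdo.get("kill_chain_phases", []):
        chain, name = phase["kill_chain_name"], phase["phase_name"]
        if chain == LM_KILL_CHAIN and name in LM_PHASE_TO_TAXONOMY:
            taxonomy_paths.append(LM_PHASE_TO_TAXONOMY[name])
        else:
            # General chains, and LM phase names outside the expected set
            # (assumed fallback), become "<chain> - <phase>" tags.
            tags.append(f"{chain}{TAG_SEPARATOR}{name}")
    return {"tags": tags, "taxonomy_paths": taxonomy_paths}


def meta_to_kill_chain_phases(meta):
    """Export: rebuild kill_chain_phases from '<key> - <value>' tags and LM taxonomy nodes."""
    phases = []
    for tag in meta.get("tags", []):
        key, sep, value = tag.partition(TAG_SEPARATOR)
        # Tags without the separator (e.g. "malicious-activity") are not phases.
        # Splitting on the first separator is an assumption for tags that
        # contain more than one " - ".
        if sep and key and value:
            phases.append({"kill_chain_name": key, "phase_name": value})
    for node in meta.get("taxonomy_paths", []):
        if node in TAXONOMY_TO_LM_PHASE:
            phases.append({"kill_chain_name": LM_KILL_CHAIN,
                           "phase_name": TAXONOMY_TO_LM_PHASE[node]})
    return phases


if __name__ == "__main__":
    # Constructed sample: one general phase and one Lockheed Martin phase.
    sample_sdo = {"kill_chain_phases": [
        {"kill_chain_name": "extended-cyber-kill-chain", "phase_name": "internal-exploitation"},
        {"kill_chain_name": LM_KILL_CHAIN, "phase_name": "reconnaissance"},
    ]}
    meta = kill_chain_phases_to_meta(sample_sdo)
    print(meta)
    print(meta_to_kill_chain_phases(meta))
```

Because the entity builder shows both fields under "Tags", it is worth keeping them apart in any tooling you write: a taxonomy node such as "Kill chain phase - Reconnaissance" that ends up in tags would be exported as a kill chain named "Kill chain phase", not as a Lockheed Martin phase.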
Mapping STIX Patterns to observables#
For more information on how STIX Patterns are processed to produce EclecticIQ Observables, see STIX 2.1 STIX Patterns.
Export and outgoing feeds#
New in version 2.9.0.
When an EclecticIQ Indicator entity is exported or sent through an outgoing feed as a STIX 2.1 object, one of these cases occurs:
Case 1#
If an Indicator entity:
- was produced by ingesting an Indicator SDO, and
- has not been modified since ingestion,
then the original Indicator SDO is preserved in the Indicator entity's original_stix21_objects field. Exporting this entity then reproduces the original STIX 2.1 Indicator SDO in full.
Case 2#
If an Indicator entity:
- was not produced by ingesting an Indicator SDO (i.e. does not have an original_stix21_objects field), OR
- was produced by ingesting an Indicator SDO, but was modified after ingestion,
then EclecticIQ Intelligence Center checks for these further cases:
Case 2.1#
If the Indicator entity has one or more test mechanisms of these types:
- YARA
- SNORT
- Generic, with a Description field set to stix (a STIX Pattern)
then the pattern contained inside the rule is set as the .pattern for the resulting Indicator SDO.
This means that when one or more of these test mechanisms exist in an EclecticIQ Indicator entity, its related observables are ignored when you export that entity as STIX 2.1. If you add or change observables on such an entity, you must also modify the test mechanism for those changes to show up in the exported STIX 2.1 SDO.
For information on how test mechanism fields are mapped, see STIX 2.1 STIX Patterns.
Case 2.2#
If the Indicator entity does not contain a test mechanism listed in Case 2.1, then the resulting .pattern field is constructed from the observables related to that Indicator entity. This produces a list of "Comparison Expressions" joined by the "OR" operator. For example, an entity with two IPv4 observables produces:
[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.168.1.1']
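Case 1 and Case 2 as an added Python example, not EclecticIQ's own code: an unmodified entity that still carries its original SDO is exported verbatim; otherwise a qualifying test mechanism supplies the pattern, and only failing that is one built from the observables. KIND_TO_PATH is assumed apart from the ipv4 row, which the "Example result" below confirms, and the modified_since_ingest flag stands in for however the platform tracks edits, which this page does not describe. Observable values are quoted as STIX string literals with backslash and single quote escaped, so a value cannot break out of its comparison expression.

```python
# Assumed observable kind -> STIX object path table; only the ipv4 row is
# confirmed by this page.
KIND_TO_PATH = {
    "ipv4": "ipv4-addr:value",
    "ipv6": "ipv6-addr:value",
    "domain": "domain-name:value",
    "uri": "url:value",
    "hash-sha256": "file:hashes.'SHA-256'",
}

# Test mechanism types whose rule is exported as the SDO pattern (Case 2.1),
# with the STIX 2.1 pattern_type each one maps to.
RULE_PATTERN_TYPES = {"yara": "yara", "snort": "snort"}


def stix_string_literal(value):
    """Quote a value as a STIX pattern string literal. Backslash and single
    quote are escaped so an attacker-chosen observable value such as
    "x' OR ipv4-addr:value = '1" cannot alter the exported pattern."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def pattern_from_test_mechanisms(test_mechanisms):
    """Case 2.1: the first YARA, SNORT or generic/stix test mechanism wins."""
    for tm in test_mechanisms:
        tm_type = tm.get("test_mechanism_type", "")
        if tm_type in RULE_PATTERN_TYPES:
            return {"pattern": tm["specification"]["value"],
                    "pattern_type": RULE_PATTERN_TYPES[tm_type]}
        if tm_type == "generic" and tm.get("description") == "stix":
            return {"pattern": tm["specification"]["value"], "pattern_type": "stix"}
    return None


def pattern_from_observables(extracts):
    """Case 2.2: one comparison expression per mapped observable, joined by OR."""
    expressions = []
    for extract in extracts:
        path = KIND_TO_PATH.get(extract["kind"])
        if path is None:
            continue  # e.g. kind "rule" extracts, which mirror test mechanisms
        expressions.append(f"{path} = {stix_string_literal(extract['value'])}")
    if not expressions:
        return None
    return {"pattern": "[" + " OR ".join(expressions) + "]", "pattern_type": "stix"}


def export_indicator(entity, modified_since_ingest=False):
    """Return the STIX 2.1 Indicator SDO for an entity ({"data": ..., "extracts": ...})."""
    data = entity["data"]
    originals = data.get("original_stix21_objects") or []
    if originals and not modified_since_ingest:
        # Case 1: reproduce the ingested SDO in full
        return next(o for o in originals if o["type"] == "indicator")
    pattern = (pattern_from_test_mechanisms(data.get("test_mechanisms", []))
               or pattern_from_observables(entity.get("extracts", [])))
    if pattern is None:
        raise ValueError("no test mechanism or mappable observable to build a pattern from")
    sdo = {"type": "indicator", "spec_version": "2.1", "id": data["id"], "name": data.get("title")}
    sdo.update(pattern)
    if sdo["pattern_type"] == "stix":
        sdo["pattern_version"] = "2.1"
    return sdo


# Constructed sample entity, reduced from this page's "Example result".
SAMPLE_ENTITY = {
    "data": {
        "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
        "title": "198.51.100.0",
        "original_stix21_objects": [{
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
            "name": "198.51.100.0", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
        }],
        "test_mechanisms": [{
            "test_mechanism_type": "generic", "description": "stix",
            "specification": {"value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"},
        }],
    },
    "extracts": [
        {"kind": "ipv4", "value": "198.51.100.0/24"},
        {"kind": "rule", "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"},
    ],
}

if __name__ == "__main__":
    print(export_indicator(SAMPLE_ENTITY))
    print(export_indicator(SAMPLE_ENTITY, modified_since_ingest=True))
```

The sample shows why the test mechanism matters for this entity: built from the observable alone, the pattern would be ipv4-addr:value = '198.51.100.0/24', an equality test on the literal CIDR string, whereas the test mechanism carries the ISSUBSET comparison that actually matches addresses in the range.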
Example result#
Exporting the following EclecticIQ Indicator as STIX 2.1:
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
        "handling": [],
        "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
        "original_stix21_objects": [
          {
            "created": "2018-01-17T11:11:13.000Z",
            "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
            "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
            "labels": [
              "malicious-activity"
            ],
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "198.51.100.0",
            "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2018-01-01T00:00:00Z"
          },
          {
            "created": "2018-01-17T11:11:13.000Z",
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "identity_class": "organization",
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "ACME Corp, Inc.",
            "spec_version": "2.1",
            "type": "identity"
          }
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "name": "ACME Corp, Inc.",
            "type": "identity"
          },
          "references": [],
          "time_start": "2018-01-01T00:00:00+00:00",
          "type": "information-source"
        },
        "test_mechanisms": [
          {
            "description": "stix",
            "producer": {
              "description": "",
              "identity": {
                "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
                "name": "ACME Corp, Inc.",
                "type": "identity"
              },
              "references": [],
              "time_start": "2018-01-01T00:00:00+00:00",
              "type": "information-source"
            },
            "specification": {
              "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
            },
            "test_mechanism_type": "generic",
            "type": "test-mechanism"
          }
        ],
        "timestamp": "2018-01-17T11:11:13+00:00",
        "title": "198.51.100.0",
        "type": "indicator",
        "types": [
          {
            "value": "IP Watchlist"
          }
        ]
      },
      "enrichment_extracts": [],
      "external_url": "https://tip.example.com/entity/4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "extracts": [
        {
          "instance_meta": {
            "link_types": [
              "observed"
            ],
            "paths": []
          },
          "kind": "ipv4",
          "meta": {},
          "value": "198.51.100.0/24"
        },
        {
          "instance_meta": {
            "link_types": [
              "test-mechanism"
            ],
            "paths": [
              "test_mechanisms[]"
            ]
          },
          "kind": "rule",
          "meta": {},
          "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
        }
      ],
      "id": "4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "meta": {
        "estimated_observed_time": "2018-01-17T11:11:13+00:00",
        "estimated_threat_start_time": "2018-01-01T00:00:00+00:00",
        "first_ingest_time": "2021-08-04T10:13:00.601145+00:00",
        "half_life": 30,
        "ingest_time": "2021-08-04T10:13:00.601145+00:00",
        "source_reliability": null,
        "tags": [
          "malicious-activity"
        ],
        "title": "198.51.100.0",
        "tlp_color": null
      },
      "relevancy": 6.99824575659087e-14,
      "sources": [
        {
          "name": "TP51058_group",
          "source_id": "fb1a6aad-86da-467f-aba0-6464dd677cb0",
          "source_type": "group"
        }
      ]
    }
  ],
  "entity_counts": {
    "indicator": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "Intelligence Center-version": "2.10.dev0",
  "timestamp": "2018-01-17T11:11:13+00:00"
}
produces the resulting STIX 2.1 bundle:
{
  "objects": [
    {
      "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "name": "198.51.100.0",
      "type": "indicator",
      "labels": ["malicious-activity"],
      "created": "2018-01-17T11:11:13.000Z",
      "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
      "modified": "2018-01-17T11:11:13.000Z",
      "valid_from": "2018-01-01T00:00:00Z",
      "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
      "pattern_type": "stix",
      "spec_version": "2.1",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "pattern_version": "2.1"
    },
    {
      "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "name": "ACME Corp, Inc.",
      "type": "identity",
      "created": "2018-01-17T11:11:13.000Z",
      "modified": "2018-01-17T11:11:13.000Z",
      "spec_version": "2.1",
      "identity_class": "organization"
    }
  ],
  "type": "bundle",
  "id": "bundle--bb8831db-5e1a-4bea-a472-f84d508d3807"
}