STIX 2.1 Observed Data SDO
This page provides details on how the STIX 2.1 Observed Data SDO is handled by EclecticIQ Intelligence Center.
Ingestion
New in version 2.9.0.
Observed Data SDOs are ingested by EclecticIQ Intelligence Center to produce EclecticIQ Indicator entities, each carrying the tag STIX 2.1 Observed Data Object to distinguish it from other Indicator entities.

This is because EclecticIQ Intelligence Center does not currently have an Observed Data entity type. Although an Observed Data SDO is ingested as an EclecticIQ Indicator entity, the STIX 2.1 Observed Data Object tag keeps it distinct from the Indicator entities produced by ingesting Indicator SDOs.
For example, an Observed Data SDO that references a single ipv4-addr SCO:
{
  "type": "observed-data",
  "id": "observed-data--60c871de-5936-41f1-afbe-4ef829c3ee0a",
  "spec_version": "2.1",
  "x_interop_description": "STIX 2.1 Interoperability Part 1, \u00a72.3.5.2 Sighting + Indicator with IPv4 Address Matching CIDR",
  "created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
  "created": "2018-01-17T11:11:13.000Z",
  "modified": "2018-01-17T11:11:13.000Z",
  "first_observed": "2017-12-21T19:00:00Z",
  "last_observed": "2018-01-06T19:00:00Z",
  "number_observed": 50,
  "object_refs": ["ipv4-addr--8a602356-2fdd-565f-bfb2-5b282a215584"]
},
{
  "type": "ipv4-addr",
  "id": "ipv4-addr--8a602356-2fdd-565f-bfb2-5b282a215584",
  "spec_version": "2.1",
  "value": "198.51.100.12"
}
is ingested to produce an EclecticIQ Indicator with the following fields set:
EclecticIQ Indicator field | Mapped from STIX 2.1 | Example | Description
---|---|---|---
Title | N/A | STIX 2.1 Observed Data Object | The Title of the Indicator entity. Always set to STIX 2.1 Observed Data Object. Observed Data SDOs do not have a title; EclecticIQ Intelligence Center sets an arbitrary title on ingestion.
STIX ID | id | observed-data--455d15c6-415a-4008-addf-8a4405ede887 | The STIX ID of the Indicator entity is set to the Observed Data SDO's STIX 2.1 id.
Producer | created_by_ref | identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb | The Producer field of the Indicator entity. The Indicator entity inherits the Identity SDO referenced by the Observed Data SDO's created_by_ref.
Tags | N/A | STIX 2.1 Observed Data Object | Tags on the Indicator entity. The STIX 2.1 Observed Data Object tag is arbitrarily set on all ingested Observed Data SDOs to distinguish them from Indicator SDOs, which are also ingested as Indicator entities on EclecticIQ Intelligence Center.
Estimated time > Observed | first_observed | 2017-12-21T19:00:00+00:00 | The Estimated time > Observed field of the Indicator entity is set to the timestamp found in the Observed Data SDO's first_observed.
Observables | object_refs | N/A | The SCOs referenced in the Observed Data SDO's object_refs are ingested as observables attached to the Indicator entity. For more information on ingesting SCOs, see STIX 2.1 Cyber-observable Objects.
Sample of resulting EclecticIQ JSON:
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "handling": [],
        "id": "observed-data--60c871de-5936-41f1-afbe-4ef829c3ee0a",
        "original_stix21_objects": [
          // original STIX 2.1 JSON
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
            "name": "ACME Corp Sighting, Inc.",
            "type": "identity"
          },
          "references": [],
          "type": "information-source"
        },
        "timestamp": "2021-05-27T09:09:18.448959+00:00",
        "title": "STIX 2.1 Observed Data Object",
        "type": "indicator"
      },
      "enrichment_extracts": [],
      "external_url": "https://192.168.1.194/entity/60c871de-5936-41f1-afbe-4ef829c3ee0a",
      "extracts": [
        {
          "instance_meta": {
            "link_types": [
              "observed"
            ],
            "paths": []
          },
          "kind": "ipv4",
          "meta": {},
          "value": "198.51.100.12"
        }
      ],
      "id": "60c871de-5936-41f1-afbe-4ef829c3ee0a",
      "meta": {
        "estimated_observed_time": "2017-12-21T19:00:00+00:00",
        "estimated_threat_start_time": "2018-01-17T11:11:13+00:00",
        "first_ingest_time": "2021-05-27T09:09:18.306113+00:00",
        "half_life": 30,
        "ingest_time": "2021-05-27T09:09:18.306113+00:00",
        "source_reliability": null,
        "tags": [
          "STIX 2.1 Observed Data Object"
        ],
        "title": "STIX 2.1 Observed Data Object",
        "tlp_color": null
      },
      "relevancy": 4.987782539022308e-13,
      "sources": [
        {
          "name": "Testing Group",
          "source_id": "3b9f8dc2-7478-498d-819a-79ea338c9889",
          "source_type": "group"
        }
      ]
    }
  ],
  "entity_counts": {
    "indicator": 1
  },
  //...
  "timestamp": "2021-05-27T09:09:18.448959+00:00"
}
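As an added illustration of the mapping described in this section (example code, not EclecticIQ Intelligence Center's ingestion code), the Python below turns a STIX 2.1 bundle holding an observed-data SDO and the SCOs it references into an entity shaped like the sample EclecticIQ JSON above. It also refuses SDOs that break the STIX 2.1 constraints on observed-data (an object_ref with no matching SCO in the bundle, first_observed later than last_observed, number_observed out of range), which is what an ingester should check before trusting the timestamps and observables. The bundle is constructed from the page's sample objects; the extract kinds other than ipv4 and all function names are assumptions made for the example.

```python
"""Ingest a STIX 2.1 observed-data SDO into an EclecticIQ-style Indicator entity.

Illustration added to this page; not EclecticIQ Intelligence Center code.
Output field names follow the sample EclecticIQ JSON above. The validation rules
are the STIX 2.1 constraints on observed-data and are assumed to be what an
ingester should enforce before producing an entity.
"""
from datetime import datetime

OBSERVED_DATA_TAG = "STIX 2.1 Observed Data Object"

# SCO type -> EclecticIQ extract "kind". "ipv4" is taken from the sample JSON;
# the other entries are assumptions for illustration.
SCO_KIND = {"ipv4-addr": "ipv4", "ipv6-addr": "ipv6", "domain-name": "domain", "url": "uri"}

# Constructed sample bundle: the page's observed-data and ipv4-addr objects plus
# the identity that created_by_ref points at.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "observed-data", "id": "observed-data--60c871de-5936-41f1-afbe-4ef829c3ee0a",
     "spec_version": "2.1", "created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
     "created": "2018-01-17T11:11:13.000Z", "modified": "2018-01-17T11:11:13.000Z",
     "first_observed": "2017-12-21T19:00:00Z", "last_observed": "2018-01-06T19:00:00Z",
     "number_observed": 50, "object_refs": ["ipv4-addr--8a602356-2fdd-565f-bfb2-5b282a215584"]},
    {"type": "identity", "id": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb", "spec_version": "2.1",
     "name": "ACME Corp Sighting, Inc.", "identity_class": "organization"},
    {"type": "ipv4-addr", "id": "ipv4-addr--8a602356-2fdd-565f-bfb2-5b282a215584",
     "spec_version": "2.1", "value": "198.51.100.12"},
]}


def parse_stix_timestamp(value):
    """STIX timestamps are RFC 3339 UTC strings ending in 'Z'; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_observed_data(sdo, index):
    """Return the list of problems that should stop this SDO from being ingested."""
    problems = []
    for key in ("created", "first_observed", "last_observed", "number_observed", "object_refs"):
        if key not in sdo:
            problems.append(f"missing required property {key}")
    if problems:
        return problems
    if not sdo["object_refs"]:
        problems.append("object_refs must not be empty")
    for ref in sdo["object_refs"]:
        if ref not in index:
            problems.append(f"dangling object_ref {ref}")  # no such SCO in the bundle
    if not 1 <= sdo["number_observed"] <= 999_999_999:
        problems.append("number_observed out of range")
    if parse_stix_timestamp(sdo["first_observed"]) > parse_stix_timestamp(sdo["last_observed"]):
        problems.append("first_observed is later than last_observed")
    return problems


def ingest_observed_data(bundle):
    """Return (entities, errors): one Indicator entity per valid observed-data SDO."""
    index = {obj["id"]: obj for obj in bundle["objects"]}
    entities, errors = [], []
    for sdo in bundle["objects"]:
        if sdo.get("type") != "observed-data":
            continue
        problems = validate_observed_data(sdo, index)
        if problems:
            errors.append(f"{sdo.get('id')}: " + "; ".join(problems))
            continue
        producer = index.get(sdo.get("created_by_ref"))
        # Each referenced SCO becomes one extract; SCO types without a kind are skipped.
        extracts = [
            {"instance_meta": {"link_types": ["observed"], "paths": []},
             "kind": SCO_KIND[index[ref]["type"]], "meta": {}, "value": index[ref]["value"]}
            for ref in sdo["object_refs"] if index[ref]["type"] in SCO_KIND
        ]
        entities.append({
            "data": {
                "type": "indicator",
                "title": OBSERVED_DATA_TAG,  # arbitrary title, as the table above states
                "id": sdo["id"],             # STIX ID carried over unchanged
                "producer": None if producer is None else {
                    "type": "information-source",
                    "identity": {"type": "identity", "id": producer["id"], "name": producer.get("name")},
                },
            },
            "extracts": extracts,
            "meta": {
                "title": OBSERVED_DATA_TAG,
                "tags": [OBSERVED_DATA_TAG],  # the tag the export side keys on
                "estimated_observed_time": parse_stix_timestamp(sdo["first_observed"]).isoformat(),
                "estimated_threat_start_time": parse_stix_timestamp(sdo["created"]).isoformat(),
            },
        })
    return entities, errors
```

Running `ingest_observed_data(SAMPLE_BUNDLE)` yields one entity whose title, tag, producer and estimated_observed_time match the sample JSON above and a single ipv4 extract for 198.51.100.12; a bundle whose observed-data points at an SCO id that is not in the bundle yields no entity and one error naming the dangling reference.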
Export and outgoing feeds
New in version 2.9.0.
To determine whether an EclecticIQ Indicator entity should be exported or packed as an Indicator SDO or (in this case) an Observed Data SDO, EclecticIQ Intelligence Center checks whether the EclecticIQ Indicator has the STIX 2.1 Observed Data Object tag.

If the tag is present, the EclecticIQ Indicator is packed as an Observed Data SDO. Its related observables are packed as SCOs in the same bundle and referenced in the resulting Observed Data SDO's object_refs field.

If the tag is not present, the EclecticIQ Indicator is packed as an Indicator SDO instead, and its observables are added to that SDO's pattern field. No SCOs are created for EclecticIQ Indicator entities packed as Indicator SDOs.
For example, exporting the following EclecticIQ Indicator as STIX 2.1:
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "handling": [],
        "id": "observed-data--60c871de-5936-41f1-afbe-4ef829c3ee0a",
        "original_stix21_objects": [
          {
            "created": "2018-01-17T11:11:13.000Z",
            "created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
            "first_observed": "2017-12-21T19:00:00Z",
            "id": "observed-data--60c871de-5936-41f1-afbe-4ef829c3ee0a",
            "last_observed": "2018-01-06T19:00:00Z",
            "modified": "2018-01-17T11:11:13.000Z",
            "number_observed": 50,
            "object_refs": [
              "ipv4-addr--8a602356-2fdd-565f-bfb2-5b282a215584"
            ],
            "spec_version": "2.1",
            "type": "observed-data",
            "x_interop_description": "STIX 2.1 Interoperability Part 1, \u00a72.3.5.2 Sighting + Indicator with IPv4 Address Matching CIDR"
          },
          {
            "created": "2018-01-17T11:11:13.000Z",
            "id": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
            "identity_class": "organization",
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "ACME Corp Sighting, Inc.",
            "spec_version": "2.1",
            "type": "identity"
          },
          {
            "id": "ipv4-addr--8a602356-2fdd-565f-bfb2-5b282a215584",
            "spec_version": "2.1",
            "type": "ipv4-addr",
            "value": "198.51.100.12"
          }
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
            "name": "ACME Corp Sighting, Inc.",
            "type": "identity"
          },
          "references": [],
          "type": "information-source"
        },
        "timestamp": "2021-05-27T09:09:18.448959+00:00",
        "title": "STIX 2.1 Observed Data Object",
        "type": "indicator"
      },
      "enrichment_extracts": [],
      "external_url": "https://192.168.1.194/entity/60c871de-5936-41f1-afbe-4ef829c3ee0a",
      "extracts": [
        {
          "instance_meta": {
            "link_types": [
              "observed"
            ],
            "paths": []
          },
          "kind": "ipv4",
          "meta": {},
          "value": "198.51.100.12"
        }
      ],
      "id": "60c871de-5936-41f1-afbe-4ef829c3ee0a",
      "meta": {
        "estimated_observed_time": "2017-12-21T19:00:00+00:00",
        "estimated_threat_start_time": "2018-01-17T11:11:13+00:00",
        "first_ingest_time": "2021-05-27T09:09:18.306113+00:00",
        "half_life": 30,
        "ingest_time": "2021-05-27T09:09:18.306113+00:00",
        "source_reliability": null,
        "tags": [
          "STIX 2.1 Observed Data Object"
        ],
        "title": "STIX 2.1 Observed Data Object",
        "tlp_color": null
      },
      "relevancy": 4.987782539022308e-13,
      "sources": [
        {
          "name": "Testing Group",
          "source_id": "3b9f8dc2-7478-498d-819a-79ea338c9889",
          "source_type": "group"
        }
      ]
    }
  ],
  "entity_counts": {
    "indicator": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "Intelligence Center-version": "2.10.0",
  "timestamp": "2021-05-27T09:09:18.448959+00:00"
}
produces the resulting JSON:
{
  "objects": [
    {
      "id": "observed-data--455d15c6-415a-4008-addf-8a4405ede887",
      "type": "observed-data",
      "created": "2018-01-17T11:11:13.000Z",
      "modified": "2018-01-17T11:11:13.000Z",
      "object_refs": ["ipv4-addr--2b3e2c17-3144-5591-9c88-a605220f8c0c"],
      "spec_version": "2.1",
      "last_observed": "2018-01-06T19:00:00Z",
      "created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
      "first_observed": "2017-12-21T19:00:00Z",
      "number_observed": 50,
      "x_interop_description": "STIX 2.1 Interoperability Part 1, \u00a72.3.5.1 Sighting + Indicator with IPv4 Address"
    },
    {
      "id": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
      "name": "ACME Corp Sighting, Inc.",
      "type": "identity",
      "created": "2018-01-17T11:11:13.000Z",
      "modified": "2018-01-17T11:11:13.000Z",
      "spec_version": "2.1",
      "identity_class": "organization"
    },
    {
      "id": "ipv4-addr--2b3e2c17-3144-5591-9c88-a605220f8c0c",
      "type": "ipv4-addr",
      "value": "198.51.100.1",
      "spec_version": "2.1"
    }
  ],
  "type": "bundle",
  "id": "bundle--12a19289-cb69-4bde-9bb0-95e78db7cb83"
}
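To make the export decision in this section concrete, the following Python is an added example (not EclecticIQ Intelligence Center's own packer) that packs an EclecticIQ-style Indicator entity either as an observed-data SDO with its observables as SCOs in the same bundle, or, when the STIX 2.1 Observed Data Object tag is absent, as an indicator SDO whose observables are folded into the pattern with no SCOs emitted. The two sample entities are constructed from the sample JSON above. Two things are assumptions rather than documented behaviour: SCO ids are generated with the STIX 2.1 deterministic UUIDv5 scheme over the id-contributing properties, and first_observed, last_observed and number_observed are derived from the entity's estimated observed time rather than from any stored original objects.

```python
"""Pack an EclecticIQ-style Indicator entity for STIX 2.1 export.

Illustration added to this page, not EclecticIQ Intelligence Center's packer.
The branch is chosen as the page describes: the STIX 2.1 Observed Data Object
tag selects an observed-data SDO plus SCOs; otherwise an indicator SDO with a
pattern and no SCOs. Assumed: SCO ids are UUIDv5 over the id-contributing
properties, and the entity's estimated_observed_time supplies first/last_observed.
"""
import json
import uuid

OBSERVED_DATA_TAG = "STIX 2.1 Observed Data Object"
# Namespace the STIX 2.1 specification defines for deterministic SCO ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# extract kind -> (SCO type, object path used in a STIX pattern); assumed mapping.
KIND_MAP = {"ipv4": ("ipv4-addr", "ipv4-addr:value"), "ipv6": ("ipv6-addr", "ipv6-addr:value"),
            "domain": ("domain-name", "domain-name:value"), "uri": ("url", "url:value")}

# Constructed sample entities: the first mirrors the tagged entity shown above,
# the second carries observables but no tag.
TAGGED_ENTITY = {
    "data": {"id": "observed-data--60c871de-5936-41f1-afbe-4ef829c3ee0a", "type": "indicator",
             "producer": {"identity": {"id": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb"}}},
    "meta": {"tags": [OBSERVED_DATA_TAG], "estimated_observed_time": "2017-12-21T19:00:00+00:00",
             "estimated_threat_start_time": "2018-01-17T11:11:13+00:00"},
    "extracts": [{"kind": "ipv4", "value": "198.51.100.12"}],
}
PLAIN_ENTITY = {
    "data": {"id": "indicator--11111111-1111-4111-8111-111111111111", "type": "indicator", "producer": None},
    "meta": {"tags": [], "estimated_observed_time": "2017-12-21T19:00:00+00:00",
             "estimated_threat_start_time": "2018-01-17T11:11:13+00:00"},
    "extracts": [{"kind": "ipv4", "value": "198.51.100.12"}, {"kind": "domain", "value": "example.com"}],
}


def stix_timestamp(value):
    """EclecticIQ stores '+00:00' offsets; STIX 2.1 requires the 'Z' form."""
    return value.replace("+00:00", "Z")


def sco_id(sco_type, value):
    """Deterministic SCO id: UUIDv5 of the canonical JSON of the contributing properties."""
    contributing = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True, ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, contributing)}"


def pattern_literal(value):
    """Quote a value as a STIX pattern string literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def pack_entity(entity):
    """Return a STIX 2.1 bundle holding the packed entity (plus SCOs when tagged)."""
    data, meta = entity["data"], entity["meta"]
    created = stix_timestamp(meta["estimated_threat_start_time"])
    observed = stix_timestamp(meta["estimated_observed_time"])
    sdo = {"spec_version": "2.1", "created": created, "modified": created}
    producer = data.get("producer")
    if producer:
        sdo["created_by_ref"] = producer["identity"]["id"]
    objects = [sdo]
    if OBSERVED_DATA_TAG in meta.get("tags", []):
        # Tagged: observables become SCOs in the bundle, referenced from object_refs.
        scos = [{"type": KIND_MAP[ex["kind"]][0], "spec_version": "2.1",
                 "id": sco_id(KIND_MAP[ex["kind"]][0], ex["value"]), "value": ex["value"]}
                for ex in entity["extracts"]]
        if not scos:
            raise ValueError("observed-data requires at least one SCO in object_refs")
        sdo.update({"type": "observed-data", "id": data["id"], "first_observed": observed,
                    "last_observed": observed, "number_observed": 1,  # assumed: one sighting
                    "object_refs": [sco["id"] for sco in scos]})
        objects.extend(scos)
    else:
        # Untagged: observables are folded into the pattern; no SCOs are emitted.
        comparisons = [f"[{KIND_MAP[ex['kind']][1]} = {pattern_literal(ex['value'])}]"
                       for ex in entity["extracts"]]
        sdo.update({"type": "indicator", "id": data["id"], "pattern": " OR ".join(comparisons),
                    "pattern_type": "stix", "valid_from": created})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

`pack_entity(TAGGED_ENTITY)` produces a bundle with an observed-data SDO followed by one ipv4-addr SCO whose id appears in object_refs; `pack_entity(PLAIN_ENTITY)` produces a bundle holding only an indicator SDO whose pattern joins the two observables with OR. A tagged entity with no observables is rejected rather than emitted with an empty object_refs, which STIX 2.1 does not allow.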