STIX 2.1 Cyber-observable Objects

EclecticIQ Intelligence Center implements support for the STIX Cyber-observable Objects (SCOs) listed on this page.

Ingestion

New in version 2.9.0.

Ingesting STIX 2.1 SCOs produces EclecticIQ Observables on EclecticIQ Intelligence Center.

For example, ingesting this SCO of file type:

{
    "type": "file",
    "id": "file--364fe3e5-b1f4-5ba3-b951-ee5983b3538d",
    "spec_version": "2.1",
    "hashes": {
        "MD5": "1717b7fff97d37a1e1a0029d83492de1",
        "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea"
    },
    "size": 83968,
    "name": "resume.pdf"
},

Produces two observables on EclecticIQ Intelligence Center:

• a hash-md5 observable

• a hash-sha1 observable

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  //...
  "extracts": [
    {
      "instance_meta": {
        "link_types": [
          "observed"
        ],
        "paths": []
      },
      "kind": "hash-sha1",
      "meta": {},
      "value": "c79a326f8411e9488bdc3779753e1e3489aaedea"
    },
    {
      "instance_meta": {
        "link_types": [
          "observed"
        ],
        "paths": []
      },
      "kind": "hash-md5",
      "meta": {},
      "value": "1717b7fff97d37a1e1a0029d83492de1"
    },
    //...
  ],
  //...
}

The table below shows how SCO types translate to Intelligence Center observable types.

SCO types not listed here will not produce observables on STIX 2.1 object ingestion, but are preserved in the .original_stix21_objects field of the resulting parent entity.

SCO type	EclecticIQ observable type
autonomous-system:number	asn
domain-name:value	domain
email-addr:value	email
email-addr:display_name	name
email-message:subject	email-subject
file:hashes.MD5	hash-md5
file:hashes.SHA-1	hash-sha1
file:hashes.SHA-256	hash-sha256
file:hashes.SHA-512	hash-sha512
file:name	file
ipv4-addr:value	ipv4 Supports CIDR formatted values.
ipv6-addr:value	ipv6 Supports CIDR formatted values.
mac-addr:value	mac48
mutex:name	mutex
network-traffic:src_port	port
network-traffic:dst_port	port
software:name	product
software:vendor	company
url:value	uri
user-account:account_login	handle
user-account:display_name	name
windows-registry-key:key	winregistry
process:command_line	process

Export and outgoing feeds

New in version 2.9.0.

When observables are exported by SCOs, such as when you export or pack STIX 2.1 Observed Data SDO, EclecticIQ Intelligence Center applies the following type conversion:

EclecticIQ observable Type	SCO type
asn	autonomous-system:number
domain	domain-name:value
email	email-addr:value
email-subject	email-message:subject
hash-md5	file:hashes.MD5
hash-sha1	file:hashes.SHA1
hash-sha256	file:hashes.SHA256
hash-sha512	file:hashes.SHA512
file	file:name
ipv4	ipv4-addr:value
ipv6	ipv6-addr:value
mac48	mac-addr:value
mutex	mutex:name
port	network-traffic:dst-port
uri	url:value
winregistry	windows-registry-key:key
process	process:command_line