STIX 2.1 Indicator SDO#

This page provides details on how the STIX 2.1 Indicator SDO is handled by EclecticIQ Intelligence Center.

Tip

STIX Patterns, and how they are ingested, are covered separately in STIX 2.1 STIX Patterns.

Ingestion#

New in version 2.9.0.

STIX 2.1 Indicator SDOs are ingested to produce indicator entities on EclecticIQ Intelligence Center.

The following table shows how STIX 2.1 Indicator SDO fields are mapped to indicator entities:

| EclecticIQ Indicator field | Mapped from STIX 2.1 | Example | Description |
|---|---|---|---|
| .entities[].data.title | .name | STIX 2.1 Indicator | The Title of an Indicator entity, taken from the Indicator SDO’s name. |
| .entities[].data.id | .id | indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9 | The STIX ID of an Indicator entity. The Indicator SDO’s STIX 2.1 ID is mapped here. |
| .entities[].data.description | .description | Description of indicator | The description of an Indicator entity, displayed as the “Analysis” field on EclecticIQ Intelligence Center. The Indicator SDO’s description field is mapped here. |
| .entities[].data.types[] | Derived from .pattern | File Hash Watchlist | The Indicator sub-type of an Indicator entity. When an Indicator SDO is ingested, the resulting entity’s Indicator sub-type is derived from the STIX Pattern contained in its .pattern field. See Map Indicator Types. |
| .entities[].data.confidence | .confidence | Medium | See “Confidence Scales” in STIX 2.1 Common Properties. |
| .entities[].test_mechanisms[] | .pattern | Various | Test mechanisms are found under the Characteristics section of the entity builder on EclecticIQ Intelligence Center. STIX Patterns are ingested to produce these test mechanisms, and observables. See STIX 2.1 STIX Patterns. |
| .entities[].data.type | N/A | Indicator | Always set to “Indicator”. For more information about Indicator SDO sub-types and Indicator entity sub-types, see Map Indicator Types. |
| .entities[].extracts[] | .pattern | Various | See STIX 2.1 STIX Patterns. |
| .entities[].meta.tags[] | .labels[], .indicator_types[], .kill_chain_phases[] | malicious-activity, unknown | Free-form tags on Indicator entities. The listed Indicator SDO fields are ingested as free-form tags on the resulting Indicator entity. |
| .entities[].meta.taxonomy_paths[] | .kill_chain_phases[] where kill_chain_name is lockheed-martin-cyber-kill-chain | Kill chain phase - Reconnaissance | See Map kill chain phases below. |
| .entities[].meta.estimated_observed_time | .created | 2017-12-21T19:00:00+00:00 | The Estimated time > Observed field in the resulting Indicator entity is set to the timestamp found in the ingested SDO’s created field. |
| .entities[].meta.estimated_threat_start_time | .valid_from | 2017-12-21T19:00:00+00:00 | The Estimated time > Start time field in the resulting Indicator entity is set to the timestamp found in the ingested SDO’s valid_from field. |
| .entities[].meta.estimated_threat_end_time | .valid_until | 2017-12-21T19:00:00+00:00 | The Estimated time > End time field in the resulting Indicator entity is set to the timestamp found in the ingested SDO’s valid_until field. |
| .entities[].data.producer | .created_by_ref | identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb | The Producer field of the Indicator entity. The Indicator entity inherits the Identity set in the Indicator SDO’s created_by_ref field. |
| .entities[].data.handling[] | STIX 2.1 Statement Marking Objects | Various | Stores marking structures such as terms of use statements. STIX 2.1 Statement Marking Objects map to this field. See STIX 2.1 Data Markings. |
| .entities[].data.meta.tlp_color | STIX 2.1 TLP Marking Objects | GREEN | Stores the TLP color. For more information on how STIX 2.1 TLP Marking Objects map to this field, see STIX 2.1 Data Markings. |

Map Indicator Types#

Indicator SDOs and EclecticIQ Indicator entities each have their own sub-types.

STIX 2.1 Indicator SDO sub-types and EclecticIQ Indicator sub-types do not map directly to each other. Instead, see the following sections:

Map Indicator SDO sub-types to EclecticIQ entity tags#

STIX 2.1 Indicator SDO sub-types are listed in their .indicator_types[] field.

When that SDO is ingested, these .indicator_types[] are set as tags (.entities[].meta.tags[]) on the resulting EclecticIQ Indicator entity, and look like this:

Indicator Type - <value from the §10.10 Indicator Type Vocabulary>

For example:

Indicator Type - anomalous-activity

Map patterns to EclecticIQ Indicator entity sub-type#

EclecticIQ Indicator entities have two “type” fields:

  • .entities[].data.type is always set to “Indicator”

  • .entities[].data.types[] is a list of sub-types

When a STIX 2.1 Indicator SDO is ingested, the resulting EclecticIQ Indicator entity derives its sub-types (.entities[].data.types[]) from the STIX 2.1 STIX Patterns (.pattern) contained in the ingested Indicator SDO.

EclecticIQ Intelligence Center looks at the .pattern field of the ingested SDO, and adds one sub-type to the resulting Indicator entity for each SCO type listed in the following table:

| Detected SCO type | Resulting Indicator entity sub-type |
|---|---|
| domain-name:value | Domain Watchlist |
| email-addr:value | Email Watchlist |
| ipv4-addr:value | IP Watchlist |
| ipv6-addr:value | IP Watchlist |
| url:value | URL Watchlist |
| user-account:account_login | Login Name |
| file:hashes | File Hash Watchlist |

Map kill chain phases#

An Indicator SDO may contain one or more kill chain phases (§2.11). When the SDO is ingested, these kill chain phases are added to the list of tags (.entities[].meta.tags[]) on the resulting entity.

However, Lockheed Martin Kill Chain phases are mapped differently. See Map Lockheed Martin Kill Chain phases.

Map general kill chain phases#

By default, kill chain phases in Indicator SDOs are mapped to the .entities[].meta.tags[] field in resulting EclecticIQ entities on ingestion.

This produces tags named as follows:

<.kill_chain_phases.kill_chain_name> - <.kill_chain_phases.phase_name>

For example:

extended-cyber-kill-chain - internal-exploitation

When an Indicator entity is exported as a STIX 2.1 bundle, EclecticIQ Intelligence Center checks its .entities[].meta.tags[] field and exports every member that matches the format <key> - <value> as a STIX 2.1 kill chain phase, like this:

"kill_chain_phases": [
    {
        "kill_chain_name": <key>,
        "phase_name": <value>
    }
]

Map Lockheed Martin Kill Chain phases#

§2.11 defines a special kill_chain_name for Lockheed Martin Cyber Kill Chain phases: lockheed-martin-cyber-kill-chain.

So, when EclecticIQ Intelligence Center encounters an SDO kill chain phase (kill_chain_phases) with the attribute "kill_chain_name": "lockheed-martin-cyber-kill-chain", it ingests that kill chain phase as a taxonomy node in the resulting EclecticIQ entity’s taxonomy_paths field instead.

Tip

taxonomy_paths and tags are displayed as “Tags” in the entity builder on EclecticIQ Intelligence Center, but are two different fields in the EclecticIQ data model.

For more information, see Taxonomy and Tags.

The following table maps the Lockheed Martin Kill Chain phase_name values found in STIX 2.1 SDOs to EclecticIQ taxonomy_paths nodes:

Caution

§2.11 specifies that STIX 2.1 values for phase_name should be in lowercase and use hyphens instead of spaces or underscores, but does not specify a vocabulary for Lockheed Martin Cyber Kill Chain phase names.

This table shows the values that EclecticIQ Intelligence Center expects.

| Expected STIX 2.1 phase_name | Resulting taxonomy_paths node name |
|---|---|
| reconnaissance | Kill chain phase - Reconnaissance |
| weaponization | Kill chain phase - Weaponization |
| delivery | Kill chain phase - Delivery |
| exploitation | Kill chain phase - Exploitation |
| installation | Kill chain phase - Installation |
| command-and-control | Kill chain phase - Command and Control |
| actions-on-objectives | Kill chain phase - Actions on Objectives |

When an Indicator entity with a Lockheed Martin Kill Chain phase is exported to STIX 2.1, this mapping is reversed.
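As an added illustration (not EclecticIQ’s own code), the following Python derives the entity fields covered by the mapping table, the pattern-to-sub-type table and the kill chain sections above from one Indicator SDO. The regex-based scan of the pattern and the treatment of unexpected Lockheed Martin phase names as plain tags are assumptions, not documented behaviour.

```python
import re

# Detected SCO type -> Indicator entity sub-type ("Map patterns to EclecticIQ Indicator entity sub-type")
SCO_TYPE_TO_SUBTYPE = {
    "domain-name:value": "Domain Watchlist", "email-addr:value": "Email Watchlist",
    "ipv4-addr:value": "IP Watchlist", "ipv6-addr:value": "IP Watchlist",
    "url:value": "URL Watchlist", "user-account:account_login": "Login Name",
    "file:hashes": "File Hash Watchlist",
}
LM_KILL_CHAIN = "lockheed-martin-cyber-kill-chain"
# Expected phase_name -> taxonomy node ("Map Lockheed Martin Kill Chain phases")
LM_PHASE_TO_NODE = {
    "reconnaissance": "Reconnaissance", "weaponization": "Weaponization",
    "delivery": "Delivery", "exploitation": "Exploitation", "installation": "Installation",
    "command-and-control": "Command and Control", "actions-on-objectives": "Actions on Objectives",
}
# Assumed approximation of pattern parsing: pick out object paths such as ipv4-addr:value or
# file:hashes (prefix of file:hashes.'SHA-256'); literals like '198.51.100.0/24' do not match.
OBJECT_PATH_RE = re.compile(r"[a-z0-9-]+:[a-z_]+")


def subtypes_from_pattern(pattern):
    """One sub-type per SCO type present in the pattern, in order of first appearance."""
    found = []
    for path in OBJECT_PATH_RE.findall(pattern):
        subtype = SCO_TYPE_TO_SUBTYPE.get(path)
        if subtype and subtype not in found:
            found.append(subtype)
    return found


def ingest_indicator(sdo):
    """Return the data/meta fields the mapping table derives from one Indicator SDO (a dict)."""
    tags = list(sdo.get("labels", []))
    tags += [f"Indicator Type - {t}" for t in sdo.get("indicator_types", [])]
    taxonomy_paths = []
    for phase in sdo.get("kill_chain_phases", []):
        chain, name = phase["kill_chain_name"], phase["phase_name"]
        if chain == LM_KILL_CHAIN and name in LM_PHASE_TO_NODE:
            taxonomy_paths.append(f"Kill chain phase - {LM_PHASE_TO_NODE[name]}")
        else:  # other kill chains (and, assumed here, unexpected LM phase names) become tags
            tags.append(f"{chain} - {name}")
    return {
        "data": {"type": "Indicator", "title": sdo["name"], "id": sdo["id"],
                 "description": sdo.get("description", ""),
                 "types": [{"value": t} for t in subtypes_from_pattern(sdo["pattern"])]},
        "meta": {"tags": tags, "taxonomy_paths": taxonomy_paths,
                 "estimated_observed_time": sdo["created"],
                 "estimated_threat_start_time": sdo.get("valid_from"),
                 "estimated_threat_end_time": sdo.get("valid_until")},
    }
```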

Mapping STIX Patterns to observables#

For more information on how STIX Patterns are processed to produce EclecticIQ Observables, see STIX 2.1 STIX Patterns.

Export and outgoing feeds#

New in version 2.9.0.

When an EclecticIQ Indicator entity is exported or sent through an outgoing feed as a STIX 2.1 object, one of the following cases applies:

Case 1#

If an Indicator entity:

  • was produced by ingesting an Indicator SDO,

  • and has not been modified since ingestion,

then the original Indicator SDO is preserved in the Indicator entity’s original_stix21_objects field.

Exporting this entity then reproduces the original STIX 2.1 Indicator SDO in full.

Case 2#

If an Indicator entity:

  • was not produced by ingesting an Indicator SDO (i.e. does not have an original_stix21_objects field)

  • OR was produced by ingesting an Indicator SDO, but was modified after ingestion,

then EclecticIQ Intelligence Center checks for these further cases:

Case 2.1#

If the Indicator entity has one or more of these test mechanism types:

  • YARA

  • SNORT

  • Generic with a Description field set to stix (a STIX Pattern)

then the pattern contained inside that rule is set as the .pattern of the resulting Indicator SDO.

This means that when one or more such test mechanisms exist in an EclecticIQ Indicator entity, the entity’s related observables are ignored when you export it as STIX 2.1. Changes to those observables do not show up in the exported STIX 2.1 SDO until you update the test mechanism to reflect them.

For information on how test mechanism fields are mapped, see STIX 2.1 STIX Patterns.

Case 2.2#

If the Indicator entity does not contain a test mechanism listed in Case 2.1, then the resulting .pattern field is constructed from the observables related to that Indicator entity.

This produces a list of “Comparison Expressions” joined by the “OR” operator. For example, [ipv4-addr:value = 'Peter' OR ipv4-addr:value = '192.168.1.1'].
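The export side of Case 2.1, Case 2.2 and the kill chain reversal described above, as an added example that is not EclecticIQ’s code. The observable kind names other than ipv4, the lowercase test_mechanism_type values and the hyphenated-token shape of <key> - <value> tags are assumptions.

```python
import re

LM_KILL_CHAIN = "lockheed-martin-cyber-kill-chain"
LM_NODE_PREFIX = "Kill chain phase - "
# Tags exported as kill chain phases must look like "<key> - <value>"; assumed here:
# key and value are lowercase hyphenated tokens as §2.11 recommends, so a tag such as
# "Indicator Type - anomalous-activity" is not mistaken for a kill chain phase.
KILL_CHAIN_TAG_RE = re.compile(r"^(?P<key>[a-z0-9-]+) - (?P<value>[a-z0-9-]+)$")
# Observable kind -> STIX object path for Case 2.2 (assumed kinds; the page shows only "ipv4")
KIND_TO_OBJECT_PATH = {"ipv4": "ipv4-addr:value", "ipv6": "ipv6-addr:value",
                       "domain": "domain-name:value", "uri": "url:value", "email": "email-addr:value"}


def export_pattern(entity):
    """Return (pattern, pattern_type). Case 2.1: a YARA, SNORT or generic 'stix' test
    mechanism supplies the pattern and related observables are ignored. Case 2.2: otherwise
    one comparison expression per observable, joined by OR."""
    for tm in entity["data"].get("test_mechanisms", []):
        kind = tm["test_mechanism_type"].lower()  # assumed lowercase values, as "generic" above
        if kind in ("yara", "snort"):
            return tm["specification"]["value"], kind
        if kind == "generic" and tm.get("description") == "stix":
            return tm["specification"]["value"], "stix"
    expressions = []
    for extract in entity.get("extracts", []):
        path = KIND_TO_OBJECT_PATH.get(extract["kind"])
        if path:
            literal = extract["value"].replace("\\", "\\\\").replace("'", "\\'")  # STIX escaping
            expressions.append(f"{path} = '{literal}'")
    if not expressions:
        return None, None
    return "[" + " OR ".join(expressions) + "]", "stix"


def export_kill_chain_phases(entity):
    """Reverse the kill chain mapping: taxonomy nodes become Lockheed Martin phases,
    "<key> - <value>" tags become generic kill chain phases."""
    phases = []
    for node in entity["meta"].get("taxonomy_paths", []):
        if node.startswith(LM_NODE_PREFIX):
            # "Command and Control" -> "command-and-control": inverts every row of the table above
            phase_name = node[len(LM_NODE_PREFIX):].lower().replace(" ", "-")
            phases.append({"kill_chain_name": LM_KILL_CHAIN, "phase_name": phase_name})
    for tag in entity["meta"].get("tags", []):
        match = KILL_CHAIN_TAG_RE.match(tag)
        if match:
            phases.append({"kill_chain_name": match["key"], "phase_name": match["value"]})
    return phases
```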

Example result#

Exporting the following EclecticIQ Indicator as STIX 2.1:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
        "handling": [],
        "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
        "original_stix21_objects": [
          {
            "created": "2018-01-17T11:11:13.000Z",
            "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
            "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
            "labels": [
              "malicious-activity"
            ],
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "198.51.100.0",
            "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2018-01-01T00:00:00Z"
          },
          {
            "created": "2018-01-17T11:11:13.000Z",
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "identity_class": "organization",
            "modified": "2018-01-17T11:11:13.000Z",
            "name": "ACME Corp, Inc.",
            "spec_version": "2.1",
            "type": "identity"
          }
        ],
        "producer": {
          "description": "",
          "identity": {
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "name": "ACME Corp, Inc.",
            "type": "identity"
          },
          "references": [],
          "time_start": "2018-01-01T00:00:00+00:00",
          "type": "information-source"
        },
        "test_mechanisms": [
          {
            "description": "stix",
            "producer": {
              "description": "",
              "identity": {
                "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
                "name": "ACME Corp, Inc.",
                "type": "identity"
              },
              "references": [],
              "time_start": "2018-01-01T00:00:00+00:00",
              "type": "information-source"
            },
            "specification": {
              "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
            },
            "test_mechanism_type": "generic",
            "type": "test-mechanism"
          }
        ],
        "timestamp": "2018-01-17T11:11:13+00:00",
        "title": "198.51.100.0",
        "type": "indicator",
        "types": [
          {
            "value": "IP Watchlist"
          }
        ]
      },
      "enrichment_extracts": [],
      "external_url": "https://tip.example.com/entity/4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "extracts": [
        {
          "instance_meta": {
            "link_types": [
              "observed"
            ],
            "paths": []
          },
          "kind": "ipv4",
          "meta": {},
          "value": "198.51.100.0/24"
        },
        {
          "instance_meta": {
            "link_types": [
              "test-mechanism"
            ],
            "paths": [
              "test_mechanisms[]"
            ]
          },
          "kind": "rule",
          "meta": {},
          "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
        }
      ],
      "id": "4c631d2f-ee4e-5116-8163-994c951fb9d9",
      "meta": {
        "estimated_observed_time": "2018-01-17T11:11:13+00:00",
        "estimated_threat_start_time": "2018-01-01T00:00:00+00:00",
        "first_ingest_time": "2021-08-04T10:13:00.601145+00:00",
        "half_life": 30,
        "ingest_time": "2021-08-04T10:13:00.601145+00:00",
        "source_reliability": null,
        "tags": [
          "malicious-activity"
        ],
        "title": "198.51.100.0",
        "tlp_color": null
      },
      "relevancy": 6.99824575659087e-14,
      "sources": [
        {
          "name": "TP51058_group",
          "source_id": "fb1a6aad-86da-467f-aba0-6464dd677cb0",
          "source_type": "group"
        }
      ]
    }
  ],
  "entity_counts": {
    "indicator": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "Intelligence Center-version": "2.10.dev0",
  "timestamp": "2018-01-17T11:11:13+00:00"
}

produces the resulting STIX 2.1 bundle:

{
    "objects": [
    {
        "id": "indicator--4c631d2f-ee4e-5116-8163-994c951fb9d9",
        "name": "198.51.100.0",
        "type": "indicator",
        "labels": ["malicious-activity"],
        "created": "2018-01-17T11:11:13.000Z",
        "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
        "modified": "2018-01-17T11:11:13.000Z",
        "valid_from": "2018-01-01T00:00:00Z",
        "description": "STIX 2.1 Interoperability Part 1, §2.2.3.2, Indicator IPv4 Address CIDR",
        "pattern_type": "stix",
        "spec_version": "2.1",
        "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "pattern_version": "2.1"
    },
    {
        "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "name": "ACME Corp, Inc.",
        "type": "identity",
        "created": "2018-01-17T11:11:13.000Z",
        "modified": "2018-01-17T11:11:13.000Z",
        "spec_version": "2.1",
        "identity_class": "organization"
    }],
    "type": "bundle",
    "id": "bundle--bb8831db-5e1a-4bea-a472-f84d508d3807"
}