STIX 2.1 Cyber-observable Objects

EclecticIQ Intelligence Center implements support for the STIX Cyber-observable Objects (SCOs) listed on this page.

Ingestion

New in version 2.9.0.

Ingesting STIX 2.1 SCOs produces EclecticIQ Observables on EclecticIQ Intelligence Center.

For example, ingesting this file SCO:

{
    "type": "file",
    "id": "file--364fe3e5-b1f4-5ba3-b951-ee5983b3538d",
    "spec_version": "2.1",
    "hashes": {
        "MD5": "1717b7fff97d37a1e1a0029d83492de1",
        "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea"
    },
    "size": 83968,
    "name": "resume.pdf"
}

produces two observables on EclecticIQ Intelligence Center:

  • a hash-md5 observable

  • a hash-sha1 observable

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  //...
  "extracts": [
    {
      "instance_meta": {
        "link_types": [
          "observed"
        ],
        "paths": []
      },
      "kind": "hash-sha1",
      "meta": {},
      "value": "c79a326f8411e9488bdc3779753e1e3489aaedea"
    },
    {
      "instance_meta": {
        "link_types": [
          "observed"
        ],
        "paths": []
      },
      "kind": "hash-md5",
      "meta": {},
      "value": "1717b7fff97d37a1e1a0029d83492de1"
    },
    //...
  ],
  //...
}

The table below shows how SCO types translate to Intelligence Center observable types.

SCO types not listed here do not produce observables when STIX 2.1 objects are ingested; they are preserved in the .original_stix21_objects field of the resulting parent entity.

SCO type                      EclecticIQ observable type    Notes
----------------------------  ----------------------------  -------------------------------
autonomous-system:number      asn
domain-name:value             domain
email-addr:value              email
email-addr:display_name       name
email-message:subject         email-subject
file:hashes.MD5               hash-md5
file:hashes.SHA-1             hash-sha1
file:hashes.SHA-256           hash-sha256
file:hashes.SHA-512           hash-sha512
file:name                     file
ipv4-addr:value               ipv4                          Supports CIDR formatted values.
ipv6-addr:value               ipv6                          Supports CIDR formatted values.
mac-addr:value                mac48
mutex:name                    mutex
network-traffic:src_port      port
network-traffic:dst_port      port
software:name                 product
software:vendor               company
url:value                     uri
user-account:account_login    handle
user-account:display_name     name
windows-registry-key:key      winregistry
process:command_line          process
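The mapping in the table above, as an added Python example (not EclecticIQ's code): it applies the table to a STIX 2.1 SCO dictionary and builds extracts shaped like the "extracts" JSON shown earlier. It assumes observable values are stored as strings, and the sample network-traffic SCO is constructed for the example.

```python
# Added example, not EclecticIQ's code: applies the SCO -> observable table above
# to a STIX 2.1 SCO and shapes the result like the "extracts" JSON on this page.
SCO_TO_OBSERVABLE = {  # (SCO type, property path) -> EclecticIQ observable kind
    ("autonomous-system", "number"): "asn",
    ("domain-name", "value"): "domain",
    ("email-addr", "value"): "email",
    ("email-addr", "display_name"): "name",
    ("email-message", "subject"): "email-subject",
    ("file", "hashes.MD5"): "hash-md5",
    ("file", "hashes.SHA-1"): "hash-sha1",
    ("file", "hashes.SHA-256"): "hash-sha256",
    ("file", "hashes.SHA-512"): "hash-sha512",
    ("file", "name"): "file",
    ("ipv4-addr", "value"): "ipv4",
    ("ipv6-addr", "value"): "ipv6",
    ("mac-addr", "value"): "mac48",
    ("mutex", "name"): "mutex",
    ("network-traffic", "src_port"): "port",
    ("network-traffic", "dst_port"): "port",
    ("software", "name"): "product",
    ("software", "vendor"): "company",
    ("url", "value"): "uri",
    ("user-account", "account_login"): "handle",
    ("user-account", "display_name"): "name",
    ("windows-registry-key", "key"): "winregistry",
    ("process", "command_line"): "process",
}

def _lookup(obj, path):  # resolve a dotted property path such as "hashes.SHA-1"
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def sco_to_extracts(sco):
    """Extracts one SCO yields; [] for unlisted types or absent properties.
    Values are stringified, an assumption of this example."""
    extracts = []
    for (sco_type, path), kind in SCO_TO_OBSERVABLE.items():
        if sco.get("type") != sco_type:
            continue
        value = _lookup(sco, path)
        if value is not None:  # a port of 0 still counts, so test against None
            extracts.append({"instance_meta": {"link_types": ["observed"], "paths": []},
                             "kind": kind, "meta": {}, "value": str(value)})
    return extracts

# Constructed sample input: a network-traffic SCO yields two port observables.
TRAFFIC_SCO = {"type": "network-traffic", "src_port": 49152, "dst_port": 443}
```

Because the function follows the table literally, a file SCO that carries a name yields a file observable in addition to its hash observables, while an SCO of an unlisted type (for example x509-certificate) yields nothing.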

Export and outgoing feeds

New in version 2.9.0.

When observables are exported as SCOs, for example when you export or pack a STIX 2.1 Observed Data SDO, EclecticIQ Intelligence Center applies the following type conversion:

EclecticIQ observable type    SCO type
----------------------------  ----------------------------
asn                           autonomous-system:number
domain                        domain-name:value
email                         email-addr:value
email-subject                 email-message:subject
hash-md5                      file:hashes.MD5
hash-sha1                     file:hashes.SHA-1
hash-sha256                   file:hashes.SHA-256
hash-sha512                   file:hashes.SHA-512
file                          file:name
ipv4                          ipv4-addr:value
ipv6                          ipv6-addr:value
mac48                         mac-addr:value
mutex                         mutex:name
port                          network-traffic:dst_port
uri                           url:value
winregistry                   windows-registry-key:key
process                       process:command_line