STIX 2.1 STIX Patterns

New in version 2.9.0.

When an STIX 2.1 Indicator SDO is ingested to produce EclecticIQ Indicator entities, the STIX Patterns contained in their .pattern field are processed to produce:

• observables related to the resulting indicator entity

• a test mechanism, embedded in the resulting indicator entity

The following sections explain how STIX Patterns map to observables and test mechanisms.

Tip

A pattern in a STIX 2.1 Indicator SDO looks like this:

// ...
"pattern": "[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']",
"pattern_type": "stix",
// ...

• The pattern field contains a STIX Pattern compliant with §9.3 STIX Patterns.

• The pattern_type field contains a “type” value, defined in §10.19 Pattern Type Vocabulary.

Map STIX Pattern to observables

EclecticIQ observables are limited in the amount of information they can capture in comparison to STIX 2.1 Cyber-observable Objects.

As a result, conversion of STIX Patterns to observables and the reverse without an original_stix21_objects field (see STIX 2.1 Indicator SDO) or a test mechanism (see Map STIX Pattern to test mechanism) may result in observables that capture less information than the original STIX Pattern.

The following sections details what such conversions entail:

Ingest STIX Pattern to produce observables

When an Indicator SDO is ingested, its .patterns field is processed to produce EclecticIQ observables.

Tip

For a full list of supported observable types, see STIX 2.1 Cyber-observable Objects.

EclecticIQ Intelligence Center converts each “Comparison Expression” (§9.1) to observables. The type of the observables resulting from this are derived from the “Object Path” within the comparison expression.

For example, the comparison expression user-account:display_name = 'Bluejay' is ingested to produce a name observable, with value Bluejay.

The table below describes how observation operators (§9.5) (and the observation expressions formed with them) are supported.

Observation operator	Support	Example pattern	Resulting observable(s)	Description
REPEATS, TIMES	Not supported			N/A
WITHIN ... SECONDS	Not supported			N/A
START ... STOP ...	Not supported			N/A
AND, OR, FOLLOWEDBY	Partial	user-account:display_name = 'Bluejay' FOLLOWEDBY user-account:display_name = 'Chestnut'	name:Bluejay, name:Chestnut	EclecticIQ Observables do not have properties that allow it to preserve the constraints indicated by these operators. Those constraints are ignored and the operators all treated as conjunctive when the pattern is processed.
=	✅	user-account:display_name = 'Bluejay'	name:Bluejay	Supported.
!=	Not supported	user-account:display_name != 'Bluejay'	name:Bluejay	Known issue. EclecticIQ observables don’t have properties that allow it to express negative observations. Currently, this produces an observable, treating the expression as a positive observation.
>, <, <=, >=	Partial	user-account:display_name > 'Bluejay'	name:Bluejay	Known issue. Observables don’t have properties to let it represent ‘more than’ or ‘less than’ comparisons, and are currently interpreted as ‘equality’ comparisons.
IN	Not supported	user-account:display_name IN ('Bluejay','Chestnut', Acacia')	name:('Bluejay','Chestnut', Acacia')	Known issue. Patterns with an IN operator produces an observable containing the whole list, instead of producing one observable per item in the list.
LIKE, MATCHES	Not supported			Observables currently don’t have a pattern matching mechanism.
ISSUBSET, ISSUPERSET	Not supported			Observables currently don’t have a pattern matching mechanism.
EXISTS	Not supported			Observables currently don’t have a pattern matching mechanism.

Export observables to STIX Pattern

When an EclecticIQ Indicator is exported as an Indicator SDO, EclecticIQ Intelligence Center will first check if it has:

• an original_stix21_objects field

• test mechanisms

If the indicator has neither, the resulting .pattern field of the Indicator SDO is then constructed from its related observables.

The resulting pattern is a list SCOs (expressed as §9.5 Observation Expressions), joined by the “OR” operator. For example:

"[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']"

For a list of observable to SCO mappings, see STIX 2.1 Cyber-observable Objects.

Map STIX Pattern to test mechanism

Ingest STIX Pattern to test mechanism

A STIX 2.1 Indicator SDO is ingested to produce a corresponding EclecticIQ Indicator entity. Each Indicator SDO contains a STIX Pattern in its .pattern field that is, on ingestion, set as a test mechanism in the resulting Indicator entity.

The following table shows how fields from an Indicator SDO are mapped to its resulting test mechanism (contained in the resulting indicator entity):

STIX 2.1 Indicator SDO	EclecticIQ Indicator entity
.pattern	Depends on .pattern_type: generic: .entities[].data.test_mechanism[].specification.value For a list STIX 2.1 pattern types that map to the generic test mechanism type, see Map STIX pattern_type to test mechanism. yara: .entities[].data.test_mechanism[].rule.value snort: .entities[].data.test_mechanism[].rules[].value
.pattern_type	Various. See Map STIX pattern_type to test mechanism.
.created_by_ref	.entities[].data.test_mechanism[].producer.identity

The resulting test mechanism looks like this:

{
// ...
"test_mechanisms": [
          {
            "description": "stix",
            "producer": {
              "description": "",
              "identity": {
                "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
                "name": "ACME Corp, Inc.",
                "type": "identity"
              },
              "references": [],
              "time_start": "2018-01-01T00:00:00+00:00",
              "type": "information-source"
            },
            "specification": {
              "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
            },
            "test_mechanism_type": "generic",
            "type": "test-mechanism"
          }
        ]
// ...
}

Map STIX pattern_type to test mechanism

Test mechanism types are derived from the .pattern_type (§10.19 Pattern Type Vocabulary) field in the ingested SDO.

EclecticIQ Intelligence Center maps these .pattern_type values as follows:

Indicator SDO .pattern_type	EclecticIQ Indicator test mechanism
stix	Type: Generic Description: stix
pcre	Type: Generic Description: pcre
sigma	Type: Generic Description: sigma
snort	Type: SNORT Description: N/A
suricata	Type: Generic Description: suricata
yara	Type: YARA Description: N/A

If the Indicator SDO has a .pattern_type field that contains a value not listed here, the pattern is still ingested and sets these properties on the test mechanism of the resulting Indicator entity:

1. Setting the Type (test_mechanism[].pattern_type) of the test mechanism to: Generic

2. Setting the Description (test_mechanism[].description) of the test mechanism to: .pattern_type of the Indicator SDO

Export test mechanism to STIX Pattern

Single test mechanism

When exporting an EclecticIQ indicator that contains one test mechanism, it results in an Indicator SDO with its .pattern and .pattern_type fields mapped as follows:

EclecticIQ Indicator field	Indicator SDO field	Description
entities[].data.test_mechanisms[].specification.value	.pattern	.pattern takes its value from the EclecticIQ test mechanism’s value field.
entities[].data.test_mechanisms[].test_mechanism_type	.pattern_type	.pattern_type is mapped from the EclecticIQ test mechanism’s test_mechanism_type and description fields. See Map STIX pattern_type to test mechanism.

Multiple test mechanisms

When exporting an EclecticIQ Indicator that contains more than one test mechanism, then one Indicator SDO is produced per test mechanism.

For example:

Let’s say we want to export an EclecticIQ Indicator entity titled “http://maliciousdomain.example.com” and containing three test mechanisms:

• a YARA test mechanism

• a SNORT test mechanism

• a STIX 2.1 test mechanism (with Type set to “Generic”, and Description field set to “stix”)

Exporting that Indicator entity to STIX 2.1 will produce three separate Indicator SDOs named “http://maliciousdomain.example.com”, containing one test mechanism from above each:

• Indicator SDO “http://maliciousdomain.example.com” with .pattern field taking its value from the YARA test mechanism.

• Indicator SDO “http://maliciousdomain.example.com” with .pattern field taking its value from the SNORT test mechanism.

• Indicator SDO “http://maliciousdomain.example.com” with .pattern field taking its value from the STIX 2.1 test mechanism.

Relationships for multiple test mechanisms

When exporting an EclecticIQ Indicator that:

• contains more than one test mechanism, and

• is related to another EclecticIQ Indicator,

the resulting series of Indicator SDOs will have these relationships (see also diagrams below):

• The first test mechanism for each of the related indicator entities each produce an Indicator SDO. For these exported indicator entities, only these SDOs are connected by a related-to SRO (§5).

• If an indicator entity contains more than one test mechanism, these test mechanims produce one Indicator SDO each. Except for the first test mechanism, all subsequent test mechanisms produce an SDO that is related to the SDO produced from the first test mechanism.

To illustrate, let’s say that we have:

• EclecticIQ Indicator 1

  • Test mechanism A

  • Test mechanism B

  • Test mechanism C

• EclecticIQ Indicator 2

  • Test mechanism X

  • Test mechanism Y

  • Test mechanism Z

• EclecticIQ Indicator 1 is related to EcleticIQ Indicator 2

Related EclecticIQ Indicators with multiple test mechanisms

When exported, these two indicator entities produce one Indicator SDO per test mechanism. So “Test mechanism A” results in “Indicator SDO A”, and so on.

The resulting relationship tree is shown in the following diagram:

Resulting relationships from exported indicator entities