STIX 2.1 STIX Patterns
New in version 2.9.0.
When a STIX 2.1 Indicator SDO is ingested to produce an EclecticIQ Indicator entity, the STIX Pattern contained in its .pattern field is processed to produce:
observables related to the resulting indicator entity
a test mechanism, embedded in the resulting indicator entity
The following sections explain how STIX Patterns map to observables and test mechanisms.
Tip: A pattern in a STIX 2.1 Indicator SDO looks like this:
// ...
"pattern": "[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']",
"pattern_type": "stix",
// ...
The pattern field contains a STIX Pattern compliant with §9.3 STIX Patterns. The pattern_type field contains a “type” value, defined in §10.19 Pattern Type Vocabulary.
Map STIX Pattern to observables
EclecticIQ observables are limited in the amount of information they can capture in comparison to STIX 2.1 Cyber-observable Objects. As a result, converting STIX Patterns to observables, and the reverse, without an original_stix21_objects field (see STIX 2.1 Indicator SDO) or a test mechanism (see Map STIX Pattern to test mechanism) may result in observables that capture less information than the original STIX Pattern.
The following sections detail what such conversions entail:
Ingest STIX Pattern to produce observables
When an Indicator SDO is ingested, its .pattern field is processed to produce EclecticIQ observables.
Tip: For a full list of supported observable types, see STIX 2.1 Cyber-observable Objects.
EclecticIQ Intelligence Center converts each “Comparison Expression” (§9.1) to observables. The type of the resulting observables is derived from the “Object Path” within the comparison expression.
For example, the comparison expression user-account:display_name = 'Bluejay' is ingested to produce a name observable with value Bluejay.
The table below describes how observation operators (§9.5) (and the observation expressions formed with them) are supported.
| Observation operator | Support | Example pattern | Resulting observable(s) | Description |
|---|---|---|---|---|
| | Not supported | N/A | | |
| | Not supported | N/A | | |
| | Not supported | N/A | | |
| | Partial | | | EclecticIQ observables do not have properties that allow them to preserve the constraints indicated by these operators. Those constraints are ignored and the operators are all treated as conjunctive when the pattern is processed. |
| | ✅ | | | Supported. |
| | Not supported | | | Known issue. EclecticIQ observables don’t have properties that allow them to express negative observations. Currently, this produces an observable, treating the expression as a positive observation. |
| | Partial | | | Known issue. Observables don’t have properties that let them represent ‘more than’ or ‘less than’ comparisons, which are currently interpreted as ‘equality’ comparisons. |
| | Not supported | | | Known issue. Patterns with an |
| | Not supported | | | Observables currently don’t have a pattern matching mechanism. |
| | Not supported | | | Observables currently don’t have a pattern matching mechanism. |
| | Not supported | | | Observables currently don’t have a pattern matching mechanism. |
Export observables to STIX Pattern
When an EclecticIQ Indicator is exported as an Indicator SDO, EclecticIQ Intelligence Center first checks whether it has:
an original_stix21_objects field
test mechanisms
If the indicator has neither, the .pattern field of the resulting Indicator SDO is constructed from its related observables.
The resulting pattern is a list of SCOs (expressed as §9.5 Observation Expressions), joined by the “OR” operator. For example:
"[url:value = 'https://www.5z8.info/foo' OR domain-name:value = 'www.5z8.info']"
For a list of observable to SCO mappings, see STIX 2.1 Cyber-observable Objects.
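As an added illustration (not EclecticIQ's own code), the following Python models the lossy round trip described in the two sections above: comparison expressions become observables keyed by object path, and observables are re-exported as an OR-joined pattern. The observable type names other than name, the regular expression, and the choice to produce no observable for unsupported operators are assumptions.

```python
import re

# Assumed object-path -> EclecticIQ observable-type mapping. Only the
# user-account:display_name -> name pair is given on the page; the other
# entries are assumptions for illustration.
PATH_TO_OBSERVABLE = {
    "url:value": "uri",
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "user-account:display_name": "name",
}
OBSERVABLE_TO_PATH = {v: k for k, v in PATH_TO_OBSERVABLE.items()}

# One comparison expression: optional NOT, object path, operator, quoted value.
COMPARISON = re.compile(
    r"(NOT\s+)?([\w-]+:[\w.]+)\s+(<=|>=|!=|=|<|>|[A-Z]+)\s+'([^']*)'")

def ingest(pattern):
    """Convert each comparison expression to an observable and record where
    information is lost: negation becomes a positive observation and ordering
    comparisons become equality (as in the support table above). Operators
    the table lists as unsupported are assumed here to yield no observable."""
    observables, loss = [], []
    for neg, path, op, value in COMPARISON.findall(pattern):
        otype = PATH_TO_OBSERVABLE.get(path)
        if otype is None:
            loss.append(f"{path}: no observable type mapped, dropped")
            continue
        if op not in ("=", "<", ">", "<=", ">="):
            loss.append(f"{path} {op}: unsupported operator, dropped")
            continue
        if neg:
            loss.append(f"{path}: NOT ignored, treated as positive")
        if op != "=":
            loss.append(f"{path} {op}: treated as equality")
        observables.append({"type": otype, "value": value})
    return observables, loss

def export(observables):
    """Rebuild a .pattern from observables alone (no original objects, no test
    mechanism): one equality comparison per observable, joined by OR."""
    parts = [f"{OBSERVABLE_TO_PATH[o['type']]} = '{o['value']}'" for o in observables]
    return "[" + " OR ".join(parts) + "]"

def round_trip(pattern):
    """Return the re-exported pattern together with the recorded losses."""
    observables, loss = ingest(pattern)
    return export(observables), loss
```

Comparing round_trip output with the input pattern is a quick way to see which constraints a pattern would lose if neither original_stix21_objects nor a test mechanism were present.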
Map STIX Pattern to test mechanism
Ingest STIX Pattern to test mechanism
A STIX 2.1 Indicator SDO is ingested to produce a corresponding EclecticIQ Indicator entity. Each Indicator SDO contains a STIX Pattern in its .pattern field that is, on ingestion, set as a test mechanism in the resulting Indicator entity.
The following table shows how fields from an Indicator SDO are mapped to its resulting test mechanism (contained in the resulting indicator entity):
| STIX 2.1 Indicator SDO | EclecticIQ Indicator entity |
|---|---|
| | Depends on |
| | Various. See Map STIX pattern_type to test mechanism. |
| | |
The resulting test mechanism looks like this:
{
  // ...
  "test_mechanisms": [
    {
      "description": "stix",
      "producer": {
        "description": "",
        "identity": {
          "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
          "name": "ACME Corp, Inc.",
          "type": "identity"
        },
        "references": [],
        "time_start": "2018-01-01T00:00:00+00:00",
        "type": "information-source"
      },
      "specification": {
        "value": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
      },
      "test_mechanism_type": "generic",
      "type": "test-mechanism"
    }
  ]
  // ...
}
Map STIX pattern_type to test mechanism
Test mechanism types are derived from the .pattern_type field (§10.19 Pattern Type Vocabulary) of the ingested SDO. EclecticIQ Intelligence Center maps these .pattern_type values as follows:
| Indicator SDO | EclecticIQ Indicator test mechanism |
|---|---|
| | |
| | |
| | |
| | |
| | |
| | |
If the Indicator SDO has a .pattern_type field that contains a value not listed here, the pattern is still ingested and sets these properties on the test mechanism of the resulting Indicator entity:
the Type (test_mechanism[].pattern_type) of the test mechanism is set to Generic
the Description (test_mechanism[].description) of the test mechanism is set to the .pattern_type of the Indicator SDO
Export test mechanism to STIX Pattern
Single test mechanism
When exporting an EclecticIQ indicator that contains one test mechanism, the result is an Indicator SDO with its .pattern and .pattern_type fields mapped as follows:
| EclecticIQ Indicator field | Indicator SDO field | Description |
|---|---|---|
| | | |
| | | |
Multiple test mechanisms
When exporting an EclecticIQ Indicator that contains more than one test mechanism, one Indicator SDO is produced per test mechanism.
For example, let’s say we want to export an EclecticIQ Indicator entity titled “http://maliciousdomain.example.com” containing three test mechanisms:
a YARA test mechanism
a SNORT test mechanism
a STIX 2.1 test mechanism (with Type set to “Generic”, and Description set to “stix”)
Exporting that Indicator entity to STIX 2.1 produces three separate Indicator SDOs named “http://maliciousdomain.example.com”, each containing one of the test mechanisms above:
Indicator SDO “http://maliciousdomain.example.com” with its .pattern field taking its value from the YARA test mechanism.
Indicator SDO “http://maliciousdomain.example.com” with its .pattern field taking its value from the SNORT test mechanism.
Indicator SDO “http://maliciousdomain.example.com” with its .pattern field taking its value from the STIX 2.1 test mechanism.
Relationships for multiple test mechanisms
When exporting an EclecticIQ Indicator that:
contains more than one test mechanism, and
is related to another EclecticIQ Indicator,
the resulting series of Indicator SDOs has these relationships (see also the diagrams below):
The first test mechanism of each related indicator entity produces an Indicator SDO. For these exported indicator entities, only these SDOs are connected by a related-to SRO (§5).
If an indicator entity contains more than one test mechanism, these test mechanisms produce one Indicator SDO each. Except for the first test mechanism, each subsequent test mechanism produces an SDO that is related to the SDO produced from the first test mechanism.
To illustrate, let’s say that we have:
EclecticIQ Indicator 1, with test mechanisms A, B and C
EclecticIQ Indicator 2, with test mechanisms X, Y and Z
EclecticIQ Indicator 1 is related to EclecticIQ Indicator 2
When exported, these two indicator entities produce one Indicator SDO per test mechanism, so “Test mechanism A” results in “Indicator SDO A”, and so on.
The resulting relationship tree is shown in the following diagram:
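An added Python model (not EclecticIQ's own code) of the test mechanism mapping, the one-SDO-per-test-mechanism export and the relationship rules from the sections above. The KNOWN_PATTERN_TYPES mapping, the inverse mapping used on export, and the dict layouts are assumptions; only the generic fallback with the description carrying .pattern_type comes from the page.

```python
import uuid

# Assumed mapping of recognised .pattern_type values to test mechanism types
# (the page's own table is not reproduced here); anything else is "generic".
KNOWN_PATTERN_TYPES = {"yara": "yara", "snort": "snort"}

def ingest_test_mechanism(sdo):
    """Build the test mechanism stored on the Indicator entity from an SDO.
    Unknown pattern types become a generic test mechanism whose description
    carries the original .pattern_type value."""
    ptype = sdo["pattern_type"]
    tm_type = KNOWN_PATTERN_TYPES.get(ptype, "generic")
    return {"type": "test-mechanism", "test_mechanism_type": tm_type,
            "description": ptype if tm_type == "generic" else "",
            "specification": {"value": sdo["pattern"]}}

def export_pattern_type(tm):
    """Assumed inverse of the fallback above: generic -> description."""
    t = tm["test_mechanism_type"]
    return tm["description"] if t == "generic" else t

def related_to(source, target):
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "relationship_type": "related-to",
            "source_ref": source["id"], "target_ref": target["id"]}

def export_indicator(title, test_mechanisms):
    """One Indicator SDO per test mechanism, all carrying the entity title.
    Every SDO after the first is related to the first test mechanism's SDO."""
    sdos, sros = [], []
    for tm in test_mechanisms:
        sdos.append({"type": "indicator", "id": f"indicator--{uuid.uuid4()}",
                     "name": title, "pattern": tm["specification"]["value"],
                     "pattern_type": export_pattern_type(tm)})
        if len(sdos) > 1:
            sros.append(related_to(sdos[-1], sdos[0]))
    return sdos, sros

def export_related_indicators(first, second):
    """Two related Indicator entities, each given as (title, test_mechanisms):
    only the SDOs from each entity's first test mechanism are joined by an SRO."""
    sdos1, sros1 = export_indicator(*first)
    sdos2, sros2 = export_indicator(*second)
    return sdos1 + sdos2, sros1 + sros2 + [related_to(sdos1[0], sdos2[0])]
```

For Indicator 1 (A, B, C) related to Indicator 2 (X, Y, Z) this yields six Indicator SDOs and five SROs: B and C point to A, Y and Z point to X, and A points to X.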