Subject: Re: [cti-comment] Using relationships in Intrusion Set and Indicator objects
Yuval:

1. With respect to your two options, I personally like the expressiveness of your 2nd option.
2. With respect to your database search, aren't you really enriching SDOs by identifying multiple instances of SCOs that indicate Indicator SDOs? [Or, you might also find multiple Sightings of the same SCO, in which case you can also use the Sightings SDO.] For creating these objects it will be important to use the Patterning Language described in Section 9 of the final STIX 2.1 standard. Note that the pattern property is a required property of the Indicator SDO. There are some good examples of the Patterning language syntax (embedded in the STIX 2.1 JSON as ANTLR snippets) in section 9.8 of the standard. Also, are you familiar with this project? It might be of value to you: https://www.marktechpost.com/2023/05/15/can-llm-already-serve-as-a-database-interface-meet-bird-a-big-bench-for-large-scale-database-grounded-text-to-sqls/
Jane

***************************
R. Jane Ginn, MSIA, MRP
Secretary, TAC TC OASIS
jg@ctin.us
+1(928)399-0509
Member: CTI TC - OpenC2 TC - CACAO TC - CSAF TC
Observer: OCA (PACE - IOB - Kestrel - CASP)
***************************

On 5/15/2023 4:43 AM, Yuval Intrater wrote:
Hello,

I am working on a project that involves using STIX to represent threat intelligence. I have a couple of questions regarding the usage of relationships:

1. Should I connect an SCO directly to an Intrusion Set object? According to section 5.5 in the STIX Best Practices document, one should use an Infrastructure object to connect an SCO to an object that is a part of the offensive or defensive activity of an attack. Does it also apply to connecting an SCO to an Intrusion Set?

For example, my research contains three objects: an Intrusion Set named APT0, an Infrastructure of APT0's C2 servers, and an IP address of one of the C2 servers. Which option should I use to represent my knowledge? (The two options are attached to this email.)

If the second option is not recommended, is there another recommended way in which an analyst can easily understand whether an SCO is part of an intrusion set?

2. I am using various public databases to actively enrich new SCOs based on their common properties. I want to create an object representing the query I should run in a particular database. I thought about using an Indicator object for this, but I am unsure of how I should make a relationship between an Indicator object and its corresponding database. For example, if all the C2s in my research are open on port 12345 TCP, I would search for new servers using Shodan or Censys. How can I define that this particular indicator needs to be queried on Censys or Shodan?

Thank you in advance,
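A worked STIX 2.1 bundle for the "Infrastructure in between" arrangement discussed above, added here as an illustration; it is not part of the thread or of the attachments either author mentions. It builds the Intrusion Set, Infrastructure and IPv4 SCO as plain dicts (no stix2 library assumed), adds an Indicator carrying the required pattern property written in the Section 9 patterning language for the 12345/tcp case, and walks the relationships so an analyst can answer "is this SCO part of the intrusion set?". The identifiers, timestamp and the 203.0.113.10 address are constructed.

```python
import uuid
from collections import defaultdict

# Constructed subset of STIX 2.1 Cyber-observable (SCO) types used in the walk below.
SCO_TYPES = {"ipv4-addr", "ipv6-addr", "domain-name", "url"}
CREATED = "2023-05-15T00:00:00.000Z"  # constructed timestamp

def stix_object(stix_type, **props):
    """Minimal STIX 2.1 object: id is <type>--<uuid4>; SCOs carry no created/modified."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}"}
    if stix_type not in SCO_TYPES:
        obj.update(created=CREATED, modified=CREATED)
    obj.update(props)
    return obj

def relationship(src, rel_type, dst):
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """Option with an Infrastructure object between the Intrusion Set and the SCO."""
    apt0 = stix_object("intrusion-set", name="APT0")
    c2 = stix_object("infrastructure", name="APT0 C2 servers",
                     infrastructure_types=["command-and-control"])
    ip = stix_object("ipv4-addr", value="203.0.113.10")  # RFC 5737 documentation address
    ind = stix_object("indicator", name="APT0 C2 listener on 12345/tcp",
                      indicator_types=["malicious-activity"], pattern_type="stix",
                      pattern="[network-traffic:dst_port = 12345 AND network-traffic:protocols[*] = 'tcp']",
                      valid_from=CREATED)  # pattern is a required Indicator property
    rels = [relationship(apt0, "uses", c2),        # intrusion-set uses infrastructure
            relationship(c2, "consists-of", ip),   # infrastructure consists-of SCO
            relationship(ind, "indicates", c2)]    # indicator indicates infrastructure
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [apt0, c2, ip, ind, *rels]}

def scos_in_intrusion_set(bundle, intrusion_set_id):
    """Return SCO values reachable via intrusion-set -uses-> infrastructure -consists-of-> SCO."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    edges = defaultdict(list)
    for r in bundle["objects"]:
        if r["type"] == "relationship":
            edges[(r["source_ref"], r["relationship_type"])].append(r["target_ref"])
    values = set()
    for infra_id in edges[(intrusion_set_id, "uses")]:
        if by_id[infra_id]["type"] != "infrastructure":
            continue
        for sco_id in edges[(infra_id, "consists-of")]:
            if by_id[sco_id]["type"] in SCO_TYPES:
                values.add(by_id[sco_id]["value"])
    return values
```

Calling `scos_in_intrusion_set(bundle, <intrusion-set id>)` on the bundle returns `{"203.0.113.10"}`, which is the traversal a tool would run to show an analyst that the address belongs to APT0 without a direct Intrusion Set to SCO edge.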