cti-users message


Subject: Re: [cti-users] Stix 2.0 email parsing question


First you need to think about which things you want someone to "look for" to find this email in the future. Which are the important factors: the sender address, the message content, the attachment properties? Which metadata about the email is what "indicates" it is malicious? This is what you want to include in the indicator.

Then, the specific instance of the email COULD be encoded as observed_data. This should then include *all* of the properties of the email you think are relevant, including attachment metadata, etc.

Then, you can create a "sighting" relationship between the Indicator and the observed_data, pointing out that you saw this indicator at a specific date and time.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown
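The three-object layout described in the reply above (Indicator, Observed Data, Sighting), worked through as a STIX 2.0 bundle. This is an added example, not code from the thread; it builds the objects as plain JSON-ready dicts with the standard library rather than the stix2 library, and the sender, subject and timestamps are constructed sample values.

```python
import json
import uuid
# Constructed sample values standing in for one parsed phishing email.
SENDER, SUBJECT = "attacker@example.invalid", "Invoice overdue"
MAIL_DATE, SEEN = "2018-12-20T09:15:00.000Z", "2018-12-22T18:11:00.000Z"

def new_id(stix_type):
    """STIX 2.0 identifier: <type>--<uuid4>."""
    return f"{stix_type}--{uuid.uuid4()}"

def build_bundle(sender=SENDER, subject=SUBJECT, mail_date=MAIL_DATE, seen=SEEN):
    """Return a STIX 2.0 bundle with Indicator, Observed Data and Sighting."""
    # 1. Indicator: only the properties someone should *look for* later. Both
    #    comparisons sit in one observation expression ([... AND ...]) so they
    #    must match the same email-message object.
    indicator = {
        "type": "indicator", "id": new_id("indicator"),
        "created": seen, "modified": seen, "valid_from": seen,
        "name": "Phishing sender " + sender,
        "labels": ["malicious-activity"],
        "pattern": (f"[email-message:from_ref.value = '{sender}' AND "
                    f"email-message:subject = '{subject}']"),
    }
    # 2. Observed Data: the concrete instance with all relevant properties.
    #    Observable objects are keyed "0", "1", ... and reference each other by
    #    those keys (from_ref -> "0").
    observed = {
        "type": "observed-data", "id": new_id("observed-data"),
        "created": seen, "modified": seen,
        "first_observed": mail_date, "last_observed": mail_date,
        "number_observed": 1,
        "objects": {
            "0": {"type": "email-addr", "value": sender},
            "1": {"type": "email-message", "is_multipart": False,
                  "date": mail_date, "subject": subject, "from_ref": "0"},
        },
    }
    # 3. Sighting: "this indicator was seen at this time", tied to the evidence.
    sighting = {
        "type": "sighting", "id": new_id("sighting"),
        "created": seen, "modified": seen,
        "first_seen": mail_date, "last_seen": mail_date, "count": 1,
        "sighting_of_ref": indicator["id"],
        "observed_data_refs": [observed["id"]],
    }
    return {"type": "bundle", "id": new_id("bundle"), "spec_version": "2.0",
            "objects": [indicator, observed, sighting]}

if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```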




From:        Giampaolo Darelli <giampaolo.darelli@deepcyber.it>
To:        cti-users@lists.oasis-open.org
Date:        12/22/2018 07:11 PM
Subject:        [cti-users] Stix 2.0 email parsing question
Sent by:        <cti-users@lists.oasis-open.org>




Hello,
I'm working on a Python parser that parses email messages (i.e. phishing) and transforms them to STIX 2.0 format.
In STIX 1.2 I used to create an indicator with the body of the mail as description and the email address and subject as CybOX objects nested in the indicator.

In STIX 2.0 I wonder what is the best way to store a mail message.

Right now I've created an indicator object:

from stix2.v20 import Indicator, TLP_WHITE  # stix2.v20 pins the STIX 2.0 object model

# Placeholders for values the parser extracts from the message (constructed here so the snippet runs).
mail_date_stix2 = "2018-12-20T09:15:00.000Z"
campaign_name = "Example phishing campaign"
attacker_mail = "attacker@example.invalid"
marking_def_white = TLP_WHITE

indicator_email_object = Indicator(
    name="Email Indicator",
    created=mail_date_stix2,
    modified=mail_date_stix2,
    description=campaign_name,
    labels=["malicious-activity"],
    # Two bracketed observation expressions joined by AND may be satisfied by two different observations.
    pattern="[email-message:date = '" + mail_date_stix2 + "'] AND [email-message:from_ref.value = '" + attacker_mail + "']",
    object_marking_refs=[marking_def_white],
)

And store the data as pattern.
Is this the right way to proceed? Or should I create an ObservedData object with 2 objects of type email-addr and email-message and link it to an indicator?

Thanks to anyone willing to help,
Regards,
Giampaolo




