cti-users message
Subject: Re: [cti-users] Stix 2.0 email parsing question
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Giampaolo Darelli <giampaolo.darelli@deepcyber.it>
- Date: Wed, 2 Jan 2019 10:48:42 -0400
First you need to think about which things you want someone to "look for" to find this email in the future. Which are the important factors: the sender address, the message content, the attachment properties? Which metadata about the email is what "indicates" it is malicious? This is what you want to include in the indicator.

Then, the specific instance of the email COULD be encoded as observed_data. This should then include *all* of the properties of the email you think are relevant, including attachment metadata, etc.

Then, you can create a "sighting" relationship between the Indicator and the observed_data, pointing out that you saw this indicator at a specific date and time.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
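The three-object layout described above (indicator for the "look for" properties, observed-data for the full instance, sighting tying them together), as an added example that is not part of the thread; it builds the STIX 2.0 JSON with the standard library only so the structure is visible, and every header value is a constructed placeholder:

```python
import json
import uuid

# Constructed sample values; a real parser would take them from the message headers.
MAIL_DATE = "2018-12-22T18:11:00Z"      # Date: header, in STIX timestamp form
ATTACKER_MAIL = "attacker@example.com"  # From: address
SUBJECT = "Invoice overdue"             # Subject: header
NOW = "2019-01-02T14:48:42Z"            # time the parser ran (created/modified)

def stix_id(obj_type):
    """STIX 2.0 identifier: '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"

def build_indicator(sender):
    """Indicator holding only what analysts should look for: the sender address."""
    return {
        "type": "indicator", "id": stix_id("indicator"),
        "created": NOW, "modified": NOW,
        "labels": ["malicious-activity"],          # required in STIX 2.0
        "pattern": f"[email-message:from_ref.value = '{sender}']",
        "valid_from": NOW,
    }

def build_observed_data(sender, subject, mail_date):
    """Observed Data carrying the full instance: an email-addr plus an
    email-message whose from_ref points at it by object key."""
    return {
        "type": "observed-data", "id": stix_id("observed-data"),
        "created": NOW, "modified": NOW,
        "first_observed": mail_date, "last_observed": mail_date, "number_observed": 1,
        "objects": {
            "0": {"type": "email-addr", "value": sender},
            "1": {"type": "email-message", "is_multipart": False,
                  "date": mail_date, "subject": subject, "from_ref": "0"},
        },
    }

def build_sighting(indicator, observed):
    """Sighting: this indicator was seen at the mail date, with the observed-data as evidence."""
    return {
        "type": "sighting", "id": stix_id("sighting"),
        "created": NOW, "modified": NOW,
        "first_seen": observed["first_observed"], "last_seen": observed["last_observed"],
        "count": 1,
        "sighting_of_ref": indicator["id"],
        "observed_data_refs": [observed["id"]],
    }

def build_bundle():
    """Wrap the three objects in a STIX 2.0 bundle (spec_version is mandatory in 2.0)."""
    ind = build_indicator(ATTACKER_MAIL)
    obs = build_observed_data(ATTACKER_MAIL, SUBJECT, MAIL_DATE)
    sig = build_sighting(ind, obs)
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": [ind, obs, sig]}

if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```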
From: Giampaolo Darelli <giampaolo.darelli@deepcyber.it>
To: cti-users@lists.oasis-open.org
Date: 12/22/2018 07:11 PM
Subject: [cti-users] Stix 2.0 email parsing question
Sent by: <cti-users@lists.oasis-open.org>
Hello,
I'm working on a Python parser that parses email messages (i.e. phishing) and transforms them to STIX 2.0 format.
In STIX 1.2 I used to create an indicator with the body of the mail as description and the email address and subject as CybOX objects nested in the indicator.
In STIX 2.0 I wonder what is the best way to store a mail message.
Right now I've created an indicator object:
import stix2

# Placeholder values standing in for the parser's own variables (constructed).
mail_date_stix2 = "2018-12-22T19:11:00.000Z"  # message date in STIX timestamp form
campaign_name = "example phishing campaign"    # used as the description
attacker_mail = "attacker@example.com"         # From: address of the message
marking_def_white = stix2.v20.TLP_WHITE        # predefined TLP:WHITE marking

# stix2.v20 pins the STIX 2.0 classes; newer stix2 releases default stix2.Indicator to 2.1
indicator_email_object = stix2.v20.Indicator(
    name="Email Indicator",
    created=mail_date_stix2,
    modified=mail_date_stix2,
    description=campaign_name,
    labels=["malicious-activity"],
    pattern="[email-message:date = '" + mail_date_stix2
            + "'] AND [email-message:from_ref.value = '" + attacker_mail + "']",
    object_marking_refs=[marking_def_white],
)
And store the data as a pattern.
Is this the right way to proceed? Or should I create an ObservedData object with 2 objects of type email-addr and email-message and link it to an indicator?
Thanks to anyone willing to help,
Regards,
Giampaolo