Hi cti-users,
I'm looking for some advice on encoding data in STIX 2.1.
I have what is essentially an incident report that I'd like to encode in STIX 2.1 JSON. It is essentially a table of data like this CSV example (but with more than one row):
src,dst,timestamp,ttp
1.1.1.1,2.2.2.2,2020-04-04T20:20:20.000Z,Exfiltration
Where the interpretation is that there was an event observed at 2020-04-04T20:20:20.000Z that is believed to be exfiltration from 1.1.1.1 to 2.2.2.2.
Is there a best practice for how to encode this kind of data in STIX? One option might be something like this, if I define my own relationship_type of "Exfiltration", but it feels like the Attack Pattern SDO was intended to cover part of this so maybe this isn't ideal.
{
 "type": "ipv4-addr",
 "spec_version": "2.1",
 "id": "ipv4-addr--1",
 "value": "1.1.1.1"
},
{
 "type": "ipv4-addr",
 "spec_version": "2.1",
 "id": "ipv4-addr--2",
 "value": "2.2.2.2"
},
{
 "type": "relationship",
 "spec_version": "2.1",
 "id": "relationship--7",
 "created": "2020-04-04T20:20:20.000Z",
 "modified": "2020-04-04T20:20:20.000Z",
 "relationship_type": "Exfiltration",
 "source_ref": "ipv4-addr--1",
 "target_ref": "ipv4-addr--2",
 "start_time": "2020-02-02T20:20:20.000Z",
 "stop_time": "2020-02-02T20:20:20.000Z"
}
Thanks!
Robert
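Added example, not part of Robert's message: a small Python script that turns rows of the CSV above into the structure he proposes (one ipv4-addr SCO per address plus one relationship per row). It assumes the STIX 2.1 SCO namespace UUID and the lowercase/hyphen character set for relationship_type as given in the spec; the sample rows and the random bundle/relationship ids are constructed.

```python
import csv
import io
import json
import uuid
from datetime import datetime, timezone

# Namespace that STIX 2.1 specifies for deterministic (UUIDv5) SCO identifiers.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Constructed sample input in the same shape as the CSV in the message above.
SAMPLE_CSV = """src,dst,timestamp,ttp
1.1.1.1,2.2.2.2,2020-04-04T20:20:20.000Z,Exfiltration
1.1.1.1,3.3.3.3,2020-04-05T08:00:00.000Z,Exfiltration
"""


def ipv4_id(value):
    """Deterministic id: UUIDv5 over the ID-contributing property ('value') as compact
    JSON, so the same address always maps to one SCO instead of one copy per row."""
    contributing = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return "ipv4-addr--" + str(uuid.uuid5(SCO_NAMESPACE, contributing))


def ipv4_sco(value):
    return {"type": "ipv4-addr", "spec_version": "2.1", "id": ipv4_id(value), "value": value}


def normalize_rel_type(ttp):
    """relationship_type is limited to lowercase a-z, 0-9 and hyphens: 'Exfiltration' -> 'exfiltration'."""
    return "-".join(ttp.strip().lower().split())


def csv_to_bundle(text, created=None):
    """Build a STIX 2.1 bundle: distinct ipv4-addr SCOs, one relationship per row,
    with the observed timestamp carried in start_time/stop_time."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    scos, rels = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        for addr in (row["src"], row["dst"]):
            scos.setdefault(ipv4_id(addr), ipv4_sco(addr))  # dedup by deterministic id
        rels.append({
            "type": "relationship", "spec_version": "2.1",
            "id": "relationship--" + str(uuid.uuid4()),
            "created": created, "modified": created,
            "relationship_type": normalize_rel_type(row["ttp"]),
            "source_ref": ipv4_id(row["src"]), "target_ref": ipv4_id(row["dst"]),
            "start_time": row["timestamp"], "stop_time": row["timestamp"],
        })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": list(scos.values()) + rels}


if __name__ == "__main__":
    print(json.dumps(csv_to_bundle(SAMPLE_CSV), indent=1))
```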