OASIS Mailing List Archives

cti message


Subject: Re: [cti] Need to integrate MAEC and STIX into single report


Hi Subodh,

STIX 2.0 supports the inclusion of custom properties on all objects [1], so I would say that this is a completely legitimate way to associate a STIX Malware Object with MAEC data. However, I would just suggest changing the property name to "x_jpmorgan_maecreference" to better align with the suggested requirements for custom properties (see section 7.1.1).

[1] https://docs.google.com/document/d/1dIrh1Lp3KAjEMm8o2VzAmuV0Peu-jt9aAh1IHrjAroM/edit#heading=h.8072zpptza86

Regards,
Ivan Kirillov
MITRE

On 4/15/18, 9:40 PM, "cti@lists.oasis-open.org on behalf of Mr. Subodh Kumar" <cti@lists.oasis-open.org on behalf of subodh.kumar@jpmorgan.com> wrote:

    I am working on transforming Reversing Lab's malware report into STIX. Since the malware section of STIX is not very detailed in STIX 2.0, I am using MAEC to describe the details of the malware.
    
    I have to connect the STIX information with the MAEC information, so that software reading the STIX package is able to navigate the STIX parts and the MAEC part to capture all the information regarding the malware.
    
    What is the recommended way to integrate MAEC information into STIX?
    
    My approach - 
    Added MAECReference number to malware object:
    
    malware: {
    .....
    MAECReference: "MAEC-nnn-nnn-nnnn"
    }
    
    MAEC: { id: "MAEC-nnn-nnn-nnnn"
    ...
    }
    
    Ignore the id for MAEC, it is a made up id.
    
    Is this a legit way? Can we use MAECReference as a custom attribute to accomplish this objective?
    
    Looking forward to guidance.
    Thanks
    Subodh
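
A consumer-side check for the linkage discussed in this thread, as an added example that is not part of either message or of any OASIS or MITRE code. It assumes the custom-property naming rules are lowercase a-z, 0-9 and underscore with a recommended `x_` prefix (confirm against the section of the specification cited in the reply); all ids and the `audit` and `name_problems` helpers are constructed for illustration.

```python
import re

PROP = "x_jpmorgan_maecreference"      # property name suggested in the reply
NAME_RE = re.compile(r"^[a-z0-9_]+$")  # assumed naming rule, see lead-in

# Properties defined for the STIX 2.0 Malware object; anything else is custom.
STANDARD = {"type", "id", "created_by_ref", "created", "modified", "revoked",
            "labels", "external_references", "object_marking_refs",
            "granular_markings", "name", "description", "kill_chain_phases"}

# Constructed sample data; every id below is a placeholder.
STIX_OBJECTS = [
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000001",
     "name": "sample-a", PROP: "MAEC-000-000-0001"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
     "name": "sample-b", "MAECReference": "MAEC-000-000-0002"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003",
     "name": "sample-c", PROP: "MAEC-000-000-0404"},
]
MAEC_PACKAGES = {"MAEC-000-000-0001": {"id": "MAEC-000-000-0001"},
                 "MAEC-000-000-0002": {"id": "MAEC-000-000-0002"}}

def name_problems(name):
    """List the naming problems of one custom property name."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("characters outside a-z, 0-9, _")
    if not name.startswith("x_"):
        problems.append("missing x_ prefix")
    return problems

def audit(objects, packages, prop=PROP):
    """Return (links, findings): resolved malware-to-MAEC links and issues found."""
    links, findings = {}, []
    for obj in objects:
        if obj.get("type") != "malware":
            continue
        for key in sorted(set(obj) - STANDARD):   # custom properties only
            findings += [(obj["id"], key, p) for p in name_problems(key)]
        ref = obj.get(prop)
        if ref is None:
            findings.append((obj["id"], prop, "no MAEC reference"))
        elif ref not in packages:                 # never follow an unresolved id
            findings.append((obj["id"], prop, "dangling reference " + ref))
        else:
            links[obj["id"]] = packages[ref]
    return links, findings
```
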


