Subject: RE: [cti] RE: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report
Hi Ivan,

I had a chance to review the document and perform a dry run of FireEye MAS analysis data. I have a few observations, one recommendation, and a sample that I am attaching.

Examples show “static_analysis_data” as a key but the property table shows “static_analysis_resutls” & “dynamic_analysis_results” as fields. Am I reading this wrong?

Dns_query as a CybOX object has been dropped from STIX 2.0 specs part 4, but I found this very valuable. I could not represent a DNS query and result in STIX 2.1 without that object without losing the meaning. Is there a reason it was dropped when CybOX was included in STIX specifications?

Recommendation: my thought: if all CybOX objects could be collectively written in one section under “observable_data”, and all observation/environment/results that reference observables just make a reference to it, the implementation becomes cleaner. It is also easier to manage programmatically. I have the following in the attached example:

Sightings → sighting of ref → malware ref
Sighting → observed data refs → observable data
Malware → samples (Can this just be a reference) → observable data
Malware → Analysis_tools (Can this just be a reference) → observable data
Malware → Analysis_environment (Can this just be a reference) → observable data
Malware → results → Observables data
Observable_data → observables

I am attaching a FireEye sample converted (it may get rejected although it does not have any confidential data but perimeter rules may just drop this).

Thanks

Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co. │ 575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Kirillov, Ivan A. [mailto:ikirillov@mitre.org]
Hi Subodh,

You can find it in the STIX 2.1 Working Draft 01, here:
https://docs.google.com/document/d/1bkMmU1PxlwlAwjrMmyWV147rvLcRs2x62FicHbpH2gU/edit#heading=h.cabdb5lryb9q

Regards,
Ivan

From: <cti@lists.oasis-open.org> on behalf of "Kumar, Subodh" <subodh.kumar@jpmorgan.com>

Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co. │ 575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Subodh,

You should look at the changes we have made to the STIX 2.1 Malware object. I think this should get you more than 80-90% of the way.

Bret

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>

Hi Subodh,
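Subodh's recommendation earlier in the thread (every observable written once under observed data, with sightings, malware and analysis objects only pointing at it by reference) as an added Python example; this is not code from the thread or from the OASIS CTI project. It uses the property names of the published STIX 2.1 specification (sample_refs, analysis_sco_refs, object_refs, resolves_to_refs, sighting_of_ref) rather than the working draft under discussion, shows the DNS query/result pair as a domain-name SCO resolving to an ipv4-addr, and checks that every reference resolves inside the bundle; all ids and values are constructed placeholders.

```python
# Constructed sample objects; ids are shortened placeholders, not real UUIDs.
# The DNS query/result pair is expressed as a domain-name SCO whose
# resolves_to_refs points at an ipv4-addr SCO (no dns_query object in 2.x).
DOMAIN = {"type": "domain-name", "id": "domain-name--0001",
          "value": "c2.example.test", "resolves_to_refs": ["ipv4-addr--0001"]}
IP = {"type": "ipv4-addr", "id": "ipv4-addr--0001", "value": "198.51.100.7"}
SAMPLE = {"type": "file", "id": "file--0001",
          "hashes": {"SHA-256": "00" * 32}}  # constructed placeholder hash

# Every SCO is listed exactly once here; other objects only reference it.
OBSERVED = {"type": "observed-data", "id": "observed-data--0001",
            "first_observed": "2018-06-01T00:00:00Z",
            "last_observed": "2018-06-01T00:00:00Z", "number_observed": 1,
            "object_refs": [DOMAIN["id"], IP["id"], SAMPLE["id"]]}
MALWARE = {"type": "malware", "id": "malware--0001", "name": "sample-xyz",
           "is_family": False, "sample_refs": [SAMPLE["id"]]}
ANALYSIS = {"type": "malware-analysis", "id": "malware-analysis--0001",
            "product": "sandbox", "sample_ref": SAMPLE["id"],
            "analysis_sco_refs": [DOMAIN["id"], IP["id"]]}
SIGHTING = {"type": "sighting", "id": "sighting--0001",
            "sighting_of_ref": MALWARE["id"],
            "observed_data_refs": [OBSERVED["id"]]}


def build_bundle():
    """Assemble the bundle; SCOs are shared by reference, never copied."""
    return {"type": "bundle", "id": "bundle--0001",
            "objects": [DOMAIN, IP, SAMPLE, OBSERVED, MALWARE, ANALYSIS, SIGHTING]}


def dangling_refs(bundle):
    """Return (source_id, property, target_id) for each *_ref/*_refs value
    that does not name an object present in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    bad = []
    for obj in bundle["objects"]:
        for key, val in obj.items():
            if key.endswith("_ref"):
                targets = [val]
            elif key.endswith("_refs"):
                targets = list(val)
            else:
                continue
            bad.extend((obj["id"], key, t) for t in targets if t not in ids)
    return bad
```

Dropping one SCO from the bundle makes every object that pointed at it show up in `dangling_refs`, which is the programmatic check the single-section layout makes cheap.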