As Jason mentioned, MITRE has also been contributing to this on behalf of our sponsors at the Unfetter project. As you may have seen, last year we pushed an open-source MITRE repository up called stix2patterns_translator (https://github.com/mitre/stix2patterns_translator) that was the STIX 2.0 Pattern => Tool Query end of this.

After working with IBM for a bit on stix-shifter we realized that it made sense to just merge the efforts. Thus, all of the functionality in stix2patterns_translator has been merged into stix-shifter, and we’ll be deprecating that repo to focus on stix-shifter. From my perspective, this is a huge win…now it’s a one-stop shop for either going STIX 2 Pattern => Query or from Results => STIX 2 Observed Data.

I’m excited to get this out there and I hope people can take a look and even (nudge nudge) make some pull requests for your favorite platforms. Hopefully we can start to help STIX 2 make inroads in the detection space – whether indicators, ATT&CK analytics, or something else.
From: firstname.lastname@example.org <email@example.com>
On Behalf Of Jason Keirstead
Sent: Wednesday, September 12, 2018 12:28 PM
To: CTI-Stix-User <firstname.lastname@example.org>; email@example.com
Subject: [cti] New Open Source Project - STIX Shifter
On IBM Security's behalf I would like to send out a quick announcement on a major STIX 2 related open-source project that we have been working on for the past several months, in conjunction with MITRE and the Unfetter project. While we have been doing all of the work in public on GitHub, we have not been seeking to "advertise" the work until we felt it was ready for consumption and/or involvement by others - and we believe we have reached that threshold.

The project is called STIX Shifter (https://github.com/IBM/stix-shifter). What this project is all about is creating a platform library that you can embed and use in order to support STIX Patterning in your code, to query other cybersecurity products.
The library takes in STIX 2 Patterns as input, and "finds" data that matches the patterns inside various products that house repositories of cybersecurity data. Examples of such products include SIEM systems, endpoint management systems, threat intelligence platforms, orchestration platforms, network control points, data lakes, and more. The library will also very shortly have the ability to actually reach out into these systems, and run the queries using their own native APIs.

In addition to "finding" the data using these patterns, STIX-Shifter uniquely also transforms the output from the sources into STIX 2 Observations. Why would we do that, you ask?

To put it simply - so that all of the security data, regardless of the source, mostly looks and behaves the same. As anyone with experience in data science will tell you, the cleansing and normalizing of the data across domains is one of the largest hurdles to overcome when attempting to build cross-platform security analytics. This is one of the barriers we are attempting to break down with STIX Shifter, and hope that it can be the first step to enabling a better ecosystem to share analytics across products.
The project is now at the point where the base underpinnings are well fleshed out, and we have search modules either already released or in the works for multiple information sources (IBM QRadar, Elasticsearch, Splunk, IBM BigFix), and we plan to add many more modules. We're hoping that by releasing all of this work as open source, we can encourage other products to support the use of STIX 2 Patterning - since by using it via this library, they will automatically support federated queries across all of this growing list of platforms - so it is a win/win for vendors to consume it.

We have a significant and dedicated set of resources to work on this project continuously, so it is not going anywhere. I hope you want to get involved! If you're interested in getting involved - either by consuming the code, or writing some modules - you can do so directly in GitHub, or feel free to reach out to me as well.
Lead Architect - IBM.Security
"Things may come to those who wait, but only the things left by those who hustle." - Unknown
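The two directions the announcement describes (STIX 2 Pattern => native query, and native results => STIX 2 Observed Data), shown as an added example written for this page; it is not stix-shifter's own code and does not use its API. It handles only a small pattern subset (one bracketed observation expression with =, !=, <, > comparisons joined by AND/OR and parentheses) and refuses anything outside it rather than guessing. The FIELD_MAP from STIX object paths to source field names, the key=value query syntax it emits and the SAMPLE_ROW result are all constructed assumptions for illustration.

```python
"""Added example (not stix-shifter's code): toy STIX 2 pattern <-> native shim.

Direction 1: [ipv4-addr:value = '10.0.0.1' AND network-traffic:dst_port = 443]
  becomes a key=value query for a hypothetical data source.
Direction 2: a result row from that source becomes a STIX 2.0 observed-data SDO.
FIELD_MAP, the query syntax and SAMPLE_ROW are assumptions made for this example.
"""
import re
import uuid
from datetime import datetime, timezone

# Assumed mapping from STIX cyber-observable paths to the hypothetical
# source's field names. Unlisted paths are rejected, never guessed.
FIELD_MAP = {
    "ipv4-addr:value": "src_ip",
    "network-traffic:dst_ref.value": "dst_ip",
    "network-traffic:dst_port": "dst_port",
    "url:value": "url",
}

# Supported tokens: parentheses, AND/OR, object paths, comparison operators,
# single-quoted strings and integers. _VALID_RE rejects anything else.
_TOKEN = r"\(|\)|AND|OR|[\w\-]+:[\w.\-]+|!=|=|>|<|'[^']*'|\d+"
_TOKEN_RE = re.compile(_TOKEN)
_VALID_RE = re.compile(rf"(?:\s*(?:{_TOKEN}))*\s*")


class _Parser:
    """Recursive descent over the token list; AND binds tighter than OR."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of pattern")
        self.i += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = f"({left} OR {self.parse_and()})"
        return left

    def parse_and(self):
        left = self.parse_comparison()
        while self.peek() == "AND":
            self.take()
            left = f"({left} AND {self.parse_comparison()})"
        return left

    def parse_comparison(self):
        tok = self.take()
        if tok == "(":  # parenthesised sub-expression
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        op, value = self.take(), self.take()
        if op not in ("=", "!=", ">", "<"):
            raise ValueError(f"unsupported operator {op!r}")
        if tok not in FIELD_MAP:
            raise ValueError(f"no field mapping for {tok!r}")
        if value.startswith("'"):  # re-quote STIX strings for the target syntax
            value = '"' + value[1:-1].replace('"', '\\"') + '"'
        return f"{FIELD_MAP[tok]}{op}{value}"


def translate(pattern: str) -> str:
    """STIX 2 pattern (one observation expression) -> native query string."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single [ ... ] observation expression")
    body = body[1:-1]
    if not _VALID_RE.fullmatch(body):
        raise ValueError("pattern uses syntax outside the supported subset")
    parser = _Parser(_TOKEN_RE.findall(body))
    query = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return query


def to_observed_data(row: dict) -> dict:
    """Native result row -> STIX 2.0 observed-data with linked observables."""
    ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")  # STIX timestamp form
    objects = {  # src/dst addresses referenced by key from the traffic object
        "0": {"type": "ipv4-addr", "value": row["src_ip"]},
        "1": {"type": "ipv4-addr", "value": row["dst_ip"]},
        "2": {"type": "network-traffic", "src_ref": "0", "dst_ref": "1",
              "dst_port": int(row["dst_port"]), "protocols": [row["proto"]]},
    }
    return {"type": "observed-data", "id": f"observed-data--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, "first_observed": stamp,
            "last_observed": stamp, "number_observed": 1, "objects": objects}


# Constructed sample row, as the hypothetical source might return it.
SAMPLE_ROW = {"ts": "2018-09-12T16:28:00Z", "src_ip": "10.0.0.1",
              "dst_ip": "203.0.113.7", "dst_port": "443", "proto": "tcp"}

if __name__ == "__main__":
    print(translate("[ipv4-addr:value = '10.0.0.1' AND network-traffic:dst_port = 443]"))
    print(to_observed_data(SAMPLE_ROW))
```

The strict tokenizer and the explicit FIELD_MAP are the two points worth carrying into a real module: a pattern that silently drops an unrecognised clause, or maps an object path to a guessed field, will return results that look normalised but match something other than what the analyst wrote.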