STIX2.0 to STIX2.1 changes
Christian Studer edited this page 2020-06-29 16:34:06 +02:00

Notes

STIX 2.1 Domain Objects

Attack Pattern

There is no way to specify if the attack pattern only describes ways that adversaries attempt to compromise targets or if they actually executed it.

Course of action

As for the attack pattern objects, we have no way to differentiate recommendations from actual courses of action taken.

The definition of a Course of Action ("A Course of Action is an action taken either to prevent an attack or to respond to an attack in progress.") is not precise enough to tell the two apart.

Grouping

(Rather a note for us than actual comments on the implementation of the object)

We need to decide if we stick to reports, or use groupings in some cases for MISP events...

Objects not mapped at all at the moment in MISP

  • Campaign
  • Malware Analysis
  • Opinion

STIX 2.1 Cyber-Observable Objects

EmailAddress

There is still no way to have a display name without the email address.

File

A File object can only carry a single filename and a single path.

Artifact

It would be helpful to have a filename property

Software

This object has a CPE property, which the Vulnerability object lacks...

STIX2.0 to STIX2.1 changes

Domain Objects changes

Changes on existing objects

  • Attack Pattern new field: aliases (optional list of strings)
  • Identity new field: roles (optional list of strings)
  • Indicator new fields:
    • indicator_types: optional list of type open-vocab
    • pattern_type: required open-vocab
    • pattern_version: optional string
  • Malware new fields:
    • malware_types: optional list of open-vocab
    • is_family: required boolean
    • aliases: list of strings
    • first_seen / last_seen: optional timestamp
    • operating_system_refs: optional list of identifiers (references to observable software objects)
    • sample_refs: optional list of identifiers (references to observable file or artifact objects)
    • architecture_execution_envs, implementation_languages, capabilities: lists of type open-vocab
  • Observed Data: new field objects_refs (list of identifiers referencing Observable objects)
  • Threat Actor new fields:
    • threat_actor_types: optional list of type open-vocab
    • first_seen / last_seen: optional timestamp
  • Tool new fields:
    • tool_types: optional list of type open-vocab
    • aliases: optional list of strings

New objects

  • Grouping object: explicitly asserts that the referenced STIX objects have a shared context.
  • Infrastructure: describes any systems, software services and any associated physical or virtual resources intended to support some purpose
  • Location: basic geographic location
  • Malware Analysis: captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family
  • Note: intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects
  • Opinion: assessment of the correctness of the information in a STIX Object produced by a different entity

Observable Objects changes

  • Artifact new fields:
    • encryption_algorithm: optional enumeration
    • decryption_key: optional string
  • Directory field name changes:
    • 'created' becomes 'ctime'
    • 'modified' becomes 'mtime'
    • 'accessed' becomes 'atime'
  • Email message new field: message_id (optional string)
  • File changes:
    • field name changes:
      • 'created' becomes 'ctime'
      • 'modified' becomes 'mtime'
      • 'accessed' becomes 'atime'
    • fields removed:
      • is_encrypted
      • encryption_algorithm
    • Archive extension field removed: version
    • Raster image extension field removed (extension not mapped): image_compression_algorithm
  • Network Traffic - Socket extension change: protocol_family field removed
  • Process fields changes:
    • Fields removed:
      • name
      • arguments
    • Field name change: 'created' becomes 'created_time'
  • Software new field: swid (Software Identification - optional string)
  • User Account changes:
    • new field: credential (optional string)
    • name change: 'password_last_changed' becomes 'credential_last_changed'
  • Windows Registry Key field change: 'modified' becomes 'modified_time'
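The two change lists above (the new required fields on Domain Objects, and the renamed or removed fields on Observable Objects) are mechanical enough to script. The following is an added example, not misp-stix code: it takes STIX 2.0 observable dicts in the shape of an Observed Data `objects` map, applies only the field renames and removals listed on this page, and reports which 2.0 Domain Objects would be missing a field that 2.1 makes required. The sample input is constructed for the example. It deliberately does not handle the other 2.1 changes (such as Observables becoming top-level objects with their own `id` and `spec_version`), which this page does not cover.

```python
"""Apply the STIX 2.0 -> 2.1 field changes listed on this page.

Added example, not part of misp-stix. Works on plain dicts; only the
renames/removals enumerated above are applied, nothing else is touched.
"""
import copy

# Per-type property renames (old -> new), from the Observable changes list.
RENAMES = {
    "directory": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "file": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "process": {"created": "created_time"},
    "user-account": {"password_last_changed": "credential_last_changed"},
    "windows-registry-key": {"modified": "modified_time"},
}

# Per-type top-level properties that 2.1 dropped.
REMOVALS = {
    "file": {"is_encrypted", "encryption_algorithm"},
    "process": {"name", "arguments"},
}

# Properties dropped inside extensions: extension name -> property names.
EXTENSION_REMOVALS = {
    "archive-ext": {"version"},
    "raster-image-ext": {"image_compression_algorithm"},
    "socket-ext": {"protocol_family"},
}

# Domain Object fields that 2.1 makes required, from the Domain changes list.
NEW_REQUIRED = {"indicator": {"pattern_type"}, "malware": {"is_family"}}


def migrate_observable(obj):
    """Return a copy of one observable dict using the 2.1 field names.

    Removed properties are simply dropped; a real converter would want to
    preserve that information elsewhere before calling this.
    """
    new = copy.deepcopy(obj)
    otype = new.get("type")
    for old, fresh in RENAMES.get(otype, {}).items():
        if old in new:
            new[fresh] = new.pop(old)
    for prop in REMOVALS.get(otype, set()):
        new.pop(prop, None)
    for ext_name, props in EXTENSION_REMOVALS.items():
        ext = new.get("extensions", {}).get(ext_name)
        if isinstance(ext, dict):
            for prop in props:
                ext.pop(prop, None)
    return new


def migrate_observed_data_objects(objects):
    """Migrate every entry of a 2.0 Observed Data 'objects' map."""
    return {key: migrate_observable(value) for key, value in objects.items()}


def missing_required_2_1(domain_obj):
    """List the fields 2.1 requires that this 2.0 Domain Object lacks."""
    return sorted(NEW_REQUIRED.get(domain_obj.get("type"), set()) - domain_obj.keys())


# Constructed sample input in the 2.0 shape (not real data).
SAMPLE_2_0 = {
    "0": {
        "type": "file",
        "name": "sample.zip",
        "created": "2020-06-29T14:34:06Z",
        "modified": "2020-06-29T14:34:06Z",
        "is_encrypted": False,
        "extensions": {"archive-ext": {"version": "5.0", "contains_refs": ["1"]}},
    },
    "1": {"type": "file", "name": "payload.exe", "accessed": "2020-06-29T14:35:00Z"},
    "2": {
        "type": "process",
        "pid": 1234,
        "name": "payload.exe",
        "arguments": ["-x"],
        "created": "2020-06-29T14:35:01Z",
    },
    "3": {"type": "user-account", "user_id": "1001", "password_last_changed": "2020-01-01T00:00:00Z"},
    "4": {
        "type": "windows-registry-key",
        "key": "HKEY_LOCAL_MACHINE\\Software\\Example",
        "modified": "2020-06-29T14:36:00Z",
    },
    "5": {
        "type": "network-traffic",
        "protocols": ["tcp"],
        "extensions": {"socket-ext": {"address_family": "AF_INET", "protocol_family": "PF_INET"}},
    },
}

# Constructed 2.0 Domain Objects lacking the fields 2.1 requires.
SAMPLE_DOMAIN_2_0 = [
    {"type": "indicator", "pattern": "[file:name = 'payload.exe']"},
    {"type": "malware", "name": "ExampleFamily"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_observed_data_objects(SAMPLE_2_0), indent=2))
    for sdo in SAMPLE_DOMAIN_2_0:
        print(sdo["type"], "missing:", missing_required_2_1(sdo))
```

The required-field check only reports gaps; it does not fill them, because neither value can be derived from a 2.0 object (whether a Malware object describes a family, or which pattern language an Indicator uses, has to come from the source data).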

Other changes

  • Marking definition changes:
    • Field removed: created
    • Field added: name (optional string)
    • New TLP marking definitions (predefined marking definitions that should be used as-is)