Regarding relationship creation issues-Stix2_elevator #271
Comments
Hi @Rock910, A Sighting is a special SRO (STIX relationship object), and those were created because each Indicator had XML that looked like this:
However, there is nothing in the STIX 1 XML file that references the Attack Patterns (TTPs), so no relationships were created by the elevator. What relationships were you expecting? If you want a relationship between an indicator and a TTP, you need to have an <Indicated_TTP> tag in the Indicator object. Feel free to ask further questions.
I think you might be misinterpreting the graph that stixviz is displaying. If you notice, the two icons that are directly related to the STIX icon contain a small gray circle. This represents the plural XML tag, e.g., , which has the 4 children tags. So the links represent "parent/child" relationships, which don't really indicate any CTI information but are just a remnant of the XML representation. As I mentioned before, the STIX 1 XML would need to explicitly contain tags that represent relationships between a TTP and an Indicator.
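To make the two comments above concrete, here is an added example (not code from stix2-elevator or from anyone in this thread) that parses a small constructed STIX 1.x package with Python's standard library and reports only the explicit `Indicated_TTP` references, the one kind of link a STIX 1 to STIX 2 converter can turn into a relationship object. Nesting under `<stix:Indicators>` or `<stix:TTPs>` is deliberately ignored, since it is XML containment rather than CTI content. The namespace URIs and element layout are assumed to match STIX 1.2; check them against the `xmlns` declarations in your own file.

```python
import xml.etree.ElementTree as ET

# STIX 1.x namespaces (assumed; verify against your document's xmlns declarations).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "ttp": "http://stix.mitre.org/TTP-1",
    "stixCommon": "http://stix.mitre.org/common-1",
}

# Constructed sample package: indicator-1 points at ttp-1 through
# Indicated_TTP, indicator-2 carries no TTP reference, ttp-2 is never referenced.
SAMPLE_XML = """
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 domain</indicator:Title>
      <indicator:Indicated_TTP>
        <stixCommon:TTP idref="example:ttp-1"/>
      </indicator:Indicated_TTP>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Dropper hash</indicator:Title>
    </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
    <stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
      <ttp:Title>Spearphishing Link</ttp:Title>
    </stix:TTP>
    <stix:TTP id="example:ttp-2" xsi:type="ttp:TTPType">
      <ttp:Title>Scheduled Task</ttp:Title>
    </stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>
"""


def find_indicated_ttps(xml_text):
    """Return the explicit indicator -> TTP references in a STIX 1.x package.

    Only Indicated_TTP elements count. Sitting under <stix:Indicators> or
    <stix:TTPs> is XML containment, not a CTI relationship, so a converter
    has nothing there to turn into a STIX 2 relationship object.
    """
    root = ET.fromstring(xml_text)
    ttp_ids = {t.get("id") for t in root.findall("stix:TTPs/stix:TTP", NS)}

    relationships = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        for ref in ind.findall("indicator:Indicated_TTP/stixCommon:TTP", NS):
            relationships.append((ind.get("id"), ref.get("idref")))

    referenced = {ttp for _, ttp in relationships}
    return {
        "relationships": relationships,
        # TTPs that will come out as isolated attack-pattern nodes after conversion
        "unreferenced_ttps": sorted(ttp_ids - referenced),
        # idrefs that point at no TTP in this package (broken references)
        "dangling_refs": sorted(referenced - ttp_ids),
    }


if __name__ == "__main__":
    report = find_indicated_ttps(SAMPLE_XML)
    for src, dst in report["relationships"]:
        print(f"{src} --indicates--> {dst}")
    print("unreferenced TTPs:", report["unreferenced_ttps"])
    print("dangling refs:", report["dangling_refs"])
```

Run against the sample, the report lists one relationship (indicator-1 to ttp-1) and flags ttp-2 as unreferenced, which is exactly the disconnected attack-pattern node the visualizer would show. The stdlib parser is fine for a file you produced yourself; for packages received from third-party feeds, parse with defusedxml's `fromstring` instead, since STIX 1 documents are plain XML and inherit XML's entity-expansion risks.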
Thanks! So this takes in the JSON input, and I was expecting the attack pattern nodes to have edges also to this marking-definition node. Is this because of the parent/child relationships? I appreciate the help.
What did you use to do the visualization of the STIX 2.1 elevator output? I used the STIX Visualizer (see https://github.com/oasis-open/cti-stix-visualization) and I got this graph, which looks good to me.
Very interesting!
Greetings,
I have been using a simple test case XML: https://us-cert.cisa.gov/sites/default/files/2021-05/IB-21-10094.stix.xml to convert between STIX 1.0 and 2.0 (JSON).
It seems that relationships are not created for the attack patterns but are created for indicators.
This is elusive to me because I obtain warnings which are related to indicators but not attack patterns (originally TTP).
I would expect warnings related to attack patterns because these are the relationships that are not created.
I manually fixed relationships in the JSON file, but I'm wondering if there is any fix in this software itself.
I know there is a create_relationship function, so it seems that it doesn't get called in my case for attack patterns but is called for my indicators.
Thanks,
Josh
Errors:
[!] Warning: indicator--14f2a766-5548-4695-80f0-cbfbc8713ab8: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--14f2a766-5548-4695-80f0-cbfbc8713ab8: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--5aa68ee7-23f3-4878-ac80-df0d282aced4: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--fd892230-1414-4826-be9d-90cbdc8c1263: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--fd892230-1414-4826-be9d-90cbdc8c1263: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--06265258-b912-408f-988d-bec8b265456a: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--68eb0c6a-6731-4b7e-815a-cef6d13d3177: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--d729d79c-b10b-4b5f-b4fd-bc42033a2956: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--e7ff94c9-0c61-4486-96e9-8a503bfd34ca: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--c15f7991-ab84-4e9b-8725-7fc91feb58c1: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--eabf6ac9-b9a0-4c4e-962c-4f14c3218b56: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--fc96fcd9-fdc5-4085-b4fc-3c52cb12d772: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--fc96fcd9-fdc5-4085-b4fc-3c52cb12d772: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--8b99cc2f-b3cc-4e99-b698-dcf18b076fe0: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--8b99cc2f-b3cc-4e99-b698-dcf18b076fe0: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--857371ca-f3da-4f7b-b300-6f850a3456ab: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--857371ca-f3da-4f7b-b300-6f850a3456ab: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--ec423a5b-86f6-4c23-bc39-0b4bce44b82c: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--ec423a5b-86f6-4c23-bc39-0b4bce44b82c: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--d603f077-5302-4636-99e1-28a82edef51d: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--d603f077-5302-4636-99e1-28a82edef51d: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--74880055-c1d1-4a44-bcd0-659e82f94a57: {214} indicator_types contains a value not in the indicator-type-ov vocabulary.
[!] Warning: indicator--74880055-c1d1-4a44-bcd0-659e82f94a57: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--f90eb6f1-dd9d-4d39-a7bc-d4c6bf8cda93: {303} Both the name and description properties SHOULD be present.
[!] Warning: indicator--fe9abb4c-4202-42a0-b9d3-afee67798641: {303} Both the name and description properties SHOULD be present.