![]() (I’ll take a timeout to let you read that section). STIX suggests several practices for creating and using IDs that you can see on our Suggested Practices page. The other important attribute is As you might expect, the is a globally unique ID given to an instance of a construct in STIX. In this case, the package conforms to STIX 1.2. This version attribute is strongly suggested when creating content and indicates which version of STIX the package conforms to. One attribute you’ll see on STIX_Package is version. It also contains the namespace prefix declarations and schema location attribute, as described above. This element is a wrapper around a header, which contains metadata about the information in the package, and the lists of components (indicators in this case) that make up the package. STIX_PackageĪt the top level of almost every STIX document will be the STIX_Package element. This is simply a hint to XML editors so that they can automatically find the schemas and validate against them. You’ll also notice a schemaLocation attribute with these schema namespaces mapped to the actual schema (separated by spaces). When you consume content, you will probably see various namespaces instead of example to represent whoever is producing the content you’re consuming. In this case, we just use “example” because this is an example. It is used to prefix STIX and CybOX IDs with the conceptual “producer” of the content. This is a special namespace in that it’s used in instance content and does not have an associated schema. We’ll walk through what these are and how to use them later. These namespaces define the CybOX and STIX default vocabularies, respectively. The Address Object, for example, represents address: IP Address, E-mail Addresses, etc. CybOX defines 80+ objects that each represent a certain type of Cyber Observable. This namespace contains a CybOX “Object”. This tutorial will walk through how to use both STIX and CybOX, so don’t worry if you don’t know how to use it. STIX uses CybOX to represent Cyber Observables. ![]() This namespace contains the CybOX Observable structure (sometimes considered the 8th STIX component). Each of the 7 (8 if you count CybOX) core STIX components are in their own schema and namespace. This namespace contains the STIX Indicator component. This is the core STIX schema, which defines the STIX_Package element and the STIXType type. You’ll see this used later on in the content as part of xsi:type. This is a standard XML Schema Instance namespace. ![]() To walk through the various schemas that you’ll see being defined: Prefix This is because of an intentional design decision made by the STIX team to ensure that the schemas were modular and could be used independent of each other. If you’re used to XML, you might notice that even this short STIX document contains quite a few namespace prefix declarations. Let’s get started at the very top by looking through the XML Namespace declarations. In STIX, this is done using the Indicator construct, utilizing CybOX observables: the CybOX observable is a pattern that matches data that can be observed (IP addresses in network traffic, for example) while the STIX indicator describes what it means when the CybOX pattern matches. The intent of this file (if it were a real file and not an example) would be to provide a list of IP address that are suspected (or known) to be malicious. It’s very similar to the one hosted on the STIX sample page except I’ve modified the schemaLocation attribute to use the online schemas so you can validate it without a local copy of the schemas. Get Startedįirst, download the IP Watchlist sample we’ll be working with. If you don’t, it’s suggested that you either use higher-level tooling when working with STIX or read up on XML before looking into STIX. You should know what elements are, what attributes are, what validation means, and other basic concepts. Eclipse is an open-source option that is somewhat less fully-featured but should get the job done.įinally, this tutorial does assume intermediate knowledge of XML. Most of the STIX team uses either Oxygen or XMLSpy, which are both commercial products. You also should have good XML tools in order to work with STIX. The best place to do that is by going to the Getting Started page and reading through the whitepaper and other materials linked from there. Prior to going through this walkthrough, you should understand the general concept of what STIX is, what problems it is designed to solve, and how it is used to solve those problems. Specifically, we’ll look at a watchlist for IP addresses to see how STIX can be used to describe indicators of malicious activity. This walkthrough will look at a simple STIX document and look through it piece by piece to help describe basic STIX concepts.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |