How to analyze STIX v1.2 Logs in detail
Note for Readers: Please read it carefully to understand every bit of it.
Log Analysis:
Note: It is recommended to always open Logs in some kind of code editor like VSCode or Brackets or Sublime Text etc.
A sample log, which I refer to throughout this blog, is pasted below for your understanding.
First, let's understand its code structure.
Root Element
<stix:STIX_Package>
Namespaces
xmlns:CustomObj (Custom Object)
xmlns:incident (Incident)
xmlns:cybox (CybOX, used for describing observables)
xmlns:stixCommon (Common STIX elements)
xmlns:stix (Root namespace for STIX elements)
xmlns:example (Custom/example namespace)
xmlns:xlink (Linking support for XML)
xmlns:ds (Digital signature XML namespace)
xmlns:xs (XML Schema)
xmlns:xsi (XML Schema Instance)
*CybOX (Cyber Observable eXpression) is a standardized language for representing cyber observables, whether dynamic events or stateful properties that are observable in the operational cyber domain.
STIX Core Tags
<stix:Observables>: Contains observable objects.
<cybox:Observable>: Represents a single observable.
<cybox:Object>: Defines a specific observable object.
<cybox:Properties>: Specifies properties of an observable object.
<stix:Incidents>: Groups all incidents within the package.
<stix:Incident>: Represents an individual incident.
Incident Tags
<incident:Title>: Title or summary of the incident.
<incident:Time>: Defines the time details of an incident.
<incident:First_Malicious_Action>: Specifies the timestamp of the first malicious action.
<incident:Related_Observables>: Links related observables to the incident.
<incident:Related_Observable>: Refers to a specific observable related to the incident.
STIX Common Tags
<stixCommon:Observable>: A reference to a common observable element within the STIX package.
Let’s understand each element and code block in a bit more depth.
<stix:STIX_Package>: the root element of a STIX document. It serves as the container for all the threat intelligence data included in that document. Essentially, the <stix:STIX_Package>
represents a structured collection of cyber threat intelligence information, which may include indicators, observables, incidents, threat actors, and more. It declares several namespaces (an XML namespace binds a prefix to a URI so that element names from different schemas cannot collide), such as:
xmlns:CustomObj, or
xmlns:incident etc.
These namespace declarations identify which schemas the STIX document uses and act as metadata for the document. Various tools and devices, such as SIEMs, TIPs, EDR/NDR, IDS/IPS and so on, rely on this metadata to interpret the file.
id="example:Package-674d52e9-d711-41a4-95b6-33d961c42fb6" version="1.2">
This line gives the unique ID of the STIX package and the STIX version it uses. Again, these are metadata consumed by EDRs and similar tools.
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="example:Observable-a0c3e174-a122–4747–8be3–826936a95ae6">
<cybox:Object id="example:Custom-bcca26d1-d540–4658-a773-ae49dd3d8d3b">
<cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="desktop-b0smthc">
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
STIX Observables is a central concept used to represent specific, observable pieces of data related to cyber threat activity. Observables describe data points or events that are observable in the environment and can be associated with malicious activity or other cybersecurity events.
It has several other sub-tags like cybox:Observable, cybox:Object, and cybox:Properties.
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
This line states that the observation is described with CybOX, whose schema major version is 2, minor version is 1 and update version is 0. These attributes tell a consumer which CybOX schema version was used to formulate and curate this STIX file.
<cybox:Observable id="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
In this line, the <cybox:Observable> tag represents an individual observable, which is a piece of data (or indicator) related to a cyber threat or activity described in this STIX package. The id attribute is a unique identifier for the observable. It differentiates this specific observable from the others in the package, and it is the value that incidents later point at through idref.
<cybox:Object id="example:Custom-bcca26d1-d540-4658-a773-ae49dd3d8d3b">
In this line, the <cybox:Object> tag represents the object being observed. An object can be anything that is being tracked or monitored for signs of a cybersecurity threat. The id attribute is a unique identifier for the object within the observable.
<cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="desktop-b0smthc">
In this line, the <cybox:Properties> tag contains the properties of the object. It describes the specific details of the object being observed. The xsi:type attribute declares, through XML Schema Instance, the concrete schema type of the element. The value CustomObj:CustomObjectType indicates that this is a custom object type defined in a custom namespace (CustomObj). This means that the object being described here is not a standard CybOX object but one that has been specifically created for this context. The custom_name attribute is a custom property that provides a value for the object; here it names the custom object (e.g., a device or a host in the network). The value desktop-b0smthc suggests that the object being observed is a host or a system with the name "desktop-b0smthc".
<stix:Incidents>
<stix:Incident id="example:incident-e3d2500a-c84a-42cc-a363-d4fbae1015b6" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
<incident:Title>desktop-b0smthc attacked ssh on finance-finacle-server decoy</incident:Title>
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6"></stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
</stix:Incidents>
<stix:Incidents>
This tag is the container element for one or more incidents within a STIX package. It holds every incident recorded in the package.
<stix:Incident id="example:incident-e3d2500a-c84a-42cc-a363-d4fbae1015b6" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
This line represents a single incident. There can be multiple <stix:Incident> tags, one per incident that occurred. The id attribute is the unique identifier of the incident, timestamp shows the exact UTC-formatted time when the incident took place, and xsi:type declares the element's schema type, here incident:IncidentType from the STIX Incident schema.
<incident:Title>desktop-b0smthc attacked ssh on finance-finacle-server decoy</incident:Title>
This line tells us the summary of the incident or the attack took place. The value explains that the incident involves a machine named desktop-b0smthc attempting an attack (via SSH) on a decoy system called finance-finacle-server.
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
This <incident:Time> block records the precise time the attack took place: First_Malicious_Action carries the timestamp of the first malicious action, and precision="second" states that the value is accurate to the second.
<incident:Related_Observables>
This is a container tag that holds references to observables related to the incident.
<incident:Related_Observable>
This tag represents a single related observable. There can be multiple tags like this, depending on how many observables are related to the incident.
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6"></stixCommon:Observable>
This tag references an observable from the Observables section of the package: the idref attribute carries the id of the observable that is related to the incident, so resolving it leads back to the <cybox:Observable> element with that id.
</incident:Related_Observable>
</incident:Related_Observables>
Well, so this is how we analyze STIX logs and gain information about any attack that took place.
STIX logs can get extremely cluttered, huge, and lengthy. Use a dedicated STIX parser or a small script to extract what you need rather than reading them by hand.
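The walk-through above covers three things by hand: the namespace declarations on the root element, the Observables block with its custom_name property, and the Incidents block whose idref values point back at an observable. The script below does the same walk programmatically with Python's standard library. It is an added example, not code from the original post or from any STIX tooling: it embeds a trimmed, constructed copy of the sample log (two of its five incidents) plus one constructed third incident with an idref that matches nothing, so the dangling-reference check has something to find. The function names (declared_namespaces, parse_ts, analyze_package) and the constructed ids example:incident-constructed-0001 and example:Observable-constructed-missing are mine, not part of the sample.

```python
"""Added example: walk a STIX 1.2 package with the standard library, list its
namespaces, pull out observables and incidents, and resolve each idref to a host."""
import io
import xml.etree.ElementTree as ET
from datetime import datetime

# Prefix -> URI map, copied from the xmlns declarations on the sample root element.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "incident": "http://stix.mitre.org/Incident-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]  # Clark notation ElementTree uses for namespaced attributes

# Constructed input: a trimmed copy of the sample log (two of its five incidents) plus one
# deliberately constructed third incident whose idref matches no observable in the package.
SAMPLE = """<stix:STIX_Package
  xmlns:CustomObj="http://cybox.mitre.org/objects#CustomObject-1"
  xmlns:incident="http://stix.mitre.org/Incident-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:example="http://example.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  id="example:Package-674d52e9-d711-41a4-95b6-33d961c42fb6" version="1.2">
 <stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
  <cybox:Observable id="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
   <cybox:Object id="example:Custom-bcca26d1-d540-4658-a773-ae49dd3d8d3b">
    <cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="desktop-b0smthc"/>
   </cybox:Object>
  </cybox:Observable>
 </stix:Observables>
 <stix:Incidents>
  <stix:Incident id="example:incident-e3d2500a-c84a-42cc-a363-d4fbae1015b6"
      timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type="incident:IncidentType">
   <incident:Title>desktop-b0smthc attacked ssh on finance-finacle-server decoy</incident:Title>
   <incident:Time><incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action></incident:Time>
   <incident:Related_Observables><incident:Related_Observable>
    <stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6"/>
   </incident:Related_Observable></incident:Related_Observables>
  </stix:Incident>
  <stix:Incident id="example:incident-bf759db5-32a8-4850-95a3-b5d822a03427"
      timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type="incident:IncidentType">
   <incident:Title>desktop-b0smthc attacked ssh on engineering-cms-windows decoy</incident:Title>
   <incident:Time><incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action></incident:Time>
   <incident:Related_Observables><incident:Related_Observable>
    <stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6"/>
   </incident:Related_Observable></incident:Related_Observables>
  </stix:Incident>
  <stix:Incident id="example:incident-constructed-0001"
      timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type="incident:IncidentType">
   <incident:Title>constructed incident whose observable reference points nowhere</incident:Title>
   <incident:Related_Observables><incident:Related_Observable>
    <stixCommon:Observable idref="example:Observable-constructed-missing"/>
   </incident:Related_Observable></incident:Related_Observables>
  </stix:Incident>
 </stix:Incidents>
</stix:STIX_Package>
"""


def declared_namespaces(xml_text):
    """Prefix -> URI for every xmlns declaration, i.e. the namespace metadata listed above."""
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",))
    return {prefix: uri for _, (prefix, uri) in events}


def parse_ts(value):
    # STIX 1.x timestamps are ISO 8601; older fromisoformat() rejects a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze_package(xml_text):
    """Return the package version, its observables, its incidents (with the host each idref
    resolves to and the gap between First_Malicious_Action and the incident timestamp),
    and every idref that points at an observable the package does not contain."""
    root = ET.fromstring(xml_text)
    observables = {}
    for obs in root.findall("stix:Observables/cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        observables[obs.get("id")] = {
            "type": props.get(XSI_TYPE) if props is not None else None,
            "custom_name": props.get("custom_name") if props is not None else None,
        }
    incidents, dangling = [], []
    for inc in root.findall("stix:Incidents/stix:Incident", NS):
        first = inc.findtext("incident:Time/incident:First_Malicious_Action", namespaces=NS)
        refs = [o.get("idref") for o in inc.findall(
            "incident:Related_Observables/incident:Related_Observable/stixCommon:Observable", NS)]
        dangling += [(inc.get("id"), r) for r in refs if r not in observables]
        incidents.append({
            "id": inc.get("id"),
            "title": inc.findtext("incident:Title", default="", namespaces=NS),
            "first_malicious_action": first,
            "hosts": [observables[r]["custom_name"] for r in refs if r in observables],
            # None when the incident carries no Time block instead of crashing on the missing element
            "report_lag": parse_ts(inc.get("timestamp")) - parse_ts(first) if first else None,
        })
    return {"version": root.get("version"), "observables": observables,
            "incidents": incidents, "dangling_refs": dangling}


if __name__ == "__main__":
    result = analyze_package(SAMPLE)
    print("STIX", result["version"], "namespaces:", ", ".join(declared_namespaces(SAMPLE)))
    for inc in result["incidents"]:
        print(f"{inc['id']}: {inc['hosts']} -> {inc['title']} (report lag {inc['report_lag']})")
    for inc_id, ref in result["dangling_refs"]:
        print(f"WARNING: {inc_id} references missing observable {ref}")
```

Two things the output makes visible that are easy to miss when reading the XML by eye. First, every incident in the sample resolves to the same observable, so one host (desktop-b0smthc) is behind all of the decoy alerts; grouping by resolved host rather than by incident id is what you want before raising a ticket. Second, in the sample the incident timestamp is about 29 days later than First_Malicious_Action, so the two fields answer different questions; when correlating with SSH or network logs from other sources, key on First_Malicious_Action. An idref that resolves to nothing, as in the constructed third incident, usually means the package was truncated or assembled from several exports and should be treated as incomplete rather than silently skipped.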
SAMPLE LOG:
I have added some extra spaces for better readability.
<stix:STIX_Package
xmlns:CustomObj="http://cybox.mitre.org/objects#CustomObject-1"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:example="http://example.com"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
id="example:Package-674d52e9-d711-41a4-95b6-33d961c42fb6" version="1.2">
<stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
<cybox:Observable id="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
<cybox:Object id="example:Custom-bcca26d1-d540-4658-a773-ae49dd3d8d3b">
<cybox:Properties xsi:type="CustomObj:CustomObjectType" custom_name="desktop-b0smthc">
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Incidents>
<stix:Incident id="example:incident-e3d2500a-c84a-42cc-a363-d4fbae1015b6" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
<incident:Title>desktop-b0smthc attacked ssh on finance-finacle-server decoy</incident:Title>
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
<stix:Incident id="example:incident-bf759db5-32a8-4850-95a3-b5d822a03427" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
<incident:Title>desktop-b0smthc attacked ssh on engineering-cms-windows decoy</incident:Title>
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
<stix:Incident id="example:incident-4890ffda-e7be-4d54-accc-9b0fa050d89d" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
<incident:Title>desktop-b0smthc attacked ssh on finance-atm-switch-server decoy</incident:Title>
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
<stix:Incident id="example:incident-8c6f085b-5578-441e-b812-4af77fa2208b" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
<incident:Title>desktop-b0smthc attacked network on development-developer-portals-server decoy</incident:Title>
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
<stix:Incident id="example:incident-54b065f0-b23c-4eb1-b3c0-b4b5746dd04d" timestamp="2024-11-08T07:18:21.381000+00:00" xsi:type='incident:IncidentType'>
<incident:Title>desktop-b0smthc attacked network on crms-88 decoy</incident:Title>
<incident:Time>
<incident:First_Malicious_Action precision="second">2024-10-10T06:56:52.000Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Observable idref="example:Observable-a0c3e174-a122-4747-8be3-826936a95ae6">
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
</stix:Incident>
</stix:Incidents>
</stix:STIX_Package>