How to analyze STIX v2.1 Logs in detail

Sabyasachi Paul - h0tPlug1n
4 min read, Jan 22, 2025


Note for Readers: Please read it carefully to understand every bit of it

Log Analysis:

Note: It is recommended to always open logs in a code editor such as VSCode, Brackets or Sublime Text, so that the JSON structure is easy to follow.

A sample log, which I refer to throughout this blog, is pasted below for your understanding.

First, let's understand its structure. Unlike v1.2, v2.1 is fairly easy to understand, so grasping the entire scenario takes less time.

At the top level it has a few keys, the important ones being "id" and "objects".

"id" identifies the STIX bundle, which is nothing but a packed repository of incident-related data.

“objects” is an array containing the objects (incidents and observed data) that belong to this bundle.

Now, every attack or incident is a separate object enclosed in {}. Let's take one example:

{
"created": "2024-11-08T09:15:27.623Z", → The timestamp when the incident was triggered, i.e. when this record was created.
"description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z", → A description of the incident. It includes TIME_OF_FIRST_MALICIOUS_ACTION, which marks the start of the malicious activity. Note that it predates "created" by almost a month, so "created" tells you when the incident record was written, not when the attack began.
"id": "incident--cb464733-f2ae-458c-bbd0-a53f400365bc", → A unique identifier for the incident.
"modified": "2024-11-08T09:15:27.623Z", → The timestamp when the incident was last modified.
"name": "desktop-b0smthc attacked ssh on finance-finacle-server decoy", → The name of the incident, which describes the attacker, the service attacked and the target decoy.
"spec_version": "2.1", → The version of the STIX specification (in this case, 2.1).
"type": "incident" → The type of object, which here is incident. This indicates the object describes a security incident.
},

Now, at the end of the STIX v2.1 log there is one more object, which describes the event data we have captured and when it was observed. In this case we clicked on desktop-b0smthc to get the STIX v2.1 log, so desktop-b0smthc is the attacker that performed these attacks. Every incident related to this attacker across the entire log is listed in its "object_refs" array, and several other details about the attacker are given as well: when it was first observed, when it was last observed, how many times it was observed, and so on.

Example:

{
"created": "2024-11-08T09:15:27.623Z", → The timestamp when the observed-data object was created.
"first_observed": "2024-11-08T09:15:27.623Z", → The first time the attacker's activity was seen.
"id": "observed-data--27c5b93c-a27a-4ad7-a6e2-00b06ecbd044", → A unique identifier for the observed-data object, i.e. the attacker.
"last_observed": "2024-11-08T09:15:27.623Z", → The last time the attacker's activity was seen.
"modified": "2024-11-08T09:15:27.623Z", → The timestamp when the observed-data object was last modified.
"number_observed": 5, → The number of times the activity was observed. In this case it shows that these incidents occurred 5 times, matching the five entries in "object_refs" below.
"spec_version": "2.1", → The version of the STIX specification.
"object_refs": [ → An array of the ids of all the incidents attributed to this attacker.
"incident--cb464733-f2ae-458c-bbd0-a53f400365bc",

"incident--f58a29bf-f6ba-4e37-8526-7be9901422ab",

"incident--631cf326-f237-43fa-8c74-1e5c4bc70592",

"incident--c33cea12-a973-426f-b1f9-62cd9e584e26",

"incident--b95692f3-d1ef-4f2e-8fda-4f1a31cde349"
],

"type": "observed-data" → This indicates that the object is observed data, meaning that this object, the attacker, was observed carrying out the attacks listed above.
}

At the very end, after the "objects" array closes, there is one more field:

"type": "bundle" → This states that the type of the file is bundle, meaning it is a repository or directory containing all the incidents bundled/packed together.
}

Well, this is how we analyze STIX v2.1 logs, which is much easier than analyzing v1.2 logs.
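To show the same analysis done programmatically, here is an added example (my own code, not part of the original post or of any STIX tooling). It loads a bundle in the layout described above, follows each observed-data object's "object_refs" back to its incidents, pulls the attacker, service and decoy out of the incident "name", extracts TIME_OF_FIRST_MALICIOUS_ACTION from the "description", and flags two things an analyst should notice: a "number_observed" that disagrees with the length of "object_refs", and a reference to an incident that is not in the bundle. The sample bundle is constructed for the example with shortened ids; the name pattern "<attacker> attacked <service> on <target> decoy" is assumed from the sample log.

```python
import json
import re
# Constructed sample in the layout the blog describes (ids shortened; not the blog's own log).
SAMPLE_BUNDLE = json.dumps({
    "id": "bundle--0001",
    "objects": [
        {"type": "incident", "spec_version": "2.1", "id": "incident--0011",
         "created": "2024-11-08T09:15:27.623Z", "modified": "2024-11-08T09:15:27.623Z",
         "name": "desktop-b0smthc attacked ssh on finance-finacle-server decoy",
         "description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z"},
        {"type": "incident", "spec_version": "2.1", "id": "incident--0012",
         "created": "2024-11-08T09:15:27.623Z", "modified": "2024-11-08T09:15:27.623Z",
         "name": "desktop-b0smthc attacked network on crms-88 decoy",
         "description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:40:00.000Z"},
        {"type": "observed-data", "spec_version": "2.1", "id": "observed-data--0021",
         "created": "2024-11-08T09:15:27.623Z", "modified": "2024-11-08T09:15:27.623Z",
         "first_observed": "2024-11-08T09:15:27.623Z", "last_observed": "2024-11-08T09:15:27.623Z",
         "number_observed": 4,  # deliberately disagrees with object_refs to exercise the check
         "object_refs": ["incident--0011", "incident--0012", "incident--0099"]},  # 0099 is dangling
    ],
    "type": "bundle",
})

NAME_RE = re.compile(r"^(\S+) attacked (\S+) on (\S+) decoy$")  # assumed name layout
FIRST_ACTION_RE = re.compile(r"TIME_OF_FIRST_MALICIOUS_ACTION:\s*(\S+)")

def analyze_bundle(text):
    bundle = json.loads(text)
    by_id = {o["id"]: o for o in bundle["objects"]}  # resolve object_refs without a second scan
    attackers, warnings = {}, []
    for obs in (o for o in bundle["objects"] if o["type"] == "observed-data"):
        refs = obs.get("object_refs", [])
        if obs.get("number_observed") != len(refs):  # the two counts should agree
            warnings.append(f"{obs['id']}: number_observed={obs.get('number_observed')}, refs={len(refs)}")
        for ref in refs:
            inc = by_id.get(ref, {})
            m = NAME_RE.match(inc.get("name", "")) if inc.get("type") == "incident" else None
            if not m:  # dangling ref, non-incident object, or a name outside the expected pattern
                warnings.append(f"{obs['id']}: unresolved or unrecognised ref {ref}")
                continue
            attacker, service, target = m.groups()
            t = FIRST_ACTION_RE.search(inc.get("description", ""))
            entry = attackers.setdefault(attacker, {"hits": [], "first_action": None})
            entry["hits"].append((service, target))  # every decoy this attacker touched
            if t and (entry["first_action"] is None or t.group(1) < entry["first_action"]):
                entry["first_action"] = t.group(1)  # ISO-8601 Zulu strings sort chronologically
    return attackers, warnings

if __name__ == "__main__":
    print(json.dumps(analyze_bundle(SAMPLE_BUNDLE), indent=2))
```

Point it at a real bundle with `analyze_bundle(open("log.json").read())`; the warnings list is where a tampered or truncated export shows up first.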

SAMPLE LOG:

I have added some extra spaces for better readability.

{

"id": "bundle--86713b6c-2997-44f9-8959-45147c9ed763",
"objects": [

{
"created": "2024-11-08T09:15:27.623Z",
"description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z",
"id": "incident--cb464733-f2ae-458c-bbd0-a53f400365bc",
"modified": "2024-11-08T09:15:27.623Z",
"name": "desktop-b0smthc attacked ssh on finance-finacle-server decoy",
"spec_version": "2.1",
"type": "incident"
},


{
"created": "2024-11-08T09:15:27.623Z",
"description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z",
"id": "incident--f58a29bf-f6ba-4e37-8526-7be9901422ab",
"modified": "2024-11-08T09:15:27.623Z",
"name": "desktop-b0smthc attacked ssh on engineering-cms-windows decoy",
"spec_version": "2.1",
"type": "incident"
},


{
"created": "2024-11-08T09:15:27.623Z",
"description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z",
"id": "incident--631cf326-f237-43fa-8c74-1e5c4bc70592",
"modified": "2024-11-08T09:15:27.623Z",
"name": "desktop-b0smthc attacked ssh on finance-atm-switch-server decoy",
"spec_version": "2.1",
"type": "incident"
},


{
"created": "2024-11-08T09:15:27.623Z",
"description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z",
"id": "incident--c33cea12-a973-426f-b1f9-62cd9e584e26",
"modified": "2024-11-08T09:15:27.623Z",
"name": "desktop-b0smthc attacked network on development-developer-portals-server decoy",
"spec_version": "2.1",
"type": "incident"
},


{
"created": "2024-11-08T09:15:27.623Z",
"description": "\n\nTIME_OF_FIRST_MALICIOUS_ACTION:\n\t2024-10-10T06:56:52.000Z",
"id": "incident--b95692f3-d1ef-4f2e-8fda-4f1a31cde349",
"modified": "2024-11-08T09:15:27.623Z",
"name": "desktop-b0smthc attacked network on crms-88 decoy",
"spec_version": "2.1",
"type": "incident"
},


{
"created": "2024-11-08T09:15:27.623Z",
"first_observed": "2024-11-08T09:15:27.623Z",
"id": "observed-data--27c5b93c-a27a-4ad7-a6e2-00b06ecbd044",
"last_observed": "2024-11-08T09:15:27.623Z",
"modified": "2024-11-08T09:15:27.623Z",
"number_observed": 5,
"spec_version": "2.1",
"object_refs": [
"incident--cb464733-f2ae-458c-bbd0-a53f400365bc",

"incident--f58a29bf-f6ba-4e37-8526-7be9901422ab",

"incident--631cf326-f237-43fa-8c74-1e5c4bc70592",

"incident--c33cea12-a973-426f-b1f9-62cd9e584e26",

"incident--b95692f3-d1ef-4f2e-8fda-4f1a31cde349"
],

"type": "observed-data"
}
],

"type": "bundle"
}
