Put the skills you learned about STIX 2.1 Patterning in last week's post to the test.

I wanted to turn this week's post into a game. The game is simple:

  1. Analyse the STIX 2.1 Pattern against the sample log lines
  2. Determine whether it produces a detection: true or false

Answers and explanations are at the end of the post.

Sample log lines

Below are samples from a Linux audit log (/var/log/audit/audit.log), a common log source for SIEMs.

Assume the SIEM has aliased field names correctly (e.g. the addr field resolves to an IPv4 address field in the data model, which in turn is mapped to the value property of the ipv4-addr STIX 2.1 SCO; likewise username maps to user-account:account_login and pid to process:pid).

2019-08-20 09:08:55:906 type=USER_LOGIN msg=audit(1566306445.906:280) user pid=2318 uid=0 auid=4294967295 ses=4294967295 username=unknown subj=system_u:system_r:sshd_t:s0-"(unknown)" exe="/usr/sbin/sshd" hostname=? addr=218.92.0.173 terminal=ssh res=failed
2019-08-20 09:07:25:647 type=USER_LOGIN msg=audit(1566306445.647:242) user pid=2314 uid=0 auid=4294967295 ses=4294967295 username=mike subj=system_u:system_r:sshd_t:s0-"(mike)" exe="/usr/sbin/sshd" hostname=? addr=60.242.115.215 terminal=ssh res=failed
2019-08-20 09:07:25:195 type=USER_LOGIN msg=audit(1566306445.195:262) user pid=2311 uid=0 auid=4294967295 ses=4294967295 username=mike subj=system_u:system_r:sshd_t:s0-"(mike)" exe="/usr/sbin/sshd" hostname=? addr=60.242.115.215 terminal=ssh res=failed

Tip: note that the lines are in descending time order (the newest log line is shown first), so log line 3 is the earliest event and log line 1 the latest.

Example 1: Using the OR Observation Expression

[ipv4-addr:value='218.92.0.173'] OR [ipv4-addr:value='1.1.1.1']

Example 2: Using the AND Observation Expression

[ipv4-addr:value='218.92.0.173'] AND [ipv4-addr:value='1.1.1.1']

Example 3: Using the FOLLOWEDBY Observation Expression

[ipv4-addr:value='60.242.115.215'] FOLLOWEDBY [user-account:account_login='mike']

Example 4: Using the != Comparison Operator

[ipv4-addr:value!='218.92.0.173']

Example 5: Using the >= Comparison Operator

[process:pid>=2315]

Example 6: Parentheses Precedence

[ipv4-addr:value='218.92.0.173'] FOLLOWEDBY ([user-account:account_login='mike'] OR [user-account:account_login='david'])

Example 7: Using the WITHIN Observation Expression Qualifier

[ipv4-addr:value='60.242.115.215'] FOLLOWEDBY [ipv4-addr:value='218.92.0.173'] WITHIN 60 SECONDS

Example 8: Using the REPEATS Observation Expression Qualifier

([ipv4-addr:value='60.242.115.215'] FOLLOWEDBY [ipv4-addr:value='60.242.115.215']) REPEATS 2 TIMES

Answers

Example 1

TRUE - DETECTION (LOG LINE 1)

The comparison for the IPv4 address 218.92.0.173 is true for log line 1, and OR only needs one of its Observation Expressions to match.

Example 2

FALSE - NO DETECTION

Both Observation Expressions must match (in any order) to satisfy AND, but only the 218.92.0.173 side ever matches (log line 1); 1.1.1.1 never appears in the sample.

Example 3

TRUE - DETECTION (LOG LINE 3 THEN 2)

The IPv4 address 60.242.115.215 (log line 3, 09:07:25:195) is followed by a login attempt for the user account mike (log line 2, 09:07:25:647). FOLLOWEDBY only requires that the second match occurs later in time than the first, not that it is the very next event.

Example 4

TRUE - DETECTION (LOG LINE 2 AND 3)

The IPv4 address value in log lines 2 and 3 is 60.242.115.215, i.e. not 218.92.0.173, so the != comparison is true for both of them.

Example 5

TRUE - DETECTION (LOG LINE 1)

Log line 1 (pid=2318) is the only line whose process ID is 2315 or higher; the other two lines (pid=2314 and pid=2311) are below it. The literal is unquoted because process:pid is an integer property; '2315' in quotes would be a string comparison.

Example 6

FALSE - NO DETECTION

The IPv4 address 218.92.0.173 must be followed by a match for at least one of the Observation Expressions inside the parentheses. Log line 1 contains 218.92.0.173, but it is the newest line and no log follows it in time, so the pattern is not satisfied by the three logs shown.

Example 7

FALSE - NO DETECTION

The IPv4 address 60.242.115.215 was last seen at 09:07:25:647 (log line 2) and the IPv4 address 218.92.0.173 at 09:08:55:906 (log line 1), about 90 seconds apart. WITHIN applies to the whole FOLLOWEDBY expression, from the first matched observation to the last, and 90 seconds exceeds the 60 second window.

Example 8

FALSE - NO DETECTION

The IPv4 address 60.242.115.215 is seen in log line 3 and again in log line 2, which satisfies the inner FOLLOWEDBY expression once. REPEATS 2 TIMES means that whole sequence must match twice, one after the other (it is equivalent to writing the parenthesised expression FOLLOWEDBY itself), which would need four log lines containing 60.242.115.215; only two exist.
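To check the eight answers mechanically, here is a small added example (not code from the original post) that parses the three audit.log lines into observations and evaluates the quiz patterns with a toy evaluator. The constructs it implements are only the ones the quiz uses (a Comparison Expression in its own Observation Expression, OR, AND, FOLLOWEDBY, WITHIN, REPEATS), and its semantics are a simplification of the STIX 2.1 patterning rules: a match is a tuple of observation indices, AND and FOLLOWEDBY operands are assumed to match distinct observations, FOLLOWEDBY requires every observation on the right to be later than every observation on the left, WITHIN measures first-to-last observation of the whole match, and REPEATS n TIMES is expanded into n copies joined by FOLLOWEDBY. The log lines are the post's sample lines with the auid= and msg= typos fixed so every field is key=value; the field-to-SCO mapping (addr, username, pid) is the assumption stated above. Patterns are built with Python helper functions named after the operators rather than parsed from the pattern strings.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the three audit.log lines from the quiz, as printed in the post,
# with the auid= and msg= field typos fixed so every field is key=value.
LOG_LINES = [
    '2019-08-20 09:08:55:906 type=USER_LOGIN msg=audit(1566306445.906:280) user pid=2318 uid=0 auid=4294967295 ses=4294967295 username=unknown subj=system_u:system_r:sshd_t:s0-"(unknown)" exe="/usr/sbin/sshd" hostname=? addr=218.92.0.173 terminal=ssh res=failed',
    '2019-08-20 09:07:25:647 type=USER_LOGIN msg=audit(1566306445.647:242) user pid=2314 uid=0 auid=4294967295 ses=4294967295 username=mike subj=system_u:system_r:sshd_t:s0-"(mike)" exe="/usr/sbin/sshd" hostname=? addr=60.242.115.215 terminal=ssh res=failed',
    '2019-08-20 09:07:25:195 type=USER_LOGIN msg=audit(1566306445.195:262) user pid=2311 uid=0 auid=4294967295 ses=4294967295 username=mike subj=system_u:system_r:sshd_t:s0-"(mike)" exe="/usr/sbin/sshd" hostname=? addr=60.242.115.215 terminal=ssh res=failed',
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(\d{3}) ")  # date time:millis
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                               # key=value or key="..."


def parse_audit_line(line):
    """One audit.log line -> observation dict keyed by the STIX property each field maps to.
    The addr/username/pid -> SCO property mapping is the assumption stated in the post."""
    m = TS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=int(m.group(2)))
    kv = dict(KV_RE.findall(line[m.end():]))
    return {
        "time": ts,
        "ipv4-addr:value": kv["addr"],
        "user-account:account_login": kv["username"],
        "process:pid": int(kv["pid"]),  # integer property, compared as a number
    }


def comparison(prop, op, value):
    """[prop op value]: a Comparison Expression as its own Observation Expression.
    Every match is a tuple of observation indices; here a single observation."""
    ops = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
    return lambda obs: [(i,) for i, o in enumerate(obs) if ops[op](o[prop], value)]


def OR(a, b):
    """[a] OR [b]: either side matching is enough."""
    return lambda obs: a(obs) + b(obs)


def AND(a, b):
    """[a] AND [b]: both sides must match, in any order (simplification: distinct observations)."""
    return lambda obs: [x + y for x in a(obs) for y in b(obs) if not set(x) & set(y)]


def _span(obs, match):
    """Earliest and latest timestamp among the observations in a match."""
    times = [obs[i]["time"] for i in match]
    return min(times), max(times)


def FOLLOWEDBY(a, b):
    """[a] FOLLOWEDBY [b]: everything b matched is strictly later than everything a matched."""
    return lambda obs: [x + y for x in a(obs) for y in b(obs)
                        if _span(obs, x)[1] < _span(obs, y)[0]]


def WITHIN(expr, seconds):
    """expr WITHIN n SECONDS: first-to-last observation of the whole match fits the window."""
    def run(obs):
        window = timedelta(seconds=seconds)
        return [m for m in expr(obs) if _span(obs, m)[1] - _span(obs, m)[0] <= window]
    return run


def REPEATS(expr, n):
    """expr REPEATS n TIMES, expanded as expr FOLLOWEDBY expr ... (n copies)."""
    out = expr
    for _ in range(n - 1):
        out = FOLLOWEDBY(out, expr)
    return out


# Observations are evaluated in ascending time order (the post prints them newest first).
OBS = sorted((parse_audit_line(line) for line in LOG_LINES), key=lambda o: o["time"])

IP, USER, PID = "ipv4-addr:value", "user-account:account_login", "process:pid"
EXAMPLES = {
    1: OR(comparison(IP, "=", "218.92.0.173"), comparison(IP, "=", "1.1.1.1")),
    2: AND(comparison(IP, "=", "218.92.0.173"), comparison(IP, "=", "1.1.1.1")),
    3: FOLLOWEDBY(comparison(IP, "=", "60.242.115.215"), comparison(USER, "=", "mike")),
    4: comparison(IP, "!=", "218.92.0.173"),
    5: comparison(PID, ">=", 2315),
    6: FOLLOWEDBY(comparison(IP, "=", "218.92.0.173"),
                  OR(comparison(USER, "=", "mike"), comparison(USER, "=", "david"))),
    7: WITHIN(FOLLOWEDBY(comparison(IP, "=", "60.242.115.215"),
                         comparison(IP, "=", "218.92.0.173")), 60),
    8: REPEATS(FOLLOWEDBY(comparison(IP, "=", "60.242.115.215"),
                          comparison(IP, "=", "60.242.115.215")), 2),
}


def evaluate_all(obs=None):
    """Return {example number: True if the pattern produces a detection on the observations}."""
    obs = OBS if obs is None else obs
    return {n: bool(pattern(obs)) for n, pattern in EXAMPLES.items()}


if __name__ == "__main__":
    for n, hit in evaluate_all().items():
        print(f"Example {n}: {'TRUE - DETECTION' if hit else 'FALSE - NO DETECTION'}")
```

Running it prints TRUE for examples 1, 3, 4 and 5 and FALSE for 2, 6, 7 and 8, matching the answers above. Because every match carries the indices of the observations that satisfied it, the same evaluator can also tell you which log lines to hand to the analyst, which is exactly the information the Observed Data SDO in the next section needs.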

Bonus: How to Deal with Pattern Matches

Now that you have had a few Pattern matches, they need to be modelled.

If you start to use STIX Patterns for threat detection, you will probably want to represent the detection matches in STIX format too.

That is where the STIX Sighting SRO and Observed Data SDO can help.

STIX Pattern Matching Model

In the example below I'm using a Sighting SRO to record that the Pattern inside the Indicator SDO, [ipv4-addr:value='198.51.100.3' AND domain-name:value='example.com'], was matched 50 times.

The Observed Data SDO captures that count too (number_observed), but also points to the specific things that were seen (the SCOs that matched the Pattern): in this case a domain-name (example.com) and an ipv4-addr (198.51.100.3):

{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "indicator_types": ["malicious-activity"],
    "name": "Some Malware",
    "description": "Some malware description",
    "pattern": "[ipv4-addr:value='198.51.100.3' AND domain-name:value='example.com']",
    "pattern_type": "stix",
    "valid_from": "2016-01-01T00:00:00Z"
},
{
    "type": "sighting",
    "spec_version": "2.1",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
},
{
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "first_observed": "2015-12-21T19:00:00Z",
    "last_observed": "2015-12-21T19:00:00Z",
    "number_observed": 50,
    "object_refs": [
        "ipv4-addr--efcd5e80-570d-4131-b213-62cb18eaa6a8",
        "domain-name--ecb120bf-2694-4902-a737-62b74539a41b"
    ]
},
{
    "type": "domain-name",
    "spec_version": "2.1",
    "id": "domain-name--ecb120bf-2694-4902-a737-62b74539a41b",
    "value": "example.com",
    "resolves_to_refs": ["ipv4-addr--efcd5e80-570d-4131-b213-62cb18eaa6a8"]
},
{
    "type": "ipv4-addr",
    "spec_version": "2.1",
    "id": "ipv4-addr--efcd5e80-570d-4131-b213-62cb18eaa6a8",
    "value": "198.51.100.3"
}
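If a SIEM is going to emit these objects every time a pattern fires, the linkage above needs to be produced by code rather than by hand. The following added example (not code from the original post, and not the stix2 library's API) builds the SCOs, the Observed Data SDO and the Sighting SRO for one batch of matches with the standard library only. Two details go beyond what the JSON above shows and are taken from the STIX 2.1 specification rather than the post: SCO identifiers are generated deterministically as UUIDv5 of the ID-contributing properties (value for both ipv4-addr and domain-name) under the STIX namespace 00abedb4-aa42-466c-9c01-fed23315a9b7, so the same address always gets the same id and downstream consumers can de-duplicate it, and count / number_observed are range-checked (1 to 999,999,999). The identifiers in demo() are the ones used in the post's JSON, reused as constructed input; the indicator itself is assumed to already exist.

```python
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 namespace for deterministic SCO ids (UUIDv5 over the ID-contributing properties).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
MAX_COUNT = 999_999_999  # upper bound the spec sets for sighting.count and number_observed


def sco_id(sco_type, contributing):
    """Deterministic SCO id: canonical JSON of the contributing properties, hashed as UUIDv5."""
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"


def stix_time(dt):
    """STIX timestamp string: UTC, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def model_match(indicator_id, matched, count, first_seen, last_seen,
                creator_id, sighted_by_id, now=None):
    """Turn one batch of pattern matches into the objects the post describes.

    matched: list of (sco_type, value) pairs that satisfied the pattern.
    Returns [SCOs..., observed-data, sighting]: the sighting references the
    indicator and the observed-data, and the observed-data references the SCOs.
    """
    if not 1 <= count <= MAX_COUNT:
        raise ValueError(f"count must be between 1 and {MAX_COUNT}")
    if last_seen < first_seen:
        raise ValueError("last_seen must not precede first_seen")
    stamp = stix_time(now or datetime.now(timezone.utc))

    scos = [{"type": t, "spec_version": "2.1", "id": sco_id(t, {"value": v}), "value": v}
            for t, v in matched]
    observed = {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": f"observed-data--{uuid.uuid4()}",
        "created_by_ref": creator_id,
        "created": stamp,
        "modified": stamp,
        "first_observed": stix_time(first_seen),
        "last_observed": stix_time(last_seen),
        "number_observed": count,
        "object_refs": [s["id"] for s in scos],
    }
    sighting = {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created_by_ref": creator_id,
        "created": stamp,
        "modified": stamp,
        "first_seen": stix_time(first_seen),
        "last_seen": stix_time(last_seen),
        "count": count,
        "sighting_of_ref": indicator_id,
        "observed_data_refs": [observed["id"]],
        "where_sighted_refs": [sighted_by_id],
    }
    return scos + [observed, sighting]


def demo():
    """Constructed example reusing the identifiers and values from the post's JSON."""
    seen = datetime(2015, 12, 21, 19, 0, tzinfo=timezone.utc)
    return model_match(
        indicator_id="indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        matched=[("ipv4-addr", "198.51.100.3"), ("domain-name", "example.com")],
        count=50,
        first_seen=seen,
        last_seen=seen,
        creator_id="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        sighted_by_id="identity--b67d30ff-02ac-498a-92f9-32f845f448ff",
    )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The Observed Data and Sighting get fresh UUIDv4 ids because each batch of matches is a new event, while the SCOs get UUIDv5 ids so that 198.51.100.3 seen by two different sensors resolves to one object. If you also want the domain-name to carry resolves_to_refs as in the post's JSON, add it from your DNS data; it is not something a pattern match by itself tells you.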
