
Opencti中的数据结构

作者: Threathunter | 来源:发表于2021-04-15 13:56 被阅读0次

参考:https://blog.csdn.net/sinat_36005594/article/details/90449781

对存储在Elasticsearch中的opencti数据结构进行初步分析:

opencti中存储的数据结构

一、opencti_stix_meta_relationships

查询方法:

GET opencti_stix_meta_relationships-000001/_search

{

  "query": {

    "match_all": {}

  }

}

结果(hits数组中的一条记录):

{

        "_index" : "opencti_stix_meta_relationships-000001",

        "_type" : "_doc",

        "_id" : "df0e7176-93f7-452d-ba97-1261512b0654",

        "_score" : 1.0,

        "_source" : {

          "id" : "df0e7176-93f7-452d-ba97-1261512b0654",

          "fromType" : "Vulnerability",

          "toType" : "Organization",

          "base_type" : "RELATION",

          "parent_types" : [

            "basic-relationship",

            "stix-relationship",

            "stix-meta-relationship"

          ],

          "internal_id" : "df0e7176-93f7-452d-ba97-1261512b0654",

          "standard_id" : "relationship-meta--4e1dc53a-f683-4967-9212-cb2b9a0e4e96",

          "entity_type" : "created-by",

          "created_at" : "2021-04-07T23:18:27.024Z",

          "updated_at" : "2021-04-07T23:18:27.024Z",

          "i_created_at_day" : "2021-04-07",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "connections" : [

            {

              "internal_id" : "1dd1dd82-8023-4d81-a121-20bb2e47b7a1",

              "name" : "CVE-2006-6382",

              "types" : [

                "Vulnerability",

                "Basic-Object",

                "Stix-Object",

                "Stix-Core-Object",

                "Stix-Domain-Object"

              ],

              "role" : "created-by_from"

            },

            {

              "internal_id" : "0f3d6159-44cc-4428-8038-c5043f6ab54f",

              "name" : "The MITRE Corporation",

              "types" : [

                "Organization",

                "Basic-Object",

                "Stix-Object",

                "Stix-Core-Object",

                "Stix-Domain-Object",

                "Identity"

              ],

              "role" : "created-by_to"

            }

          ]

        }

      },

二、opencti_stix_domain_objects

GET opencti_stix_domain_objects-000001/_search

{

  "query": {

    "match_all": {}

  }

}

结果:

{

        "_index" : "opencti_stix_domain_objects-000001",

        "_type" : "_doc",

        "_id" : "31cc267c-5017-47b4-8335-827bf552346c",

        "_score" : 1.0,

        "_source" : {

          "name" : "CVE-2009-4138",

          "description" : "drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.",

          "x_opencti_base_score" : null,

          "x_opencti_base_severity" : null,

          "x_opencti_attack_vector" : null,

          "x_opencti_integrity_impact" : null,

          "x_opencti_availability_impact" : null,

          "confidence" : 15,

          "revoked" : false,

          "lang" : "en",

          "created" : "2009-12-16T19:30:00.000Z",

          "modified" : "2017-09-19T01:29:00.000Z",

          "internal_id" : "31cc267c-5017-47b4-8335-827bf552346c",

          "standard_id" : "vulnerability--51def72d-a513-5af5-addc-c63f310d6003",

          "entity_type" : "Vulnerability",

          "x_opencti_stix_ids" : [

            "vulnerability--89ec61ca-9788-11eb-a640-417ffb2643b9"

          ],

          "spec_version" : "2.1",

          "created_at" : "2021-04-08T03:20:28.029Z",

          "updated_at" : "2021-04-08T03:20:28.029Z",

          "i_created_at_day" : "2021-04-08",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "id" : "31cc267c-5017-47b4-8335-827bf552346c",

          "base_type" : "ENTITY",

          "parent_types" : [

            "Basic-Object",

            "Stix-Object",

            "Stix-Core-Object",

            "Stix-Domain-Object"

          ],

          "rel_created-by.internal_id" : [

            "0f3d6159-44cc-4428-8038-c5043f6ab54f"

          ],

          "rel_external-reference.internal_id" : [

            "52f4bc2e-5fb6-4120-9971-66666a78cfe4",

            "22f0f6c6-71e4-4d91-9fc1-1fe0e2db354e",

            "b79c45a4-42e1-4b95-be30-1ea9680834c7",

            "5a544dd0-f86d-4cb6-8c0e-88e8c0b930ef",

            "8eac1f91-f105-433e-8f64-414730c81cd7",

            "66b95194-4f54-4bcc-a42f-ab60adb0a899",

            "84a00df5-e7f1-49e8-b2f2-ac2c967d427f",

            "ed124ea0-d69e-4eec-b292-44dfa8377245",

            "441f73a6-2ad9-4667-991f-4de86729cc9e",

            "750c1ed1-04e8-4327-993c-b0f23dba86b6",

            "bd9f3bdf-9826-411f-9f20-081a18d8c543",

            "b4c3a16c-7fd8-4151-9f03-97d9432cb8ba",

            "ef5feefa-dd88-46cc-934e-d5d940b3f451",

            "ea0b1708-a2bb-4327-8472-7b6313cc6384",

            "e692d4dd-340b-4bc4-b350-588b888013ed",

            "5f2e9622-c8ee-4a9e-a0b5-8383c3b24e90",

            "3e46c2d9-e861-4692-8633-69efd8d07879",

            "a6d722da-69f7-4a42-9e54-6fe3f5f311ea"

          ]

        }

      },

三、opencti_stix_cyber_observables

GET opencti_stix_cyber_observables-000001/_search

{

  "query": {

    "match_all": {}

  }

}

结果:

{

        "_index" : "opencti_stix_cyber_observables-000001",

        "_type" : "_doc",

        "_id" : "b094a78b-bab6-42bb-8ec5-f86a4d42124b",

        "_score" : 1.0,

        "_source" : {

          "x_opencti_score" : 50,

          "x_opencti_description" : null,

          "hashes" : {

            "SHA-256" : "d9b13ef49c80375e0a8cf20b840b1e8283b35c1a1a6adcbb4173eb25490530e0"

          },

          "size" : null,

          "name" : null,

          "name_enc" : null,

          "magic_number_hex" : null,

          "mime_type" : null,

          "ctime" : null,

          "mtime" : null,

          "atime" : null,

          "x_opencti_additional_names" : null,

          "internal_id" : "b094a78b-bab6-42bb-8ec5-f86a4d42124b",

          "standard_id" : "file--94a5693c-93ee-5e09-a21e-df17b4d753a6",

          "entity_type" : "StixFile",

          "x_opencti_stix_ids" : [

            "file--94a5693c-93ee-5e09-a21e-df17b4d753a6"

          ],

          "spec_version" : "2.1",

          "created_at" : "2021-04-07T09:54:38.065Z",

          "updated_at" : "2021-04-07T09:54:38.065Z",

          "i_created_at_day" : "2021-04-07",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "id" : "b094a78b-bab6-42bb-8ec5-f86a4d42124b",

          "base_type" : "ENTITY",

          "parent_types" : [

            "Basic-Object",

            "Stix-Object",

            "Stix-Core-Object",

            "Stix-Cyber-Observable"

          ],

          "rel_created-by.internal_id" : [

            "f396717c-b5a7-4161-bf8c-72e16abb2a12"

          ],

          "rel_object-marking.internal_id" : [

            "f148ee04-a293-43e0-85b1-a7bdac7a82e3"

          ],

          "rel_object-label.internal_id" : [

            "51c149d0-54cd-474c-ac20-e91ae6c77306",

            "34822c3f-f369-47f0-a134-c07abf943f09",

            "436240ca-1826-405b-9039-60a7ea08d1a8",

            "c4e59686-6efd-4503-b54f-f0b606da2c12",

            "2a72fa18-b384-4fdf-b27e-915835f32aa4"

          ],

          "rel_based-on.internal_id" : [

            "e7fb6e5e-fb50-429c-9572-0792d88cf480"

          ],

          "rel_object.internal_id" : [

            "77083d0e-77b1-45e5-89d2-664da510dc28"

          ]

        }

      },

四、opencti_stix_core_relationships

GET opencti_stix_core_relationships-000001/_search

{

  "query": {

    "match_all": {}

  }

}

结果:

{

        "_index" : "opencti_stix_core_relationships-000001",

        "_type" : "_doc",

        "_id" : "82a4185f-9f2b-4f3a-8b7d-ed99b4be6d66",

        "_score" : 1.0,

        "_source" : {

          "internal_id" : "82a4185f-9f2b-4f3a-8b7d-ed99b4be6d66",

          "standard_id" : "relationship--864e909f-5459-4bbf-9eef-6b95f4a6fae9",

          "entity_type" : "indicates",

          "created_at" : "2021-04-07T11:47:46.283Z",

          "updated_at" : "2021-04-07T11:47:46.283Z",

          "x_opencti_stix_ids" : [

            "relationship--5cab7cce-ab2c-4c66-b785-f2e8dbad6a4b"

          ],

          "spec_version" : "2.1",

          "revoked" : false,

          "confidence" : 15,

          "lang" : "en",

          "created" : "2021-04-07T09:54:55.546Z",

          "modified" : "2021-04-07T09:54:55.546Z",

          "relationship_type" : "indicates",

          "description" : "",

          "start_time" : "1970-01-01T00:00:00.000Z",

          "stop_time" : "5138-11-16T09:46:40.000Z",

          "i_created_at_day" : "2021-04-07",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "i_start_time_day" : "1970-01-01",

          "i_start_time_month" : "1970-01",

          "i_start_time_year" : "1970",

          "i_stop_time_day" : "5138-11-16",

          "i_stop_time_month" : "5138-11",

          "i_stop_time_year" : "5138",

          "id" : "82a4185f-9f2b-4f3a-8b7d-ed99b4be6d66",

          "fromType" : "Indicator",

          "toType" : "Malware",

          "parent_types" : [

            "basic-relationship",

            "stix-relationship",

            "stix-core-relationship"

          ],

          "base_type" : "RELATION",

          "connections" : [

            {

              "internal_id" : "d6e52867-dad4-46b4-9402-a404d7b53bf4",

              "name" : "280a6c99f5fb7f11a06514a2d92ce4d1b6534d5d6461d1fa893937fdcdca7f86",

              "types" : [

                "Indicator",

                "Basic-Object",

                "Stix-Object",

                "Stix-Core-Object",

                "Stix-Domain-Object"

              ],

              "role" : "indicates_from"

            },

            {

              "internal_id" : "028d054e-3afe-4304-8514-0795f9ea4a1e",

              "name" : "Cobalt Strike - S0154",

              "types" : [

                "Malware",

                "Basic-Object",

                "Stix-Object",

                "Stix-Core-Object",

                "Stix-Domain-Object"

              ],

              "role" : "indicates_to"

            }

          ],

          "rel_created-by.internal_id" : [

            "f396717c-b5a7-4161-bf8c-72e16abb2a12"

          ],

          "rel_object-marking.internal_id" : [

            "f148ee04-a293-43e0-85b1-a7bdac7a82e3"

          ],

          "rel_object.internal_id" : [

            "f6afff93-f65c-4f55-8c12-66969e24e1fe"

          ]

        }

      },

五、opencti_stix_meta_objects

GET opencti_stix_meta_objects-000001/_search

{

  "query": {

    "match_all": {}

  }

}

结果:

{

        "_index" : "opencti_stix_meta_objects-000001",

        "_type" : "_doc",

        "_id" : "066fd9c9-388c-46d0-9918-e3803552a94e",

        "_score" : 1.0,

        "_source" : {

          "source_name" : "NIST NVD",

          "description" : null,

          "url" : "https://nvd.nist.gov/vuln/detail/CVE-2015-8039",

          "external_id" : null,

          "created" : "2021-04-08T10:28:01.180Z",

          "modified" : "2021-04-08T10:28:01.180Z",

          "internal_id" : "066fd9c9-388c-46d0-9918-e3803552a94e",

          "standard_id" : "external-reference--ef15da9d-d70f-50e6-8382-40a35a7af4da",

          "entity_type" : "External-Reference",

          "x_opencti_stix_ids" : [ ],

          "spec_version" : "2.1",

          "created_at" : "2021-04-08T10:28:01.180Z",

          "updated_at" : "2021-04-08T10:28:01.180Z",

          "i_created_at_day" : "2021-04-08",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "id" : "066fd9c9-388c-46d0-9918-e3803552a94e",

          "base_type" : "ENTITY",

          "parent_types" : [

            "Basic-Object",

            "Stix-Object",

            "Stix-Meta-Object"

          ],

          "rel_external-reference.internal_id" : [

            "74367a88-c3ec-4da9-8a45-e6bff0c98745"

          ]

        }

      },

marking-definition(以下为Kibana文档视图,各字段以数组形式展示,并附带.keyword子字段):

{

  "_index": "opencti_stix_meta_objects-000001",

  "_type": "_doc",

  "_id": "f148ee04-a293-43e0-85b1-a7bdac7a82e3",

  "_version": 1,

  "_score": null,

  "fields": {

    "standard_id": [

      "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"

    ],

    "x_opencti_color": [

      "#ffffff"

    ],

    "x_opencti_order": [

      1

    ],

    "i_created_at_day": [

      "2021-04-07T00:00:00.000Z"

    ],

    "base_type.keyword": [

      "entity"

    ],

    "spec_version": [

      "2.1"

    ],

    "parent_types": [

      "Basic-Object",

      "Stix-Object",

      "Stix-Meta-Object"

    ],

    "x_opencti_stix_ids.keyword": [

      "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"

    ],

    "created_at": [

      "2021-04-07T09:25:03.101Z"

    ],

    "internal_id.keyword": [

      "f148ee04-a293-43e0-85b1-a7bdac7a82e3"

    ],

    "x_opencti_color.keyword": [

      "#ffffff"

    ],

    "definition.keyword": [

      "tlp:white"

    ],

    "id.keyword": [

      "f148ee04-a293-43e0-85b1-a7bdac7a82e3"

    ],

    "base_type": [

      "ENTITY"

    ],

    "updated_at": [

      "2021-04-07T09:25:03.101Z"

    ],

    "standard_id.keyword": [

      "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"

    ],

    "modified": [

      "2021-04-07T09:25:03.101Z"

    ],

    "parent_types.keyword": [

      "basic-object",

      "stix-object",

      "stix-meta-object"

    ],

    "definition": [

      "TLP:WHITE"

    ],

    "id": [

      "f148ee04-a293-43e0-85b1-a7bdac7a82e3"

    ],

    "definition_type.keyword": [

      "tlp"

    ],

    "i_created_at_year.keyword": [

      "2021"

    ],

    "internal_id": [

      "f148ee04-a293-43e0-85b1-a7bdac7a82e3"

    ],

    "definition_type": [

      "TLP"

    ],

    "created": [

      "2021-04-07T09:25:03.101Z"

    ],

    "i_created_at_month": [

      "2021-04-01T00:00:00.000Z"

    ],

    "entity_type.keyword": [

      "marking-definition"

    ],

    "spec_version.keyword": [

      "2.1"

    ],

    "i_created_at_year": [

      "2021"

    ],

    "entity_type": [

      "Marking-Definition"

    ],

    "x_opencti_stix_ids": [

      "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"

    ]

  },

  "highlight": {

    "id.keyword": [

      "@kibana-highlighted-field@f148ee04-a293-43e0-85b1-a7bdac7a82e3@/kibana-highlighted-field@"

    ]

  },

  "sort": [

    1617787503101

  ]

}

六、opencti_internal_objects(平台内部对象,例如下面的Capability):

{

        "_index" : "opencti_internal_objects-000001",

        "_type" : "_doc",

        "_id" : "209d5dc8-b871-4d57-984d-fb7f69a6f81a",

        "_score" : 1.0,

        "_source" : {

          "name" : "KNOWLEDGE_KNUPDATE_KNDELETE",

          "description" : "Delete knowledge",

          "attribute_order" : 300,

          "internal_id" : "209d5dc8-b871-4d57-984d-fb7f69a6f81a",

          "standard_id" : "capability--be60f4fc-8d91-59f6-925a-1b211a06d086",

          "entity_type" : "Capability",

          "created_at" : "2021-04-07T09:25:03.610Z",

          "updated_at" : "2021-04-07T09:25:03.610Z",

          "i_created_at_day" : "2021-04-07",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "id" : "209d5dc8-b871-4d57-984d-fb7f69a6f81a",

          "base_type" : "ENTITY",

          "parent_types" : [

            "Basic-Object",

            "Internal-Object"

          ]

        }

      },

七、案例分析

将https://otx.alienvault.com/pulse/6019b7d8f25640334bd72d00中的报告转换成opencti中的数据结构。

(1)报告

(2)恶意代码

(3)indicator

(4)observable

与indicator之间互为based_on关系。

rel_object.internal_id: f2c3a058-9b3c-4e70-a0b7-aa215733b9f9

hostname(url与之类似):

文件:

(5)relationships

针对nested的查询需求、方法和原理,参考:https://blog.csdn.net/laoyang360/article/details/82950393;数组的查询方法,参考:https://www.cnblogs.com/dongruiha/p/12201195.html?utm_medium=referral&utm_source=itdadao。

opencti_stix_meta_relationships中connections为nested结构:

查询54cf693f-d2ca-4885-b3d0-0948b9e413dd相关的关系:

GET opencti_stix_meta_relationships-000001/_search

{

  "query": {

    "bool": {

      "must": [

        {

          "nested": {

            "path": "connections",

            "query": {

              "bool": {

                "must": [

                  {

                    "match": {

                      "connections.internal_id": "54cf693f-d2ca-4885-b3d0-0948b9e413dd"

                    }

                  }

                ]

              }

            }

          }

        }

      ]

    }

  }

}

结果:

{

        "_index" : "opencti_stix_meta_relationships-000001",

        "_type" : "_doc",

        "_id" : "3c59f927-3286-4466-9314-c99c9a8973d5",

        "_score" : 55.832546,

        "_source" : {

          "id" : "3c59f927-3286-4466-9314-c99c9a8973d5",

          "fromType" : "Malware",

          "toType" : "Organization",

          "base_type" : "RELATION",

          "parent_types" : [

            "basic-relationship",

            "stix-relationship",

            "stix-meta-relationship"

          ],

          "internal_id" : "3c59f927-3286-4466-9314-c99c9a8973d5",

          "standard_id" : "relationship-meta--de122abb-cda4-4da7-9f78-97fa743271b5",

          "entity_type" : "created-by",

          "created_at" : "2021-04-13T22:40:16.002Z",

          "updated_at" : "2021-04-13T22:40:16.002Z",

          "i_created_at_day" : "2021-04-13",

          "i_created_at_month" : "2021-04",

          "i_created_at_year" : "2021",

          "connections" : [

            {

              "internal_id" : "54cf693f-d2ca-4885-b3d0-0948b9e413dd",

              "name" : "Supply Chain",

              "types" : [

                "Malware",

                "Basic-Object",

                "Stix-Object",

                "Stix-Core-Object",

                "Stix-Domain-Object"

              ],

              "role" : "created-by_from"

            },

            {

              "internal_id" : "f396717c-b5a7-4161-bf8c-72e16abb2a12",

              "name" : "AlienVault",

              "types" : [

                "Organization",

                "Basic-Object",

                "Stix-Object",

                "Stix-Core-Object",

                "Stix-Domain-Object",

                "Identity"

              ],

              "role" : "created-by_to"

            }

          ]

        }

      },
