Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Have network indicators in domain-ip MISP objects use kill_chain_phases "Network activity" instead of "network" #47

Open
1 task done
cudeso opened this issue Jul 13, 2023 · 1 comment
Open
1 task done

Bug: Have network indicators in domain-ip MISP objects use kill_chain_phases "Network activity" instead of "network" #47

cudeso opened this issue Jul 13, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@cudeso
Copy link

cudeso commented Jul 13, 2023

MISP-STIX usage

MISP core

Expected behavior

Have network related indicators in MISP objects (such as domain-ip and ip-port) use the "Network activity" phase_name in the kill_chain_phases

"kill_chain_phases": [
                    {
                        "kill_chain_name": "misp-category",
                        "phase_name": "Network activity"
                    }
                ]

Actual behavior

Currently they use "phase_name": "network"
https://github.com/MISP/misp-stix/blob/f51194eb59c72d8955a9aa052a3d61c13e113f77/documentation/mapping/misp_objects_to_stix21.json#L779C18-L779C35

"kill_chain_phases": [
                    {
                        "kill_chain_name": "misp-category",
                        "phase_name": "network"
                    }
                ]

Steps to reproduce

Include a domain-ip object in a MISP export

Version

2.4.172

Python version

3.8

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@cudeso cudeso added the bug Something isn't working label Jul 13, 2023
@chrisr3d
Copy link
Member

chrisr3d commented Sep 18, 2023
edited
Loading

I checked in details the difference between domain|ip attributes and domain-ip objects to make sure the issue you describe here does not concern attributes, which category is Network activity.

Now given an example of a domain-ip object as the following:

{
    "uuid": "a6ef17d6-91cb-4a05-b10b-2f045daf874c",
    "Object": [
        {
            "name": "domain-ip",
            "meta-category": "network",
            "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
            "description": "A domain and IP address seen as a tuple",
            "template_version": "11",
            "uuid": "dc624447-684a-488f-9e16-f78f717d8efd",
            "Attribute": [
                {
                    "uuid": "63fa4060-98d3-4768-b18d-cfbc52f2d0ff",
                    "object_relation": "domain",
                    "value": "circl.lu",
                    "type": "domain",
                    "category": "Network activity",
                    "disable_correlation": false,
                    "to_ids": true
                },
                {
                    "uuid": "30e94901-9247-4d28-9746-ca4c0086201c",
                    "object_relation": "hostname",
                    "value": "circl.lu",
                    "type": "hostname",
                    "disable_correlation": false,
                    "to_ids": true,
                    "category": "Network activity"
                },
                {
                    "uuid": "fcbaf339-615a-409c-915f-034420dc90ca",
                    "object_relation": "ip",
                    "value": "149.13.33.14",
                    "type": "ip-dst",
                    "category": "Network activity",
                    "disable_correlation": false,
                    "to_ids": true
                },
                {
                    "uuid": "ff192fba-c594-4eb2-8432-cd335ad6647d",
                    "object_relation": "port",
                    "value": "8443",
                    "type": "port",
                    "category": "Network activity",
                    "disable_correlation": false,
                    "to_ids": false
                }
            ],
            "distribution": "5",
            "sharing_group_id": "0"
        }
    ],
    "info": "MISP-STIX-Converter test event",
    "published": false,
    "date": "2020-10-25",
    "Org": {
        "name": "MISP-Project",
        "uuid": "a0c22599-9e58-4da4-96ac-7051603fa951"
    },
    "Orgc": {
        "name": "MISP-Project",
        "uuid": "a0c22599-9e58-4da4-96ac-7051603fa951"
    }
}

The network phase name comes from the meta-category field as defined here and here

It is then intended to have the meta-category.
In this case, all the attributes are of type Network activity and it could make sense to have it as the category used to build the killchain phases.
But for automation purposes we always took the meta-category field as we can have different categories among different attributes (for instance, for files we could have Payload delivery, Artifacts dropped, External analysis, etc.)

I am still open for a discussion if you think we should change the way we generate the killchain phases.
Let me know what you think of it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cudeso @chrisr3d