chrisr3d
commented
1 year ago I checked in details the difference between domain|ip attributes and domain-ip objects to make sure the issue you describe here does not concern attributes, which category is Network activity.
Now given an example of a domain-ip object as the following:
{
"uuid": "a6ef17d6-91cb-4a05-b10b-2f045daf874c",
"Object": [
{
"name": "domain-ip",
"meta-category": "network",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"description": "A domain and IP address seen as a tuple",
"template_version": "11",
"uuid": "dc624447-684a-488f-9e16-f78f717d8efd",
"Attribute": [
{
"uuid": "63fa4060-98d3-4768-b18d-cfbc52f2d0ff",
"object_relation": "domain",
"value": "circl.lu",
"type": "domain",
"category": "Network activity",
"disable_correlation": false,
"to_ids": true
},
{
"uuid": "30e94901-9247-4d28-9746-ca4c0086201c",
"object_relation": "hostname",
"value": "circl.lu",
"type": "hostname",
"disable_correlation": false,
"to_ids": true,
"category": "Network activity"
},
{
"uuid": "fcbaf339-615a-409c-915f-034420dc90ca",
"object_relation": "ip",
"value": "149.13.33.14",
"type": "ip-dst",
"category": "Network activity",
"disable_correlation": false,
"to_ids": true
},
{
"uuid": "ff192fba-c594-4eb2-8432-cd335ad6647d",
"object_relation": "port",
"value": "8443",
"type": "port",
"category": "Network activity",
"disable_correlation": false,
"to_ids": false
}
],
"distribution": "5",
"sharing_group_id": "0"
}
],
"info": "MISP-STIX-Converter test event",
"published": false,
"date": "2020-10-25",
"Org": {
"name": "MISP-Project",
"uuid": "a0c22599-9e58-4da4-96ac-7051603fa951"
},
"Orgc": {
"name": "MISP-Project",
"uuid": "a0c22599-9e58-4da4-96ac-7051603fa951"
}
}The network phase name comes from the meta-category field as defined here and here
It is then intended to have the meta-category.
In this case, all the attributes are of type Network activity and it could make sense to have it as the category used to build the killchain phases.
But for automation purposes we always took the meta-category field as we can have different categories among different attributes (for instance, for files we could have Payload delivery, Artifacts dropped, External analysis, etc.)
I am still open for a discussion if you think we should change the way we generate the killchain phases. Let me know what you think of it
MISP-STIX usage
MISP core
Expected behavior
Have network related indicators in MISP objects (such as domain-ip and ip-port) use the "Network activity" phase_name in the kill_chain_phases
Actual behavior
Currently they use "phase_name": "network" https://github.com/MISP/misp-stix/blob/f51194eb59c72d8955a9aa052a3d61c13e113f77/documentation/mapping/misp_objects_to_stix21.json#L779C18-L779C35
Steps to reproduce
Include a domain-ip object in a MISP export
Version
2.4.172
Python version
3.8
Relevant log output
No response
Extra attachments
No response
Code of Conduct