diff --git a/README.md b/README.md index c2f251f..3616ee3 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ to automate permission inheritance and policy enforcement at the schema level us ### [Cyber threat intelligence](https://github.com/vaticle/typedb-examples/tree/master/cyber-threat-intelligence) -A guided tutorial to learn how to use TypeDB in a Cyber Threat Intelligence (CTI) context in order to identify threats using powerful queries and inferenced ruling. +Learn how to use TypeDB in a cyber threat intelligence (CTI) context in order to identify threats using powerful queries and rule-inference. ## Advanced diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 72e88ec..d71af65 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -1,33 +1,34 @@ -# Cyber Threat Intelligence +# Cyber threat intelligence ## Introduction -In this demo, you'll learn how to use TypeDB as the database for a Cyber Threat Intelligence context. We'll cover -some basic operations like listing the identities and subtyped of it with the help of type-inferenced queries. +In this demo, you'll learn how to use TypeDB as the database in a cyber threat intelligence context. We'll cover +some basic operations like listing identities and their subtypes with the help of type-inference. We will then move on to some more advanced examples that take advantage of rules. -We'll see how we can automate threats discovery at the schema level with the creation of a new rule. +We'll see how we can automate threat discovery at the schema level with the creation of a new rule. ## Required knowledge This demo assumes knowledge of: -- General identity and access management concepts. - TypeDB's transaction system. - All basic TypeQL syntax elements. - TypeDB Studio's interface. For more information, please see our [documentation](https://docs.vaticle.com/docs/general/introduction). +General knowledge of STIX2.1 would be a plus. + ## Getting started Start your TypeDB server and open TypeDB Studio. Make sure you are on a `schema-write` transaction and run the following TypeQL file: -```schema.tql``` +```define-schema.tql``` Then switch to a `data-write` transaction and run the following: -```dataset.tql``` +```insert-data.tql``` Remember to click on the green tick after running each of these scripts to commit the changes to the database. @@ -35,5 +36,5 @@ Remember to click on the green tick after running each of these scripts to commi To get started, try running the examples. They are intended to be run once each and in order, so be aware that running them more than once or out of order might generate data errors. If anything goes wrong, you can run the -`dataset.tql` script again to reset everything. All the examples use `data` sessions, but you'll have to switch +`insert-data.tql` script again to reset everything. All the examples use `data` sessions, but you'll have to switch between `read` and `write` transactions depending on the queries in the example, and remember to commit after writes. diff --git a/cyber-threat-intelligence/define-schema.tql b/cyber-threat-intelligence/define-schema.tql new file mode 100644 index 0000000..e70ae6f --- /dev/null +++ b/cyber-threat-intelligence/define-schema.tql @@ -0,0 +1,1625 @@ +define + +# Based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#-disnqa06jm5 + +### 1 Base Entities ### + +stix-entity sub entity, + abstract; + +stix-object sub stix-entity, + owns stix-type, + owns stix-id @key, + owns custom-attribute, + + plays granular-marking:marking; + +stix-core-object sub stix-object, + owns spec-version, + + plays object-marking:marked, + plays created-by:created, + plays derivation:derived-from, + plays derivation:deriving, + plays duplicate-of:duplicated-object; + + +stix-domain-object sub stix-core-object, + owns created, + owns modified, + owns revoked, + owns labels, + owns confidence, + owns langs, + + # Rel + plays sighting:sighting-of, + plays external-references:referencing, + + # RRel + plays kill-chain-phases:used, + plays sighting:observed-data, + plays external-references:referenced; + + +stix-cyber-observable-object sub stix-core-object, + owns defanged, + + # Rel + plays external-references:referencing, + plays contains-ref:containing, + + # RRel + plays external-references:referenced; + +stix-sub-object sub stix-entity, + owns created, + owns modified, + + plays granular-marking:marking; + + +### 2 Data Types ### + +external-reference sub stix-sub-object, + owns source-name, + owns description, + owns url-link, + owns external-id, + + plays hashes:hashes-owner, + plays external-references:referenced; + +kill-chain-phase sub stix-sub-object, + owns kill-chain-name, + owns kill-chain-phase-name, + + plays kill-chain-phases:using; + +### 3 SDOs ### + +attack-pattern sub stix-domain-object, + owns name, + owns description, + owns aliases, + + # Rel + plays delivers:delivering, + plays targets:targeting, + plays uses:using, + + # RRel + plays indicates:indicated, + plays uses:used, + plays mitigates:mitigated; + +campaign sub stix-domain-object, + owns name, + owns description, + owns aliases, + owns first-seen, + owns last-seen, + owns objective, + + # Rel + plays targets:targeting, + plays attributed-to:attributing, + plays uses:using, + plays compromises:compromising, + plays originates-from:originating, + + # RRel + plays indicates:indicated; + +course-of-action sub stix-domain-object, + owns name, + owns description, + owns action, + + # Rel + plays investigates:investigating, + plays mitigates:mitigating, + plays remediates:remediating; + +grouping sub stix-domain-object, + owns name, + owns description, + owns context; + + + +identity sub stix-domain-object, + owns name, + owns description, + owns stix-role, + owns identity-class, + owns sector, + owns contact-information, + + plays created-by:creator, + + # Rel + plays located-at:locating, + plays uses:using, + + # RRel + plays uses:used, + plays targets:targeted, + plays attributed-to:attributed, + plays impersonates:impersonated; + +individual sub identity; +group sub identity; +system sub identity; +organization sub identity; +class sub identity; +id-unknown sub identity; + +incident sub stix-domain-object, + owns name, + owns description; + +indicator sub stix-domain-object, + owns name, + owns description, + owns indicator-type, + owns pattern, + owns pattern-type, + owns pattern-version, + owns valid-from, + owns valid-until, + + # Rel + plays indicates:indicating, + plays based-on:basing, + + # RRel + plays investigates:investigated, + plays mitigates:mitigated; + +infrastructure sub stix-domain-object, + owns name, + owns description, + owns infrastructure-types, + owns aliases, + owns first-seen, + owns last-seen, + + # Rel + plays delivers:delivering, + plays uses:using, + plays located-at:locating, + plays communicates-with:communicating, + plays consist-of:consisting, + plays controls:controlling, + plays have:having, + plays hosts:hosting, + + # RRel + plays controls:controlled, + plays communicates-with:communicated, + plays compromises:compromised, + plays indicates:indicated, + plays uses:used, + plays targets:targeted, + plays hosts:hosted, + plays beacons-to:beaconed-to, + plays exfiltrates-to:exfiltrated-to, + plays ownerships:owned; + +intrusion-set sub stix-domain-object, + owns name, + owns description, + owns aliases, + owns first-seen, + owns last-seen, + owns goals, + owns sophistication, + owns resource-level, + owns primary-motivation, + owns secondary-motivations, + + # Rel + plays targets:targeting, + plays uses:using, + plays attributed-to:attributing, + plays compromises:compromising, + plays originates-from:originating, + plays hosts:hosting, + plays ownerships:owning, + + # RRel + plays indicates:indicated, + plays attributed-to:attributed, + plays authored-by:authored; + +malware sub stix-domain-object, + owns name, + owns description, + owns malware-types, + owns is-family, + owns aliases, + owns first-seen, + owns last-seen, + owns architecture-execution-envs, + owns implementation-languages, + owns capabilities, + + # Rel + plays targets:targeting, + plays uses:using, + plays originates-from:originating, + plays controls:controlling, + plays hosts:hosting, + plays authored-by:authoring, + plays beacons-to:beaconing-to, + plays exfiltrates-to:exfiltrating-to, + plays downloads:downloading, + plays drops:dropping, + plays exploits:exploiting, + plays variant-of:varianted-from, + plays communicates-with:communicating, + + # RRel + plays attributed-to:attributed, + plays controls:controlled, + plays remediates:remediated, + plays mitigates:mitigated, + plays uses:used, + plays delivers:delivered, + plays indicates:indicated, + plays downloads:downloaded, + plays drops:dropped, + plays variant-of:varianted, + plays characterizes:characterized, + plays analysis-of:analysed, + plays static-analysis-of:analysed, + plays dynamic-analysis-of:analysed; + +location sub stix-domain-object, + owns name, + owns description, + owns latitude, + owns longitude, + owns precision, + owns region, + owns country, + owns administrative-area, + owns city, + owns street-address, + owns postal-code, + + # RRel + plays targets:targeted, + plays originates-from:originated, + plays located-at:located; + +malware-analysis sub stix-domain-object, + owns product, + owns version, + owns configuration-version, + owns module, + owns analysis-engine-version, + owns analysis-definition-version, + owns submitted, + owns analysis-started, + owns analysis-ended, + owns result-name, + owns result, + + # Rel + plays characterizes:characterizing, + plays analysis-of:analysing, + plays static-analysis-of:analysing, + plays dynamic-analysis-of:analysing; + +note sub stix-domain-object, + owns note-abstract, + owns content, + owns authors; + +opinion sub stix-domain-object, + owns explanation, + owns authors, + owns opinion-enum; + +observed-data sub stix-domain-object, + owns first-observed, + owns last-observed, + owns number-observed, + + # RRel + plays based-on:based, + plays consist-of:consisted; + +report sub stix-domain-object, + owns name, + owns description, + owns report-type, + owns published; + +threat-actor sub stix-domain-object, + owns name, + owns description, + owns aliases, + owns stix-role, + owns first-seen, + owns last-seen, + owns goals, + owns resource-level, + owns primary-motivation, + owns secondary-motivations, + owns sophistication, + owns personal-characteristics, + owns roles, + owns threat-actor-types, + + # Rel + plays targets:targeting, + plays uses:using, + plays attributed-to:attributing, + plays compromises:compromising, + plays located-at:locating, + plays impersonates:impersonating, + plays hosts:hosting, + plays ownerships:owning, + + # RRel + plays attributed-to:attributed, + plays indicates:indicated, + plays authored-by:authored; + +tool sub stix-domain-object, + owns name, + owns description, + owns tool-types, + owns aliases, + owns first-seen, + owns last-seen, + owns tool-version, + + # Rel + plays delivers:delivering, + plays targets:targeting, + plays uses:using, + plays have:having, + plays drops:dropping, + + # RRel + plays uses:used, + plays indicates:indicated, + plays mitigates:mitigated, + plays hosts:hosted, + plays downloads:downloaded, + plays drops:dropped; + +custom-object sub stix-domain-object, + owns name, + owns description, + owns aliases, + owns first-seen, + owns last-seen, + owns objective, + + # Rel + plays delivers:delivering, + plays targets:targeting, + plays uses:using, + + # RRel + plays uses:used, + plays mitigates:mitigated; + +vulnerability sub stix-domain-object, + owns name, + owns description, + + # RRel + plays targets:targeted, + plays mitigates:mitigated, + plays remediates:remediated, + plays have:had, + plays exploits:exploited; + +### 5 SROs ### +stix-core-relationship sub relation, + # Required + owns spec-version, + owns stix-id @key, + owns created, + owns modified, + owns stix-type, + + # Optional + owns description, + owns revoked, + owns labels, + owns confidence, + owns langs, + owns custom-attribute, + + relates source, + relates target, + + plays created-by:created, + plays granular-marking:marking, + plays external-references:referenced; + +delivers sub stix-core-relationship, + relates delivering as source, + relates delivered as target; + +targets sub stix-core-relationship, + relates targeting as source, + relates targeted as target; + +attributed-to sub stix-core-relationship, + relates attributing as source, + relates attributed as target; + +uses sub stix-core-relationship, + relates using as source, + relates used as target; + +indicates sub stix-core-relationship, + relates indicating as source, + relates indicated as target; + +compromises sub stix-core-relationship, + relates compromising as source, + relates compromised as target; + +originates-from sub stix-core-relationship, + relates originating as source, + relates originated as target; + +investigates sub stix-core-relationship, + relates investigating as source, + relates investigated as target; + +mitigates sub stix-core-relationship, + relates mitigating as source, + relates mitigated as target; + +remediates sub stix-core-relationship, + relates remediating as source, + relates remediated as target; + +located-at sub stix-core-relationship, + relates locating as source, + relates located as target; + +impersonates sub stix-core-relationship, + relates impersonating as source, + relates impersonated as target; + +based-on sub stix-core-relationship, + relates basing as source, + relates based as target; + +communicates-with sub stix-core-relationship, + relates communicating as source, + relates communicated as target; + +consist-of sub stix-core-relationship, + relates consisting as source, + relates consisted as target; + +controls sub stix-core-relationship, + relates controlling as source, + relates controlled as target; + +have sub stix-core-relationship, + relates having as source, + relates had as target; + +hosts sub stix-core-relationship, + relates hosting as source, + relates hosted as target; + +authored-by sub stix-core-relationship, + relates authoring as source, + relates authored as target; + +beacons-to sub stix-core-relationship, + relates beaconing-to as source, + relates beaconed-to as target; + +exfiltrates-to sub stix-core-relationship, + relates exfiltrating-to as source, + relates exfiltrated-to as target; + +downloads sub stix-core-relationship, + relates downloading as source, + relates downloaded as target; + +drops sub stix-core-relationship, + relates dropping as source, + relates dropped as target; + +exploits sub stix-core-relationship, + relates exploiting as source, + relates exploited as target; + +variant-of sub stix-core-relationship, + relates varianted-from as source, + relates varianted as target; + +characterizes sub stix-core-relationship, + relates characterizing as source, + relates characterized as target; + +analysis sub stix-core-relationship, + relates analysing as source, + relates analysed as target; + +analysis-of sub analysis; +static-analysis-of sub analysis; +dynamic-analysis-of sub analysis; + +ownerships sub stix-core-relationship, + relates owning as source, + relates owned as target; + +ref sub relation, + relates source, + relates target; + +from-ref sub ref; +sender-ref sub ref; +raw-email-ref sub ref; +body-raw-ref sub ref; +parent-directory-ref sub ref; +content-ref sub ref; +optional-header sub ref, + relates from as source; +belongs-to-ref sub ref; +src-ref sub ref; +dst-ref sub ref; +src-payload-ref sub ref; +dst-payload-ref sub ref; +encapsulated-by-ref sub ref; +massage-body-data-ref sub ref; +creator-user-ref sub ref; +image-ref sub ref; +parent-ref sub ref; +message-body-data-ref sub ref, + relates from as source; + +derivation sub relation, + relates derived-from, + relates deriving; + +duplicate-of sub relation, + relates duplicated-object; + + +sighting sub stix-core-relationship, + owns first-seen, + owns last-seen, + owns count, + owns summary, + + relates sighting-of, + relates observed-data; + + + +### 6 SCOs ### + +artifact sub stix-cyber-observable-object, + owns mime-type, + owns payload-bin, + owns url-link, + owns encryption-algorithm, + owns decryption-key, + + # RRel + plays body-raw-ref:target, + plays raw-email-ref:target, + plays content-ref:target, + plays message-body-data-ref:target; + +autonomous-system sub stix-cyber-observable-object, + owns number, + owns name, + owns rir, + + # RRel + plays belongs-to-refs:belonging; + +directory sub stix-cyber-observable-object, + owns path, + owns path-enc, + owns ctime, + owns mtime, + owns atime, + + # Rel + plays contains-ref:contained, + + # RRel + plays parent-directory-ref:target; + +domain-name sub stix-cyber-observable-object, + owns stix-value, + + # Rel + plays resolves-to-refs:resolved, + + # RRel + plays resolves-to-refs:resolving, + plays communicates-with:communicated; + + +email-addr sub stix-cyber-observable-object, + owns stix-value, + owns display-name, + + # Rel + plays belongs-to-ref:source, + + # RRel + plays from-ref:target, + plays sender-ref:target, + plays to-refs:to, + plays cc-refs:to, + plays bcc-refs:to; + +email-message sub stix-cyber-observable-object, + owns is-multipart, + owns date, + owns content-type, + owns message-id, + owns subject, + owns body, + + # Rel + plays from-ref:source, + plays sender-ref:source, + plays to-refs:from, + plays cc-refs:from, + plays bcc-refs:from, + plays received-lines:owner, + plays body-multipart:to, + plays raw-email-ref:source; + + +email-mime-part sub stix-sub-object, + owns body, + owns content-type, + owns content-disposition, + + # Rel + plays body-raw-ref:source, + + # RRel + plays body-multipart:from; + +file sub stix-cyber-observable-object, + owns size, + owns name, + owns name-enc, + owns magic-number-hex, + owns mime-type, + owns ctime, + owns mtime, + owns atime, + + # Rel + plays hashes:hashes-owner, + plays parent-directory-ref:source, + plays contains-ref:contained, + plays content-ref:source, + + # RRel + plays downloads:downloaded, + plays body-raw-ref:target, + plays image-ref:target, + plays service-dll-refs:to; + +archive-ext sub file, + owns comment; + +ntfs-ext sub file, + owns sid, + + # Rel + plays alternate-data-streams:from; + +alternate-data-stream sub file, + + # RRel + plays alternate-data-streams:to; + +pdf-ext sub stix-cyber-observable-object, + owns version, + owns is-optimized, + owns pdfid0, + owns pdfid1, + + # Rel + plays document-info-dict:document-owner; + +raster-image-ext sub file, + owns image-height, + owns image-width, + owns bits-per-pixel, + + # Rel + plays exif-tags:exif-owner; + +windows-pebinary-ext sub file, + owns pe-type, + owns imphash, + owns machine-hex, + owns number-of-sections, + owns time-date-stamp, + owns pointer-to-symbol-table-hex, + owns number-of-symbols, + owns size-of-optional-header, + owns characterstics-hex, + + # Rel + plays optional-header:from, + plays sections:from; + +windows-pe-optional-header-type sub entity, + owns magic-hex, + owns major-linker-version, + owns minor-linker-version, + owns size-of-code, + owns size-of-initialized-data, + owns size-ofuninitialized-data, + owns address-of-entry-point, + owns base-of-code, + owns base-of-data, + owns image-base, + owns section-alignment, + owns file-alignment, + owns major-os-version, + owns minor-os-version, + owns major-image-version, + owns minor-image-version, + owns major-subsystem-version, + owns minor-subsystem-version, + owns win32-version-value-hex, + owns size-of-image, + owns size-of-headers, + owns checksum-hex, + owns subsystem-hex, + owns dll-characteristics-hex, + owns size-of-stack-reserve, + owns size-of-stack-commit, + owns size-of-heap-reserve, + owns size-of-heap-commit, + owns loader-flags-hex, + owns number-of-rva-and-sizes, + + # Rel + plays hashes:hashes-owner, + + # RRel + plays optional-header:target; + +windows-pe-section sub entity, + owns name, + owns size, + owns entropy, + + # Rel + plays hashes:hashes-owner, + + # RRel + plays sections:to; + +ipv4-address sub stix-cyber-observable-object, + owns stix-value, + + # Rel + plays resolves-to-refs:resolved, + plays belongs-to-refs:belonged, + + # RRel + plays resolves-to-refs:resolving, + plays communicates-with:communicated; + + + +ipv6-address sub stix-cyber-observable-object, + owns stix-value, + + # Rel + plays resolves-to-refs:resolved, + plays belongs-to-refs:belonged, + + # RRel + plays resolves-to-refs:resolving, + plays communicates-with:communicated; + + +mac-addr sub stix-cyber-observable-object, + owns stix-value, + + # RRel + plays resolves-to-refs:resolving; + + +mutex sub stix-cyber-observable-object, + owns name; + + +network-traffic sub stix-cyber-observable-object, + owns start, + owns end, + owns is-active, + owns src-port, + owns dst-port, + + # Rel + plays src-ref:source, + plays dst-ref:source, + plays src-payload-ref:source, + plays dst-payload-ref:source, + plays encapsulated-by-ref:source, + plays protocols:from, + plays ipfix:ipfix-owner, + plays encapsulates-refs:encapsulated, + + # RRel + plays encapsulates-refs:encapsulating, + plays encapsulated-by-ref:target, + plays opened-connection-refs:opening; + +http-request-ext sub network-traffic, + owns request-method, + owns request-value, + owns request-version, + owns message-body-length, + + # Rel + plays request-header:header-owner, + plays message-body-data-ref:from; + +icmp-ext sub network-traffic, + owns icmp-type-hex, + owns icmp-code-hex; + +socket-ext sub network-traffic, + owns address-family, + owns is-blocking, + owns is-listening, + owns socket-type, + owns socket-descriptor, + owns socket-handle, + + # Rel + plays options:options-owner; + +tcp-ext sub network-traffic, + owns src-flags-hex, + owns dst-flags-hex; + +process sub stix-cyber-observable-object, + owns is-hidden, + owns pid, + owns created-time, + owns cwd, + owns command-line, + + # Rel + plays environment-variables:variables-owner, + plays opened-connection-refs:opened, + plays creator-user-ref:source, + plays image-ref:source, + plays parent-ref:source, + plays child-refs:parent, + + # RRel + plays parent-ref:target, + plays child-refs:child; + +windows-process-ext sub process, + owns aslr-enabled, + owns dep-enabled, + owns priority, + owns owner-sid, + owns window-title, + owns integrity-level, + + # Rel + plays startup-info:info-owner; + +windows-service-ext sub process, + owns service-name, + owns display-name, + owns group-name, + owns start-type, + owns service-type, + owns service-status, + owns descriptions, + + # Rel + plays service-dll-refs:from; + +software sub stix-cyber-observable-object, + owns name, + owns spe, + owns swid, + owns vendor, + owns version, + owns languages; + +url sub stix-cyber-observable-object, + owns stix-value, + + # RRel + plays communicates-with:communicated; + + +user-account sub stix-cyber-observable-object, + owns user-id, + owns credential, + owns account-login, + owns account-type, + owns display-name, + owns is-service-account, + owns is-privileged, + owns can-escalate-privs, + owns is-disabled, + owns account-created, + owns account-expires, + owns credential-last-changed, + owns account-first-login, + owns account-last-login, + + # RRel + plays belongs-to-ref:target, + plays creator-user-ref:target; + +unix-account-ext sub user-account, + owns gid, + owns home-dir, + owns shell, + owns groups; + + +windows-registry-key sub stix-cyber-observable-object, + owns attribute-key, + owns modified-time, + owns number-subkeys, + + # Rel + plays values:from, + plays creator-user-ref:source; + +windows-registry-value-type sub stix-cyber-observable-object, + owns name, + owns data, + owns data-type, + + # RRel + plays values:to; + +x509-certificate sub stix-cyber-observable-object, + owns is-self-signed, + owns version, + owns serial-number, + owns signature-algorithm, + owns issuer, + owns validity-not-before, + owns validity-not-after, + owns subject, + owns subject-public-key-algorithm, + owns subject-public-key-modulus, + owns subject-public-key-exponent, + + # Rel + plays hashes:hashes-owner; + +x509-v3-extensions sub x509-certificate, + owns basic-constraints, + owns name-constraints, + owns policy-constraints, + owns key-usage, + owns extended-key-usage, + owns subject-key-identifier, + owns authority-key-identifier, + owns subject-alternative-name, + owns issuer-alternative-name, + owns subject-directory-attributes, + owns crl-distribution-points, + owns inhibit-any-policy, + owns private-key-usage-period-not-before, + owns private-key-usage-period-not-after, + owns certificate-policies, + owns policy-mappings; + +marking-definition sub stix-object, + owns created, + owns modified, + owns name, + owns spec-version, + + plays created-by:created, + plays data-marking:marking, + plays external-references:referencing; + +statement-marking sub marking-definition, + owns statement; + +tlp-marking sub marking-definition, + owns color; + +list sub relation, + relates list-item, + relates owner; + +linked-list sub list, + plays first-element:list, + plays last-element:list, + plays list-element:list; + +first-element sub relation, + relates first, + relates list; + +last-element sub relation, + relates last, + relates list; + +list-element sub relation, + relates element, + relates list; + +node sub relation, + relates next, + relates listed, + + # Rel + plays node:next, + + # RRel + plays list-element:element, + plays last-element:last, + plays first-element:first; + +dict sub relation, + relates dict-item, + relates owner, + owns key-abstract, + abstract; + + +hashes sub dict, + relates hash-value as dict-item, + relates hashes-owner as owner, + owns hash-algorithm as key-abstract; + +document-info-dict sub dict, + relates document-info as dict-item, + relates document-owner as owner, + owns key as key-abstract; + +exif-tags sub dict, + relates exif-tag as dict-item, + relates exif-owner as owner, + owns key as key-abstract; + +ipfix sub dict, + relates ipfix-field as dict-item, + relates ipfix-owner as owner, + owns key as key-abstract; + +request-header sub dict, + relates header as dict-item, + relates header-owner as owner, + owns key as key-abstract; + +options sub dict, + relates option as dict-item, + relates options-owner as owner, + owns key as key-abstract; + +environment-variables sub dict, + relates variable as dict-item, + relates variables-owner as owner, + owns key as key-abstract; + +startup-info sub dict, + relates info as dict-item, + relates info-owner as owner, + owns key as key-abstract; + +additional-header-fields sub relation, + relates dict-item, + relates owner, + + plays header-fields:owner, + + owns key; + +header-fields sub list, + plays additional-header-fields:dict-item; + +external-references sub list, + relates referencing as list-item, + relates referenced as owner; + +kill-chain-phases sub list, + relates using as list-item, + relates used as owner; + +data-marking sub list, + relates marking as list-item, + relates marked as owner, + + plays granular-marking:marking; + +object-marking sub list, + relates marking as list-item, + relates marked as owner; + +granular-marking sub list, + relates marking as list-item, + relates marked as owner; + +created-by sub list, + relates creator as list-item, + relates created as owner; + +resolves-to-refs sub list, + relates resolving as list-item, + relates resolved as owner; + +belongs-to-refs sub list, + relates belonging as list-item, + relates belonged as owner; + +contains-ref sub list, + relates containing as list-item, + relates contained as owner; + +to-refs sub list, + relates to as list-item, + relates from as owner; + +cc-refs sub list, + relates to as list-item, + relates from as owner; + +bcc-refs sub list, + relates to as list-item, + relates from as owner; + +body-multipart sub list, + relates to as list-item, + relates from as owner; + +alternate-data-streams sub list, + relates to as list-item, + relates from as owner; + +sections sub list, + relates to as list-item, + relates from as owner; + +protocols sub list, + relates to as list-item, + relates from as owner; + +encapsulates-refs sub list, + relates encapsulating as list-item, + relates encapsulated as owner; + +opened-connection-refs sub list, + relates opening as list-item, + relates opened as owner; + +child-refs sub list, + relates child as list-item, + relates parent as owner; + +service-dll-refs sub list, + relates to as list-item, + relates from as owner; + + +values sub list, + relates to as list-item, + relates from as owner; + +received-lines sub linked-list; + +stix-attribute-string sub attribute, + value string, + + plays granular-marking:marking, + abstract; + + +stix-type sub stix-attribute-string; +stix-id sub stix-attribute-string; +stix-role sub stix-attribute-string; +spec-version sub stix-attribute-string; +labels sub stix-attribute-string; +langs sub stix-attribute-string; +defanged sub stix-attribute-string; +source-name sub stix-attribute-string; +url-link sub stix-attribute-string; +external-id sub stix-attribute-string; +name sub stix-attribute-string; +name-enc sub stix-attribute-string; +magic-number-hex sub stix-attribute-string; +mime-type sub stix-attribute-string; +aliases sub stix-attribute-string; +objective sub stix-attribute-string; +action sub stix-attribute-string; +context sub stix-attribute-string; +identity-class sub stix-attribute-string; +sector sub stix-attribute-string; +infrastructure-types sub stix-attribute-string; +contact-information sub stix-attribute-string; +indicator-type sub stix-attribute-string; +pattern sub stix-attribute-string; +pattern-type sub stix-attribute-string; +pattern-version sub stix-attribute-string; +goals sub stix-attribute-string; +resource-level sub stix-attribute-string; +primary-motivation sub stix-attribute-string; +secondary-motivations sub stix-attribute-string; +malware-types sub stix-attribute-string; +architecture-execution-envs sub stix-attribute-string; +implementation-languages sub stix-attribute-string; +capabilities sub stix-attribute-string; +region sub stix-attribute-string; +country sub stix-attribute-string; +administrative-area sub stix-attribute-string; +city sub stix-attribute-string; +street-address sub stix-attribute-string; +postal-code sub stix-attribute-string; +version sub stix-attribute-string; +configuration-version sub stix-attribute-string; +module sub stix-attribute-string; +analysis-engine-version sub stix-attribute-string; +analysis-definition-version sub stix-attribute-string; +result-name sub stix-attribute-string; +result sub stix-attribute-string; +note-abstract sub stix-attribute-string; +content sub stix-attribute-string; +authors sub stix-attribute-string; +explanation sub stix-attribute-string; +opinion-enum sub stix-attribute-string; +report-type sub stix-attribute-string; +sophistication sub stix-attribute-string; +personal-characteristics sub stix-attribute-string; +roles sub stix-attribute-string; +threat-actor-types sub stix-attribute-string; +tool-types sub stix-attribute-string; +tool-version sub stix-attribute-string; +vulnerability-types sub stix-attribute-string; +kill-chain-name sub stix-attribute-string; +kill-chain-phase-name sub stix-attribute-string; +summary sub stix-attribute-string; +payload-bin sub stix-attribute-string; +decryption-key sub stix-attribute-string; +path sub stix-attribute-string; +path-enc sub stix-attribute-string; +rir sub stix-attribute-string; +display-name sub stix-attribute-string; +content-type sub stix-attribute-string; +message-id sub stix-attribute-string; +subject sub stix-attribute-string; +body sub stix-attribute-string; +content-disposition sub stix-attribute-string; +comment sub stix-attribute-string; +sid sub stix-attribute-string; +owner-sid sub stix-attribute-string; +pdfid0 sub stix-attribute-string; +pdfid1 sub stix-attribute-string; +pe-type sub stix-attribute-string; +imphash sub stix-attribute-string; +machine-hex sub stix-attribute-string; +pointer-to-symbol-table-hex sub stix-attribute-string; +characterstics-hex sub stix-attribute-string; +win32-version-value-hex sub stix-attribute-string; +checksum-hex sub stix-attribute-string; +subsystem-hex sub stix-attribute-string; +dll-characteristics-hex sub stix-attribute-string; +loader-flags-hex sub stix-attribute-string; +magic-hex sub stix-attribute-string; +request-method sub stix-attribute-string; +request-value sub stix-attribute-string; +request-version sub stix-attribute-string; +icmp-type-hex sub stix-attribute-string; +icmp-code-hex sub stix-attribute-string; +service-name sub stix-attribute-string; +subject-public-key-algorithm sub stix-attribute-string; +subject-public-key-modulus sub stix-attribute-string; +certificate-policies sub stix-attribute-string; +crl-distribution-points sub stix-attribute-string; +subject-directory-attributes sub stix-attribute-string; +key-usage sub stix-attribute-string; +subject-alternative-name sub stix-attribute-string; +subject-key-identifier sub stix-attribute-string; +extended-key-usage sub stix-attribute-string; +name-constraints sub stix-attribute-string; +policy-mappings sub stix-attribute-string; +policy-constraints sub stix-attribute-string; +basic-constraints sub stix-attribute-string; +inhibit-any-policy sub stix-attribute-string; +authority-key-identifier sub stix-attribute-string; +issuer-alternative-name sub stix-attribute-string; +data sub stix-attribute-string; +user-id sub stix-attribute-string; +priority sub stix-attribute-string; +stix-value sub stix-attribute-string; +cwd sub stix-attribute-string; +command-line sub stix-attribute-string; +account-login sub stix-attribute-string; +group-name sub stix-attribute-string; +dst-flags-hex sub stix-attribute-string; +src-flags-hex sub stix-attribute-string; +product sub stix-attribute-string; +spe sub stix-attribute-string; +exif-tag-string sub stix-attribute-string; +window-title sub stix-attribute-string; +statement sub stix-attribute-string; +home-dir sub stix-attribute-string; +account-type sub stix-attribute-string; +credential sub stix-attribute-string; +attribute-key sub stix-attribute-string; +shell sub stix-attribute-string; +swid sub stix-attribute-string; +vendor sub stix-attribute-string; +description sub stix-attribute-string; +descriptions sub stix-attribute-string; +languages sub stix-attribute-string; +groups sub stix-attribute-string; + +received sub stix-attribute-string, + plays node:listed; +document-info sub stix-attribute-string, + plays document-info-dict:document-info; +protocol sub stix-attribute-string, + plays protocols:to; +ipfix-string sub stix-attribute-string, + plays ipfix:ipfix-field; +header sub stix-attribute-string, + plays request-header:header; +environment-variable sub stix-attribute-string, + plays environment-variables:variable; +startup sub stix-attribute-string, + plays startup-info:info; + +issuer sub stix-attribute-string; +serial-number sub stix-attribute-string; +signature-algorithm sub stix-attribute-string; +subject-public-key-exponent sub stix-attribute-string; + +hash-value sub stix-attribute-string, + plays hashes:hash-value; +key-abstract sub stix-attribute-string, + abstract; +key sub key-abstract; +hash-algorithm sub key-abstract, + regex "^(MD5|SHA-1|SHA-256|SHA-512|SHA3-256|SHA3-512|SSDEEP|TLSH)$"; +encryption-algorithm sub stix-attribute-string, + regex "^(AES-256-GCM|ChaCha20-Poly1305|mime-type-indicated)$"; +address-family sub stix-attribute-string, + regex "^(AF-UNSPEC|AF-INET|AF-IPX|AF-APPLETALK|AF-NETBIOS|AF-INET6|AF-IRDA|AF-BTH)$"; +socket-type sub stix-attribute-string, + regex "^(SOCK-STREAM|SOCK-DGRAM|SOCK-RAW|SOCK-RDM|SOCK-SEQPACKET)$"; +opinion-enum sub stix-attribute-string, + regex "^(strongly-disagree|disagree|neutral|agree|strongly-agree)$"; +integrity-level sub stix-attribute-string, + regex "^(low|medium|high|system)$"; +data-type sub stix-attribute-string, + regex "^(REG-NONE|REG-SZ|REG-EXPAND-SZ|REG-BINARY|REG-DWORD|REG-DWORD-BIG-ENDIAN|REG-LINK|REG-MULTI-SZ|REG-RESOURCE-LIST|REG-FULL-RESOURCE-DESCRIPTION|REG-RESOURCE-REQUIREMENTS-LIST|REG-QWORD|REG-INVALID-TYPE)$"; +start-type sub stix-attribute-string, + regex "^(SERVICE-AUTO-START|SERVICE-BOOT-START|SERVICE-DEMAND-START|SERVICE-DISABLED|SERVICE-SYSTEM-ALERT)$"; +service-type sub stix-attribute-string, + regex "^(SERVICE-KERNEL-DRIVER|SERVICE-FILE-SYSTEM-DRIVER|SERVICE-WIN32-OWN-PROCESS|SERVICE-WIN32-SHARE-PROCESS)$"; +service-status sub stix-attribute-string, + regex "^(SERVICE-CONTINUE-PENDING|SERVICE-PAUSE-PENDING|SERVICE-PAUSED|SERVICE-RUNNING|SERVICE-START-PENDING|SERVICE-STOP-PENDING|SERVICE-STOPPED)$"; +color sub stix-attribute-string, + regex "^(white|green|amber|red|clear)$"; +stix-attribute-double sub attribute, + value double, + + plays granular-marking:marked, + abstract; + +number sub stix-attribute-double; +latitude sub stix-attribute-double; +longitude sub stix-attribute-double; +precision sub stix-attribute-double; +number-observed sub stix-attribute-double; +count sub stix-attribute-double; +entropy sub stix-attribute-double; +size-ofuninitialized-data sub stix-attribute-double; + +stix-attribute-integer sub attribute, + value long, + + plays granular-marking:marked, + abstract; + +size sub stix-attribute-integer; +gid sub stix-attribute-integer; +image-height sub stix-attribute-integer; +image-width sub stix-attribute-integer; +bits-per-pixel sub stix-attribute-integer; +confidence sub stix-attribute-integer; +number-of-sections sub stix-attribute-integer; +number-of-symbols sub stix-attribute-integer; +size-of-optional-header sub stix-attribute-integer; +major-linker-version sub stix-attribute-integer; +minor-linker-version sub stix-attribute-integer; +size-of-code sub stix-attribute-integer; +size-of-initialized-data sub stix-attribute-integer; +size-of-uninitialized-data sub stix-attribute-integer; +address-of-entry-point sub stix-attribute-integer; +base-of-code sub stix-attribute-integer; +base-of-data sub stix-attribute-integer; +image-base sub stix-attribute-integer; +section-alignment sub stix-attribute-integer; +file-alignment sub stix-attribute-integer; +major-os-version sub stix-attribute-integer; +minor-os-version sub stix-attribute-integer; +major-image-version sub stix-attribute-integer; +minor-image-version sub stix-attribute-integer; +major-subsystem-version sub stix-attribute-integer; +minor-subsystem-version sub stix-attribute-integer; +size-of-image sub stix-attribute-integer; +size-of-headers sub stix-attribute-integer; +size-of-stack-reserve sub stix-attribute-integer; +size-of-stack-commit sub stix-attribute-integer; +size-of-heap-reserve sub stix-attribute-integer; +size-of-heap-commit sub stix-attribute-integer; +number-of-rva-and-sizes sub stix-attribute-integer; +message-body-length sub stix-attribute-integer; +number-subkeys sub stix-attribute-integer; +exif-tag-int sub stix-attribute-integer; +src-port sub stix-attribute-integer; +dst-port sub stix-attribute-integer; +src-byte-count sub stix-attribute-integer; +dst-byte-count sub stix-attribute-integer; +src-packets sub stix-attribute-integer; +dst-packets sub stix-attribute-integer; +socket-descriptor sub stix-attribute-integer; +socket-handle sub stix-attribute-integer; +pid sub stix-attribute-integer; +option sub stix-attribute-integer, + plays options:option; +ipfix-integer sub stix-attribute-integer, + plays ipfix:ipfix-field; + +stix-attribute-boolean sub attribute, + value boolean, + + plays granular-marking:marked, + abstract; + +is-family sub stix-attribute-boolean; +is-optimized sub stix-attribute-boolean; +is-self-signed sub stix-attribute-boolean; +dep-enabled sub stix-attribute-boolean; +is-active sub stix-attribute-boolean; +is-hidden sub stix-attribute-boolean; +is-blocking sub stix-attribute-boolean; +is-listening sub stix-attribute-boolean; +can-escalate-privs sub stix-attribute-boolean; +is-service-account sub stix-attribute-boolean; +is-privileged sub stix-attribute-boolean; +can-escalate-privs sub stix-attribute-boolean; +is-disabled sub stix-attribute-boolean; +is-multipart sub stix-attribute-boolean; +aslr-enabled sub stix-attribute-boolean; +revoked sub stix-attribute-boolean; + +stix-attribute-timestamp sub attribute, + value datetime, + + plays granular-marking:marked, + abstract; + +date sub stix-attribute-timestamp; +ctime sub stix-attribute-timestamp; +atime sub stix-attribute-timestamp; +mtime sub stix-attribute-timestamp; +created sub stix-attribute-timestamp; +modified sub stix-attribute-timestamp; +submitted sub stix-attribute-timestamp; +valid-from sub stix-attribute-timestamp; +valid-until sub stix-attribute-timestamp; +first-observed sub stix-attribute-timestamp; +last-observed sub stix-attribute-timestamp; +analysis-started sub stix-attribute-timestamp; +analysis-ended sub stix-attribute-timestamp; +published sub stix-attribute-timestamp; +first-seen sub stix-attribute-timestamp; +last-seen sub stix-attribute-timestamp; +time-date-stamp sub stix-attribute-timestamp; +end sub stix-attribute-timestamp; +start sub stix-attribute-timestamp; +created-time sub stix-attribute-timestamp; +modified-time sub stix-attribute-timestamp; +account-created sub stix-attribute-timestamp; +account-expires sub stix-attribute-timestamp; +credential-last-changed sub stix-attribute-timestamp; +account-first-login sub stix-attribute-timestamp; +account-last-login sub stix-attribute-timestamp; +validity-not-before sub stix-attribute-timestamp; +validity-not-after sub stix-attribute-timestamp; +private-key-usage-period-not-after sub stix-attribute-timestamp; +private-key-usage-period-not-before sub stix-attribute-timestamp; + +custom-attribute sub attribute, value string, + plays granular-marking:marked, + owns attribute-type; + +attribute-type sub attribute, value string; + +rule linked-list-item: +when { + { (list: $x, first: $z) isa first-element;} + or { + (list: $x, element: $y) isa list-element; + $y (next: $z) isa node; + }; + $x isa linked-list; + $z isa node; + $y isa node; +} then { + (list: $x, element: $z) isa list-element; +}; + +rule last-element-linked-list: +when { + (list: $x, element: $y) isa list-element; + not { + $z isa node; + $y (next: $z); + }; + $x isa linked-list; + $y isa node; + $z isa node; +} then { + (list: $x, last: $y) isa last-element; +}; + +rule transitive-use: +when { + $x isa stix-domain-object; + $y isa stix-domain-object; + $z isa stix-domain-object; + $use1 (using: $x, used: $y) isa uses; + $use2 (using: $y, used: $z) isa uses; +} then { + (using: $x, used: $z) isa uses; +}; + +rule attributed-to-when-using: +when { + (attributing: $z, attributed: $x) isa attributed-to; + (using: $x, used: $y) isa uses; +} then { + (using: $z, used: $y) isa uses; +}; + +rule attributed-to-when-targeting: +when { + (attributing: $z, attributed: $x) isa attributed-to; + (targeting: $x, targeted: $y) isa targets; +} then { + (targeting: $z, targeted: $y) isa targets; +}; + + + + + + + + diff --git a/cyber-threat-intelligence/examples/01-list-id-unknown.tql b/cyber-threat-intelligence/examples/01-list-id-unknown.tql new file mode 100644 index 0000000..f904199 --- /dev/null +++ b/cyber-threat-intelligence/examples/01-list-id-unknown.tql @@ -0,0 +1,19 @@ +# Example 01: + +# Let's start by getting a list of id-unknown in the database. +# +# We are querying for a list of actors with unknown ids. +# $t and $attribute are variables, which are used in the query. +# The query is a get query containing a single pattern matching statement. +# The query will return all the entities of type id-unknown in the database and their attributes. + +match +$t isa id-unknown, has $attribute; + +#-------------------------------------------------- +# Exercise 01: + +# Edit this query to show only the name and description of our id-unknown. +# Type hints: name, description + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql new file mode 100644 index 0000000..f742e29 --- /dev/null +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -0,0 +1,20 @@ +# Example 02: + +# Now let's see a list of actors in the database. +# +# We are querying for a list of identities. +# We are using the match keyword to match the identity type. +# As we can see, we match both identities and subtypes of identity like organizations. + + +match +$t isa identity, has $attribute; + +#-------------------------------------------------- +# Exercise 02: + +# Edit this query to list only id-unknown and identity. +# Keyword hints: not +# Type hints: organization + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql new file mode 100644 index 0000000..0f1eabc --- /dev/null +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -0,0 +1,37 @@ +# Example 03: + +# Now let's insert a new threat actor, a new malware and create an attribution relation between them. +# We will also add a new malware, bravo-malware, as well as a new threat-actor, bravo-threat. +# We will then use them both to create a new attributed-to relation. + +insert +$bravo-ta isa threat-actor, + has spec-version "2.1", + has stix-id "bravo-threat", + has created 2022-05-07T14:22:14.760, + has modified 2022-05-07T14:22:14.760, + has name "Bravo Attacker", + has threat-actor-types "spy", + has threat-actor-types "criminal"; + +$bravo-ma isa malware, + has spec-version "2.1", + has stix-id "bravo-malware", + has created 2022-05-07T14:22:14.760, + has modified 2022-05-07T14:22:14.760, + has description "Bravo Malware"; + +(attributing: $bravo-ta, attributed: $bravo-ma) isa attributed-to, + has spec-version "2.01", + has stix-id "bravo-threat-attributed-to-bravo-id"; + +#-------------------------------------------------- +# Exercise 03: + +# Display the threat-actor created in this example. +# Then Write a new query to give bravo-threat a third threat actor type: "insider". +# Try re-display the treat-actor to see the results of this insert query. +# Keyword hints: match, insert +# Type hints: threat-actor, threat-actor-types, stix-id + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql new file mode 100644 index 0000000..38d0cc5 --- /dev/null +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -0,0 +1,24 @@ +# Example 04: + +# Now let's insert a new targets relation between a specific malware and a specific id-unknown. +# We will use the stix-id attribute to identify the malware and the name attribute to identify the id-unknown. +# We will also assign a stix-id attribute to identify the new targets relation. + +match +$bravo-id isa id-unknown, has name "Adversary Bravo"; +$bravo-ma isa malware, has stix-id "bravo-malware"; + +insert +(targeting: $bravo-ma, targeted: $bravo-id) isa targets, + has stix-id "bravo-targets"; + +#-------------------------------------------------- +# Exercise 04: + +# Write a new query to find the id-unknown with stix-id "bravo-id-unknown" as well as the malware with stix-id "bravo-malware" +# and then, create a uses relationship to descibe the fact that the id-unknown is using the malware. +# You will need to give a new unique stix-id to your uses relationship. +# Keyword hints: match, insert, has +# Type hints: id-unknown, malware, uses + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql new file mode 100644 index 0000000..f3ee04b --- /dev/null +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -0,0 +1,31 @@ +# Example 05: + +# Now let's research the attack we described earlier using the id-unknown and threat-actor stix-id +# This query represents the following question: "Who targets the unknown id and what tool is used?" + +match +$t($x, $y) isa targets; +$c($a, $b) isa attributed-to; +$b has stix-id "bravo-threat"; +$x has stix-id "bravo-id-unknown"; + +#-------------------------------------------------- +# Exercise 05: + +# When we run this query, we get one result, but let's try toggling the inference button at the top to switch on +# TypeDB's rule-inference. Now if we run the query again, we get more attributes as well as a new relation +# shown in a green outline. This is because of a rule encoded into the schema: +# +# rule attributed-to-when-targeting: +# when { +# (attributing: $z, attributed: $x) isa attributed-to; +# (targeting: $x, targeted: $y) isa targets; +# } then { +# (targeting: $z, targeted: $y) isa targets; +# }; +# +# This rule makes uses relationship transitive, so if we know that a threat actor uses an unknown id, and that unknown +# id uses a target, then we can infer that the threat actor uses the target. This is a very powerful feature of TypeDB. +# + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql new file mode 100644 index 0000000..a53a136 --- /dev/null +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -0,0 +1,24 @@ +# Example 06: + +# Next, we will use the stix-id to find the attack pattern using the malware created in Exercise 03. +# We will then create a uses relationship between the attack pattern and malware. + +match +$bravo-ap isa attack-pattern, has stix-id "attack-pattern-bravo"; +$bravo-ma isa malware, has stix-id "bravo-malware"; + +insert +$u1 (used: $bravo-ap, using:$bravo-ma) isa uses, + has stix-id "bravo-uses-1"; + +#-------------------------------------------------- +# Exercise 06: + +# With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor. +# Create a query that finds the attack pattern and malware that are used by the threat actor with stix-id "bravo-threat". +# To switch on explanations, toggle the "snapshot", "infer", and "explain" buttons to on. +# You can double click on the green infered uses relationship to get an explanation of what triggered the inferred rule. +# Keyword hints: match, or +# Type hints: attack-pattern, malware, threat-actor, uses, stix-id + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql new file mode 100644 index 0000000..300419b --- /dev/null +++ b/cyber-threat-intelligence/examples/07-external-reference.tql @@ -0,0 +1,23 @@ +# Example 07: + +# From Example 06, we can see that some attack patterns have external references. +# We can use the same approach to find attack patterns that have external references. +# An external reference refers to a link or identifier that points to additional information or context about a specific threat or indicator. + +match +$e isa external-reference; +$e has $eid; +$a isa attack-pattern; +$rel (referencing: $a, referenced: $e) isa external-references; + +#-------------------------------------------------- +# Exercise 07: + +# Find all attack patterns that have external references. +# Return the name of the attack pattern and the external reference ID. +# Order by the name of the attack pattern. +# Keyword hints: match, sort +# Type hints: attack-pattern, external-reference + +#-------------------------------------------------- + diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql new file mode 100644 index 0000000..af32805 --- /dev/null +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql @@ -0,0 +1,22 @@ +# Example 08: + +# This example shows how to use a get query to find all the +# relationships between an attack pattern and an intrusion set that +# are referenced by a specific external reference. + +match +$a isa attack-pattern, has name $an; +$i isa intrusion-set, has name $in; +$rel (referencing: $a, referenced: $e) isa external-references; +$u (used: $a, using: $i) isa uses; + +#------------------------------------------------------------ +# Exercise 08: + +# Create an intrusion-set as well as a uses relation to link it to the malware owning "bravo-malware" as stix-id. +# You will need to provide a stix-id for both new intrusion-set and new uses relation. +# Modify the query from the Exercise 06 to include your intrusion-set as a potential roleplayer in the uses relationship. +# +# As we can see, two uses relations are infered, automatically creating a link between intrusion-set and threat-actor through attack-pattern. + +#------------------------------------------------------------ diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql new file mode 100644 index 0000000..626e10c --- /dev/null +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -0,0 +1,95 @@ +# Solutions + +# The solutions to each of the exercises can be found here. To run the query in a solution: make sure the correct +# session and transaction type are selected, highlight the intended query, right click and select "Run Selection". + +#-------------------------------------------------- +# Exercise 01 solution: + +match +$t isa id-unknown, has name $n, has description $d; + +#-------------------------------------------------- +# Exercise 02 solution: + +match +$t isa identity, has $attribute; +not{$t isa organization;}; + +#-------------------------------------------------- +# Exercise 03 solution: + +#display +match +$t isa threat-actor, has stix-id $n; +$n = "bravo-threat"; + +#insert new threat-actor-types +match +$t isa threat-actor, has stix-id $n; +$n = "bravo-threat"; + +insert +$t has threat-actor-types "insider"; + + + +#-------------------------------------------------- +# Exercise 04 solution: + +match +$bravo-id isa id-unknown, has stix-id "bravo-id-unknown"; +$bravo-ma isa malware, has stix-id "bravo-malware"; + +insert +(used: $bravo-ma, using: $bravo-id) isa uses, + has stix-id "bravo-uses"; + +#-------------------------------------------------- +# Exercise 06 solution: + +match +{$bravo-1 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-1 isa malware, has stix-id "bravo-malware";} or +{$bravo-1 isa threat-actor, has stix-id "bravo-threat";}; + +{$bravo-2 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-2 isa malware, has stix-id "bravo-malware";} or +{$bravo-2 isa threat-actor, has stix-id "bravo-threat";}; + +$new ($bravo-1, $bravo-2) isa uses; + +#-------------------------------------------------- +# Exercise 07 solution: + +match + +$e isa external-reference, has url-link $c; +$e has $eid; +$a isa attack-pattern, has name $d; +$rel (referencing: $a, referenced: $e) isa external-references; sort $d; + +#-------------------------------------------------- +# Exercise 08 solution: + +# insert new intrusion-set and uses relation +match +$bravo-2 isa malware, has stix-id "bravo-malware"; + +insert +$intrusion isa intrusion-set, has stix-id "bravo-intrusion"; +$bravo-uses (using: $intrusion, used: $bravo-2) isa uses, has stix-id "bravo-uses-3"; + +# search for uses between attack-pattern, malware, threat-actor and intrusion-set +match +{$bravo-1 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-1 isa malware, has stix-id "bravo-malware";} or +{$bravo-1 isa threat-actor, has stix-id "bravo-threat";} or +{$bravo-1 isa intrusion-set, has stix-id "bravo-intrusion";}; + +{$bravo-2 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-2 isa malware, has stix-id "bravo-malware";} or +{$bravo-2 isa threat-actor, has stix-id "bravo-threat";} or +{$bravo-2 isa intrusion-set, has stix-id "bravo-intrusion";}; + +$new ($bravo-1, $bravo-2) isa uses; diff --git a/cyber-threat-intelligence/insert-data.tql b/cyber-threat-intelligence/insert-data.tql new file mode 100644 index 0000000..ae3aef8 --- /dev/null +++ b/cyber-threat-intelligence/insert-data.tql @@ -0,0 +1,507 @@ +# These examples below demonstrate how to use STIX 2.1 concepts for common use cases. +# They are useful for linking multiple concepts together and provide more detail regarding STIX objects and properties. +# Source: +# https://oasiss-open.github.io/cti-documentation/stix/examples.html + + +# Clean old data: + +match $t isa thing; delete $t isa thing; +match $t isa threat-actor; insert $t has full-name "Bravo"; + + +# Example from: https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile +# Identifying a Threat Actor Profile +insert +$ta isa threat-actor, has name "Disco Team Threat Actor Group", + has spec-version "2.1", + has stix-id "threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428", + has created 2014-11-19T23:39:03.893, + has modified 2014-11-19T23:39:03.893, + has aliases "disco-team@stealthemail.com", + has aliases "Equipo del Discoteca", + has description "This organized threat actor group operates to create profit from all types of crime.", + has aliases "Equipo del Discoteca", + has stix-role "agent", + has goals "Steal Credit Card Information", + has sophistication "expert", + has resource-level "organization", + has threat-actor-types "crime syndicate", + has primary-motivation "personal-gain"; +$id isa organization, has name "Disco Team", has spec-version "2.1", + has stix-id "identity--733c5838-34d9-4fbf-949c-62aba761184c", + has created 2016-08-23T18:05:49.307, has modified 2016-08-23T18:05:49.307, + has description "Disco Team is the name of an organized threat actor crime-syndicate.", + has contact-information "disco-team@stealthemail.com"; + +(attributing: $ta, attributed: $id) isa attributed-to, has spec-version "2.1", + has stix-id "relationship--a2e3efb5-351d-4d46-97a0-6897ee7c77a0", + has created 2020-02-29T18:01:28.577, + has modified 2020-02-29T18:01:28.577; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/indicator-for-malicious-url +# Identicator for malicious URL +insert +$in isa indicator, has name "Malicious site hosting downloader", + has spec-version "2.1", + has description "This organized threat actor group operates to create profit from all types of crime.", + has created 2014-06-29T13:49:37.079, + has modified 2014-06-29T13:49:37.079, + has stix-id "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f", + has pattern "[url:value = 'http://x4z9arb.cn/4712/']", + has pattern-type "stix", + has valid-from 2014-06-29T13:49:37.079, + has indicator-type "malicious-activity"; +$ma isa malware, has name "x4z9arb backdoor", + has spec-version "2.1", + has stix-id "malware--162d917e-766f-4611-b5d6-652791454fca", + has created 2014-06-30T09:15:17.182, + has modified 2014-06-30T09:15:17.182, + has description "This malware attempts to download remote files after establishing a foothold as a backdoor.", + has malware-types "backdoor", + has malware-types "remote-access-trojan", + has is-family false; +$kill-chain-phase isa kill-chain-phase, + has kill-chain-name "mandiant-attack-lifecycle-model", + has kill-chain-phase-name "establish-foothold"; + +(used: $ma, using: $kill-chain-phase) isa kill-chain-phases; +(indicating: $in, indicated: $ma) isa indicates, + has spec-version "2.1", + has stix-id "relationship--864af2ea-46f9-4d23-b3a2-1c2adf81c265", + has created 2020-02-29T18:03:58.029, + has modified 2020-02-29T18:03:58.029; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/malware-indicator-for-file-hash +# Malware indicator for file hash +insert +$in isa indicator, has name "File hash for Poison Ivy variant", + has spec-version "2.1", + has stix-id "indicator--a932fcc6-exoeunthaoenut-476c-826f-cb970a5a1ade", + has created 2014-02-20T09:16:08.989, + has modified 2014-02-20T09:16:08.989, + has description "This file hash indicates that a sample of Poison Ivy is present.", + has indicator-type "malicious-activity", + has pattern "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']", + has pattern-type "stix", + has valid-from 2014-02-20T09:00:00; +$m isa malware, has name "Poison Ivy", + has spec-version "2.1", + has stix-id "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111", + has created 2014-02-20T09:16:08.989, + has modified 2014-02-20T09:16:08.989, + has malware-types "remote-access-trojan", + has is-family false; +(indicating: $in, indicated: $m) isa indicates, + has spec-version "2.1", + has stix-id "relationship--29dcdf68-1b0c-4e16-94ed-bcc7a9572f69", + has created 2020-02-29T18:09:12.808, + has modified 2020-02-29T18:09:12.808; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/sighting-of-an-indicator +# Sighting of an Indicator +insert +$malicious-url isa indicator, has name "Malicious URL", + has spec-version "2.1", + has stix-id "indicator--9299f726-ce06-492e-8472-2b52ccb53191", + has created 2017-02-27T13:57:10.515, + has modified 2017-02-27T13:57:10.515, + has description "This URL is potentially associated with malicious activity and is listed on several blacklist sites.", + has indicator-type "malicious-activity", + has pattern "[url:value = 'http://paypa1.banking.com']", + has pattern-type "stix", + has valid-from 2015-06-29T09:10:15.915; +$alpha isa organization, has name "Alpha Threat Analysis Org.", + has spec-version "2.1", + has stix-id "identity--39012926-a052-44c4-ae48-caaf4a10ee6e", + has created 2017-02-24T15:50:10.564, + has modified 2017-02-24T15:50:10.564, + has stix-role "Cyber Security", + has sector "technology", + has contact-information "info@alpha.org"; +$beta isa organization, has name "Beta Cyber Intelligence Company", + has spec-version "2.1", + has stix-id "identity--5206ba14-478f-4b0b-9a48-395f690c20a2", + has created 2017-02-26T17:55:10.442, + has modified 2017-02-26T17:55:10.442, + has stix-role "Cyber Security", + has sector "technology", + has contact-information "info@beta.com"; +(observed-data: $beta, sighting-of: $malicious-url) isa sighting, has stix-id "5206ba14-478f-4b0b-9a48-395f690c20a2"; +(creator: $alpha, created: $malicious-url) isa created-by; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/sighting-of-observed-data +# Sighting of Observed Data +insert +$pym isa organization, has name "Pym Technologies", + has spec-version "2.1", + has stix-id "identity--7865b6d2-a4af-45c5-b582-afe5ec376c33", + has created 2013-04-14T13:07:49.812, + has modified 2013-04-14T13:07:49.812, + has sector "technology", + has contact-information "hank@pymtech.com"; +$oscorp isa organization, has name "Oscorp Industries", + has spec-version "2.1" , + has stix-id "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c", + has created 2017-01-14T13:07:49.812, + has modified 2017-01-14T13:07:49.812, + has sector "technology", + has contact-information "norman@oscorp.com"; +$malware isa malware, has name "Online Job Site Trojan", + has spec-version "2.1", + has stix-id "malware--ae560258-a5cb-4be8-8f05-013d6712295f", + has created 2014-02-20T09:16:08.989, + has modified 2014-02-20T09:16:08.989, + has description "Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.", + has malware-types "remote-access-trojan", + has is-family false; +$file isa file, + has stix-id "file--364fe3e5-b1f4-5ba3-b951-ee5983b3538d", + has spec-version "2.1", + has size 83968, + has name "resume.pdf"; +$ploup isa hash-value; +$ploup "1717b7fff97d37a1e1a0029d83492de1"; +$plip isa hash-value; +$plip "1717b7fff97d37a1e1a0aa29d83492de1"; +(hash-value: $ploup, hashes-owner: $file) isa hashes, has hash-algorithm "MD5"; +(hash-value: $plip, hashes-owner: $file) isa hashes, has hash-algorithm "SHA-1"; +$data1 isa observed-data, + has spec-version "2.1", + has stix-id "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1", + has created 2017-02-28T19:37:11.213, + has modified 2017-02-28T19:37:11.213, + has first-observed 2017-02-27T21:37:11.213, + has last-observed 2017-02-27T21:37:11.213, + has number-observed 1; +$key isa windows-registry-key, + has stix-id "windows-registry-key--16b80d14-d574-5620-abad-10ff304b1c26", + has spec-version "2.1", + has attribute-key "HKEY-LOCAL-MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"; +$data2 isa observed-data, + has spec-version "2.1", + has stix-id "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4", + has created 2017-02-28T19:37:11.213, + has modified 2017-02-28T19:37:11.213, + has first-observed 2017-02-27T21:37:11.213, + has last-observed 2017-02-27T21:37:11.213, + has number-observed 1; +(creator: $oscorp, created: $data2) isa created-by; +(creator: $oscorp, created: $data1) isa created-by; +(creator: $pym, created: $malware) isa created-by; +(sighting-of: $malware, observed-data: $data1, observed-data: $data2) isa sighting, + has spec-version "2.1", + has stix-id "sighting--779c4ae8-e134-4180-baa4-03141095d971", + has created 2017-02-28T19:37:11.213, + has modified 2017-02-28T19:37:11.213, + has first-seen 2017-02-28T19:07:24.856, + has last-seen 2017-02-28T19:07:24.857, + has count 1; +(referencing: $data1, referenced: $file) isa external-references; +(referencing: $data2, referenced: $key) isa external-references; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware +# Threat Actor Leveraging Attack Patterns and Malware +insert +$bravo-ta isa threat-actor, + has spec-version "2.1", + has stix-id "threat-actor-bravo", + has created 2015-05-07T14:22:14.760, + has modified 2015-05-07T14:22:14.760, + has name "Adversary Bravo", + has description "Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.", + has threat-actor-types "spy", + has threat-actor-types "criminal"; +$poison-ivy isa malware, + has spec-version "2.1", + has stix-id "malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4", + has created 2015-04-23T11:12:34.760, + has modified 2015-04-23T11:12:34.760, + has name "Poison Ivy Variant d1c6", + has is-family false, + has malware-types "remote-access-trojan"; +$kill-chain-phase isa kill-chain-phase, + has kill-chain-name "mandiant-attack-lifecycle-model", + has kill-chain-phase-name "initial-compromise"; +(used: $poison-ivy, using: $kill-chain-phase) isa kill-chain-phases; +$phishing isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5", + has created 2015-05-07T14:22:14.760, + has modified 2015-05-07T14:22:14.760, + has name "Phishing", + has description "Spear phishing used as a delivery mechanism for malware."; +(used: $phishing, using: $kill-chain-phase) isa kill-chain-phases; + +$bravo-id isa id-unknown, + has spec-version "2.1", + has stix-id "bravo-id-unknown", + has created 2015-05-10T16:27:17.760, + has modified 2015-05-10T16:27:17.760, + has name "Adversary Bravo", + has description "Adversary Bravo is a threat actor that utilizes phishing attacks."; +# (using: $bravo-ta, used: $poison-ivy) isa uses, +# has spec-version "2.1", +# has stix-id "relationship--d44019b6-b8f7-4cb3-837e-7fd3c5724b87", +# has created 2020-02-29T18:18:08.661, +# has modified 2020-02-29T18:18:08.661; +# (using: $bravo-ta, used: $phishing) isa uses, +# has spec-version "2.1", +# has stix-id "relationship--3cd2d6f9-0ded-486b-8dca-606283a8997f", +# has created 2020-02-29T18:18:08.661, +# has modified 2020-02-29T18:18:08.661; +# (attributing: $bravo-ta, attributed: $bravo-id) isa attributed-to, +# has spec-version "2.1", +# has stix-id "relationship--56e5f1c8-08f3-4e24-9e8e-f87d844672ec", +# has created 2020-02-29T18:18:08.661, +# has modified 2020-02-29T18:18:08.661; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/malware-indicator-for-file-hash +# Malware Indicator for File Hash +insert +$in isa indicator, has name "Malicious site hosting downloader", + has spec-version "2.1", + has description "File hash for Poison Ivy variant", + has created 2014-02-20T09:16:08.989, + has modified 2014-02-20T09:16:08.989, + has stix-id "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade", + has pattern "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']", + has pattern-type "stix", + has valid-from 2014-02-20T09:00:00, + has indicator-type "malicious-activity"; +$ma isa malware, has name "Poison Ivy", + has spec-version "2.1", + has stix-id "malware--fdd60b30-b67c-41aoeuaoeub9-f01faf20d111", + has created 2014-02-20T09:16:08.989, + has modified 2014-02-20T09:16:08.989, + has malware-types "backdoor", + has malware-types "remote-access-trojan", + has is-family false; + +(indicating: $in, indicated: $ma) isa indicates, + has spec-version "2.1", + has stix-id "relationship--29dcdf68-1b0c-4e16-94ed-bcconkh-347a9572f69", + has created 2020-02-29T18:09:12.808, + has modified 2020-02-29T18:09:12.808; + +# Example from: https://oasis-open.github.io/cti-documentation/examples/defining-campaign-ta-is +# Defining Campaigns vs. Threat Actors vs. Intrusion Sets +insert + +$bravo-at isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern-bravo", + has created 2015-05-10T16:27:16.760, + has modified 2015-05-10T16:27:16.760, + has name "Attack Pattern Bravo"; + +$bpp-ta isa threat-actor, + has spec-version "2.1", + has stix-id "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500", + has created 2016-08-08T15:50:10.983, + has modified 2016-08-08T15:50:10.983, + has name "Fake BPP (Branistan Peoples Party)", + has threat-actor-types "nation-state", + has roles "director", + has goals "Influence the election in Branistan", + has sophistication "strategic", + has resource-level "government", + has primary-motivation "ideology", + has secondary-motivations "dominance"; + +$id1 isa identity, + has spec-version "2.1", + has stix-id "identity--8c6af861-7b20-41ef-9b59-6344fd872a8f", + has created 2016-08-08T15:50:10.983, + has modified 2016-08-08T15:50:10.983, + has name "Franistan Intelligence", + has identity-class "organization"; + +$id2 isa identity, + has spec-version "2.1", + has stix-id "identity--ddfe7140-2ba4-48e4-b19a-df069432103b", + has created 2016-08-08T15:50:10.983, + has modified 2016-08-08T15:50:10.983, + has name "Branistan Peoples Party", + has identity-class "organization"; + +$er1 isa external-reference, + has source-name "website", + has url-link "http://www.bpp.bn"; + +(referencing: $id2, referenced: $er1) isa external-references; + +$at1 isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a", + has created 2016-08-08T15:50:10.983, + has modified 2017-01-30T21:15:04.127, + has name "Content Spoofing"; + +$er2 isa external-reference, + has source-name "capec", + has url-link "https://capec.mitre.org/data/definitions/148.html", + has external-id "CAPEC-148"; + +(referencing: $at1, referenced: $er2) isa external-references; + +$at2 isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c", + has created 2016-08-08T15:50:10.983, + has modified 2017-01-30T21:15:04.127, + has name "HTTP Flood"; + +$er3 isa external-reference, + has source-name "capec", + has url-link "https://capec.mitre.org/data/definitions/488.html", + has external-id "CAPEC-488"; + +(referencing: $at2, referenced: $er3) isa external-references; + +$ca1 isa campaign, + has spec-version "2.1", + has stix-id "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e", + has created 2016-08-08T15:50:10.983, + has modified 2016-08-08T15:50:10.983, + has name "Operation Bran Flakes", + has description "A concerted effort to insert false information into the BPP's web pages.", + has aliases "OBF", + has first-seen 2016-01-08T12:50:40.123, + has objective "Hack www.bpp.bn"; + +$ca2 isa campaign, + has spec-version "2.1", + has stix-id "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727", + has created 2016-08-08T15:50:10.983, + has modified 2016-08-08T15:50:10.983, + has name "Operation Raisin Bran", + has description "A DDOS campaign to flood BPP web servers.", + has aliases "ORB", + has first-seen 2016-02-07T19:45:32.126, + has objective "Flood www.bpp.bn"; + +$is1 isa intrusion-set, + has spec-version "2.1", + has stix-id "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713", + has created 2016-08-08T15:50:10.983, + has modified 2016-08-08T15:50:10.983, + has name "APT BPP", + has description "An advanced persistent threat that seeks to disrupt Branistan's election with multiple attacks.", + has aliases "Bran-teaser", + has first-seen 2016-01-08T12:50:40.123, + has goals "Influence the Branistan election", + has goals "Disrupt the BPP", + has sophistication "strategic", + has resource-level "government", + has primary-motivation "ideology", + has secondary-motivations "dominance"; + +$ato1 (attributing: $ca1, attributed: $bpp-ta) isa attributed-to; +$ato1 has spec-version "2.1", + has stix-id "relationship--98765000-efdf-4a86-8681-36481ceae57f", + has created 2020-02-29T17:41:44.938, + has modified 2020-02-29T17:41:44.938; + +$ato2 (attributing: $ca2, attributed: $bpp-ta) isa attributed-to; +$ato2 has spec-version "2.1", + has stix-id "relationship--53a55c73-f2c8-47b9-8e50-ae34d8c5da4d", + has created 2020-02-29T17:41:44.938, + has modified 2020-02-29T17:41:44.938; + +$ato3 (attributing: $ca1, attributed: $is1) isa attributed-to; +$ato3 has spec-version "2.1", + has stix-id "relationship--5047c2c0-524b-4afd-9cd6-e197efe59495", + has created 2020-02-29T17:41:44.939, + has modified 2020-02-29T17:41:44.939; + +$ato4 (attributing: $ca2, attributed: $is1) isa attributed-to; +$ato4 has spec-version "2.1", + has stix-id "relationship--9cc131ca-b64d-4ab1-a300-5e4a0073280a", + has created 2020-02-29T17:41:44.939, + has modified 2020-02-29T17:41:44.939; + +$ato5 (attributing: $is1, attributed: $bpp-ta) isa attributed-to; +$ato5 has spec-version "2.1", + has stix-id "relationship--c171fd27-2a8a-42b7-8293-34016b70c1c8", + has created 2020-02-29T17:41:44.939, + has modified 2020-02-29T17:41:44.939; + +$ato6 (targeting: $is1, targeted: $id2) isa targets; +$ato6 has spec-version "2.1", + has stix-id "relationship--554e3341-d7b1-4b3c-a522-28ef52fbb49b", + has created 2020-02-29T17:41:44.939, + has modified 2020-02-29T17:41:44.939; + +$ato7 (using: $is1, used: $at1) isa uses; +$ato7 has spec-version "2.1", + has stix-id "relationship--06964095-5750-41fe-a9af-6c6a9d995489", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato8 (using: $is1, used: $at2) isa uses; +$ato8 has spec-version "2.1", + has stix-id "relationship--4fe5dab1-fd6d-41aa-b8b1-d3118a708284", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato9 (targeting: $ca1, targeted: $id2) isa targets; +$ato9 has spec-version "2.1", + has stix-id "relationship--d8b7932d-0ecb-4891-b021-c78ff2b63747", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato10 (targeting: $ca2, targeted: $id2) isa targets; +$ato10 has spec-version "2.1", + has stix-id "relationship--96cfbc6f-5c08-4372-b811-b90fbb2ec180", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato11 (using: $ca1, used: $at1) isa uses; +$ato11 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0a", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato12 (using: $ca2, used: $at2) isa uses; +$ato12 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0b", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato13 (impersonating: $bpp-ta, impersonated: $id2) isa impersonates; +$ato13 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0c", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato14 (targeting: $bpp-ta, targeted: $id2) isa targets; +$ato14 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0d", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato15 (attributing: $bpp-ta, attributed: $id1) isa attributed-to; +$ato15 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0e", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato16 (targeting: $ca2, targeted: $id1) isa targets; +$ato16 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0f", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato17 (using: $bpp-ta, used: $at1) isa uses; +$ato17 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b10", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; + +$ato18 (using: $bpp-ta, used: $at2) isa uses; +$ato18 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b11", + has created 2020-02-29T17:41:44.940, + has modified 2020-02-29T17:41:44.940; +