Documentation
Overview
Package observeddata implements the STIX 2.1 Observed Data object.
The following information comes directly from the STIX 2.1 specification.
Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means.
Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations.
Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered.
Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).
To support backwards compatibility, related SCOs can still be specified using the objects property. Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time.
Index
- type ObservedData
- func Decode(data []byte) (*ObservedData, error)
- func New() *ObservedData
- func (o *ObservedData) Encode() ([]byte, error)
- func (o *ObservedData) EncodeToString() (string, error)
- func (o *ObservedData) GetPropertyList() []string
- func (o *ObservedData) SetFirstObserved(t interface{}) error
- func (o *ObservedData) SetFirstObservedToCurrentTime() error
- func (o *ObservedData) SetLastObserved(t interface{}) error
- func (o *ObservedData) SetLastObservedToCurrentTime() error
- func (o *ObservedData) SetNumberObserved(i int) error
- func (o *ObservedData) SetObjects(s string) error
- func (o *ObservedData) UnmarshalJSON(b []byte) error
- func (o *ObservedData) Valid() (bool, int, []string)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ObservedData
type ObservedData struct {
	objects.CommonObjectProperties
	FirstObserved  string `json:"first_observed,omitempty" bson:"first_observed,omitempty"`
	LastObserved   string `json:"last_observed,omitempty" bson:"last_observed,omitempty"`
	NumberObserved int    `json:"number_observed,omitempty" bson:"number_observed,omitempty"`
	Objects        string `json:"objects,omitempty" bson:"objects,omitempty"`
	properties.ObjectRefsProperty
}
ObservedData - This type implements the STIX 2 Observed Data SDO and defines all of the properties and methods needed to create and work with this object. All of the methods not defined local to this type are inherited from the individual properties.
func Decode (added in v0.6.1)
func Decode(data []byte) (*ObservedData, error)
Decode - This function is a simple wrapper for decoding JSON data. It will decode a slice of bytes into an actual struct and return a pointer to that object along with any errors.
func New
func New() *ObservedData
New - This function will create a new STIX Observed Data object and return it as a pointer. It will also initialize the object by setting all of the basic properties.
func (*ObservedData) Encode (added in v0.6.1)
func (o *ObservedData) Encode() ([]byte, error)
Encode - This method is a simple wrapper for encoding an object into JSON, returned as a byte slice.
func (*ObservedData) EncodeToString (added in v0.6.1)
func (o *ObservedData) EncodeToString() (string, error)
EncodeToString - This method is a simple wrapper for encoding an object into JSON, returned as a string.
func (*ObservedData) GetPropertyList (added in v0.6.1)
func (o *ObservedData) GetPropertyList() []string
GetPropertyList - This method will return a list of all of the properties that are unique to this object. This is used by the custom UnmarshalJSON for this object. It is defined here in this file to make it easy to keep in sync.
func (*ObservedData) SetFirstObserved
func (o *ObservedData) SetFirstObserved(t interface{}) error
SetFirstObserved - This method takes in a timestamp in either time.Time or string format and updates the first observed property.
func (*ObservedData) SetFirstObservedToCurrentTime
func (o *ObservedData) SetFirstObservedToCurrentTime() error
SetFirstObservedToCurrentTime - This method sets the first observed time to the current time.
func (*ObservedData) SetLastObserved
func (o *ObservedData) SetLastObserved(t interface{}) error
SetLastObserved - This method takes in a timestamp in either time.Time or string format and updates the last observed property.
func (*ObservedData) SetLastObservedToCurrentTime
func (o *ObservedData) SetLastObservedToCurrentTime() error
SetLastObservedToCurrentTime - This method sets the last observed time to the current time.
func (*ObservedData) SetNumberObserved
func (o *ObservedData) SetNumberObserved(i int) error
SetNumberObserved - This method takes in an integer that represents the number of times the described entity was observed and updates the number observed property.
func (*ObservedData) SetObjects
func (o *ObservedData) SetObjects(s string) error
SetObjects - This method takes in a string value that represents a cyber observable JSON object and updates the objects property.
func (*ObservedData) UnmarshalJSON (added in v0.6.1)
func (o *ObservedData) UnmarshalJSON(b []byte) error
UnmarshalJSON - This method overrides the default UnmarshalJSON method to enable custom properties that this library does not know about. It will store them in a map where the value of each key is a byte array. This way a tool that does know how to deal with them can further process them after decoding is done. This also allows the storage of the raw JSON data.
func (*ObservedData) Valid (added in v0.6.1)
func (o *ObservedData) Valid() (bool, int, []string)
Valid - This method will verify and test all of the properties on an object to make sure they are valid per the specification. It will return a boolean, an integer that tracks the number of problems found, and a slice of strings that contain the detailed results, whether good or bad.
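The Overview above quotes the rules an Observed Data object has to satisfy (number_observed of 1 or more, a first_observed/last_observed window, and exactly one of objects or object_refs), and the UnmarshalJSON and Valid descriptions explain how unknown properties are retained and how validation reports problems. The following is an added example, not code from libstix2, that shows both mechanisms using only the Go standard library: a small model type whose custom UnmarshalJSON keeps unrecognized keys as raw JSON, a Valid method that enforces the quoted rules, and a constructed firewall-aggregate sample. The type name observedData, the helper functions, the property list and the sample identifiers are assumptions made for this illustration. The model treats first_observed and last_observed as required UTC timestamps, as STIX 2.1 does; which checks the library's own Valid performs is not documented on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// observedData is an added stand-alone model, not the libstix2 ObservedData type.
type observedData struct {
	Type           string                     `json:"type"`
	ID             string                     `json:"id"`
	FirstObserved  string                     `json:"first_observed,omitempty"`
	LastObserved   string                     `json:"last_observed,omitempty"`
	NumberObserved int                        `json:"number_observed,omitempty"`
	Objects        json.RawMessage            `json:"objects,omitempty"`
	ObjectRefs     []string                   `json:"object_refs,omitempty"`
	Custom         map[string]json.RawMessage `json:"-"` // unknown properties, kept as raw JSON
}

// knownProperties plays the role of a property list: any other key is custom.
var knownProperties = map[string]bool{
	"type": true, "id": true, "first_observed": true, "last_observed": true,
	"number_observed": true, "objects": true, "object_refs": true,
}

// UnmarshalJSON decodes the known properties normally and stashes the rest.
func (o *observedData) UnmarshalJSON(b []byte) error {
	type plain observedData // same fields, no methods, so no recursion
	var p plain
	if err := json.Unmarshal(b, &p); err != nil {
		return err
	}
	var all map[string]json.RawMessage
	if err := json.Unmarshal(b, &all); err != nil {
		return err
	}
	*o = observedData(p)
	o.Custom = map[string]json.RawMessage{}
	for k, v := range all {
		if !knownProperties[k] {
			o.Custom[k] = v
		}
	}
	return nil
}

// parseStixTime accepts RFC 3339 timestamps in UTC written with a trailing Z.
func parseStixTime(name, s string) (time.Time, error) {
	t, err := time.Parse(time.RFC3339Nano, s)
	if err != nil || !strings.HasSuffix(s, "Z") {
		return time.Time{}, fmt.Errorf("%s: %q is not a UTC timestamp ending in Z", name, s)
	}
	return t, nil
}

// Valid applies the rules quoted from the specification above: UTC timestamps
// in order, number_observed of at least 1, and exactly one of objects or object_refs.
func (o *observedData) Valid() (bool, []string) {
	var problems []string
	fail := func(msg string) { problems = append(problems, msg) }
	first, errFirst := parseStixTime("first_observed", o.FirstObserved)
	last, errLast := parseStixTime("last_observed", o.LastObserved)
	for _, err := range []error{errFirst, errLast} {
		if err != nil {
			fail(err.Error())
		}
	}
	if errFirst == nil && errLast == nil && last.Before(first) {
		fail("last_observed must not precede first_observed")
	}
	if o.NumberObserved < 1 {
		fail("number_observed must be 1 or greater")
	}
	if (len(o.Objects) > 0) == (len(o.ObjectRefs) > 0) {
		fail("exactly one of objects or object_refs must be present")
	}
	return len(problems) == 0, problems
}

// checkObservedData decodes one object and validates it; the decoded object is
// returned so the caller can inspect Custom.
func checkObservedData(raw []byte) (*observedData, bool, []string, error) {
	var o observedData
	if err := json.Unmarshal(raw, &o); err != nil {
		return nil, false, nil, err
	}
	ok, problems := o.Valid()
	return &o, ok, problems, nil
}

// Constructed sample (not from the page): a ten-minute firewall aggregate of one
// IP address, plus a custom property (x_example_sensor) this model does not know.
var sampleAggregate = []byte(`{
  "type": "observed-data", "number_observed": 50, "x_example_sensor": "fw-01",
  "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
  "first_observed": "2015-12-21T19:00:00Z", "last_observed": "2015-12-21T19:10:00Z",
  "object_refs": ["ipv4-addr--efcd5e80-570d-4131-b213-62cb18eaa6a8"]
}`)
```

Two points carry over to the library type documented above. First, unknown keys survive decoding only because they are captured as raw bytes; once a tool has processed them it must merge them back before re-encoding, since a struct field tagged json:"-" is never written out. Second, NumberObserved carries omitempty, so an object on which number_observed was never set is encoded without that property rather than with a visible 0; run Valid() before Encode() so a missing required property is reported instead of silently dropped.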