opencybersecurityalliance / stix-shifter

This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.

Home Page:https://stix-shifter.readthedocs.io

Use `software` SCO to represent `pe` attributes in elastic_ecs connector mappings

Harmedox opened this issue · comments

The `pe` attributes in the `file` SCO object of the elastic_ecs connector mapping files can be better represented using the `software` SCO object, implemented as a reference from the `file` object.

```
"software_ref.name": "file.pe.original_file_name"
"software_ref.vendor": "file.pe.company"
"software_ref.version": "file.pe.file_version"
```

The solution should have this format:

```json
{
    "0": {
        "type": "file",
        "x_software_ref": "1",
        "name": "svchost.exe",
        "hashes": {
            "SHA-256": "aaaa1111bbbb2222aaaa1111bbbb2222aaaa1111bbbb2222aaaa1111bbbb2222",
            "MD5": "00001111aaaa00001111aaaa00001111"
        }
    },
    "1": {
        "type": "software",
        "vendor": "Microsoft Corporation",
        "version": "10.0.17763.1 (WinBuild.160101.0800)",
        "name": "svchost.exe"
    }
}
```
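As an added illustration (example code, not stix-shifter's own translator), the mapper below turns a constructed ECS event with `file.pe.*` fields into the string-keyed `objects` layout requested above, emitting the PE metadata as a `software` SCO and pointing the `file` SCO at it through `x_software_ref`. The ECS field names, the mapping table and the sample values are assumptions for the example; the reference is only written when a `software` object was actually produced, so events without PE metadata do not get a dangling reference.

```python
# Added example (not stix-shifter code): ECS file.pe.* -> `software` SCO referenced from `file`.
ECS_TO_STIX = {  # ECS dotted path -> (SCO label, STIX property path); assumed mapping
    "file.name": ("file", "name"),
    "file.hash.sha256": ("file", "hashes.SHA-256"),
    "file.hash.md5": ("file", "hashes.MD5"),
    "file.pe.original_file_name": ("software", "name"),
    "file.pe.company": ("software", "vendor"),
    "file.pe.file_version": ("software", "version"),
}

def _get_path(event, dotted):
    """Walk a nested dict by a dotted ECS path; None if a segment is missing."""
    for part in dotted.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def _set_path(obj, dotted, value):
    """Set a dotted STIX property, creating nested dicts (e.g. hashes.MD5)."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        obj = obj.setdefault(part, {})
    obj[leaf] = value

def ecs_to_objects(event):
    """Translate one ECS event into {"0": {...}, "1": {...}} SCO objects; the
    ref is written only if pe.* fields produced a software object (no dangling ref)."""
    by_label = {}
    for ecs_path, (label, prop) in ECS_TO_STIX.items():
        value = _get_path(event, ecs_path)
        if value is not None:
            _set_path(by_label.setdefault(label, {"type": label}), prop, value)
    ids = {label: str(i) for i, label in enumerate(by_label)}  # "0", "1", ...
    if "file" in by_label and "software" in by_label:
        by_label["file"]["x_software_ref"] = ids["software"]
    return {ids[label]: obj for label, obj in by_label.items()}

def dangling_refs(objects):
    """Return *_ref values that do not resolve to an object key (expect none)."""
    return [v for o in objects.values() for k, v in o.items()
            if k.endswith("_ref") and v not in objects]

# Constructed sample ECS document; values are illustrative, not real telemetry.
SAMPLE_EVENT = {"file": {
    "name": "svchost.exe",
    "hash": {"sha256": "aaaa1111bbbb2222" * 4, "md5": "00001111aaaa" * 2 + "00001111"},
    "pe": {"original_file_name": "svchost.exe", "company": "Microsoft Corporation",
           "file_version": "10.0.17763.1 (WinBuild.160101.0800)"},
}}
```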