Cyber-observable Objects for Digital Forensics
The goal of this project is to create a list of customized STIX™ Cyber-observable Objects (SCOs) that support digital forensic investigations. We follow the STIX specification for customizing objects. The most important rule for creating a new object type is:
- The value of the type property in a Custom Object SHOULD start with "x-" followed by a source-unique identifier (such as a domain name with dots replaced by hyphens), a hyphen, and then the name. For example, x-example-com-customobject.
Table of Contents (updating)
- SCOs for digital forensics
- Other extension
Windows Event Object
Type Name: x-windows-evt
Properties
| Property Name | Type | Description |
| --- | --- | --- |
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id (required) | identifier | The ID of a security event. |
| log_name (required) | enum | The value of this property MUST come from the log-name-enum enumeration. |
| logged_time (required) | timestamp | |
| source | string | |
| event_id | integer | |
| task_category | string | |
| computer | string | The name of the computer. |
| user_account_ref | identifier | The user account that is associated with the event. |
| belongs_to_ref (required) | identifier | The relation describes that the event is a part of a file or artifact (e.g., cache, memory). |
Relationships
| Source | Relationship Type | Target | Description |
| --- | --- | --- | --- |
Log Name Enumeration
Enumeration Name: log-name-enum
| Vocabulary Value | Description |
| --- | --- |
| application | |
| security | |
| setup | |
| system | |
| forwarded-events | |
Browser History Event Object
Type Name: x-browser-history-evt
Properties
| Property Name | Type | Description |
| --- | --- | --- |
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a browser history record. |
| url | string | |
| title | string | The title of the web page that was visited. |
| visit_time | timestamp | The time of the last visit. |
| visit_count | integer | The number of times the page was visited. |
| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. |
| browser_ref | identifier | The referenced object SHOULD be of type software. |
| file_requested_ref | identifier | The ID of the file requested over HTTP. |
| user_account_ref | identifier | The user account that is associated with the record. |
| belongs_to_ref (required) | identifier | The relation describes that the event is a part of a file or artifact (e.g., cache, memory). |
Relationships
| Source | Relationship Type | Target | Description |
| --- | --- | --- | --- |
Browser Name Open Vocabulary
Vocabulary Name: browser-name-ov
| Vocabulary Value | Description |
| --- | --- |
| chrome | Google Chrome browser |
| ie | Internet Explorer |
| edge | Microsoft Edge |
| firefox | Mozilla Firefox |
| safari | Apple Safari |
| chromium | Open-source Chrome alternative |
| opera | |
| maxthon | |
| brave | |
| 360-secure | 360 Secure Browser |
| tor | |
| other | |
threat-actor-type-ov external reference
| Vocabulary Value | Description |
| --- | --- |
| criminal-intellectual-property-theft | An individual that intentionally deprives someone of his or her intellectual property. |
| criminal-ransomware | |
| criminal-business-email-compromise | |
| criminal-identity-theft | |
| criminal-spoofing-and-phishing | |
| criminal-memory-laundry | |
| insider-disgruntled-sabotage | |
| insider-disgruntled-violence | |
| insider-disgruntled-theft | |
| insider-disgruntled-fraud | |
| insider-disgruntled-espionage | |
| insider-disgruntled-embarrassing | |
| insider-disgruntled-harassing | |
| illegal-possessor | An individual that owns, produces, or distributes illegal information and devices. |
| online-predators | An individual that makes sexual advances to minors. |
references: