Support for 2nd degree relations

[pcoccoli]

All the relations supported by FIND are "first" degree: a direct reference from one SCO to another. While trying to write a hunt for DLL hijacking, I hit this:

dropper = FIND process CREATED dlls
[ERROR] UnsupportedRelation: unsupported relation "process--created--file"
check for supported relations and entity types in the documentation.

While STIX lacks and reference between process and file aside from binary_ref/image_ref, most stix-shifter connectors use the extension x-oca-event SCO, which include a process_ref and a file_ref. Certain events, like Windows Sysmon File Create events, are likely mapped so that those 2 refs in a single x-oca-event could represent the "process--created--file" relation. This should be true when the provider is the right Windows channel and code is the proper event ID.

There are likely lots of other 2nd degree relations, like network-traffic's src_ref and dst_ref objects (this could be a CONNECTED relation).

[subbyte]

Good task to upgrade FIND.

We can choose to expose the 1st degree relation of process--x-oca-event and x-oca-event--file, or not to expose it for this issue.

• If not, the implementation is 2nd degree relation resolution, while what users see if 1st degree (it is OK).
• If exposed, this needs to involve:
  • Treating x-oca-event as an entity for now or starting the type of event as a first-class citizen (needed in the long run).
  • Thinking how to express relation process--x-oca-event, or generally, relation between entity and event.