Email with Attachment creates attachment.zip

[hanymorcos]

I'm using STIX samples from https://stix.mitre.org/language/version1.1.1/samples.html. How are attachments handled in STIX 2.1? Where should the file attachments.zip exist? Should attachments.zip be created part of the transformation process?

https://raw.githubusercontent.com/STIXProject/schemas/version_1.1.1/samples/STIX_Email_wFullAttachment.xml

{
    "id": "bundle--075427ae-4021-410c-8d0b-2cde003a1e7b",
    "objects": [
        {
            "created": "2014-05-08T09:00:00.000Z",
            "first_observed": "2014-05-08T09:00:00.000Z",
            "id": "observed-data--9d299eb7-c089-465a-bf5f-d6283c251645",
            "last_observed": "2014-05-08T09:00:00.000Z",
            "modified": "2014-05-08T09:00:00.000Z",
            "number_observed": 1,
            "objects": {
                "0": {
                    "is_multipart": false,
                    "type": "email-message"
                },
                "1": {
                    "name": "attachments.zip",
                    "type": "file"
                }
            },
            "spec_version": "2.1",
            "type": "observed-data"
        }
    ],
    "type": "bundle"
}

[rpiazza]

Thanks @hanymorcos!

The elevator should have created a file or archive file which referenced an artifact. I'll look into this, but it might be beyond the capabilities of the elevator at this time.

[rpiazza]

I looked into this, and I was correct - the elevator doesn't handle this content. It is certainly legal STIX 1.x, but I don't think this would have been the optimal way to encode this email message. That was part of the problem with STIX 1.x, there were so many different ways to specify the same content.

For one, there is an <email:attachments> tag that I would probably have used instead of just having the attachment as a related object. Here is an example where that was done, and it is supported by the elevator.

<cybox:Object id="example:EmailMessage-9d56af8e-5588-4ed3-affd-bd769ddd7fe2">
            <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
                        <EmailMessageObj:Attachments>
                            <EmailMessageObj:File object_reference="example:File-c182bcb6-8023-44a8-b340-157295abc8a6"/>
                        </EmailMessageObj:Attachments>
            </cybox:Properties>
            <cybox:Related_Objects>
                        <cybox:Related_Object id="example:File-c182bcb6-8023-44a8-b340-157295abc8a6">
                            <cybox:Properties xsi:type="FileObj:FileObjectType">
                                <FileObj:File_Name condition="StartsWith">Final Report</FileObj:File_Name>
                                <FileObj:File_Extension condition="Equals">doc.exe</FileObj:File_Extension>
                            </cybox:Properties>
                            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
                        </cybox:Related_Object>
            </cybox:Related_Objects>
</cybox:Object>

I will keep this open as an enhancement request.