
Soltra Edge Build

A prime feature of Soltra Edge is the builder. The Soltra Edge builder allows a Soltra Edge admin or user of the appliance to author STIX documents without hand-writing XML, which avoids human error in document creation and shortens the time from creation to publication.

Understanding STIX

STIX is a structured language for cyber threat intelligence. STIX allows different organizations to share CTI in a consistent and machine-readable way.

For a greater understanding of STIX, please visit the OASIS STIX site: https://oasis-open.github.io/cti-documentation/.

Creating a STIX document in Soltra Edge

The builder in Soltra Edge is available in the navigation bar and on the Dashboard page.

 

 

Before you can create a STIX document using the Soltra Edge Build feature, you must ensure you have a Namespace Alias and Namespace URI to author content.

 

 

Setting the Namespace Alias and Namespace URI is done in Settings > System Settings.

 

Creating an Indicator

Click Build > Indicator in the navigation bar.

 

 

Once you select Indicator, your indicator is created; however, you still need to give it a title and add at least one Observable.

 

 

The General window allows you to further define this indicator by type, description, confidence level, producer, TLP, and handling caveats.

 

 

Quick Add

Quick Add lets you quickly add a large number of Observables to the Indicator being created.

 

Note: you can add a maximum of 1000 Observables via Quick Add at one time.

 

Creating the required Observable

To create the required Observable, select “Observable” from the left menu pane and select the “Add” button.

 

 

In the Observable Builder, you have three areas to define your observable.

 

 

Create

Use the dropdown to select the type of observable you will be creating.

 

 

Batch Create

Use the dropdown to select the type of observable you will be creating.

 

 

Link to Existing

Use the search window to link the observable you are creating to an existing object.

 

 

Once you have populated the Create, Batch Create, and Link to Existing options, use the green button and select “Build Observable”.

 

 

Once the Observable is built, you are shown that you need to complete your Indicator setup.

 

 

Note the “AND/OR” option for your observable.

 

 

To complete your Indicator setup, select General from the left menu pane and populate the necessary fields.

Once you have populated all required fields, select the red “Save” button. Once saved, this button will turn green.

 

Prior to Indicator being saved.

 

Indicator saved.
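What an indicator like the one built above looks like once serialized, as an added sketch in STIX 1.2 XML (the data model version this page links to); it is not Soltra Edge's code or its exact output. It shows why a Namespace Alias and Namespace URI are required (every object id is prefixed with the alias) and that in STIX 1.2 the AND/OR choice is carried by the `operator` attribute of `Observable_Composition`. The alias `example`, the URI `http://example.com`, the title and the IP addresses are constructed, and `build_indicator` is a hypothetical helper.

```python
import uuid
import xml.etree.ElementTree as ET

# STIX 1.2 / CybOX 2.1 schema namespaces (fixed by the specifications).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, tag):
    """Expand prefix:tag to ElementTree's {uri}tag form."""
    return "{%s}%s" % (NS[prefix], tag)

def build_indicator(alias, ns_uri, title, ipv4_values, operator="OR"):
    """Return STIX 1.2-style XML for one Indicator over IPv4 observables."""
    if not title or not ipv4_values:
        raise ValueError("an indicator needs a title and at least one observable")
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    def new_id(kind):
        # STIX 1.x ids are QNames: <producer alias>:<kind>-<uuid>
        return "%s:%s-%s" % (alias, kind, uuid.uuid4())
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": new_id("Package"), "version": "1.2"})
    pkg.set("xmlns:" + alias, ns_uri)  # declare the producer namespace the ids rely on
    ind = ET.SubElement(ET.SubElement(pkg, q("stix", "Indicators")), q("stix", "Indicator"),
                        {"id": new_id("indicator"), q("xsi", "type"): "indicator:IndicatorType"})
    ET.SubElement(ind, q("indicator", "Title")).text = title
    top = ET.SubElement(ind, q("indicator", "Observable"), {"id": new_id("Observable")})
    comp = ET.SubElement(top, q("cybox", "Observable_Composition"), {"operator": operator})
    for value in ipv4_values:
        obs = ET.SubElement(comp, q("cybox", "Observable"), {"id": new_id("Observable")})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": new_id("Address")})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType",
                               "category": "ipv4-addr"})
        addr = ET.SubElement(props, q("AddressObj", "Address_Value"), {"condition": "Equals"})
        addr.text = value
    return ET.tostring(pkg, encoding="unicode")

if __name__ == "__main__":
    # Constructed sample input: documentation-range addresses, placeholder namespace.
    print(build_indicator("example", "http://example.com", "Constructed sample indicator",
                          ["192.0.2.10", "198.51.100.7"]))
```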

 

Further Classifying your Indicator

Soltra Edge Build allows you to further classify the indicator by sharing it with a Trust Group and by adding Indicated TTPs, Related Indicators, and Suggested COAs.

Each area is located on the left menu pane.

 

 

Adding the Indicator to a Trust Group

Once your Indicator is built, select “Trust Group” from the left menu pane and select the Trust Group with which you want to share the indicator.

 

 

Other options

To understand Indicated TTPs, Related Indicators, and Suggested COAs, please see the following STIX documentation.

Indicated TTPs - http://stixproject.github.io/data-model/1.2/stixCommon/RelatedTTPType/

Related Indicators - http://stixproject.github.io/data-model/1.2/indicator/RelatedIndicatorsType/

Suggested COAs - http://stixproject.github.io/data-model/1.2/indicator/SuggestedCOAsType/

 

Other Objects

 

 

Soltra Edge allows you to build Campaigns, Courses of Action, Exploit Targets, Incidents, Threat Actors, and TTPs.

To learn more about these objects, please see the following site: http://stixproject.github.io/data-model/.

 

 

For more information, join the conversation in the Soltra Edge Forums at forums.soltra.com.