Let's take a simple example. Imagine we are writing a report about the Roma225 campaign from December 2018.
First, we create the campaign and targeted victim objects. The campaign object has a description and is well labeled (you can open the object details by clicking on the object icon):
We've identified attack patterns relevant to this campaign, so we can add these as objects, too:
It is very useful to attach new information to existing intelligence. We can do this by using library objects. In this example, we reference MITRE ATT&CK techniques T1112, T1060, T1170, and T1346/PRE-T1123, represented as attack pattern objects.
It is time to add relevant indicators to the graph:
Now we are ready to formulate our hypotheses.
We are going to use the ACH (Analysis of Competing Hypotheses) approach by adding two mutually exclusive hypothesis objects (custom STIX2 objects with type x-eclecticiq-hypothesis), one named "Gorgon Group is associated with Roma225 Campaign" and another "Gorgon Group is not associated with Roma225 Campaign". These objects are linked to the evidence entities that support them through relationships of the custom type x-evidence-of.
Finally, we evaluate our hypotheses and write a report.
To tidy things up, we add the author's Identity object and TLP Marking Definition object. Our STIX2 graph is ready:
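The graph described above, assembled as a STIX2 bundle in plain Python (standard library only, not the stix2 package, and not EclecticIQ's own code). The property names on the x-eclecticiq-hypothesis object, the sample indicator and which evidence supports which hypothesis are assumptions made for the example; the Identity and TLP marking objects are left out for brevity.

```python
import uuid
from datetime import datetime, timezone

# Added illustration, not EclecticIQ's code. Hypothesis object properties,
# the indicator pattern and the evidence weighting are constructed assumptions.
STAMP = datetime(2018, 12, 1, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
STANDARD_TYPES = {"campaign", "attack-pattern", "indicator", "relationship"}


def sdo(obj_type, **props):
    """Return a STIX 2 object of obj_type with a fresh id and timestamps."""
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}", "created": STAMP, "modified": STAMP, **props}


def rel(rel_type, source, target):
    """Relationship from source to target; x-evidence-of is the article's custom type."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    campaign = sdo("campaign", name="Roma225", first_seen=STAMP)
    patterns = [sdo("attack-pattern", name=f"ATT&CK {tid}", external_references=[
                {"source_name": "mitre-attack", "external_id": tid}])
                for tid in ("T1112", "T1060", "T1170")]
    indicator = sdo("indicator", labels=["malicious-activity"], valid_from=STAMP,
                    pattern="[domain-name:value = 'c2.example.invalid']")  # constructed value
    h_yes = sdo("x-eclecticiq-hypothesis", name="Gorgon Group is associated with Roma225 Campaign")
    h_no = sdo("x-eclecticiq-hypothesis", name="Gorgon Group is not associated with Roma225 Campaign")
    rels = [rel("uses", campaign, p) for p in patterns] + [rel("indicates", indicator, campaign)]
    rels += [rel("x-evidence-of", p, h_yes) for p in patterns]  # constructed weighting
    rels.append(rel("x-evidence-of", indicator, h_no))           # constructed weighting
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [campaign, *patterns, indicator, h_yes, h_no, *rels]}


def ach_scores(bundle):
    """Tally x-evidence-of relationships per hypothesis name (a simple ACH count)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    scores = {o["name"]: 0 for o in bundle["objects"] if o["type"] == "x-eclecticiq-hypothesis"}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "x-evidence-of":
            scores[by_id[o["target_ref"]]["name"]] += 1
    return scores


def check_bundle(bundle):
    """Return problems: dangling refs, or non-standard types missing STIX's x- prefix."""
    ids = {o["id"] for o in bundle["objects"]}
    problems = [f"bad custom type {o['type']}" for o in bundle["objects"]
                if o["type"] not in STANDARD_TYPES and not o["type"].startswith("x-")]
    problems += [f"dangling ref in {o['id']}" for o in bundle["objects"] if o["type"] == "relationship"
                 and not {o["source_ref"], o["target_ref"]} <= ids]
    return problems
```

`check_bundle` is the sanity pass worth running before sharing a bundle: a relationship pointing at an object that is not in the bundle, or a custom type without the `x-` prefix, will be rejected or silently dropped by many STIX consumers.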
Acknowledgements: Original report and STIX2 bundle were created by Caitlin Huey.