Simple "pure" JSON serialization of the JSON-LD example STIX content from the "Malicious E-mail Indicator with Attachment" idiom. The package models a single "Phishing" TTP with three indicators (the e-mail, its subject line, and its attachment): a message whose subject starts with "[IMPORTANT] Please Review Before", carrying a file whose name starts with "Final Report" and whose extension equals "doc.exe". The `cyboxc:pattern` values are matching expressions for a pattern evaluator in the consuming tool, not data to execute; a consumer should parse them with a restricted pattern grammar rather than hand them to a general-purpose expression evaluator.
{
"@id": "example:Package-8b8ed1c1-f01d-4393-ac65-97017ed15876",
"@type": "stix:Package",
"stix:indicators": [
{
"@id": "example:indicator-8cf9236f-1b96-493d-98be-0c1c1e8b62d7",
"@type": "ind:Indicator",
"ind:indicatorType": "stixVocabs:IndicatorTypeVocab-1.1:Malicious_E-mail",
"ind:observable": {"@id": "example:Observable-437f0c20-ab26-4400-9f6a-fc395da3ddd9"},
"stixc:confidence": {
"stixc:timestamp": "2014-10-31T15:52:13.127950Z",
"stixc:value": "stixVocabs:HighMediumLowVocab-1.0:High"
},
"stixc:timestamp": "2014-10-31T15:52:13.127931Z",
"stixc:title": "Malicious E-mail"
}, {
"@id": "example:indicator-b06b0eb7-61dd-4338-a094-0290c380fbd8",
"@type": "ind:Indicator",
"ind:indicatorType": "stixVocabs:IndicatorTypeVocab-1.1:Malicious_E-mail",
"ind:observable": {"@id": "example:Observable-e9926796-6b52-463c-8be1-0ab66e9adb1c"},
"stixc:confidence": {
"stixc:timestamp": "2014-10-31T15:52:13.127225Z",
"stixc:value": "stixVocabs:HighMediumLowVocab-1.0:Low"
},
"stixc:timestamp": "2014-10-31T15:52:13.126999Z",
"stixc:title": "Malicious E-mail Subject Line"
}, {
"@id": "example:indicator-2e17f6fe-3a4d-438a-911a-e509ba1b9933",
"@type": "ind:Indicator",
"ind:indicatorType": "stixVocabs:IndicatorTypeVocab-1.1:Malicious_E-mail",
"ind:observable": {"@id": "example:Observable-9c9869a2-f822-4682-bda4-e89d31b18704"},
"stixc:confidence": {
"stixc:timestamp": "2014-10-31T15:52:13.127775Z",
"stixc:value": "stixVocabs:HighMediumLowVocab-1.0:Low"
},
"stixc:timestamp": "2014-10-31T15:52:13.127668Z",
"stixc:title": "Malicious E-mail Attachment"
}
],
"stix:TTPs": [
{
"@id": "example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484",
"@type": "ttp:TTP",
"stixc:timestamp": "2014-10-31T15:52:13.126765Z",
"stixc:title": "Phishing"
}
],
"cybox:observables": {
"cybox:observable": [
{
"@id": "example:Observable-9c9869a2-f822-4682-bda4-e89d31b18704",
"@type": "cybox:Observable",
"cybox:observedEntity": {
"@id": "example:EmailMessage-9d56af8e-5588-4ed3-affd-bd769ddd7fe2",
"@type": "emailMsgObj:EmailMessage",
"emailMsgObj:attachments": [{"@id": "example:File-c182bcb6-8023-44a8-b340-157295abc8a6"}]
}
}, {
"@id": "example:Observable-437f0c20-ab26-4400-9f6a-fc395da3ddd9",
"@type": "cybox:Observable",
"cybox:observedEntity": {
"@id": "example:EmailMessage-0dc3478e-153a-412f-8718-7e9ee65b8084",
"@type": "emailMsgObj:EmailMessage",
"emailMsgObj:attachments": [{"@id": "example:File-c182bcb6-8023-44a8-b340-157295abc8a6"}],
"emailMsgObj:header.subject": {
"@type": "cyboxc:pattern",
"@value": "StartsWith( '[IMPORTANT] Please Review Before' )"
}
}
}, {
"@id": "example:Observable-e9926796-6b52-463c-8be1-0ab66e9adb1c",
"@type": "cybox:Observable",
"cybox:observedEntity": {
"@id": "example:EmailMessage-38afa5c9-ef26-4948-928b-0230521c67b7",
"@type": "emailMsgObj:EmailMessage",
"emailMsgObj:header.subject": {
"@type": "cyboxc:pattern",
"@value": "StartsWith( '[IMPORTANT] Please Review Before' )"
}
}
}
],
"cybox:ObjectPool": [
{
"@id": "example:File-c182bcb6-8023-44a8-b340-157295abc8a6",
"@type": "fileObj:File",
"fileObj:fileExtension": {
"@type": "cyboxc:pattern",
"@value": "Equals( 'doc.exe' )"
},
"fileObj:fileName": {
"@type": "cyboxc:pattern",
"@value": "StartsWith( 'Final Report' )"
}
}
]
},
"stix:relationships": [
{
"@id": "example:Relationship-91a98baca7528928aca2bd3c3afb89c5c063580b",
"@type": "ind:indicatedTTP",
"stixc:to": "example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484",
"stixc:from": "example:indicator-8cf9236f-1b96-493d-98be-0c1c1e8b62d7"
}, {
"@id": "example:Relationship-fd03727b704b20f0f32f59a2a024daf39a56b1d9",
"@type": "ind:indicatedTTP",
"stixc:to": "example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484",
"stixc:from": "example:indicator-b06b0eb7-61dd-4338-a094-0290c380fbd8"
}, {
"@id": "example:Relationship-a7142d45bc1d641ffb231abae34a7d3245573a16",
"@type": "ind:indicatedTTP",
"stixc:to": "example:ttp-d7b066aa-4091-4276-a142-29d5d81c3484",
"stixc:from": "example:indicator-2e17f6fe-3a4d-438a-911a-e509ba1b9933"
}, {
"@id": "example:Relationship-1b2e978554d80a2295747becfb4b67ffe3df0d27",
"@type": "cybox:relatedObjects",
"cyboxc:objectRelationshipType": "cyboxVocabs:ObjectRelationshipVocab-1.1:Contains",
"stixc:to": "example:File-c182bcb6-8023-44a8-b340-157295abc8a6",
"stixc:from": "example:EmailMessage-9d56af8e-5588-4ed3-affd-bd769ddd7fe2"
}
]
}
@guitarmanvt
Part of the annoyance of the XML was the prevalence of `alias:construct` prefixes throughout. I have no desire to carry that over into JSON.

So, for example, can we get rid of stixc:to and just use to, please?

@guitarmanvt
Having `cybox:ObjectPool` inside ObservableComposition looks odd. It also makes ObservableComposition overly complex.

ObservableComposition should only contain Observables. That would eliminate an entire level of data structure:

observables.observable[#] => observables[#]

@guitarmanvt
In general, this example is overly wordy. Let's work hard to eliminate all noise, even at the expense of "extensibility".

@guitarmanvt
This is how I'd prefer to interact with the data: https://gist.github.com/guitarmanvt/ef75c4620aed8306370b
