STIX

About

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is an open, freely available standard, so anyone interested can contribute to it and ask questions.

Product Details

Vendor URL: STIX

Product Type: Endpoint Detection and Response

Product Tier: Tier I

Integration Method: API

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%

Data Label: STIX

UDM Fields (list of all UDM fields leveraged in the Parser):

Fields marked (label) are taken from the STIX labels array, where each entry is a prefix:value pair (for example malware:SocGholish); pattern.* fields are extracted from the STIX pattern expression in the indicator.

Log File Field                 UDM Field
attack-pattern (label)         additional_attack_pattern
audience-industry (label)      security_result.about.asset.category
audience-region (label)        security_result.about.asset.location.country_or_region
confidence                     security_result.severity_details
created_by_ref                 additional_created_ref
id                             additional_id
identity_class                 additional_identity_class
indicator_types.0              metadata.description
malware (label)                security_result.threat_name
name                           security_result.summary
name                           metadata.product_log_id
name                           additional_definition
object_marking_refs.0          additional_object_ref
pattern_type                   metadata.product_name
pattern_version                metadata.product_version
pattern.addr                   principal.ip
pattern.email-addr             output.target.user.email_addresses
pattern.hashes (MD5)           target.process.file.md5
pattern.hashes (SHA-1)         target.file.sha1
pattern.hashes (SHA-256)       target.file.sha256
pattern.url                    output.target.url

Product Event Types

Event          UDM Event Classification
General        GENERIC_EVENT
Indicator      INDICATOR

Log Sample

{"confidence":15,"created":"2023-07-24T14:27:53.883358Z","created_by_ref":"identity--#","id":"indicator--#","indicator_types":["url watchlist"],"labels":["attack-pattern:malspam","audience-industry:Insurance","malware:SocGholish","audience-region:Americas"],"lang":"en","modified":"2023-07-24T14:27:53.883358Z","name":"Member Submission: malspam activity potentially associated with SocGholish. Reported on 24 July 2023. (Alert ID: 28f0478f)","object_marking_refs":["marking-definition--#"],"pattern":"[url:value = 'https://url']","pattern_type":"stix","pattern_version":"2.1","spec_version":"2.1","type":"indicator","valid_from":"2023-07-24T14:27:51.110223Z"}

Sample Parsing

additional.fields["Created By Ref:"] = "identity--#"
additional.fields["Indicator ID:"] = "indicator--#"
additional.fields["Object Marking Ref:"] = "marking-definition--#"
additional.fields["Attack Pattern:"] = "attack-pattern:malspam"
metadata.description = "url watchlist"
metadata.log_type = "STIX"
metadata.product_event_type = "indicator"
metadata.product_log_id = "28f0478f"
metadata.product_name = "stix"
metadata.product_version = "2.1"
security_result.severity_details = "15"
security_result.summary = "Member Submission: malspam activity potentially associated with SocGholish. Reported on 24 July 2023."
security_result.about.asset.location.country_or_region = "audience-region:Americas"
security_result.about.asset.category = "audience-industry:Insurance"
security_result.threat_name = "SocGholish"
target.namespace = "fsisac"
target.url = "https://url"
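The mapping table and the Sample Parsing above show one STIX indicator normalized into UDM-style fields, but they do not show the three non-trivial steps a parser has to perform: splitting prefixed labels, pulling the alert ID out of the name, and extracting observables from the STIX pattern expression. The following reference normalizer is an added example written for this page; it is not the vendor's parser and is not code from the STIX project. It reproduces the Sample Parsing for the page's own Log Sample and goes beyond it by handling AND/OR-joined comparisons, hash patterns and multiple IP addresses. Assumptions are labelled in the comments: pattern.addr is taken to mean ipv4-addr/ipv6-addr comparisons, the UDM field for URLs is target.url as in the Sample Parsing (the table's output. prefix is not used), target.namespace is treated as a static assignment because the page shows it but does not say where it comes from, and the second sample log is constructed.

```python
"""Reference STIX 2.1 indicator -> UDM-style normalizer (added example, not the vendor's parser)."""
import json
import re

# The page's Log Sample, reproduced as the raw JSON line a collector would forward.
SAMPLE_LOG = (
    '{"confidence":15,"created":"2023-07-24T14:27:53.883358Z",'
    '"created_by_ref":"identity--#","id":"indicator--#",'
    '"indicator_types":["url watchlist"],'
    '"labels":["attack-pattern:malspam","audience-industry:Insurance",'
    '"malware:SocGholish","audience-region:Americas"],"lang":"en",'
    '"modified":"2023-07-24T14:27:53.883358Z",'
    '"name":"Member Submission: malspam activity potentially associated with '
    'SocGholish. Reported on 24 July 2023. (Alert ID: 28f0478f)",'
    '"object_marking_refs":["marking-definition--#"],'
    '"pattern":"[url:value = \'https://url\']","pattern_type":"stix",'
    '"pattern_version":"2.1","spec_version":"2.1","type":"indicator",'
    '"valid_from":"2023-07-24T14:27:51.110223Z"}'
)

# Constructed second sample (not from the page): a file-hash observation joined with
# AND, OR-ed with two C2 addresses, to exercise the hash and IP branches of the table.
SAMPLE_LOG_HASHES = json.dumps({
    "type": "indicator", "id": "indicator--#", "spec_version": "2.1",
    "pattern_type": "stix", "pattern_version": "2.1",
    "name": "Constructed: dropper hash with two C2 addresses (Alert ID: abc123)",
    "labels": ["malware:ExampleDropper"],
    "pattern": ("[file:hashes.'SHA-256' = '" + "ab" * 32 + "' AND "
                "file:hashes.'MD5' = '" + "cd" * 16 + "'] OR "
                "[ipv4-addr:value = '192.0.2.10' OR ipv4-addr:value = '192.0.2.11']"),
})

# Label prefix -> (UDM field, keep the full "prefix:value" text?). The page's Sample
# Parsing keeps the full label for industry/region but only the value for malware.
LABEL_MAP = {
    "attack-pattern": ('additional.fields["Attack Pattern:"]', True),
    "audience-industry": ("security_result.about.asset.category", True),
    "audience-region": ("security_result.about.asset.location.country_or_region", True),
    "malware": ("security_result.threat_name", False),
}

# STIX object path -> UDM field, following the table. Assumption: "pattern.addr" means
# ipv4-addr/ipv6-addr, and URLs land in target.url as shown in the Sample Parsing.
PATTERN_MAP = {
    "url:value": "target.url",
    "ipv4-addr:value": "principal.ip",
    "ipv6-addr:value": "principal.ip",
    "email-addr:value": "target.user.email_addresses",
    "file:hashes.'MD5'": "target.process.file.md5",
    "file:hashes.'SHA-1'": "target.file.sha1",
    "file:hashes.'SHA-256'": "target.file.sha256",
}
REPEATED_FIELDS = {"principal.ip", "target.user.email_addresses"}  # UDM repeated fields

# One equality comparison inside a STIX pattern: <type>:<path> = '<value>'. Only "="
# is extracted; MATCHES/LIKE/!= comparisons are intentionally ignored.
COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")
# "(Alert ID: xxx)" suffix on the indicator name, as in the page's sample.
ALERT_ID_RE = re.compile(r"\s*\(Alert ID:\s*([^)]+)\)\s*$")


def normalize_stix_indicator(log_line: str) -> dict:
    """Return a flat {udm_field: value} dict for one STIX indicator JSON line."""
    obj = json.loads(log_line)
    if obj.get("type") != "indicator":
        raise ValueError("only STIX indicator objects are handled")
    udm = {
        "metadata.log_type": "STIX",
        "metadata.product_event_type": obj["type"],
        "metadata.product_name": obj.get("pattern_type", ""),
        "metadata.product_version": obj.get("pattern_version", ""),
        'additional.fields["Indicator ID:"]': obj.get("id", ""),
        # Assumption: the page shows this constant but not its origin; set statically.
        "target.namespace": "fsisac",
    }
    if obj.get("created_by_ref"):
        udm['additional.fields["Created By Ref:"]'] = obj["created_by_ref"]
    if obj.get("object_marking_refs"):
        udm['additional.fields["Object Marking Ref:"]'] = obj["object_marking_refs"][0]
    if obj.get("indicator_types"):
        udm["metadata.description"] = obj["indicator_types"][0]
    if "confidence" in obj:
        udm["security_result.severity_details"] = str(obj["confidence"])
    # name -> summary, with the trailing "(Alert ID: ...)" moved to product_log_id.
    name = obj.get("name", "")
    m = ALERT_ID_RE.search(name)
    if m:
        udm["metadata.product_log_id"] = m.group(1).strip()
        name = name[:m.start()]
    udm["security_result.summary"] = name
    # Prefixed labels: split on the first ":" and route by prefix.
    for label in obj.get("labels", []):
        prefix, sep, value = label.partition(":")
        if sep and prefix in LABEL_MAP:
            field, keep_full = LABEL_MAP[prefix]
            udm[field] = label if keep_full else value
    # STIX pattern: extract every equality comparison and map its object path.
    for path, value in COMPARISON_RE.findall(obj.get("pattern", "")):
        field = PATTERN_MAP.get(path)
        if field is None:
            continue
        value = value.replace("\\'", "'")  # undo STIX single-quote escaping
        if field in REPEATED_FIELDS:
            udm.setdefault(field, []).append(value)
        else:
            udm[field] = value
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_stix_indicator(SAMPLE_LOG), indent=2))
```

Two caveats a practitioner should keep in mind when comparing this with a production parser: a STIX pattern can contain comparison operators other than "=" (MATCHES, LIKE, IN) and observation qualifiers (START/STOP, REPEATS), none of which this regex extracts, so patterns using them will normalize with no observable fields; and labels are treated as free-form prefix:value pairs here, whereas the page gives no guarantee that every producer uses that convention.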