STIX¶
About¶
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free allowing those interested to contribute and ask questions freely.
Product Details¶
Vendor URL: STIX
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: API
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: STIX
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| attack-pattern | additional_attack_pattern |
| audience-industry | security_result.about.asset.category |
| audience-region | security_result.about.asset.location.country_or_region |
| confidence | security_result.severity_details |
| created_by_ref | additional_created_ref |
| id | additional_id |
| identity_class | additional_identity_class |
| indicator_types.0 | metadata.description |
| malware | security_result.threat_name |
| name | security_result.summary |
| name | metadata.product_log_id |
| name | additional_definition |
| object_marking_refs.0 | additional_object_ref |
| pattern_type | metadata.product_name |
| pattern_version | metadata.product_version |
| pattern.addr | principal.ip |
| pattern.email-addr | output.target.user.email_addresses |
| pattern.hashes | target.process.file.md5 |
| pattern.hashes | target.file.sha1 |
| pattern.hashes | target.file.sha256 |
| pattern.url | output.target.url |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| General | GENERIC_EVENT |
| Indicator | INDICATOR |
Log Sample¶
{"confidence":15,"created":"2023-07-24T14:27:53.883358Z","created_by_ref":"identity--#","id":"indicator--#","indicator_types":["url watchlist"],"labels":["attack-pattern:malspam","audience-industry:Insurance","malware:SocGholish","audience-region:Americas"],"lang":"en","modified":"2023-07-24T14:27:53.883358Z","name":"Member Submission: malspam activity potentially associated with SocGholish. Reported on 24 July 2023. (Alert ID: 28f0478f)","object_marking_refs":["marking-definition--#"],"pattern":"[url:value = 'https://url']","pattern_type":"stix","pattern_version":"2.1","spec_version":"2.1","type":"indicator","valid_from":"2023-07-24T14:27:51.110223Z"}
Sample Parsing¶
additional.fields["Created By Ref:"] = "identity--#
additional.fields["Indicator ID:"] = "indicator--#"
additional.fields["Object Marking Ref:"] = "marking-definition--#"
additional.fields["Attack Pattern:"] = "attack:pattern:malspam"
metadata.description = "url watchlist"
metadata.log_type = "STIX"
metadata.product_event_type = "indicator"
metadata.product_log_id = "28f0478f"
metadata.product_name = "stix"
metadata.product_version = "2.1"
security_result.severity_details = "15"
security_result.summary = "Member Submission: malspam activity potentially associated with SocGholish. Reported on 24 July 2023."
security_result.about.asset.location.country_or_region = "audience-region:Americas"
security_result.about.asset.category = "audience-industry:Insurance"
security_result.threat_name = "SocGholish"
target.namespace = "fsisac"
target.url = "https://url"
Rules¶
Coming Soon