Before sweeping the different data sources, TrendAI Vision One™ identifies and extracts the STIX indicator patterns to use for the sweep. The following table lists the common STIX indicator patterns and shows which data sources each pattern can be swept against.

Note: STIX-Shifter lets TrendAI Vision One™ connect to third-party data sources using STIX Patterning and return sweep results as STIX Observations. The table does not cover every STIX pattern supported by STIX-Shifter; TrendAI™ can only guarantee support for the STIX patterns that have been tested, which are the ones listed here.
| Object Type | STIX Pattern | For Endpoint Activity Data | For Email Activity Data | For Network Activity Data | For STIX-Shifter Data Source (QRadar on Cloud) |
|---|---|---|---|---|---|
| File | [file:hashes.'SHA-256' = '<SHA256 value>'] | Yes | Yes | Yes | Yes |
| File | [file:hashes.'SHA-1' = '<SHA1 value>'] | Yes | Yes | Yes | Yes |
| File | [file:hashes.MD5 = '<md5 value>'] | Yes | Yes | No | Yes |
| File | [file:name = '<file name string>'] | Yes | Yes | Yes | Yes |
| Domain | [domain-name:value = '<domain name string>'] | Yes | Yes | Yes | Yes |
| URL | [url:value = '<url string>'] | Yes | Yes | Yes | Yes |
| IP address | [ipv4-addr:value = '<ip address>'] | Yes | Yes | Yes | Yes |
| IP address | [ipv4-addr:value = '<ip cidr>'] | No | No | No | Yes |
| IP address | [ipv6-addr:value = '<ip address>'] | Yes | Yes | Yes | Yes |
| Network traffic | [network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '<ip address>'] | Yes | Yes | Yes | No |
| Network traffic | [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '<ip address>'] | Yes | Yes | Yes | No |
| Network traffic | [network-traffic:src_ref.type = 'ipv6-addr' AND network-traffic:src_ref.value = '<ip address>'] | Yes | Yes | Yes | No |
| Network traffic | [network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '<ip address>'] | Yes | Yes | Yes | No |
| Network traffic | [network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '<domain name string>'] | Yes | Yes | Yes | No |
| Process | [process:command_line = '<command line string>'] | Yes | No | No | Yes |
| Process | [process:parent_ref.command_line = '<command line string>'] | Yes | No | No | Yes |
| User account | [user-account:account_login = '<account name>'] | Yes | No | Yes | Yes |
| Registry | [windows-registry-key:key = '<registry key path>'] | Yes | No | No | No |
| Registry | [windows-registry-value-type:name = '<registry key name>'] | Yes | No | No | No |
| Registry | [windows-registry-value-type:data = '<registry key data>'] | Yes | No | No | No |
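The patterns in the table are ordinary STIX 2.1 patterning expressions: one bracketed observation expression containing equality comparisons, joined by AND where two properties of the same object must match. The following is an added example, not code from Trend Micro or from the STIX-Shifter project: a parser for exactly that subset, a local evaluator that runs a pattern over constructed STIX-like observations, and a lookup that transcribes the table's Yes/No columns so a caller can route a sweep only to the data sources that accept the pattern form. Two simplifications are assumptions of this example: `*_ref` properties hold the referenced object inline rather than a STIX identifier, and the four source names are invented labels for the table's columns. CIDR handling follows the table: `[ipv4-addr:value = '<ip cidr>']` is reported as supported only by the STIX-Shifter source, and the evaluator treats a CIDR literal as a containment test. All sample observations are constructed, not real telemetry.

```python
"""Added example (not Trend Micro or STIX-Shifter code): parse the subset of
STIX patterning used by the tested patterns above, evaluate a pattern locally
against STIX-like observations, and look up which sweep sources accept it."""
import ipaddress
import re

# One comparison: path = 'literal'. The path is type:prop.sub, where a segment
# may be quoted (hashes.'SHA-256'); the literal is a single-quoted STIX string
# in which a backslash escapes the next character.
_CMP = re.compile(r"([a-z0-9\-]+:[^\s=]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def parse_pattern(pattern: str) -> list:
    """[a = 'x' AND b = 'y'] -> [('a', 'x'), ('b', 'y')].
    Only one bracketed observation expression of AND-joined equality comparisons
    is accepted, which covers every pattern in the table; OR, FOLLOWEDBY and
    qualifiers such as WITHIN are rejected rather than silently misread."""
    p = pattern.strip()
    if not (p.startswith("[") and p.endswith("]")):
        raise ValueError("expected one bracketed observation expression")
    body, out, pos = p[1:-1], [], 0
    for m in _CMP.finditer(body):
        gap = body[pos:m.start()].strip()
        if gap != ("" if pos == 0 else "AND"):
            raise ValueError(f"unsupported syntax near {gap!r}")
        out.append((m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))))
        pos = m.end()
    if not out or body[pos:].strip():
        raise ValueError(f"unsupported syntax in {body!r}")
    return out


def _resolve(obj: dict, path: str):
    """Walk type:prop.sub over a STIX-like dict; None if the object type differs
    or a property is missing. Simplification (assumption of this example):
    *_ref properties hold the referenced object inline instead of a STIX id."""
    obj_type, _, props = path.partition(":")
    cur = obj if obj.get("type") == obj_type else None
    for seg in props.split("."):
        cur = cur.get(seg.strip("'")) if isinstance(cur, dict) else None
    return cur


def _matches(actual, literal: str) -> bool:
    """String equality, except that a CIDR literal matches any address inside
    it. A literal containing '/' that is not a CIDR (a URL, say) makes
    ipaddress raise ValueError, so it falls back to plain equality."""
    if actual is None:
        return False
    if "/" in literal:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
        except ValueError:
            pass
    return actual == literal


def evaluate(pattern: str, observation: dict) -> bool:
    """True when every comparison in the pattern holds for the observation."""
    return all(_matches(_resolve(observation, path), lit)
               for path, lit in parse_pattern(pattern))


SOURCES = ("endpoint", "email", "network", "stix-shifter")  # column order; names assumed

# Yes/No columns transcribed from the table, keyed by the paths a pattern
# compares. The CIDR form of ipv4-addr:value has its own key because only the
# STIX-Shifter source accepts it.
_SUPPORT = {
    ("file:hashes.'SHA-256'",): "YYYY", ("file:hashes.'SHA-1'",): "YYYY",
    ("file:hashes.MD5",): "YYNY", ("file:name",): "YYYY",
    ("domain-name:value",): "YYYY", ("url:value",): "YYYY",
    ("ipv4-addr:value",): "YYYY", ("ipv4-addr:value", "cidr"): "NNNY",
    ("ipv6-addr:value",): "YYYY",
    ("network-traffic:src_ref.type", "network-traffic:src_ref.value"): "YYYN",
    ("network-traffic:dst_ref.type", "network-traffic:dst_ref.value"): "YYYN",
    ("process:command_line",): "YNNY", ("process:parent_ref.command_line",): "YNNY",
    ("user-account:account_login",): "YNYY", ("windows-registry-key:key",): "YNNN",
    ("windows-registry-value-type:name",): "YNNN",
    ("windows-registry-value-type:data",): "YNNN",
}


def supported_sources(pattern: str) -> list:
    """Sweep data sources that accept this pattern form; empty if the form is
    not one of the tested patterns in the table."""
    cmps = parse_pattern(pattern)
    key = tuple(path for path, _ in cmps)
    if key == ("ipv4-addr:value",) and "/" in cmps[0][1]:
        key = ("ipv4-addr:value", "cidr")
    return [s for s, f in zip(SOURCES, _SUPPORT.get(key, "NNNN")) if f == "Y"]


# Constructed sample observations, not real telemetry.
SAMPLE_FILE = {"type": "file", "name": "update.exe",
               "hashes": {"SHA-256": "0123456789abcdef" * 4, "MD5": "0123456789abcdef" * 2}}
SAMPLE_TRAFFIC = {"type": "network-traffic",
                  "src_ref": {"type": "ipv4-addr", "value": "10.1.2.3"},
                  "dst_ref": {"type": "domain-name", "value": "evil.example"}}
SAMPLE_IP = {"type": "ipv4-addr", "value": "192.0.2.77"}
SAMPLE_PROC = {"type": "process", "command_line": "cmd.exe /c whoami",
               "parent_ref": {"type": "process", "command_line": "WINWORD.EXE"}}

if __name__ == "__main__":
    cidr = "[ipv4-addr:value = '192.0.2.0/24']"
    print(evaluate(cidr, SAMPLE_IP), supported_sources(cidr))
```

Running the block prints `True ['stix-shifter']`: the address is inside the CIDR, but the table says a CIDR pattern can only be swept through the STIX-Shifter source, so a caller targeting endpoint, email or network activity data would have to expand the range into individual `[ipv4-addr:value = '<ip address>']` patterns instead. The parser deliberately rejects OR and the observation operators rather than guessing at them, since none of the tested patterns use them.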