If an uploaded STIX file contains conditions that use operators to combine indicators, Apex Central extracts the STIX indicators as suspicious objects and automatically configures scan actions based on the operator used in the STIX indicator condition.

Operator | Scan Action |
---|---|
OR | Extracted objects apply the user-defined scan action |
AND | Extracted objects always apply the "Log" scan action |

Apex Central supports the following STIX indicator conditions:
Equals
The following table outlines the corresponding Apex Central suspicious object type for each supported STIX indicator (watchlist) and Cybox indicator (observable) extracted.

Object Type | STIX Indicator | Cybox Indicator |
---|---|---|
File SHA-1 | File Hash Watchlist | |
URL | URL Watchlist | |
Domain | Domain Watchlist | |
IP Address | IP Watchlist | |
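
The following added example (not Trend Micro code and not part of the original page) applies the operator, condition, and object-type rules above to a STIX 1.x file before upload, so you can see which values would end up with the "Log" action instead of the one you chose. Assumptions: elements are matched by local name, the nearest enclosing composite operator decides the action, `USER_DEFINED` is a placeholder for your configured action, and the sample is constructed and simplified (`c:Value` stands in for the typed CybOX property elements).

```python
import xml.etree.ElementTree as ET
# Mappings copied from the two tables on this page.
OBJECT_TYPE = {"File Hash Watchlist": "File SHA-1", "URL Watchlist": "URL",
               "Domain Watchlist": "Domain", "IP Watchlist": "IP Address"}
SUPPORTED_CONDITIONS = {"Equals"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def predict(stix_xml, user_action="USER_DEFINED"):
    """Rows of (value, object type, action): AND -> "Log", otherwise user_action."""
    rows = []
    def walk(node, operator):
        name, children = local(node.tag), list(node)
        if name == "Composite_Indicator_Expression":
            # Assumption: the nearest enclosing operator decides the action.
            operator = node.get("operator", "").upper()
        if name == "Indicator" and any(local(c.tag) == "Observable" for c in children):
            itype = next((c.text.strip() for c in children
                          if local(c.tag) == "Type" and c.text), None)
            for el in node.iter():
                cond, value = el.get("condition"), (el.text or "").strip()
                if cond and value:
                    ok = cond in SUPPORTED_CONDITIONS and itype in OBJECT_TYPE
                    action = "Log" if operator == "AND" else user_action
                    rows.append((value, OBJECT_TYPE[itype], action) if ok
                                else (value, None, "not listed as supported"))
            return
        for child in children:
            walk(child, operator)
    walk(ET.fromstring(stix_xml), None)
    return rows

# Constructed, simplified STIX 1.x sample (documentation-range values only).
NS = ('xmlns:s="http://stix.mitre.org/stix-1" '
      'xmlns:i="http://stix.mitre.org/Indicator-2" xmlns:c="http://cybox.mitre.org/cybox-2"')
def leaf(itype, cond, value):
    return (f'<i:Indicator><i:Type>{itype}</i:Type><i:Observable><c:Object>'
            f'<c:Properties><c:Value condition="{cond}">{value}</c:Value>'
            f'</c:Properties></c:Object></i:Observable></i:Indicator>')
def combo(op, *leaves):
    return (f'<s:Indicator><i:Composite_Indicator_Expression operator="{op}">'
            f'{"".join(leaves)}</i:Composite_Indicator_Expression></s:Indicator>')
SAMPLE = (f'<s:STIX_Package {NS}><s:Indicators>'
          + combo("AND", leaf("IP Watchlist", "Equals", "198.51.100.7"),
                  leaf("Domain Watchlist", "Equals", "bad.example"))
          + combo("OR", leaf("URL Watchlist", "Equals", "http://bad.example/x"),
                  leaf("URL Watchlist", "Contains", "/login"))
          + '</s:Indicators></s:STIX_Package>')
```

Calling `predict(SAMPLE)` returns one row per value; rows whose action is "Log" come from AND-combined indicators, and rows marked "not listed as supported" use a condition or indicator type outside the tables above.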