STIX Extraction Rules

Indicators with Operators

If an uploaded STIX file contains indicator conditions that use an operator (OR or AND) to combine observables, Apex Central extracts the STIX indicators as suspicious objects and automatically configures the scan action based on the operator used in the STIX indicator condition:

Operator    Scan action
--------    -----------------------------------------------------------
OR          Extracted objects apply the user-defined scan action
AND         Extracted objects always apply the "Log" scan action
            (each extracted object is only one part of the combined condition)

Apex Central supports the following STIX indicator conditions:

  • Equals

Suspicious Object Mapping

The following table outlines the corresponding Apex Central suspicious object type for each supported STIX indicator (watchlist) and CybOX indicator (observable) extracted. The CybOX element names are shown with their conventional namespace prefixes; matching is on the element and on the attribute of its parent element.

Object type   STIX indicator        CybOX indicator
-----------   -------------------   ------------------------------------------------------
File SHA-1    File Hash Watchlist   • cyboxCommon:Simple_Hash_Value
                                      (with sibling element cyboxCommon:Type="SHA1")
URL           URL Watchlist         • URIObject:Value
                                      (with parent element attribute @type="URL")
Domain        Domain Watchlist      • DomainNameObj:Value
                                      (with parent element attribute @type="FQDN")
                                    • URIObject:Value
                                      (with parent element attribute @type="Domain Name")
                                    • HostnameObject:Hostname_Value
IP Address    IP Watchlist          • AddressObject:Address_Value
                                      (with parent element attribute @category="ipv4-addr")
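The following script is an added example, not Apex Central code or any Trend Micro tool: it applies the operator rule and the suspicious object mapping above to a STIX 1.x/CybOX XML package, so a practitioner can check what a feed will yield before uploading it. The STIX package is constructed for the example; namespace prefixes are the conventional CybOX ones, and matching is done on local element names so a feed's own prefixes do not matter. Three points are assumptions rather than statements from the page: a missing condition attribute is treated as Equals (the CybOX default), an indicator with a single observable and no composition is treated like OR, and "Block" stands in for whatever user-defined scan action is configured.

```python
import xml.etree.ElementTree as ET

# Constructed sample package (not from a real feed). Indicator 1 combines its
# observables with OR, indicator 2 with AND. It also carries an MD5 hash and a
# "Contains" condition, neither of which the extraction rules accept.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
   <indicator:Observable><cybox:Observable_Composition operator="OR">
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
     <FileObj:Hashes>
      <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value condition="Equals">da39a3ee5e6b4b0d3255bfef95601890afd80709</cyboxCommon:Simple_Hash_Value>
      </cyboxCommon:Hash>
      <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
      </cyboxCommon:Hash>
     </FileObj:Hashes>
    </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
     <URIObj:Value condition="Equals">http://malware.example/payload.bin</URIObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
     <URIObj:Value condition="Contains">/payload</URIObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
   </cybox:Observable_Composition></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
   <indicator:Observable><cybox:Observable_Composition operator="AND">
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
     <DomainNameObj:Value>c2.malware.example</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>203.0.113.7</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
   </cybox:Observable_Composition></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

USER_DEFINED_ACTION = "Block"  # assumed user-defined scan action for the example


def local(tag):
    """Strip the {namespace-uri} prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def object_type(elem, parent):
    """Map one CybOX value element to an Apex Central object type, or None."""
    name = local(elem.tag)
    if name == "Simple_Hash_Value":
        # Sibling cyboxCommon:Type must be SHA1; other hash types are ignored.
        hash_types = [(c.text or "").strip() for c in parent if local(c.tag) == "Type"]
        return "File SHA-1" if hash_types == ["SHA1"] else None
    if name == "Value":
        # URIObject:Value and DomainNameObj:Value: the parent's @type decides.
        return {"URL": "URL", "FQDN": "Domain", "Domain Name": "Domain"}.get(parent.get("type"))
    if name == "Hostname_Value":
        return "Domain"
    if name == "Address_Value" and parent.get("category") == "ipv4-addr":
        return "IP Address"
    return None


def extract(stix_xml, user_action=USER_DEFINED_ACTION):
    """Return (object_type, value, scan_action) for every extractable observable."""
    root = ET.fromstring(stix_xml)
    results = []
    for indicator in (e for e in root.iter() if local(e.tag) == "Indicator"):
        comps = [e for e in indicator.iter() if local(e.tag) == "Observable_Composition"]
        # OR -> user-defined action, AND -> always Log. An indicator with a single
        # observable and no composition is treated like OR here (assumption).
        operator = comps[0].get("operator", "OR").upper() if comps else "OR"
        action = "Log" if operator == "AND" else user_action
        for parent in indicator.iter():
            for child in parent:
                # Only the Equals condition is supported; CybOX defaults to Equals
                # when the attribute is absent, so an unset condition is accepted.
                if child.get("condition", "Equals") != "Equals":
                    continue
                otype = object_type(child, parent)
                if otype and child.text and child.text.strip():
                    results.append((otype, child.text.strip(), action))
    return results


if __name__ == "__main__":
    for row in extract(SAMPLE_STIX):
        print("%-10s %-45s %s" % row)
```

Running it lists the SHA-1 and the URL from indicator 1 with the user-defined action and the domain and IPv4 address from indicator 2 with "Log"; the MD5 hash and the "Contains" URL are dropped, which is the behaviour to expect from the rules above when a feed mixes hash algorithms or uses pattern conditions.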