Adding STIX Objects to the User-Defined Suspicious Object List

After obtaining a properly formatted Structured Threat Information Expression (STIX) file (*.xml) from a trusted external source (a security forum or other Deep Discovery Virtual Analyzer product), import the file to Apex Central to extract the suspicious file SHA-1, IP address, URL, and domain objects to the User-Defined Suspicious Object list. When uploading a file, you can also specify the scan action that supported Trend Micro products perform after detecting the suspicious objects.

For more information about manually adding suspicious objects to the User-Defined Suspicious Object list, see Adding Objects to the User-Defined Suspicious Object List.

Important:

Apex Central only supports uploading properly formatted STIX files that have *.xml file extensions and conform to the following STIX and Cybox releases:

  • STIX 1.1

  • STIX 1.1.1

  • STIX 1.2

  • Cybox 2.1

Note:

Apex Central automatically extracts suspicious objects to the User-Defined Suspicious Object list when the STIX file is imported.

  1. Go to Threat Intel > Custom Intelligence.

    The Custom Intelligence screen appears.

  2. Click the STIX tab.

    The STIX file list appears.

  3. (Optional) To filter the files that display in the file list, use the search box to specify a full or partial string contained in the File Name, Short Description, or Source Added By columns.
  4. Click Add.

    The Add STIX Files screen appears.

  5. Select STIX files (*.xml) to upload.
    1. Click Select Files....
    2. Select one or more files to upload.
      Note:

      • The maximum file size for each file is 10 MB.

      • The total number of files uploaded at the same time cannot exceed 200 files.

    3. Click Open.
  6. (Optional) Click Advanced settings to specify scan actions that supported products perform after detecting the object.
    Note:

    You can also configure scan actions for suspicious objects on the User-Defined Suspicious Object list.

    For more information, see Suspicious Object Scan Actions.

  7. Click Add.

    Apex Central uploads the selected STIX files and extracts suspicious objects to the User-Defined Suspicious Object list.

    • To download a copy of a specific file, click the link in the File Name column.

    • To track the file extraction status, use the Command Tracking screen.

      For more information, see Command Tracking.

    • To view the extracted suspicious objects on a filtered view of the User-Defined Suspicious Object list, click the count in the Extracted Objects column.

    • To delete files, select the check box next to the File Name of at least one file and click Delete.

      Note:

      • Deleting a file does not remove the extracted suspicious objects from the User-Defined Suspicious Object list.

      • You cannot delete a file until Apex Central has finished extracting suspicious objects from the file.

Parent topic: Preemptive Protection Against Suspicious Objects