STIX Indicator Patterns for Sweeping

Before sweeping different data sources, Trend Micro Vision One identifies and captures STIX indicator patterns used for sweeping.

The following table provides information about the common STIX indicator patterns applied under different scenarios.

Note:

STIX-Shifter allows Trend Micro Vision One to connect to third-party data sources by using STIX Patterning and return sweeping results as STIX Observations. The following table does not cover all the STIX patterns supported by STIX-Shifter, and Trend Micro can only guarantee support on tested STIX patterns.

Object Type

STIX Pattern

For Endpoint Activity Data

For STIX-Shifter Data Source (QRadar on Cloud)

File

[file:hashes.'SHA-256' = '<SHA256 value>']

Yes

Yes

[file:hashes.'SHA-1' = '<SHA1 value>']

Yes

Yes

[file:hashes.MD5 = '<md5 value>']

Yes

Yes

[file:name = '<file name string>']

Yes

Yes

Domain

[domain-name:value = '<domain name string>']

Yes

Yes

URL

[url:value = '<url string>']

Yes

Yes

IP address

[ipv4-addr:value = '<ip address>']

Yes

Yes

[ipv4-addr:value = '<ip cidr>']

No

Yes

[ipv6-addr:value = '<ip address>']

Yes

Yes

Network traffic

[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '<ip address>']

Yes

No

[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '<ip address>']

Yes

No

[network-traffic:src_ref.type = 'ipv6-addr' AND network-traffic:src_ref.value = '<ip address>']

Yes

No

[network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '<ip address>']

Yes

No

[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '<domain name string>']

Yes

No

Process

[process:command_line='<command line string>']

Yes

Yes

[process:parent_ref.command_line='<command line string>']

Yes

Yes

User account

[user-account:account_login = '<account name>']

Yes

Yes

Registry

[windows-registry-key:key = '<registry key path>']

Yes

No

[windows-registry-value-type:name = 'registry key name']

Yes

No

[windows-registry-value-type:data = 'registry key data']

Yes

No

Note:
  • STIX 2.0 and 2.1 are supported.

  • Only simple indicators whose pattern contains a single object are supported.