STIX Indicator Patterns for Sweeping
Before sweeping different data sources, Trend Vision One identifies and captures STIX indicator patterns used for sweeping.
The following table provides information about the common STIX indicator patterns applied under different scenarios.
STIX-Shifter allows Trend Vision One to connect to third-party data sources by using STIX Patterning and return sweeping results as STIX Observations. The following table does not cover all the STIX patterns supported by STIX-Shifter, and Trend Micro can only guarantee support on tested STIX patterns.
|
Object Type |
STIX Pattern |
For Endpoint Activity Data |
For STIX-Shifter Data Source (QRadar on Cloud) |
|---|---|---|---|
|
File |
[file:hashes.'SHA-256' = '<SHA256 value>'] |
Yes |
Yes |
|
[file:hashes.'SHA-1' = '<SHA1 value>'] |
Yes |
Yes |
|
|
[file:hashes.MD5 = '<md5 value>'] |
Yes |
Yes |
|
|
[file:name = '<file name string>'] |
Yes |
Yes |
|
|
Domain |
[domain-name:value = '<domain name string>'] |
Yes |
Yes |
|
URL |
[url:value = '<url string>'] |
Yes |
Yes |
|
IP address |
[ipv4-addr:value = '<ip address>'] |
Yes |
Yes |
|
[ipv4-addr:value = '<ip cidr>'] |
No |
Yes |
|
|
[ipv6-addr:value = '<ip address>'] |
Yes |
Yes |
|
|
Network traffic |
[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '<ip address>'] |
Yes |
No |
|
[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '<ip address>'] |
Yes |
No |
|
|
[network-traffic:src_ref.type = 'ipv6-addr' AND network-traffic:src_ref.value = '<ip address>'] |
Yes |
No |
|
|
[network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '<ip address>'] |
Yes |
No |
|
|
[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '<domain name string>'] |
Yes |
No |
|
|
Process |
[process:command_line='<command line string>'] |
Yes |
Yes |
|
[process:parent_ref.command_line='<command line string>'] |
Yes |
Yes |
|
|
User account |
[user-account:account_login = '<account name>'] |
Yes |
Yes |
|
Registry |
[windows-registry-key:key = '<registry key path>'] |
Yes |
No |
|
[windows-registry-value-type:name = 'registry key name'] |
Yes |
No |
|
|
[windows-registry-value-type:data = 'registry key data'] |
Yes |
No |
-
STIX 2.0 and 2.1 are supported.
-
Only simple indicators whose pattern contains a single object are supported.
