Structured Threat Information eXpression

A Structured Language for Cyber Threat Intelligence Information

STIX Language — Version 1.2
Samples


Sample content for STIX Version 1.0.1 is provided below. It includes both simple examples of very basic STIX documents and examples of full threat reports that have been mapped from real-world sources into STIX.

IMPORTANT: Although these examples are sourced from real-world reports, they should be considered illustrative examples only and should not be used in real-world operations.

Simple Examples

This section includes very basic STIX documents intended to illustrate a particular concept or basic use case. For example, the confidence snippet exhibits how to use confidence, and the IP Watchlist exhibits a simple IP Watchlist.

Name                                          Type           Download
Domain Watchlist                              XML            XML | HTML
Email w/Attachment                            XML            XML | HTML
Email w/Full Attachment                       XML            XML | HTML
Email w/Link                                  XML            XML | HTML
FileHash Watchlist                            XML            XML | HTML
IP Watchlist                                  XML            XML | HTML
Indicator Snort                               XML            XML | HTML
Malware Sample                                XML            XML | HTML
Phishing Indicator                            XML            XML | HTML
Confidence Snippet                            XML Snippet    XML
Controlled Vocabulary Snippet                 XML Snippet    XML
Controlled Vocabulary Specification Snippet   XML Snippet    XML
Handling Snippet                              XML Snippet    XML
Sightings Snippet                             XML Snippet    XML
XML Snippet                                   XML Snippet    XML
URL Watchlist                                 XML            XML | HTML

Full Report Examples

This section includes more complete examples of full threat reports that have been mapped from real-world sources into STIX. These examples help demonstrate how STIX can represent full-spectrum cyber threat intelligence from TTPs to Threat Actors to Indicators and Observables.

Name                        Type                        Download
Mandiant APT1 Report        Mandiant APT1 Report        README | ZIP
FireEye Poison Ivy Report   FireEye Poison Ivy Report   README | ZIP
Page Last Updated: December 09, 2013