STIX

Structured Threat Information eXpression

A Structured Language for Cyber Threat Intelligence Information

STIX Language — Version 1.2

Samples

Sample content for STIX Version 1.1.1 is provided below. It includes both simple examples of very basic STIX documents and examples of full threat reports that have been mapped from real-world sources into STIX.

IMPORTANT: Although these examples are sourced from real-world reports, they should be considered illustrative examples only and should not be used in real-world operations.

ALL SAMPLES: ZIP

Simple Examples

This section includes very basic STIX documents, each intended to illustrate a particular concept or basic use case. For example, the Confidence Snippet shows how to use confidence, and the IP Watchlist shows a simple IP watchlist.

Name                                         Type         Download
Domain Watchlist                             XML          XML
Email w/ Attachment                          XML          XML
Email w/ Full Attachment                     XML          XML
Email w/ Link                                XML          XML
Filehash Watchlist                           XML          XML
Indicator Snort                              XML          XML
IP Watchlist                                 XML          XML
Malware Sample                               XML          XML
Phishing Indicator                           XML          XML
Confidence Snippet                           XML Snippet  XML
Controlled Vocabulary Snippet                XML Snippet  XML
Controlled Vocabulary Specification Snippet  XML Snippet  XML
Handling Snippet                             XML Snippet  XML
Sightings Snippet                            XML Snippet  XML
xsi:type Snippet                             XML Snippet  XML
URL Watchlist                                XML          XML

Full Report Examples

This section includes more complete examples of full threat reports that have been mapped from real-world sources into STIX. These examples help demonstrate how STIX can represent full-spectrum cyber threat intelligence from TTPs to Threat Actors to Indicators and Observables.

Name Type Download
Mandiant APT1 Report Mandiant APT1 Report README | ZIP
FireEye Poison Ivy Report FireEye Poison Ivy Report README | ZIP
Page Last Updated: May 08, 2014