Before sweeping different data sources, Trend Vision One identifies and captures the STIX indicator patterns used for sweeping. The following table lists the common STIX indicator patterns applied under different scenarios.

Note: STIX-Shifter allows Trend Vision One to connect to third-party data sources by using STIX Patterning and to return sweeping results as STIX Observations. The following table does not cover all the STIX patterns supported by STIX-Shifter, and Trend Micro can only guarantee support for tested STIX patterns.
| Object Type | STIX Pattern | For Endpoint Activity Data | For Email Activity Data | For Network Activity Data | For STIX-Shifter Data Source (QRadar on Cloud) |
|---|---|---|---|---|---|
| File | `[file:hashes.'SHA-256' = '<SHA256 value>']` | Yes | Yes | Yes | Yes |
| File | `[file:hashes.'SHA-1' = '<SHA1 value>']` | Yes | Yes | Yes | Yes |
| File | `[file:hashes.MD5 = '<md5 value>']` | Yes | Yes | No | Yes |
| File | `[file:name = '<file name string>']` | Yes | Yes | Yes | Yes |
| Domain | `[domain-name:value = '<domain name string>']` | Yes | Yes | Yes | Yes |
| URL | `[url:value = '<url string>']` | Yes | Yes | Yes | Yes |
| IP address | `[ipv4-addr:value = '<ip address>']` | Yes | Yes | Yes | Yes |
| IP address | `[ipv4-addr:value = '<ip cidr>']` | No | No | No | Yes |
| IP address | `[ipv6-addr:value = '<ip address>']` | Yes | Yes | Yes | Yes |
| Network traffic | `[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '<ip address>']` | Yes | Yes | Yes | No |
| Network traffic | `[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '<ip address>']` | Yes | Yes | Yes | No |
| Network traffic | `[network-traffic:src_ref.type = 'ipv6-addr' AND network-traffic:src_ref.value = '<ip address>']` | Yes | Yes | Yes | No |
| Network traffic | `[network-traffic:dst_ref.type = 'ipv6-addr' AND network-traffic:dst_ref.value = '<ip address>']` | Yes | Yes | Yes | No |
| Network traffic | `[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '<domain name string>']` | Yes | Yes | Yes | No |
| Process | `[process:command_line='<command line string>']` | Yes | No | No | Yes |
| Process | `[process:parent_ref.command_line='<command line string>']` | Yes | No | No | Yes |
| User account | `[user-account:account_login = '<account name>']` | Yes | No | Yes | Yes |
| Registry | `[windows-registry-key:key = '<registry key path>']` | Yes | No | No | No |
| Registry | `[windows-registry-value-type:name = 'registry key name']` | Yes | No | No | No |
| Registry | `[windows-registry-value-type:data = 'registry key data']` | Yes | No | No | No |

Note
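Building the single-object patterns from the table programmatically, as an added example that is not part of the Trend Micro documentation: `build_pattern` (an assumed helper name) validates the indicator value, escapes it as a STIX string constant, chooses the object path (for instance an IPv4 CIDR, which the table supports only for the QRadar source), and returns the sweep sources the table lists as supporting the resulting pattern. The support matrix is transcribed from the table above.

```python
# Added example, not Trend Micro code: build STIX indicator patterns from the
# table above and report which sweep sources the table marks as supporting them.
import ipaddress
import re

SOURCES = ("endpoint", "email", "network", "qradar")
SUPPORT = {  # transcribed from the table, in SOURCES column order
    "file:hashes.'SHA-256'": (1, 1, 1, 1),
    "file:hashes.'SHA-1'":   (1, 1, 1, 1),
    "file:hashes.MD5":       (1, 1, 0, 1),
    "ipv4-addr:value":       (1, 1, 1, 1),
    "ipv4-addr:cidr":        (0, 0, 0, 1),  # CIDR sweeps only the QRadar source
    "ipv6-addr:value":       (1, 1, 1, 1),
    "domain-name:value":     (1, 1, 1, 1),
    "process:command_line":  (1, 0, 0, 1),
}
HASH_BY_LEN = {64: "file:hashes.'SHA-256'", 40: "file:hashes.'SHA-1'", 32: "file:hashes.MD5"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def stix_quote(value: str) -> str:
    """STIX string constants are single-quoted; backslash and ' are backslash-escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def build_pattern(kind: str, value: str) -> tuple[str, frozenset]:
    """Return (pattern, sources that support it); raise ValueError on malformed input."""
    value = value.strip()
    if kind == "hash":
        if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) not in HASH_BY_LEN:
            raise ValueError("hash must be 32, 40 or 64 hex characters")
        key, value = HASH_BY_LEN[len(value)], value.lower()
    elif kind == "ip":
        net = ipaddress.ip_network(value, strict=False)  # ValueError if malformed
        cidr = net.num_addresses > 1
        if cidr and net.version == 6:
            raise ValueError("IPv6 CIDR is not in the supported-pattern table")
        key = "ipv4-addr:cidr" if cidr else f"ipv{net.version}-addr:value"
        value = str(net) if cidr else str(net.network_address)  # normalised form
    elif kind == "domain":
        if not DOMAIN_RE.match(value):
            raise ValueError("not a valid domain name")
        key, value = "domain-name:value", value.lower()
    elif kind == "command_line":
        key = "process:command_line"  # command lines often contain quotes; see stix_quote
    else:
        raise ValueError(f"unknown indicator kind {kind!r}")
    prop = "ipv4-addr:value" if key == "ipv4-addr:cidr" else key
    supported = frozenset(s for s, ok in zip(SOURCES, SUPPORT[key]) if ok)
    return f"[{prop} = {stix_quote(value)}]", supported
```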