AutoFocus API STIX Support
AutoFocus API STIX Support
In addition to API support for JSON, AutoFocus also
provides responses in the form of STIX (Structured Threat Information
eXpression). STIX is an easily consumable, standardized data
model for cyber threat information, expressed as structured
XML.
STIX support through AutoFocus currently conforms to
STIX 1.1.1. To convey the full
volume of data available through AutoFocus, responses contain embedded
MAEC (Malware Attribute Enumeration and Characterization) and CybOX
(Cyber Observable eXpression) content. MAEC is especially suited
to structured, detailed malware information, such as behaviors and the
results of static and dynamic analysis. CybOX content captures
observable events and properties of malware, such as the platforms on which
the malware is found and the actions it takes.
For example, when you Get Sample Analysis reports using the STIX API, the response
shows a combination of STIX, MAEC, and CybOX content:
<!-- TRUNCATED RESPONSE -->
<!-- Sample Get Sample Analysis response. Only an excerpt is shown: the opening
     <stix> wrapper below is never closed in this listing because the response
     is truncated at the end. -->
<!-- NOTE(review): consumers should treat this as untrusted inbound XML. Parse it
     with DTD and external-entity resolution disabled, and do not fetch anything
     based on the document's own namespace or schema-location URIs: the xmlns
     values here are identifiers only and are not expected to resolve. -->
<stix>
<!-- Every STIX, MAEC and CybOX namespace used by the response is declared once
     on the STIX_Package root. The package id carries the vendor's own
     "autofocus" prefix, and version="1.1.1" matches the STIX level the text
     above says AutoFocus conforms to. -->
<stix:STIX_Package xmlns:DNSQueryObj="http://cybox.mitre.org/objects#DNSQueryObject-2" xmlns:DNSRecordObj="http://cybox.mitre.org/objects#DNSRecordObject-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:HTTPSessionObj="http://cybox.mitre.org/objects#HTTPSessionObject-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2" xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:autofocus="https://autofocus.paloaltonetworks.com" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stix-maec="http://stix.mitre.org/extensions/Malware#MAEC4.1-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="autofocus:Package-eb6a086e-6dc4-4436-98ad-91faa7914e15" version="1.1.1" timestamp="2016-03-07T22:52:45.311237+00:00">
<!-- STIX layer: the analysis result is modelled as a TTP. The concrete type of
     each polymorphic element is selected through xsi:type, here ttp:TTPType.
     Title and Description name the sample by its SHA256. -->
<stix:TTPs>
<stix:TTP id="autofocus:ttp-9c427415-4493-4a78-8c1f-172fb46ef0db" timestamp="2016-03-07T22:52:45.312313+00:00" xsi:type="ttp:TTPType">
<ttp:Title>3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</ttp:Title>
<ttp:Description>dynamic analysis for 3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</ttp:Description>
<ttp:Behavior>
<ttp:Malware>
<!-- MAEC layer: the Malware_Instance uses the stix-maec extension type, which
     embeds a whole MAEC package (schema_version 2.1) inside the STIX TTP. -->
<ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType">
<stix-maec:MAEC id="autofocus:package-9c280586-46a1-4b9e-bc31-cb2e4635fe3c" schema_version="2.1">
<maecPackage:Malware_Subjects>
<maecPackage:Malware_Subject id="autofocus:malware_subject-fdd89da7-6202-45a7-9ccb-569e667088a7">
<maecPackage:Malware_Instance_Object_Attributes id="autofocus:Object-227c3900-4976-414f-8587-1a8dc95c7a8e">
<!-- CybOX layer: the analyzed file is described as a FileObject whose only
     property shown here is its SHA256 hash. The hash type comes from the
     CybOX HashNameVocab-1.0 vocabulary and the value repeats the TTP Title. -->
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
<!-- The remainder of the MAEC package (behaviors, further CybOX objects for the
     DNS, HTTP, process and system namespaces declared above) and the closing
     tags are omitted by the truncation. -->
<!-- TRUNCATED RESPONSE -->