AutoFocus API STIX Support
In addition to API support for JSON, AutoFocus also provides responses in the form of STIX (Structured Threat Indicator eXpression). STIX is an easily consumable and standardized data model for cyber threat information expressed through structured XML.
STIX support through AutoFocus currently conforms to STIX 1.1.1. To effectively provide the volume of data available through AutoFocus, responses contain embedded MAEC (Malware Attribute Enumeration and Characterization) and CybOX (Cyber Observable eXpression) content. MAEC is especially suited for structured, detailed malware information, such as behaviors, static analysis, and dynamic analysis of malware. CybOX content captures observable events and properties of malware such as platforms where the malware is found and actions taken by the malware.
For example, when you request Get Sample Analysis reports through the STIX API, the response combines STIX, MAEC, and CybOX content (the TTP wraps a MAEC package, which in turn wraps CybOX file properties such as the sample's SHA256 hash):
<!-- TRUNCATED RESPONSE -->
<stix>
<stix:STIX_Package xmlns:DNSQueryObj="http://cybox.mitre.org/objects#DNSQueryObject-2" xmlns:DNSRecordObj="http://cybox.mitre.org/objects#DNSRecordObject-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:HTTPSessionObj="http://cybox.mitre.org/objects#HTTPSessionObject-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2" xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2">
  <stix:TTPs>
    <stix:TTP id="autofocus:ttp-9c427415-4493-4a78-8c1f-172fb46ef0db" timestamp="2016-03-07T22:52:45.312313+00:00" xsi:type="ttp:TTPType">
      <ttp:Title>3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</ttp:Title>
      <ttp:Description>dynamic analysis for 3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</ttp:Description>
      <ttp:Behavior>
        <ttp:Malware>
          <ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType">
            <stix-maec:MAEC id="autofocus:package-9c280586-46a1-4b9e-bc31-cb2e4635fe3c" schema_version="2.1">
              <maecPackage:Malware_Subjects>
                <maecPackage:Malware_Subject id="autofocus:malware_subject-fdd89da7-6202-45a7-9ccb-569e667088a7">
                  <maecPackage:Malware_Instance_Object_Attributes id="autofocus:Object-227c3900-4976-414f-8587-1a8dc95c7a8e">
                    <cybox:Properties xsi:type="FileObj:FileObjectType">
                      <FileObj:Hashes>
                        <cyboxCommon:Hash>
                          <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                          <cyboxCommon:Simple_Hash_Value>3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</cyboxCommon:Simple_Hash_Value>
                        </cyboxCommon:Hash>
                      </FileObj:Hashes>
                    </cybox:Properties>
<!-- TRUNCATED RESPONSE -->
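As an added example (not AutoFocus code and not from its documentation), the following Python walks a response of the shape shown above and lifts the file hashes out of the embedded MAEC/CybOX layers with the standard library's namespace-aware ElementTree. The namespace URIs are those of the STIX 1.1.1, MAEC 4.1 extension and CybOX 2.1 schemas; the sample document is constructed from the truncated excerpt, with a placeholder TTP id and a constructed MD5 value added alongside the SHA256.

```python
import xml.etree.ElementTree as ET

# Schema namespace URIs behind the prefixes used in the response above (STIX 1.1.1
# core and TTP, the MAEC 4.1 extension, MAEC package, CybOX core/common, CybOX File).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "stix-maec": "http://stix.mitre.org/extensions/Malware#MAEC4.1-1",
    "maecPackage": "http://maec.mitre.org/XMLSchema/maec-package-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}
SHA256_A = "3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f"

# Constructed, well-formed stand-in for the truncated response; the TTP id and the
# MD5 are placeholders, and every prefix is declared so the document parses alone.
SAMPLE = f"""<stix:STIX_Package xmlns:stix="{NS['stix']}" xmlns:ttp="{NS['ttp']}"
  xmlns:stix-maec="{NS['stix-maec']}" xmlns:maecPackage="{NS['maecPackage']}"
  xmlns:cybox="{NS['cybox']}" xmlns:cyboxCommon="{NS['cyboxCommon']}"
  xmlns:FileObj="{NS['FileObj']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:TTPs><stix:TTP id="autofocus:ttp-PLACEHOLDER" xsi:type="ttp:TTPType">
  <ttp:Title>{SHA256_A}</ttp:Title>
  <ttp:Behavior><ttp:Malware><ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType">
   <stix-maec:MAEC schema_version="2.1"><maecPackage:Malware_Subjects><maecPackage:Malware_Subject>
    <maecPackage:Malware_Instance_Object_Attributes><cybox:Properties xsi:type="FileObj:FileObjectType">
     <FileObj:Hashes>
      <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value>{SHA256_A.upper()}</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
      <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
     </FileObj:Hashes>
    </cybox:Properties></maecPackage:Malware_Instance_Object_Attributes>
   </maecPackage:Malware_Subject></maecPackage:Malware_Subjects></stix-maec:MAEC>
  </ttp:Malware_Instance></ttp:Malware></ttp:Behavior>
 </stix:TTP></stix:TTPs>
</stix:STIX_Package>"""

def extract_hashes(stix_xml):
    """Return (ttp_id, hash_type, value, matches_title) for each hash under a TTP.
    The response above titles the TTP with the analysed sample's SHA256, so
    matches_title confirms which hash is the submitted sample's before reuse."""
    root = ET.fromstring(stix_xml)
    records = []
    for ttp in root.findall(".//stix:TTP", NS):
        title = ttp.findtext("ttp:Title", "", NS).strip().lower()
        for h in ttp.findall(".//FileObj:Hashes/cyboxCommon:Hash", NS):
            htype = h.findtext("cyboxCommon:Type", "", NS).strip().upper()
            value = h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip().lower()
            records.append((ttp.get("id"), htype, value, htype == "SHA256" and value == title))
    return records
```

Hash values are lower-cased before comparison because the response's title and hash value may not share the same case.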
STIX Elements and Fields
The following table lists the STIX-enabled resources along with the corresponding STIX, MAEC, and CybOX elements visible in the response:

Resource: Get Samples (Search Samples and Sessions)
Element: cybox:Observables. Observables are events or stateful properties, such as the value of a registry key, the deletion of a file, or the receipt of an HTTP GET.
Fields: cybox:Observable, cybox:Description, cybox:Object, cybox:Properties

Resource: Get Sessions (Search Samples and Sessions)
Element: stix:Incident. Incidents are discrete instances of observable patterns affecting an organization; they include information discovered during an incident response investigation.
Fields: incident:Description, incident:Victim, incident:Related_Observables

Resource: Get Sample Analysis
Element: ttp:MalwareType. TTPs (Tactics, Techniques, and Procedures) represent adversarial behavior, such as potentially targeted victims, attack patterns and malware, and leveraged resources (infrastructure, tools, personas).
Fields: ttp:Title, ttp:Description, ttp:Behavior, ttp:Malware, ttp:Malware_Instance, maecPackage:MAEC_Package, maecPackage:Malware_Subjects (containing maecPackage:Malware_Subject)

Resource: Get Tags
Element: stix:Indicator. Indicators convey specific observable patterns combined with contextual information; they represent artifacts and behaviors of interest.
Fields: indicator:Title, indicator:Description, indicator:Short_Description, indicator:Sightings, indicator:Producer (containing stixCommon:Description, stixCommon:Identity, stixCommon:Name)

Resource: Get Tag Details
Element: stix:Indicator
Fields: indicator:Title, indicator:Description, indicator:Short_Description, indicator:Composite_Indicator_Expression (containing indicator:Indicator), indicator:Sightings, indicator:Producer