AutoFocus API STIX Support

In addition to API support for JSON, AutoFocus also provides responses in the form of STIX (Structured Threat Indicator eXpression). STIX is an easily consumable and standardized data model for cyber threat information expressed through structured XML.
STIX support through AutoFocus currently conforms to STIX 1.1.1 . To effectively provide the volume of data available through AutoFocus, responses contain embedded MAEC (Malware Attribute Enumeration and Characterization) and CybOX (Cyber Observable eXpression) content. MAEC is especially suited for structured, detailed malware information, such as behaviors, static analysis, and dynamic analysis of malware. CybOX content captures observable events and properties of malware such as platforms where the malware is found and actions taken by the malware.
For example, when you Get Sample Analysis reports using the STIX API, the response shows a combination of STIX, MAEC, and CybOX content:
<!-- TRUNCATED RESPONSE --> 
<stix> 
  <stix:STIX_Package xmlns:DNSQueryObj="http://cybox.mitre.org/objects#DNSQueryObject-2" xmlns:DNSRecordObj="http://cybox.mitre.org/objects#DNSRecordObject-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:HTTPSessionObj="http://cybox.mitre.org/objects#HTTPSessionObject-2" xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2" xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:autofocus="https://autofocus.paloaltonetworks.com" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stix-maec="http://stix.mitre.org/extensions/Malware#MAEC4.1-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="autofocus:Package-eb6a086e-6dc4-4436-98ad-91faa7914e15" version="1.1.1" timestamp="2016-03-07T22:52:45.311237+00:00"> 
    <stix:TTPs> 
    <stix:TTP id="autofocus:ttp-9c427415-4493-4a78-8c1f-172fb46ef0db" timestamp="2016-03-07T22:52:45.312313+00:00" xsi:type="ttp:TTPType"> 
      <ttp:Title>3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</ttp:Title> 
      <ttp:Description>dynamic analysis for 3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</ttp:Description> 
      <ttp:Behavior> 
      <ttp:Malware> 
        <ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType"> 
        <stix-maec:MAEC id="autofocus:package-9c280586-46a1-4b9e-bc31-cb2e4635fe3c" schema_version="2.1"> 
          <maecPackage:Malware_Subjects> 
          <maecPackage:Malware_Subject id="autofocus:malware_subject-fdd89da7-6202-45a7-9ccb-569e667088a7"> 
            <maecPackage:Malware_Instance_Object_Attributes id="autofocus:Object-227c3900-4976-414f-8587-1a8dc95c7a8e"> 
            <cybox:Properties xsi:type="FileObj:FileObjectType"> 
              <FileObj:Hashes> 
              <cyboxCommon:Hash> 
                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type> 
<cyboxCommon:Simple_Hash_Value>3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f</cyboxCommon:Simple_Hash_Value> 
              </cyboxCommon:Hash> 
              </FileObj:Hashes> 
            </cybox:Properties> 
<!-- TRUNCATED RESPONSE --> 
Code copied to clipboard
Unable to copy due to lack of browser support.

Related Documentation