About STIX
Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Perform Bulk Manual Import, Create, Edit, Delete Objects, Create, Edit, Delete Attributes, Create, Edit, Delete Relationships. See the Interdependent Permissions topic.
Note: If a user has View Only permission for Sources, system object parsers default to the user’s login as the object source.
ThreatQ supports STIX 1.1.1, STIX 1.2, and STIX 2.0.
The ThreatQ STIX parser does not formally support version 2.1; it parses 2.1 files in the same manner as 2.0 files. As such, it does not parse out the object types introduced in STIX 2.1, with the exception of Notes objects.
ThreatQ allows you to ingest and manage STIX files. You can ingest STIX data in two ways:
- You can set up a STIX/TAXII Feed.
- You can upload a STIX file or insert STIX data to parse for indicators.
ThreatQ STIX Object Types
STIX integration provides ThreatQ with the following additional object types.
- Campaigns
- Courses of Action
- Exploit Targets
- Incidents
- TTPs
- Identity (STIX 2.0)
- Reports (STIX 2.0)
- Vulnerabilities (STIX 2.0)
- Notes (STIX 2.1)
These objects enable better understanding and communication of STIX data. STIX data will be mapped to these objects and existing objects in the system.
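The following is an added example, not ThreatQ's parser or any ThreatQ code: a small Python walker over a STIX 2.x bundle that sorts objects the way this section describes (dedicated ThreatQ object types, other STIX 2.0 objects, indicators pulled from patterns, and 2.1-only objects dropped except Notes). It assumes the STIX 2.0 object-type list from the specification, a constructed sample bundle, and made-up indicator type labels, since ThreatQ's own indicator type names are not given on this page. It goes slightly beyond the page by extracting atomic indicators from compound patterns (AND/OR) as well as simple ones.

```python
import json
import re
from typing import Any

# STIX 2.0 object types that, per the page, become dedicated ThreatQ objects,
# plus "note", the one STIX 2.1 addition the page says is parsed.
SDO_TO_THREATQ_OBJECT = {
    "campaign": "Campaign",
    "course-of-action": "Course of Action",
    "identity": "Identity",
    "report": "Report",
    "vulnerability": "Vulnerability",
    "note": "Note",
}

# Every top-level object type defined by STIX 2.0 (from the specification).
# Anything outside this set that is not "note" was introduced in 2.1 and is
# dropped, because a 2.1 file is handled like a 2.0 file.
STIX20_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "identity", "indicator",
    "intrusion-set", "malware", "observed-data", "report", "threat-actor",
    "tool", "vulnerability", "relationship", "sighting", "marking-definition",
}

# Assumed mapping from STIX pattern object paths to indicator type labels;
# ThreatQ's real indicator type names are not given on this page.
PATH_TO_INDICATOR_TYPE = {
    "ipv4-addr:value": "IP Address",
    "domain-name:value": "FQDN",
    "url:value": "URL",
    "file:hashes.'MD5'": "MD5",
    "file:hashes.'SHA-256'": "SHA-256",
}

# One equality comparison inside a STIX pattern: <object-path> = '<literal>'.
# The object path may itself contain quotes, e.g. file:hashes.'SHA-256'.
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def indicators_from_pattern(pattern: str) -> list[dict[str, str]]:
    """Extract atomic indicators from a STIX pattern, including compound
    patterns joined with AND/OR. Paths with no mapping are ignored."""
    found = []
    for path, literal in COMPARISON_RE.findall(pattern):
        itype = PATH_TO_INDICATOR_TYPE.get(path)
        if itype is None:
            continue  # e.g. process:name, not treated as an indicator here
        found.append({"type": itype, "value": literal.replace("\\'", "'")})
    return found


def parse_bundle(bundle_json: str) -> dict[str, list[Any]]:
    """Walk a STIX 2.0/2.1 bundle and bucket its objects: indicators,
    dedicated ThreatQ objects, other 2.0 objects, and skipped 2.1-only ones."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    out: dict[str, list[Any]] = {"indicators": [], "objects": [], "other": [], "skipped": []}
    for obj in bundle.get("objects", []):
        stype, sid = obj.get("type", ""), obj.get("id", "")
        if stype == "indicator":
            for ind in indicators_from_pattern(obj.get("pattern", "")):
                out["indicators"].append({**ind, "stix_id": sid})
        elif stype in SDO_TO_THREATQ_OBJECT:
            out["objects"].append({
                "threatq_type": SDO_TO_THREATQ_OBJECT[stype],
                # notes carry no "name"; the spec calls their title "abstract"
                "name": obj.get("name") or obj.get("abstract") or sid,
                "stix_id": sid,
            })
        elif stype in STIX20_TYPES:
            out["other"].append(sid)    # mapped onto existing ThreatQ objects
        else:
            out["skipped"].append(sid)  # 2.1-only type such as opinion/location
    return out


# Constructed sample: a STIX 2.1 bundle mixing 2.0 types with a 2.1-only one.
SAMPLE_BUNDLE = """{
  "type": "bundle", "id": "bundle--0f4c5a7e-2b3d-4c6e-9a1b-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--0f4c5a7e-2b3d-4c6e-9a1b-000000000002",
     "pattern": "[domain-name:value = 'bad.example' OR url:value = 'http://bad.example/dl'] AND [file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
     "valid_from": "2025-04-02T00:00:00Z"},
    {"type": "campaign", "spec_version": "2.1", "name": "CAR54",
     "id": "campaign--0f4c5a7e-2b3d-4c6e-9a1b-000000000003"},
    {"type": "vulnerability", "spec_version": "2.1", "name": "Sample vulnerability",
     "id": "vulnerability--0f4c5a7e-2b3d-4c6e-9a1b-000000000004"},
    {"type": "note", "spec_version": "2.1", "abstract": "Analyst note",
     "id": "note--0f4c5a7e-2b3d-4c6e-9a1b-000000000005",
     "content": "Seen in the YellowCab feed.",
     "object_refs": ["campaign--0f4c5a7e-2b3d-4c6e-9a1b-000000000003"]},
    {"type": "opinion", "spec_version": "2.1", "opinion": "agree",
     "id": "opinion--0f4c5a7e-2b3d-4c6e-9a1b-000000000006",
     "object_refs": ["campaign--0f4c5a7e-2b3d-4c6e-9a1b-000000000003"]},
    {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
     "id": "relationship--0f4c5a7e-2b3d-4c6e-9a1b-000000000007",
     "source_ref": "indicator--0f4c5a7e-2b3d-4c6e-9a1b-000000000002",
     "target_ref": "campaign--0f4c5a7e-2b3d-4c6e-9a1b-000000000003"}
  ]
}"""

if __name__ == "__main__":
    print(json.dumps(parse_bundle(SAMPLE_BUNDLE), indent=2))
```

Running the block prints the bucketed result for the constructed bundle: three indicators (FQDN, URL, SHA-256) from the one compound pattern, the campaign, vulnerability and note as dedicated objects, the relationship as an ordinary 2.0 object, and the opinion object skipped because it exists only in STIX 2.1.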
Attribute Updates
When you import a STIX 2.0 or 2.1 object attribute update from the same TAXII feed, the updated attribute is added as a new attribute in ThreatQ.
When you import a STIX 2.0 or 2.1 object attribute update for the following attributes and from the same TAXII feed, the attribute value is updated in ThreatQ:
|
|
|
For example, the CAR54 object has a valid_until attribute of 04/02/2025 with a source of YellowCab. When you import an updated valid_until attribute of 05/02/2025 from the YellowCab feed, ThreatQ updates the valid_until attribute to 05/02/2025.
Same-source updates to attribute types not listed above, as well as attribute updates from a different source, are stored as new attributes in ThreatQ.
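The update rule above, as an added Python example that is not ThreatQ code: it models the three outcomes (same source and listed type: value replaced; same source and unlisted type: new attribute; different source: new attribute) and walks the page's CAR54 case through them. It assumes that valid_until is one of the listed attribute types (the page's own example uses it) and uses constructed names for the second source and the unlisted attribute.

```python
from dataclasses import dataclass

# Attribute types whose value is replaced by a same-source update.
# Assumption: the page's full list is not reproduced here; valid_until is
# the type its example uses.
REPLACE_ON_SAME_SOURCE = {"valid_until"}


@dataclass(frozen=True)
class Attribute:
    name: str
    value: str
    source: str  # the feed or source the attribute came from


def apply_attribute_update(existing: list[Attribute], incoming: Attribute) -> list[Attribute]:
    """Return the object's attribute list after ingesting `incoming`.

    Same source and a replace-on-update type: the stored value is updated in place.
    Anything else (unlisted type, or a different source): stored as a new attribute.
    """
    if incoming.name in REPLACE_ON_SAME_SOURCE:
        for idx, attr in enumerate(existing):
            if attr.name == incoming.name and attr.source == incoming.source:
                updated = list(existing)
                updated[idx] = Attribute(attr.name, incoming.value, attr.source)
                return updated
    return [*existing, incoming]


def car54_walkthrough() -> list[Attribute]:
    """The page's CAR54 example, extended with the two 'new attribute' cases."""
    attrs = [Attribute("valid_until", "04/02/2025", "YellowCab")]
    # same source, listed type: 04/02/2025 is replaced by 05/02/2025
    attrs = apply_attribute_update(attrs, Attribute("valid_until", "05/02/2025", "YellowCab"))
    # different source (constructed name), listed type: kept alongside
    attrs = apply_attribute_update(attrs, Attribute("valid_until", "06/02/2025", "CheckerCab"))
    # same source, unlisted type (constructed attribute): added, not replaced
    attrs = apply_attribute_update(attrs, Attribute("description", "Updated text", "YellowCab"))
    return attrs


if __name__ == "__main__":
    for attr in car54_walkthrough():
        print(attr)
```

After the walkthrough the object holds three attributes: the single YellowCab valid_until, now 05/02/2025, plus the CheckerCab valid_until and the YellowCab description added as new entries.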
Parsing a STIX File for Indicators
ThreatQ allows you to upload a STIX file or insert STIX data to parse for indicators.
- Click the Create button, located at the top of the dashboard, and select STIX Parser under the Import heading. The Parse for Intelligence window is displayed.
- Do one of the following:
  - Drag your file(s) into the left pane.
  - Click Click to Browse and locate the file you wish to upload.
  - Copy/paste the content into the right pane.
- The Normalize URL Indicators check box defaults to checked. You can click the check box to unselect it or leave it checked. See Indicator URL Normalization for more information.
- Click the Next Step button. If at any point you wish to abandon the import, click Abandon this import.
- Populate the following fields:

| Field | Required | Description |
| --- | --- | --- |
| Name | Y | Enter the name of your import file. |
| Source | Y | Select a Source from the dropdown menu provided. You can also click the Add a New Source option if the desired source is not listed in the dropdown list. If administrators have enabled TLP view settings, you can select a TLP label for the new source in the dropdown list provided. See the Traffic Light Protocol (TLP) topic for more information on TLP schema. |
| Select a status | Y | Select a Status to be applied to the imported objects. You can select a status for any object for which an Admin or Maintenance user has configured object statuses. See the Object Statuses topic for more information. |
| Add attributes | N | Select Attributes to be assigned to the imported objects. |
| Add comment | N | Add a comment to the imported objects. |
| Add relationships | N | Add Relationships for the imported objects. If you enter an object name that is not found, you can click the Create link to add the new object. If you limit your search to a specific object type, you are linked to the corresponding form. For example, if you limit your search to Adversaries, the Create link opens the Add An Adversary form. If you leave the Limit search to field set to All Objects, you can select the object type you want to create from a drop-down list. |
| Tags | N | Enter any Tags that should be applied to the imported objects. |

- Click the Submit button.
New objects will become available in the Threat Library.