STIX Exports

You can export ThreatQ-supported STIX objects to STIX files from the object details and object preview pages as well as from Threat Library search results. Exports from the object details and object preview pages include object relationships (up to 1,000 per object). Exports from Threat Library search results do not include relationships.

Each STIX export can contain up to 50,000 system objects. If you attempt to exceed this maximum, a tooltip is displayed indicating that the export option is available for searches under 50,000 objects.

ThreatQ supports STIX exports for the following seeded objects:

  • Adversaries
  • Attack Pattern
  • Campaign
  • Course of Action
  • Identity
  • Incident
  • Indicators
  • Infrastructure
  • Intrusion Set
  • Malware
  • Note*
  • Report*
  • Tool
  • Vulnerability

Note and Report objects can only be exported to STIX from the object details and object preview pages or TQX, not from Threat Library search results.

For indicators, you can create STIX export bundles for the following indicator types:

  • ASN
  • Binary String
  • CIDR Block
  • CVE
  • Email Address
  • Email Attachment
  • Email Subject
  • File Path
  • Filename
  • FQDN
  • IP Address
  • IPv6 Address
  • MAC Address
  • MD5
  • Mutex
  • Password
  • SHA-1
  • SHA-256
  • SHA-512
  • x509 Serial
  • x509 Subject
  • URL
  • User-agent
  • Username
  • X-Mailer

Tips and Tricks

  • STIX exports:
    • Include an object's confidence value as an attribute as long as the confidence value falls within the range from zero to one hundred.
    • Include an object's primary description only. If an object has multiple descriptions, the other descriptions are omitted.
    • Include indicator expiration timestamps in the valid_until field.
    • Include object relationships only when generated from the object details and object preview pages; exports from Threat Library search results do not include relationships.
  • When you export system objects with the following location keys as attributes to a STIX file, the export process converts these attributes to STIX location objects: latitude, region, city, longitude, country, street address, precision, administrative area, postal code. Conversely, STIX imports convert location objects back into these attributes.
  • When you export an infrastructure object that includes Kill Chain: attributes to a STIX file, these attributes are exported as Kill Chain Phase information.

Exporting Threat Library Search Results to STIX

STIX exports generated from Threat Library search results do not include object relationships.

To export search results to a STIX file:

  1. Navigate to the Threat Library.
  2. Perform your search or load the appropriate data collection.
  3. Optionally, check the checkbox next to each object you want to include in the export.
  4. Click the Export button and select either the option to export all objects or the option to export only the checked objects.
    The STIX file downloads to your desktop.

Exporting Object Details to STIX

Exports from the object details and object preview pages include up to 1,000 relationships per object. Exports from Threat Library search results do not include related objects.

For objects with more than 1,000 relationships, the relationships are returned in an indeterminate order, so there is no sort option to control which 1,000 of them are included in the STIX export.

  1. Access the system object's details or preview page.
  2. Click the Actions button.
  3. Click the Export to STIX option.
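The export rules above (confidence only within 0 to 100, expiration in valid_until, location attributes turned into location objects, the 1,000-relationships-per-object cap and the 50,000-object cap) are worth checking on the downloaded file before handing it to another tool. The following script is an added example, not ThreatQ code or part of the ThreatQ documentation. It assumes the export is a STIX 2.1 JSON bundle (the documented location, infrastructure, note and report types are STIX 2.1 types); the sample bundle, its identifiers and the finding names are constructed for illustration.

```python
"""Sanity checks for a STIX 2.1 bundle exported from ThreatQ (added example).

Assumption: the export is a STIX 2.1 JSON bundle. The bundle below is
constructed, not a real export; the finding codes are this script's own.
"""
import json

MAX_OBJECTS = 50_000  # documented per-export cap on system objects
# STIX 2.1 location properties that the documented location attribute keys map to
LOCATION_KEYS = {
    "latitude", "longitude", "precision", "region", "country",
    "administrative_area", "city", "street_address", "postal_code",
}

# Constructed identifiers for the sample bundle
IND_OK = "indicator--11111111-1111-4111-8111-111111111111"
IND_BAD = "indicator--22222222-2222-4222-8222-222222222222"
LOC = "location--33333333-3333-4333-8333-333333333333"
INFRA = "infrastructure--44444444-4444-4444-8444-444444444444"
MISSING = "malware--55555555-5555-4555-8555-555555555555"  # deliberately absent
REL_OK = "relationship--66666666-6666-4666-8666-666666666666"
REL_DANGLING = "relationship--77777777-7777-4777-8777-777777777777"
BUNDLE_ID = "bundle--00000000-0000-4000-8000-000000000000"
TS = "2024-01-01T00:00:00.000Z"


def _stix(obj_type, obj_id, **props):
    """Build a minimal STIX 2.1 object with only the fields the checks read."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": obj_id,
           "created": TS, "modified": TS}
    obj.update(props)
    return obj


# Constructed sample standing in for an object-details export with relationships.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": BUNDLE_ID,
    "objects": [
        _stix("indicator", IND_OK, pattern="[domain-name:value = 'example.invalid']",
              pattern_type="stix", valid_from=TS,
              valid_until="2024-07-01T00:00:00.000Z", confidence=70),
        # confidence outside 0-100 and no expiration: both should be flagged
        _stix("indicator", IND_BAD, pattern="[ipv4-addr:value = '198.51.100.7']",
              pattern_type="stix", valid_from=TS, confidence=150),
        _stix("location", LOC, country="US", city="Reston"),
        _stix("infrastructure", INFRA, name="c2-host",
              kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                  "phase_name": "command-and-control"}]),
        _stix("relationship", REL_OK, relationship_type="indicates",
              source_ref=IND_OK, target_ref=INFRA),
        # target was never placed in the bundle (e.g. dropped by the 1,000 cap)
        _stix("relationship", REL_DANGLING, relationship_type="indicates",
              source_ref=IND_OK, target_ref=MISSING),
    ],
})


def check_bundle(bundle_json, max_objects=MAX_OBJECTS):
    """Return (object_id, finding) pairs; an empty list means the bundle is clean."""
    bundle = json.loads(bundle_json)
    objects = bundle.get("objects", [])
    findings = []
    if len(objects) > max_objects:
        findings.append((bundle.get("id", "bundle"), "too_many_objects"))
    ids = {obj["id"] for obj in objects}
    for obj in objects:
        oid, otype = obj["id"], obj["type"]
        conf = obj.get("confidence")
        if conf is not None and not 0 <= conf <= 100:
            findings.append((oid, "confidence_out_of_range"))
        if otype == "indicator" and "valid_until" not in obj:
            # no expiration was exported; the indicator never ages out downstream
            findings.append((oid, "no_valid_until"))
        if otype == "location" and LOCATION_KEYS.isdisjoint(obj):
            findings.append((oid, "location_without_keys"))
        if otype == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    findings.append((oid, f"dangling_{ref}"))
    return findings


def relationship_counts(bundle_json):
    """Relationships per object id; compare against the 1,000-per-object cap."""
    counts = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                counts[obj[ref]] = counts.get(obj[ref], 0) + 1
    return counts


if __name__ == "__main__":
    for oid, finding in check_bundle(SAMPLE_BUNDLE):
        print(f"{finding:24} {oid}")
```

Against a real download, replace SAMPLE_BUNDLE with the file contents. A dangling target_ref on an object whose relationship count is at or near 1,000 is the signature of the truncation described above; since the order is indeterminate, the only fix is to export the related objects separately and merge the bundles.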