This use case profile describes how one organization can share an IP watchlist (a list of IP addresses suspected to be malicious) with another organization as a list of STIX indicators, optionally linked to the TTPs those addresses are associated with. It does not describe how to return sightings or provide feedback on the indicators.
Version: 0.1draft
ID: ipwatchlist
STIX Version: 2.0
TAXII Version: 2.0
TAXII Channel(s): indicators
Base Content Type: stix:Package
Name | Description | Type |
---|---|---|
indicators | List of indicators | array<stix:IndicatorType> (restriction) |
-- @id | ID for this indicator | uri |
-- @timestamp | Timestamp this indicator was created | datetime |
-- pattern | CybOX pattern representing the IP address | cybox:Pattern (restriction) |
-- -- operator | How to combine the objects | string (AND \| OR) |
-- -- objects | List of objects to pattern against | array<cybox:ObjectPatternType> (restriction) |
-- -- -- @type | Type of object, must be IPv4 address | const("ipv4-addr") |
-- -- -- value | Address value field (carries the value and its match condition) | string |
-- -- -- -- @value | Actual IP address | string |
-- -- -- -- condition | Pattern match | const("equals") |
relationships | List of relationships between indicators and TTPs in the document | array<stix:RelationshipType> |
ttps | List of TTPs referred to by indicators in the document | array<stix:TTPType> (refinement) |
-- title | Title of TTP (required for this refinement) | string |
Example ipwatchlist message (one indicator for a single host, related with medium confidence to a named TTP; the relationship's `from` and `to` reference the `@id` of the indicator and the TTP):

```json
{
  "@id": "mitre.org:taxiimsg-1234",
  "@type": "stix:ipwatchlist",
  "content": {
    "indicators": [
      {
        "@id": "mitre.org:indicator-1234",
        "@timestamp": "2015-10-31T01:01:01Z",
        "pattern": {
          "operator": "AND",
          "objects": [
            {
              "@type": "ipv4-addr",
              "value": {
                "@value": "1.23.45.67/32",
                "condition": "equals"
              }
            }
          ]
        }
      }
    ],
    "ttps": [
      {
        "@id": "mitre.org:ttp-1234",
        "@timestamp": "2015-10-31T01:01:01Z",
        "title": "TorrentLocker"
      }
    ],
    "relationships": [
      {
        "@id": "mitre.org:rel-2345",
        "@timestamp": "2015-10-31T01:01:01Z",
        "from": "mitre.org:indicator-1234",
        "to": "mitre.org:ttp-1234",
        "confidence": {
          "@value": "Medium"
        }
      }
    ]
  }
}
```
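A receiving organization should not load a watchlist message into a blocklist or detection rule without first checking that it actually conforms to this profile: a pattern object that is not an `ipv4-addr`, a condition other than `equals`, a TTP without a title, or a relationship pointing at an object that is not in the document are all signs of a sender (or a middlebox) that is not speaking this profile. The following is an added example of such a consumer-side check, written for this page; it is not code from the profile or from MITRE. It assumes a message of the shape shown above and that a relationship's `from`/`to` carry the full `@id` of the indicator and TTP (the profile text does not say so explicitly). The sample message is constructed here and mirrors the example above.

```python
"""Consumer-side validation of an ipwatchlist message (added example).

Enforces the profile's restrictions (ipv4-addr objects, 'equals' condition,
AND/OR operator, TTP title present, relationships that resolve) and turns the
message into entries a blocklist or detector can use.
Assumption: relationship 'from'/'to' hold the full '@id' of the referenced objects.
"""
import ipaddress
from dataclasses import dataclass, field

ALLOWED_OPERATORS = {"AND", "OR"}


class ProfileError(ValueError):
    """The message does not satisfy the ipwatchlist profile."""


@dataclass
class WatchlistEntry:
    indicator_id: str
    networks: list                              # ipaddress.IPv4Network objects
    ttps: list = field(default_factory=list)    # (TTP title, confidence) pairs


def _parse_pattern(ind_id, pattern):
    if not isinstance(pattern, dict):
        raise ProfileError(f"{ind_id}: missing pattern")
    if pattern.get("operator") not in ALLOWED_OPERATORS:
        raise ProfileError(f"{ind_id}: operator must be AND or OR")
    networks = []
    for obj in pattern.get("objects", []):
        if obj.get("@type") != "ipv4-addr":
            raise ProfileError(f"{ind_id}: object type {obj.get('@type')!r} not allowed")
        value = obj.get("value") or {}
        if value.get("condition") != "equals":
            raise ProfileError(f"{ind_id}: condition must be 'equals'")
        try:
            # strict=True (the default) rejects e.g. "1.23.45.67/24", whose host
            # bits are set; silently masking it would widen the watchlist to a
            # whole /24 the sender never asserted. A bare address becomes a /32.
            networks.append(ipaddress.IPv4Network(value.get("@value")))
        except (ValueError, TypeError) as exc:
            raise ProfileError(f"{ind_id}: bad IPv4 value: {exc}") from exc
    if not networks:
        raise ProfileError(f"{ind_id}: pattern has no objects")
    return networks


def parse_ipwatchlist(message):
    """Validate one ipwatchlist message and return its list of WatchlistEntry."""
    if message.get("@type") != "stix:ipwatchlist":
        raise ProfileError("not an ipwatchlist message")
    content = message.get("content") or {}

    ttps = {}
    for ttp in content.get("ttps", []):
        if not ttp.get("@id") or not ttp.get("title"):
            raise ProfileError(f"{ttp.get('@id')}: TTP @id and title are required")
        ttps[ttp["@id"]] = ttp["title"]

    entries = {}
    for ind in content.get("indicators", []):
        ind_id = ind.get("@id")
        if not ind_id:
            raise ProfileError("indicator without @id")
        entries[ind_id] = WatchlistEntry(ind_id, _parse_pattern(ind_id, ind.get("pattern")))

    for rel in content.get("relationships", []):
        src, dst = rel.get("from"), rel.get("to")
        if src not in entries or dst not in ttps:
            raise ProfileError(f"{rel.get('@id')}: relationship {src!r} -> {dst!r} does not resolve")
        confidence = (rel.get("confidence") or {}).get("@value", "Unknown")
        entries[src].ttps.append((ttps[dst], confidence))
    return list(entries.values())


def conforms(message):
    """True if the message satisfies the profile; useful for filtering a TAXII channel."""
    try:
        parse_ipwatchlist(message)
        return True
    except ProfileError:
        return False


def lookup(entries, ip):
    """Entries whose networks contain `ip`, e.g. a source address from a firewall log."""
    addr = ipaddress.IPv4Address(ip)
    return [e for e in entries if any(addr in net for net in e.networks)]


def sample_message(ip_value="1.23.45.67/32", obj_type="ipv4-addr"):
    """Constructed message mirroring the example above, as json.loads() would
    return it; the parameters exist only to produce non-conforming variants."""
    return {
        "@id": "mitre.org:taxiimsg-1234",
        "@type": "stix:ipwatchlist",
        "content": {
            "indicators": [{
                "@id": "mitre.org:indicator-1234",
                "@timestamp": "2015-10-31T01:01:01Z",
                "pattern": {"operator": "AND", "objects": [
                    {"@type": obj_type, "value": {"@value": ip_value, "condition": "equals"}}]},
            }],
            "ttps": [{"@id": "mitre.org:ttp-1234", "@timestamp": "2015-10-31T01:01:01Z",
                      "title": "TorrentLocker"}],
            "relationships": [{"@id": "mitre.org:rel-2345", "@timestamp": "2015-10-31T01:01:01Z",
                               "from": "mitre.org:indicator-1234", "to": "mitre.org:ttp-1234",
                               "confidence": {"@value": "Medium"}}],
        },
    }


if __name__ == "__main__":
    for entry in parse_ipwatchlist(sample_message()):
        print(entry.indicator_id, [str(n) for n in entry.networks], entry.ttps)
    print(conforms(sample_message("1.23.45.67/24")))   # host bits set: rejected
```

Rejecting rather than skipping a malformed indicator is deliberate: a watchlist that silently drops entries gives the consumer a false sense of coverage, and a widened CIDR (host bits masked away) would block or alert on addresses the sender never named.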