Skip to content

Instantly share code, notes, and snippets.

@johnwunder

johnwunder/simple_report_1.1.1.xml Secret

Last active August 29, 2015 14:05
Show Gist options
  • Save johnwunder/4806f98e2c0d9d58220f to your computer and use it in GitHub Desktop.
Save johnwunder/4806f98e2c0d9d58220f to your computer and use it in GitHub Desktop.
Download ZIP
Simple Report, STIX 1.1.1
Raw
simple_report_1.1.1.xml
<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:example="http://example.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ciq="urn:oasis:names:tc:ciq:xpil:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xmlns:stixCIQIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xsi:schemaLocation="
http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://cybox.mitre.org/objects#EmailMessageObject-2 http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd
http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd
http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd
http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd
http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd"
id="example:Package-5cc31c10-b8fc-11e3-9a15-0800271e87d2"
timestamp="2014-05-08T09:00:00.000000Z"
version="1.1.1"
>
<stix:STIX_Header>
<stix:Title>Electricity Sector Phishing Alert</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Phishing</stix:Package_Intent>
<stix:Description>
The included indicators represent patterns for phishing attacks that have been reported by
several organizations in the electricity sector.
</stix:Description>
<stix:Information_Source>
<stixCommon:Identity>
<stixCommon:Name>ACME Threat Intelligence, Inc.</stixCommon:Name>
</stixCommon:Identity>
<stixCommon:Time>
<cyboxCommon:Produced_Time precision="day">2014-01-16T00:00:00Z</cyboxCommon:Produced_Time>
</stixCommon:Time>
</stix:Information_Source>
</stix:STIX_Header>
<stix:Indicators>
<stix:Indicator id="example:indicator-5cc558cc-b8fc-11e3-9a15-0800271e87d2" timestamp="2014-05-08T09:00:00.000000Z" xsi:type='indicator:IndicatorType'>
<indicator:Title>Malicious E-mail</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Malicious E-mail</indicator:Type>
<indicator:Observable id="example:Observable-1037c602-9e1c-43fd-8d07-c8e1d01466d1">
<cybox:Object id="example:EmailMessage-977c4bb1-0a5d-4c36-9bd7-99b5c2082fdd">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:Subject condition="StartsWith">[IMPORTANT] Please Review Before</EmailMessageObj:Subject>
</EmailMessageObj:Header>
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="example:EmailMessage-6c5185d4-dfca-46b5-8c15-adcfb464bf99"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-5cc396ea-b8fc-11e3-9a15-0800271e87d2" />
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2014-05-08T09:00:00.000000Z">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
<stix:Indicator id="example:indicator-5cc41142-b8fc-11e3-9a15-0800271e87d2" timestamp="2014-05-08T09:00:00.000000Z" xsi:type='indicator:IndicatorType'>
<indicator:Title>Malicious E-mail Subject Line</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Malicious E-mail</indicator:Type>
<indicator:Observable id="example:Observable-6964f5ca-3705-4ebf-9cd5-79ac6244df57">
<cybox:Object id="example:EmailMessage-f154f5a8-d302-430a-acd5-48f87c6a2119">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:Subject condition="StartsWith">[IMPORTANT] Please Review Before</EmailMessageObj:Subject>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-5cc396ea-b8fc-11e3-9a15-0800271e87d2" />
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2014-05-08T09:00:00.000000Z">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
<stix:Indicator id="example:indicator-5cc4cd76-b8fc-11e3-9a15-0800271e87d2" timestamp="2014-05-08T09:00:00.000000Z" xsi:type='indicator:IndicatorType'>
<indicator:Title>Malicious E-mail Attachment</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Malicious E-mail</indicator:Type>
<indicator:Observable id="example:Observable-484190c0-efdc-49a6-aa19-aa2cb784aacf">
<cybox:Object id="example:EmailMessage-6c5185d4-dfca-46b5-8c15-adcfb464bf99">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="example:EmailMessage-6c5185d4-dfca-46b5-8c15-adcfb464bf99"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
<cybox:Related_Objects>
<cybox:Related_Object id="example:File-4e98a690-408a-4ed8-a7ba-3564a2dfb3fd">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="StartsWith">Final Report</FileObj:File_Name>
<FileObj:File_Extension condition="Equals">doc.exe</FileObj:File_Extension>
</cybox:Properties>
<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.0">Contains</cybox:Relationship>
</cybox:Related_Object>
</cybox:Related_Objects>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-5cc396ea-b8fc-11e3-9a15-0800271e87d2" />
</indicator:Indicated_TTP>
<indicator:Confidence timestamp="2014-05-08T09:00:00.000000Z">
<stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
</indicator:Confidence>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP id="example:ttp-5cc396ea-b8fc-11e3-9a15-0800271e87d2" timestamp="2014-05-08T09:00:00.000000Z" xsi:type='ttp:TTPType' version="1.1.1">
<ttp:Title>Phishing against Electricity Sector</ttp:Title>
<ttp:Victim_Targeting>
<ttp:Identity id="example:ciqidentity3.0instance-f8cd0af8-6534-496e-bf53-f6a9aa11e5ce" xsi:type="stixCIQIdentity:CIQIdentity3.0InstanceType">
<stixCIQIdentity:Specification>
<xpil:OrganisationInfo xpil:IndustryType="Electricity Sector, Industrial Control System Sector"/>
</stixCIQIdentity:Specification>
</ttp:Identity>
</ttp:Victim_Targeting>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment