-
Notifications
You must be signed in to change notification settings - Fork 1
/
STIX_URL_Watchlist.xml
55 lines (50 loc) · 3.26 KB
/
STIX_URL_Watchlist.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<!--
STIX IP Watchlist Example
Copyright (c) 2014, The MITRE Corporation. All rights reserved.
The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html.
This example demonstrates a simple usage of STIX to represent a list of URL indicators (watchlist of URLs). Cyber operations and malware analysis centers often share a list of suspected malicious URLs with information about what those URLs might indicate. This STIX package represents a list of three URLs addresses with a short dummy description of what they represent.
It demonstrates the use of:
* STIX Indicators
* CybOX within STIX
* The CybOX URI Object (URL)
* CybOX Patterns (apply_condition="ANY")
* Controlled vocabularies
Created by Mark Davidson
-->
<stix:STIX_Package
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:URIObject="http://cybox.mitre.org/objects#URIObject-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:example="http://example.com/"
xsi:schemaLocation="
http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd
http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd
http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd
http://cybox.mitre.org/objects#URIObject-2 http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd"
id="example:package-4cc56b6b-748f-440b-9f01-03bcf3ce7c68"
timestamp="2014-05-08T09:00:00.000000Z"
version="1.1.1"
>
<stix:STIX_Header>
<stix:Title>Example watchlist that contains URL information.</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
</stix:STIX_Header>
<stix:Indicators>
<stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-db4a6ffe-61f0-488d-85a1-20bd5e360f37" timestamp="2014-05-08T09:00:00.000000Z">
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1" >URL Watchlist</indicator:Type>
<indicator:Description>Sample URL Indicator for this watchlist</indicator:Description>
<indicator:Observable id="example:Observable-Pattern-cc5c00ce-98a6-4cbe-8474-59eaecdb018f">
<cybox:Object>
<cybox:Properties xsi:type="URIObject:URIObjectType">
<URIObject:Value condition="Equals" apply_condition="ANY">http://example.com/foo/malicious1.html##comma##http://example.com/foo/malicious2.html##comma##http://example.com/foo/malicious3.html</URIObject:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
</stix:STIX_Package>