Those of you who are watching the development of the STIX 2.x ecosystem will realize that many of the companies involved in building new products and services have begun to release tools and resources for the community. Today I’m writing to give you all a link to a newly released Quick Reference Guide developed by one of the Co-Chairs of the Technical Committee, Trey Darley. Mr. Darley is also Director of Standards Development for New Context and serves as the liaison for the OASIS CTI TC and the Forum for Incident Response and Security Teams (FIRST).

The Patterning Language is covered in Part 5 of the Technical Specification and it lays out an approach that producers and consumers of STIX data can use to characterize complex patterns in what they are observing on their networks.

As the STIX 2.x FAQ notes:

Indicator patterns in STIX 1 were an area where the “many ways of expressing semantically-equivalent content” problem was particularly manifested. As a result, for a consumer of STIX 1 content, rigorously parsing all but the simplest patterns was unnecessarily difficult. STIX 2 takes a radically different approach by defining a human-readable, SQL-like Indicator Patterning Language. As a result, patterns written in the STIX Patterning Language are more compact and far easier to read.

This guide summarizes the key points of the STIX Patterning Language.
