Indicators with Operators

If an uploaded STIX file contains conditions that use operators to combine indicators, Trend Micro Apex Central extracts the STIX indicators as suspicious objects and automatically configures scan actions based on the operator used in the STIX indicator condition.
Operator   Scan Action
OR         Extracted objects apply the user-defined scan action
AND        Extracted objects always apply the Log scan action
Trend Micro Apex Central supports the following STIX indicator conditions:
  • Equals

Suspicious Object Mapping

The following table outlines the corresponding Trend Micro Apex Central suspicious object type for each supported STIX indicator (watchlist) and Cybox indicator (observable) extracted.
Object Type   STIX Indicator        Cybox Indicator
File SHA-1    File Hash Watchlist   • cyboxCommon:Simple_Hash_Value
                                      (with sibling element cyboxCommon:Type="SHA1")
URL           URL Watchlist         • URIObject:Value
                                      (with parent element attribute @type="URL")
Domain        Domain Watchlist      • DomainNameObj:Value
                                      (with parent element attribute @type="FQDN")
                                    • URIObject:Value
                                      (with parent element attribute @type="Domain Name")
                                    • HostnameObject:Hostname_Value
IP Address    IP Watchlist          • AddressObject:Address_Value
                                      (with parent element attribute @category="ipv4-addr")
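The two rules described on this page (the composition operator decides the scan action, and the mapping table decides the suspicious object type) can be checked end to end with a small extractor before a STIX file is uploaded. The following Python is an added example written for this page, not Trend Micro's code: it parses a STIX 1.x package with CybOX 2.x observables and produces the objects and actions Apex Central would be expected to derive. It assumes the STIX 1.x / CybOX 2.x namespace URIs listed in NS, takes the user-defined scan action as the assumed user_action parameter (the value "Block" is only a sample), treats an indicator that has no Observable_Composition like OR, and reads an absent condition attribute as Equals; the SAMPLE_STIX package is constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# STIX 1.x / CybOX 2.x namespace URIs assumed by this example (check them
# against the xmlns declarations of the package you actually process).
NS = {
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "HostnameObj": "http://cybox.mitre.org/objects#HostnameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

def q(prefix, local):
    """Clark-notation tag ({uri}local) for a prefix listed in NS."""
    return "{%s}%s" % (NS[prefix], local)

@dataclass
class SuspiciousObject:
    object_type: str  # "File SHA-1", "URL", "Domain" or "IP Address"
    value: str
    scan_action: str  # the user-defined action, or "Log" under AND

def classify(elem, parent):
    """Map one CybOX value element to an Apex Central object type, else None."""
    if elem.tag == q("cyboxCommon", "Simple_Hash_Value"):
        # only SHA-1 is mapped: the sibling cyboxCommon:Type must say SHA1
        hash_type = parent.findtext(q("cyboxCommon", "Type"), default="")
        return "File SHA-1" if hash_type.strip().upper() == "SHA1" else None
    if elem.tag == q("URIObj", "Value"):  # parent @type decides URL vs Domain
        return {"URL": "URL", "Domain Name": "Domain"}.get(parent.get("type"))
    if elem.tag == q("DomainNameObj", "Value"):
        return "Domain" if parent.get("type") == "FQDN" else None
    if elem.tag == q("HostnameObj", "Hostname_Value"):
        return "Domain"
    if elem.tag == q("AddressObj", "Address_Value"):
        return "IP Address" if parent.get("category") == "ipv4-addr" else None
    return None

def extract(stix_xml, user_action="Block"):
    """Return the suspicious objects in stix_xml with their scan actions."""
    root = ET.fromstring(stix_xml)
    parents = {c: p for p in root.iter() for c in p}  # ET has no parent links
    found = []
    for ind in root.iter(q("indicator", "Indicator")):
        comp = ind.find(".//" + q("cybox", "Observable_Composition"))
        # OR keeps the user-defined action, AND always forces Log; an indicator
        # with no composition is treated like OR here (assumption).
        operator = comp.get("operator", "OR").upper() if comp is not None else "OR"
        action = "Log" if operator == "AND" else user_action
        for elem in ind.iter():
            # Equals is the only supported condition; an absent attribute is
            # read as Equals, the CybOX default.
            if elem.get("condition", "Equals") != "Equals" or elem not in parents:
                continue
            otype = classify(elem, parents[elem])
            if otype and elem.text and elem.text.strip():
                found.append(SuspiciousObject(otype, elem.text.strip(), action))
    return found

# Constructed sample package: one OR composition and one AND composition,
# plus an MD5 hash and a Contains condition that must both be ignored.
SAMPLE_STIX = """
<stix:STIX_Package id="example:package-1" version="1.2"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
 <stix:Indicators>
  <indicator:Indicator id="example:indicator-or">
   <indicator:Observable><cybox:Observable_Composition operator="OR">
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
     <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>da39a3ee5e6b4b0d3255bfef95601890afd80709</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash></FileObj:Hashes>
    </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
     <URIObj:Value condition="Equals">http://bad.example.test/x</URIObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
   </cybox:Observable_Composition></indicator:Observable>
  </indicator:Indicator>
  <indicator:Indicator id="example:indicator-and">
   <indicator:Observable><cybox:Observable_Composition operator="AND">
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
     <DomainNameObj:Value>c2.example.test</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
     <URIObj:Value condition="Contains">example.test</URIObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
   </cybox:Observable_Composition></indicator:Observable>
  </indicator:Indicator>
 </stix:Indicators>
</stix:STIX_Package>
"""
```

Calling extract(SAMPLE_STIX, user_action="Block") yields four objects: the SHA-1 hash and the URL from the OR indicator carry Block, while the IPv4 address and the FQDN from the AND indicator carry Log. The MD5 hash and the URL with a Contains condition are dropped, because only SHA-1 hashes and the Equals condition are supported; comparing this output with what Apex Central actually lists after an upload is a quick way to confirm a feed is mapped as intended.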