STIX2 (Structured Threat Information eXpression version 2) is a standardized language for representing cyber threat intelligence (CTI) that enables the sharing of threat intelligence across organizations and security tools. It is important to Threat Intel because it allows security professionals to more easily and effectively analyze and respond to cyber threats, improving their overall threat intelligence capabilities.
At OneFirewall, our mission is to deliver a trustworthy and effective cybersecurity platform that safeguards against cyber attacks. To accomplish this goal, we leverage STIX2 structured information to proactively identify and block malicious actors. We also empower our users with access to this critical threat intelligence data, enabling them to enhance their own cybersecurity defenses.
You can call the API /api/v1/stix2/<stix2id> to receive an array of STIX2 (STIX v2) objects related to the threat actor. At the moment the only valid values for <stix2id> are IPv4 addresses.
GET /api/v1/stix2/199.59.243.223 HTTP/1.1
Host: app.onefirewall.com
Authorization: Bearer PLACE_YOUR_OWN_TOKEN_HERE
Variable | Possible Values | Notes |
---|---|---|
stix2id | IPv4 (String) | Threat Actor ID (IPv4, URL, Domain, File), at the moment we only provide information based on IPv4 |
The possible HTTP response codes are:
200 OK: The request was received and processed successfully
400 Bad Request: The request was malformed (body contains further explanations)
401 Unauthorized: The request is not authorized (body contains further explanations)
402 Payment Required: Not enough OneFirewall Coins to perform the request
5XX Internal Server Error: The service is momentarily unavailable
In case of a 200 response the body will be presented as in the example below:
[
{
"pattern": "[ipv4-addr:value = '199.59.243.223']",
"labels": [
"malicious-activity"
],
"x_cta_patn_obs_exprs": [
{
"comparison_expressions": [
{
"op": "=",
"value": "199.59.243.223",
"path": "ipv4-addr:value"
}
],
"observation_expression_hash": "dfa677b968dd43bb308de732137e7973f7bdddb810b3c116d6803aa9b74c7cee",
"observation_expression": "[ipv4-addr:value='199.59.243.223']"
}
],
"x_cta_hash_context": "d838fe9b5908a18e8d0fb9c8b2c328aea694e46c4ddf5d5b80c39495f1b83738",
"x_cta_hash_identity": "f6caf8b263b11119e432a289100f6a1770663f0952f208cd620a558d14fef2fc",
"x_cta_submission_id": "24f2692b-e071-4cdc-a5a9-3f4497570521",
"created_by_ref": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"created": "2023-03-10T23:00:00.000Z",
"modified": "2023-03-10T23:00:00.000Z",
"description": "",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"id": "indicator--23cce1d4-0629-4ede-a202-66e5162e511e",
"type": "indicator",
"x_cta_received": "2023-03-11T10:49:53.000Z",
"x_cta_hash_pattern": "6035acee037f43bf907daedc4215672cd21401b51ed23867d234380a8d71dc7a",
"x_cta_hash_pattern_obs_exprs": [
"dfa677b968dd43bb308de732137e7973f7bdddb810b3c116d6803aa9b74c7cee"
],
"x_cta_submitted_by": "identity--7b501448-4025-4783-bbf8-950e05e5c376",
"spec_version": "2.0"
},
{
"id": "indicator--a724705c-1cd3-4857-9ced-0d4c13f05d29",
"pattern": "[file:hashes.'SHA-256' = '534a9b6f6c789893e9e964163dbe29dd92edbd01d24e68c4ddae0697cf1fab8a'] OR [ipv4-addr:value ='142.250.74.142'] OR [ipv4-addr:value ='172.67.157.221'] OR [ipv4-addr:value ='172.67.193.84'] OR [ipv4-addr:value ='199.59.243.223'] OR [ipv4-addr:value ='64.91.240.248'] OR [domain-name:value='ww7.cutit.org'] OR [domain-name:value='cutit.org'] OR [domain-name:value='oaxyteek.net']",
"x_cta_submission_id": "67601336-2a18-4d47-83a9-fe150c5a674c",
"modified": "2023-03-11T22:49:47.551Z",
"x_cta_hash_context": "ad150f2c2ccf225de0f8c738a3d103ce1713a2691492ca11ea2a3fe1e70af070",
"created": "2023-03-11T22:49:47.551Z",
"type": "indicator",
"x_cta_submitted_by": "identity--4d755f87-141e-4b71-9a1e-8e1ec9bba882",
"spec_version": "2.0",
"created_by_ref": "identity--4d755f87-141e-4b71-9a1e-8e1ec9bba882",
"labels": [
"malicious-activity"
],
"x_cta_hash_pattern_obs_exprs": [
"fa299c8c69ec5ffb7a86e0dc45af515f0abb1dca742c75e2e0fa6ebc066755e5",
"3759f8fea02b580a4e3ecafd4981e8a0d770ee92b9dbd4a61ae8d3b404b6ddc7",
"905ab434b16cb4e4282a05467975bda995c4c435ae56bbc55c1c539dd51fb7f3",
"361e13138967833f372b892f0a4d4b859033ebad0352b311ef99b0069e3dd693",
"dfa677b968dd43bb308de732137e7973f7bdddb810b3c116d6803aa9b74c7cee",
"74b7ed44001c6007e653c87672448c6e28f048941070b00ef144a7b6d2cd05d8",
"712db8e7b88ba3edf6c5ea94fafc03b743b3f8ae2f189c24dd530cdf714a32af",
"1f3530eb597b57e6c770ab3efbd769f7af21f78506a6fa0367db513b5225b7b6",
"e65492a64b8b0eb38cb1e5a562950186c471fb5bd4558e7d7ee9dbe64d966ffa"
],
"x_cta_hash_identity": "9c0095151f0f6d992b858ff1e12d2bcf66f5729096648cc7849bcad5c9a67433",
"x_cta_hash_pattern": "a59980a36ecaaa0e6def5d817b3e7725caa70ce6ff7c9410a3524fed57d0561a",
"x_cta_patn_obs_exprs": [
{
"observation_expression_hash": "fa299c8c69ec5ffb7a86e0dc45af515f0abb1dca742c75e2e0fa6ebc066755e5",
"observation_expression": "[file:hashes.'SHA-256'='534a9b6f6c789893e9e964163dbe29dd92edbd01d24e68c4ddae0697cf1fab8a']",
"comparison_expressions": [
{
"value": "534a9b6f6c789893e9e964163dbe29dd92edbd01d24e68c4ddae0697cf1fab8a",
"path": "file:hashes.'SHA-256'",
"op": "="
}
]
},
{
"observation_expression_hash": "3759f8fea02b580a4e3ecafd4981e8a0d770ee92b9dbd4a61ae8d3b404b6ddc7",
"observation_expression": "[ipv4-addr:value='142.250.74.142']",
"comparison_expressions": [
{
"value": "142.250.74.142",
"path": "ipv4-addr:value",
"op": "="
}
]
},
{
"observation_expression_hash": "905ab434b16cb4e4282a05467975bda995c4c435ae56bbc55c1c539dd51fb7f3",
"observation_expression": "[ipv4-addr:value='172.67.157.221']",
"comparison_expressions": [
{
"value": "172.67.157.221",
"path": "ipv4-addr:value",
"op": "="
}
]
},
{
"observation_expression_hash": "361e13138967833f372b892f0a4d4b859033ebad0352b311ef99b0069e3dd693",
"observation_expression": "[ipv4-addr:value='172.67.193.84']",
"comparison_expressions": [
{
"value": "172.67.193.84",
"path": "ipv4-addr:value",
"op": "="
}
]
},
{
"observation_expression_hash": "dfa677b968dd43bb308de732137e7973f7bdddb810b3c116d6803aa9b74c7cee",
"observation_expression": "[ipv4-addr:value='199.59.243.223']",
"comparison_expressions": [
{
"value": "199.59.243.223",
"path": "ipv4-addr:value",
"op": "="
}
]
},
{
"observation_expression_hash": "74b7ed44001c6007e653c87672448c6e28f048941070b00ef144a7b6d2cd05d8",
"observation_expression": "[ipv4-addr:value='64.91.240.248']",
"comparison_expressions": [
{
"value": "64.91.240.248",
"path": "ipv4-addr:value",
"op": "="
}
]
},
{
"observation_expression_hash": "712db8e7b88ba3edf6c5ea94fafc03b743b3f8ae2f189c24dd530cdf714a32af",
"observation_expression": "[domain-name:value='ww7.cutit.org']",
"comparison_expressions": [
{
"value": "ww7.cutit.org",
"path": "domain-name:value",
"op": "="
}
]
},
{
"observation_expression_hash": "1f3530eb597b57e6c770ab3efbd769f7af21f78506a6fa0367db513b5225b7b6",
"observation_expression": "[domain-name:value='cutit.org']",
"comparison_expressions": [
{
"value": "cutit.org",
"path": "domain-name:value",
"op": "="
}
]
},
{
"observation_expression_hash": "e65492a64b8b0eb38cb1e5a562950186c471fb5bd4558e7d7ee9dbe64d966ffa",
"observation_expression": "[domain-name:value='oaxyteek.net']",
"comparison_expressions": [
{
"value": "oaxyteek.net",
"path": "domain-name:value",
"op": "="
}
]
}
],
"x_cta_received": "2023-03-11T22:49:49.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "installation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "installation"
}
],
"valid_from": "2023-03-11T22:49:47.551998Z"
}
]
The response body contains an array of STIX2 objects. For simplicity we are not going to explain the content format in detail; however, we are using standard STIX2 bundles, and more information can be found here: STIX™ Version 2.0
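As an added example (not OneFirewall's own code), the following Python consumer turns a response from this endpoint into a per-type list of observables that can feed a blocklist or SIEM lookup. It prefers the vendor-specific x_cta_patn_obs_exprs field and falls back to parsing the standard STIX pattern string, so it also handles plain STIX 2.0 indicators; the sample body is constructed from the page's example and its indicator ids are placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample: a trimmed version of the page's example response, not a
# live reply from app.onefirewall.com. Indicator ids are placeholders.
SAMPLE_RESPONSE = json.dumps([
    {"type": "indicator", "spec_version": "2.0", "labels": ["malicious-activity"],
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '199.59.243.223']",
     "x_cta_patn_obs_exprs": [{"comparison_expressions": [
         {"op": "=", "path": "ipv4-addr:value", "value": "199.59.243.223"}]}]},
    {"type": "indicator", "spec_version": "2.0", "labels": ["malicious-activity"],
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     # No x_cta_patn_obs_exprs here, so the standard pattern string must be parsed.
     "pattern": "[file:hashes.'SHA-256' = '534a9b6f6c789893e9e964163dbe29dd92edbd01d24e68c4ddae0697cf1fab8a']"
                " OR [ipv4-addr:value ='199.59.243.223'] OR [domain-name:value='cutit.org']"},
    # A non-indicator object (e.g. the submitting identity) must be ignored.
    {"type": "identity", "spec_version": "2.0", "id": "identity--00000000-0000-4000-8000-0000000000aa"},
])

# One equality comparison such as [ipv4-addr:value = '1.2.3.4'] inside a STIX pattern.
PATTERN_RE = re.compile(r"\[([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\]")

def comparison_pairs(indicator):
    """Yield (path, value) pairs from x_cta_patn_obs_exprs, else from the STIX pattern string."""
    exprs = indicator.get("x_cta_patn_obs_exprs")
    if exprs:
        for obs in exprs:
            for comp in obs.get("comparison_expressions", []):
                if comp.get("op") == "=":
                    yield comp["path"], comp["value"]
        return
    # re.findall returns (path, value) tuples because the regex has two groups
    yield from PATTERN_RE.findall(indicator.get("pattern", ""))

def extract_observables(body):
    """Map path -> sorted unique values, keeping only STIX 2.0 indicators labelled malicious-activity."""
    found = defaultdict(set)
    for obj in json.loads(body):
        if obj.get("type") != "indicator" or obj.get("spec_version") != "2.0":
            continue
        if "malicious-activity" not in obj.get("labels", []):
            continue
        for path, value in comparison_pairs(obj):
            found[path].add(value)
    return {path: sorted(values) for path, values in found.items()}

if __name__ == "__main__":
    print(json.dumps(extract_observables(SAMPLE_RESPONSE), indent=2))
```

The same IPv4 appears in both indicators and is returned once per path, which is what a blocklist loader wants.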