What is STIX?
Structured Threat Information eXpression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free, allowing those interested to contribute and ask questions freely.
New Context and STIX
Development of an industry-wide standards framework for cyber threat intelligence is crucial for the information security industry to be able to define and share threats. New Context is a proud sponsor of OASIS and believes strongly in open and transparent standards frameworks development. We are actively collaborating on the next standards for STIX and TAXII.
New Context is heavily involved in the maturation of the STIX and TAXII cyber threat intelligence standards as a leading contributor on the OASIS Cyber Threat Intelligence (CTI) Technical Committee. Our integration services use these standards to create efficient systems for security teams that enable automation and orchestration for analysts and operations teams.
Why use STIX?
STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand which computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
STIX Version 2.0 has been significantly redesigned and, as a result, omits some of the objects and properties defined in STIX 1.2.1. The objects chosen for inclusion in STIX V2.0 represent a minimally viable product (MVP) that fulfills basic consumer and producer requirements for CTI sharing. Objects and properties not included in STIX 2.0, but deemed necessary by the community, will be included in future releases.
What is TAXII?
TAXII – Trusted Automated eXchange of Indicator Information – is an application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS. It enables organizations to share CTI by defining an API that aligns with common sharing models.
TAXII is specifically designed to support the exchange of CTI represented in STIX. As such, the examples and some features in the specification are intended to align with STIX. This does not mean TAXII cannot be used to share data in other formats; it is designed for STIX, but is not limited to STIX.
STIX Patterning quick reference card
STIX and TAXII Open Source Tools
OASIS Open Repository: TAXII 2 Server Library Written in Python
OASIS Open Repository: TAXII 2 Client Library Written in Python
OASIS Open Repository: Python APIs for STIX 2
OASIS Open Repository: Match STIX content against STIX patterns
OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON
Translate STIX 2 Patterning Queries Into Splunk and ElasticSearch
Malware Information Sharing Platform & Threat Sharing
A cyber threat intelligence server based on TAXII 2 and written in Golang
APIs for generating STIX 2.x messages with Go (Golang)
The CaRT file format is used to store/transfer malware and its associated metadata
Convert STIX2 to GraphML or GEXF (Gephi format)
Convert STIX2 and load into Neo4j graph database
Browser-based STIX2 editor, with ability to publish to a TAXII2 server
STIX2 Scala library
TAXII2 Scala library
TAXII2 JS library