STIX 2.1 Indicator Patterning and Detection Development
Cyber Threat Intelligence (CTI) plays a critical role in proactive cybersecurity. It allows organizations to identify, detect, and respond to emerging threats before significant damage occurs. One of the most powerful standards for representing and sharing threat intelligence is Structured Threat Information eXpression (STIX).
STIX 2.1 introduces a flexible Indicator framework, which uses pattern-based detection rules to describe malicious behavior. This blog post explains how to construct effective STIX patterns, map them to real-world detection scenarios, and use them in your cybersecurity workflow.
This blog post was inspired by this excellent post by David Greenwood, which provides a foundational overview of STIX Indicator patterns and their application in detection engineering. Building on that foundation, our goal here is to expand the conversation with additional context, practical examples, and integration guidance for operational environments.
What is a STIX Indicator?
In STIX 2.1, an Indicator is an object that defines patterns for detecting potential malicious activity. Each Indicator contains a pattern property, which holds the actual detection rule. This pattern can describe various malicious behaviors, such as file hashes, IP addresses, domain names, and registry keys.
The pattern_type property specifies the type of pattern being used. Common pattern_type values include:
- stix: STIX pattern language (covered in detail below)
- sigma: Sigma detection rules for SIEMs
- snort: Snort rules for network intrusion detection
- yara: YARA rules for file analysis
STIX Pattern Language Overview
The STIX pattern language provides a structured way to describe observables, such as IP addresses, domain names, and file hashes. A basic STIX pattern is a single Observation Expression: one or more comparisons enclosed in square brackets, following the format:
[object-path:property='value']
Comparison Expressions
A Comparison Expression evaluates whether a specific property of a cyber observable object matches a given value. Examples include:
1. Detecting a specific IP address:
[ipv4-addr:value = '68.183.68.83']
2. Detecting a file with a known SHA-256 hash:
[file:hashes.'SHA-256' = '52c329f593760c616c906c34cd122f7ecd48128a139e547b976349904b209863']
Operators in STIX Patterns
You can combine expressions with the following operators and qualifiers. AND and OR join comparison expressions inside one pair of brackets (the conditions then apply to the same observation) and also join complete bracketed Observation Expressions; the remaining three apply only to Observation Expressions:
- AND: Both conditions must be true.
- OR: At least one condition must be true.
- FOLLOWEDBY: The second Observation Expression must be matched by an observation that occurs after the one matching the first.
- REPEATS n TIMES: The preceding Observation Expression must be matched by n distinct observations.
- WITHIN n SECONDS: The matched observations must all fall inside a window of n seconds (the specification accepts only SECONDS as the unit).
Example combining multiple expressions:
[ipv4-addr:value = '68.183.68.83'] AND [file:hashes.'SHA-256' = '52c329f593760c616c906c34cd122f7ecd48128a139e547b976349904b209863']
Precedence and Parentheses
Operator precedence is an important consideration to keep in mind when writing patterns: a qualifier such as REPEATS applies to the Observation Expression immediately before it, so parentheses decide whether that is a single bracketed expression or a whole FOLLOWEDBY sequence.
Consider the following pattern:
[ipv4-addr:value='68.183.68.83/32'] FOLLOWEDBY ([ipv4-addr:value='176.113.115.149/32'] REPEATS 5 TIMES)
Here, the first Observation Expression requires a match on an ipv4-addr:value equal to 68.183.68.83/32 that precedes 5 occurrences of the Observation Expression where ipv4-addr:value is equal to 176.113.115.149/32. Note that = is an exact string comparison, so '68.183.68.83/32' only matches an observed value written exactly that way; ISSUBSET is the operator for testing whether an address falls inside a CIDR range.
Now consider the following Pattern (almost identical to before, but notice the parentheses):
([ipv4-addr:value='68.183.68.83/32'] FOLLOWEDBY [ipv4-addr:value='176.113.115.149/32']) REPEATS 5 TIMES
The first Observation Expression requires a match on an ipv4-addr:value equal to 68.183.68.83/32, followed by a match on the second Observation Expression for an ipv4-addr:value equal to 176.113.115.149/32; this whole sequence must be seen 5 times for a match.
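To make the difference concrete, here is a small evaluator I added for this post (it is not part of the original post or of any STIX library). It models an observation as a timestamped ipv4-addr value and a pattern as an ordered list of predicates that distinct observations must satisfy in timestamp order, which is a deliberate simplification of the STIX matching rules; the addresses are written without the /32 suffix used above, and the two event streams are constructed for the example. Run it and the first stream (one 68.183.68.83 observation followed by five 176.113.115.149 observations) satisfies only the first pattern, while the second stream (the pair repeated five times) satisfies both.

```python
"""Toy evaluator showing how parentheses change FOLLOWEDBY / REPEATS semantics.

Model: an observation is a timestamped ipv4-addr value; a pattern is an ordered
list of predicates that distinct observations must satisfy in timestamp order.
This simplifies the STIX matching rules; it is an added illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List


@dataclass(frozen=True)
class Observation:
    timestamp: datetime
    ipv4_value: str


Predicate = Callable[[Observation], bool]


def ipv4_equals(value: str) -> List[Predicate]:
    """[ipv4-addr:value = '<value>'] as a one-step observation sequence."""
    return [lambda obs: obs.ipv4_value == value]


def followed_by(first: List[Predicate], second: List[Predicate]) -> List[Predicate]:
    """A FOLLOWEDBY B: every step of A is matched before any step of B."""
    return first + second


def repeats(sequence: List[Predicate], times: int) -> List[Predicate]:
    """X REPEATS n TIMES: the whole sequence must be matched n times, in order."""
    return sequence * times


def matches(events: List[Observation], sequence: List[Predicate]) -> bool:
    """Greedy earliest-match subsequence search over the time-ordered events.

    Each predicate consumes one observation, and later predicates may only use
    observations after the one consumed before them. Greedy earliest matching
    is sufficient to decide whether such a subsequence exists."""
    ordered = sorted(events, key=lambda obs: obs.timestamp)
    position = 0
    for predicate in sequence:
        while position < len(ordered) and not predicate(ordered[position]):
            position += 1
        if position == len(ordered):
            return False
        position += 1
    return True


IP_A = "68.183.68.83"        # bare addresses; the post writes them with /32
IP_B = "176.113.115.149"

# [A] FOLLOWEDBY ([B] REPEATS 5 TIMES): one A, then five B
PATTERN_ONE_THEN_FIVE = followed_by(ipv4_equals(IP_A), repeats(ipv4_equals(IP_B), 5))
# ([A] FOLLOWEDBY [B]) REPEATS 5 TIMES: the pair A-then-B, five times over
PATTERN_FIVE_PAIRS = repeats(followed_by(ipv4_equals(IP_A), ipv4_equals(IP_B)), 5)


def build_stream(values: List[str]) -> List[Observation]:
    """Constructed observations one second apart, starting 2024-01-14 09:00:00."""
    start = datetime(2024, 1, 14, 9, 0, 0)
    return [Observation(start + timedelta(seconds=i), v) for i, v in enumerate(values)]


STREAM_ONE_THEN_FIVE = build_stream([IP_A] + [IP_B] * 5)   # constructed
STREAM_FIVE_PAIRS = build_stream([IP_A, IP_B] * 5)         # constructed


def compare() -> dict:
    """Evaluate both patterns against both constructed streams."""
    return {
        "one_then_five_stream": {
            "pattern_one_then_five": matches(STREAM_ONE_THEN_FIVE, PATTERN_ONE_THEN_FIVE),
            "pattern_five_pairs": matches(STREAM_ONE_THEN_FIVE, PATTERN_FIVE_PAIRS),
        },
        "five_pairs_stream": {
            "pattern_one_then_five": matches(STREAM_FIVE_PAIRS, PATTERN_ONE_THEN_FIVE),
            "pattern_five_pairs": matches(STREAM_FIVE_PAIRS, PATTERN_FIVE_PAIRS),
        },
    }


if __name__ == "__main__":
    for stream_name, results in compare().items():
        print(stream_name, results)
```

The asymmetry is the point: a stream with a single 68.183.68.83 observation can never satisfy the parenthesised-pair form, because each repetition of the pair needs its own occurrence of the first address.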
Creating STIX Patterns for Real-World Scenarios
Scenario 1: Failed SSH Login Attempts
Assume you want to detect repeated failed SSH login attempts from a specific IP address. Here’s a sample log:
2024-01-14 09:07:25:647 type=USER_LOGIN msg=audit user pid=2314 uid=0 username=admin addr=176.113.115.149 res=failed
A corresponding STIX pattern to detect this might look like the following (the specification expresses WITHIN windows in SECONDS only, so a one-minute window is written as 60 SECONDS). Note that this form captures the address-then-account sequence; to express the "repeated" part of the requirement you would add a REPEATS qualifier as shown in the precedence section.
[ipv4-addr:value = '176.113.115.149'] FOLLOWEDBY [user-account:account_login = 'admin'] WITHIN 60 SECONDS
Scenario 2: Malware Detection by File Hash
To detect malware using a known SHA-256 hash, a single-hash comparison like the one in the Comparison Expressions section is enough. In practice, however, one file (and one threat) is often represented by several hash types, so a pattern can compare more than one. Because the two comparisons below sit inside the same brackets and are joined with AND, both hashes must be present on the same file object for a match; use OR instead if a match on either hash should suffice.
[file:hashes.'SHA-256' = '52c329f593760c616c906c34cd122f7ecd48128a139e547b976349904b209863' AND file:hashes.MD5 = 'c10327ebe3830b4ec35fbecc2eb3af52']
Tools for STIX Pattern Development
Several tools can help you write, validate, and use STIX patterns effectively:
1. STIX 2 Pattern Validator
Use this tool to ensure your patterns are syntactically correct according to the STIX 2.1 specification.
pip install stix2-patterns
validate-patterns
Enter a pattern to validate: [file:hashes.md5 = 'c10327ebe3830b4ec35fbecc2eb3af52']
PASS: [file:hashes.md5 = 'c10327ebe3830b4ec35fbecc2eb3af52']
2. STIX Shifter
STIX Shifter is a powerful tool that converts STIX patterns into queries compatible with SIEMs and EDRs (e.g., Splunk, Elastic, QRadar).
Example of translating a STIX pattern to a Splunk query:
stix-shifter translate splunk query "{}" "[url:value = 'http://malicious.com']"
The output might look like:
{
"queries": [
"search url='http://malicious.com'"
]
}
Representing Detections in STIX Format
Once you detect malicious activity using a STIX pattern, you can represent the detection result as an Observed Data SDO and a Sighting SRO in STIX format. Here is an example Observed Data object (spec_version and modified are required on STIX 2.1 SDOs); a Sighting would then reference it through observed_data_refs and point back at the Indicator through sighting_of_ref:
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--699546f4-6d73-4a35-a961-181a34fa3b14",
"created": "2025-01-14T12:00:00Z",
"modified": "2025-01-14T12:00:00Z",
"first_observed": "2025-01-14T09:00:00Z",
"last_observed": "2025-01-14T09:01:00Z",
"number_observed": 2,
"object_refs": [
"ipv4-addr--dc63603e-e634-5357-b239-d4b562bc5445",
"user-account--dd686e37-6889-53bd-8ae1-b1a503452613"
]
}
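The following script ties Scenario 1 to this section: it parses audit-style log lines of the kind shown there, builds the ipv4-addr and user-account cyber observables, and wraps them in an Observed Data SDO and a Sighting SRO. It is an added example written for this post, not code from the original post or from any STIX project. It assumes the log host writes timestamps in UTC, uses a constructed three-line sample log, and uses an obviously placeholder Indicator id (INDICATOR_ID_PLACEHOLDER) for sighting_of_ref. The SCO ids follow the STIX 2.1 deterministic scheme (UUIDv5 under the namespace 00abedb4-aa42-466c-9c01-fed23315a9b7 over the JSON-serialised id-contributing properties); serialising those properties with sorted keys and no whitespace is my assumption for values beyond plain strings.

```python
"""Parse failed-login audit lines and emit STIX 2.1 SCOs, observed-data and a sighting.

Added example, written for this post; assumptions are noted in comments."""
import json
import re
import uuid
from datetime import datetime, timezone

# Namespace UUID that STIX 2.1 (section 2.9) prescribes for deterministic SCO ids.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Placeholder for the id of the Indicator whose pattern fired (not a real object id).
INDICATOR_ID_PLACEHOLDER = "indicator--00000000-0000-4000-8000-000000000000"

# Constructed sample log in the key=value audit style used in Scenario 1.
SAMPLE_LOG = """\
2024-01-14 09:07:25:647 type=USER_LOGIN msg=audit user pid=2314 uid=0 username=admin addr=176.113.115.149 res=failed
2024-01-14 09:07:31:102 type=USER_LOGIN msg=audit user pid=2319 uid=0 username=admin addr=176.113.115.149 res=failed
2024-01-14 09:09:02:410 type=USER_LOGIN msg=audit user pid=2330 uid=0 username=root addr=10.0.0.5 res=success
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\d{3} (?P<kv>.+)$")


def stix_timestamp(dt):
    """Format a UTC datetime the way STIX 2.1 expects (RFC 3339 with trailing Z)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def sco_id(sco_type, contributing):
    """Deterministic id: UUIDv5 of the JSON-serialised id-contributing properties.

    Sorted keys / no whitespace is assumed to be the canonical form."""
    name = json.dumps(contributing, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, name)}"


def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if it does not parse."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = dict(token.split("=", 1) for token in match.group("kv").split() if "=" in token)
    # The log carries no zone; this example assumes the host logs in UTC.
    ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, fields


def failed_logins(log_text, addr, login):
    """Sorted timestamps of failed USER_LOGIN events for the given address and account."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if (f.get("type") == "USER_LOGIN" and f.get("res") == "failed"
                and f.get("addr") == addr and f.get("username") == login):
            hits.append(ts)
    return sorted(hits)


def build_detection(log_text, addr, login, indicator_id=INDICATOR_ID_PLACEHOLDER, now=None):
    """Build the SCOs, an observed-data SDO and a sighting SRO as one bundle, or None."""
    now = now or datetime.now(timezone.utc)
    hits = failed_logins(log_text, addr, login)
    if not hits:
        return None
    ip_obj = {"type": "ipv4-addr", "spec_version": "2.1",
              "id": sco_id("ipv4-addr", {"value": addr}), "value": addr}
    acct_obj = {"type": "user-account", "spec_version": "2.1",
                "id": sco_id("user-account", {"account_login": login}), "account_login": login}
    observed = {
        "type": "observed-data", "spec_version": "2.1",
        "id": f"observed-data--{uuid.uuid4()}",
        "created": stix_timestamp(now), "modified": stix_timestamp(now),
        "first_observed": stix_timestamp(hits[0]), "last_observed": stix_timestamp(hits[-1]),
        "number_observed": len(hits),
        "object_refs": [ip_obj["id"], acct_obj["id"]],
    }
    sighting = {
        "type": "sighting", "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": stix_timestamp(now), "modified": stix_timestamp(now),
        "sighting_of_ref": indicator_id,          # the Indicator whose pattern matched
        "observed_data_refs": [observed["id"]],   # the evidence behind the sighting
        "count": len(hits),
        "first_seen": stix_timestamp(hits[0]), "last_seen": stix_timestamp(hits[-1]),
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [ip_obj, acct_obj, observed, sighting]}


if __name__ == "__main__":
    print(json.dumps(build_detection(SAMPLE_LOG, "176.113.115.149", "admin"), indent=2))
```

Because the SCO ids are derived from their contributing properties, two sightings of the same address produce the same ipv4-addr id, which is what lets a consumer deduplicate observables across bundles; the observed-data and sighting objects keep random UUIDv4 ids because each detection event is distinct.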
Best Practices for STIX Patterning
| Best Practice | Description |
|---|---|
| Use normalized log fields | Ensure your log fields are consistent across different data sources for accurate pattern matching |
| Validate patterns frequently | Use tools like the STIX 2 Pattern Validator to catch errors early in development |
| Handle edge cases | Design patterns that account for variations in log formats and time zones |
Why STIX Indicator Patterns Matter
While the technical details of STIX may seem abstract at first, adopting STIX Indicator patterns has a direct and significant impact on your organization’s cybersecurity effectiveness. By standardizing the way threats are described and shared, STIX provides real-world benefits that go well beyond simple pattern matching:
| Benefit | Description |
|---|---|
| Enhanced Collaboration | A common language for threat intelligence enables teams and partner organizations to quickly exchange detection rules and observables without misinterpretation |
| Streamlined Detection and Response | STIX provides a single source of truth instead of multiple proprietary rule sets, simplifying workflow and reducing error risks |
| Operational Efficiency | Standardized detection rules reduce format translation overhead, ensuring consistent and reliable threat detection across the security ecosystem |
| Future-Proofing | Backed by an active community and evolving standards, STIX adapts to emerging threats and technologies, maintaining robust defenses |
The Pitfalls of Not Adopting a Standard Framework
Failing to implement a standardized approach for building cyber threat intelligence can leave organizations exposed to several risks:
| Challenge | Impact |
|---|---|
| Fragmented Intelligence | Different teams interpret threat data inconsistently, hampering communication and coordinated defense efforts |
| Increased Complexity | Multiple disparate rule sets increase overhead, delaying detection and creating security gaps |
| Higher Risk of Misinterpretation | Varying formats increase the risk of misinterpreting threats, leading to delayed responses or false positives |
| Inefficient Resource Use | Extra time and effort spent on translating threat data diverts resources from proactive security |
Conclusion
STIX 2.1 Indicator patterns are a powerful way to represent and share threat intelligence. With tools like STIX Shifter and STIX 2 Pattern Validator, organizations can automate detection development and enhance their cybersecurity posture.
Try creating your own STIX patterns for detection, and explore tools like txt2stix and cve2stix for more complex use cases. Happy patterning!