Exporting your analysis results to STIX

You can export the results of an incident investigation from QRadar® Advisor with Watson™ to STIX 2.0.

About this task

By exporting the results of your analysis, you can share your threat intelligence information with other organizations in a consistent and machine-readable format. Sharing threat intelligence information helps security communities to better understand and anticipate the cyber attacks that are most likely to occur.

The STIX file converts the QRadar Advisor with Watson nodes and edges of the knowledge graph from their native JSON format into the equivalent STIX 2.0 JSON format.

After you submit an incident to Watson for investigation, you can export the results to STIX format. The STIX file contains all of the incident information that is included on the knowledge graph.
Note: The export contains the graph view that is displayed at the time of the export. For example, if the local graph is displayed and you export to STIX, then the local graph is exported.


  1. Export to STIX.
    • On the Relationship Graph page, click Export > Export to STIX.
    • On the Watson Investigation page, select one or more investigations and then click Export. On the Export Investigations page, click the STIX tab and then click Export.
  2. Download and save the file.
    An example format for the STIX file name is offenseid_Time_Date.stix. Multiple selections are downloaded and saved as a ZIP file.

What to do next

For verification purposes, you can view a graphical representation of the saved STIX file in a viewer such as the open source STIX Visualizer.
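
A scripted check can complement the viewer. The following Python is an added example, not IBM code: it assumes that each exported file is a STIX 2.0 bundle and that files inside the ZIP end in .stix, and it reports the node counts by type and any relationship (edge) whose source_ref or target_ref does not resolve to an object in the same bundle. The sample bundle and its IDs are constructed.

```python
import io
import json
import zipfile
from collections import Counter

# Constructed sample bundle, trimmed to the fields this check reads.
U = "00000000-0000-4000-8000-00000000000"
IND, MAL = f"indicator--{U}2", f"malware--{U}3"
SAMPLE = {
    "type": "bundle",
    "id": f"bundle--{U}1",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": IND},
        {"type": "malware", "id": MAL},
        {"type": "relationship", "id": f"relationship--{U}4",
         "relationship_type": "indicates", "source_ref": IND, "target_ref": MAL},
        {"type": "relationship", "id": f"relationship--{U}5",  # target not in bundle
         "relationship_type": "indicates", "source_ref": IND, "target_ref": f"malware--{U}9"},
    ],
}


def check_bundle(bundle):
    """Return (node counts by type, edges whose endpoints are not in the bundle)."""
    if bundle.get("type") != "bundle":
        raise ValueError("top-level object is not a STIX bundle")
    objects = bundle.get("objects", [])
    ids = {o["id"] for o in objects}
    nodes = Counter(o["type"] for o in objects if o["type"] != "relationship")
    dangling = [f"{o['id']}: {end} -> {o.get(end)}"
                for o in objects if o["type"] == "relationship"
                for end in ("source_ref", "target_ref") if o.get(end) not in ids]
    return nodes, dangling


def check_export(data):
    """Check the bytes of one exported .stix file, or of a ZIP of several."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return {"<single file>": check_bundle(json.loads(data))}
    with zipfile.ZipFile(buf) as zf:
        return {name: check_bundle(json.loads(zf.read(name)))
                for name in zf.namelist() if name.endswith(".stix")}


if __name__ == "__main__":
    print(check_export(json.dumps(SAMPLE).encode()))
```

To check a real export, pass the bytes of the downloaded .stix or ZIP file to check_export.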