Building STIX queries

Edit online

Although STIX 2 is gaining recognition as an industry standard, it is not yet widely known to all security professionals. The query builder helps you to create a search query for IBM Prerequisite Scanner, URLs, MD5 hashes, and more.

About this task

To learn more about STIX 2, see Introduction to STIX 2.

To learn more about the STIX 2 language that the query builder supports, see STIX 2 Patterning specifications.

Tip:
  • If you receive the message “The cluster is busy processing other requests and does not respond to your queries,” wait a few minutes and try again.
  • When you use the Visual Builder, you must press Enter after you type the value. You can also press Enter and Shift to add multiple values.

Procedure

  1. Go to Menu > Data Explorer > Search.
    Tip: You can also click Start searching in the home page.
  2. From the query type drop-down list, select Federated (STIX).
  3. Optional: Click Visual, click Start a query, and then build your query by following the onscreen instructions.
  4. In the query text field, enter your query in the following format: OBSERVABLE_TYPE PROPERTY OPERATOR VALUE
    The query builder displays a context helper that provides the following parameters.
    Parameter Description
    Observable type Observables in STIX 2 are the stateful properties or measurable events that relate to the operation of computers and networks. For more information about the different types, see Cyber Observable Objects.
    Property Each observable type has required properties. For more information about the different properties for each type, see Cyber Observable Objects.
    Operator The operator in a query parameter is set to equal by default. Choose the operator that is appropriate for your query parameter. Make sure to add an operator between all query parameters to avoid syntax errors.
    Value The observable value depends on the specified observable type and property.
  5. Group search parameters by using square brackets.
  6. Set one or more timeframes to query.
    Tip: In the STIX language, the time range is shown in Coordinated Universal Time (UTC).
    1. Add a custom START and STOP date and time.
    2. Click to select from the quick ranges supplied with START.
    3. Click to use current date and time with STOP.
  7. Select one or more data sources to query. All data sources are selected by default. Click the data sources menu to update the selection.
  8. Click Run query to retrieve your target data across your selected data sources. The query results vary depending on your connected data sources.

Results

If there is a syntax error in your query, Run query is disabled until you resolve the error. Each syntax error is highlighted with a red underline, a tooltip with syntax error details, and contextual helper with syntax fix suggestions.

When a query is run, an 'active-query' card is added. Each query expires 14 days after it is created.

Example

Search for IPv4

If a timeframe is not specified, a default timeframe is applied according to the data source setting.

[ipv4-addr:value = '127.0.0.1']

Search for URL with timeframe

Note that the START and STOP times are outside of the query string brackets ([]).

[url:value = 'www.ibm.com'] START t'2019-03-23T13:53:12.229Z' STOP
              t'2019-03-26T13:53:27.170Z'

Search for Destination Ports other than port 443

Exclude (!=) values to narrow your results.

[network-traffic:dst_port != 443]

Search for the Powershell process that includes Mimikatz in the command line

Use operators such as LIKE and IN. Use % to represent "wild" strings.

[process:name = 'powershell.exe' AND process:command_line LIKE
            '%Mimikatz%']

Search for the process that matches TSTheme.exe and parent process that includes svchost.exe and MD5 hash

Group strings with parentheses ().

([process:name MATCHES 'TSTheme.exe' AND process:parent_ref.name LIKE '%svchost.exe']
              AND [file:hashes.'MD5' = 'C9A51BDEC4B4E0B6EF51B64637677D14'])

For more information, see STIX Patterning, Examples.