Building STIX queries
Although STIX 2 is gaining recognition as an industry standard, it is not yet widely known to all security professionals. The query builder helps you to create a search query for IP addresses, URLs, MD5 hashes, and more.
About this task
To learn more about STIX 2, see Introduction to STIX 2.
To learn more about the STIX 2 language that the query builder supports, see STIX 2 Patterning specifications.
- If you receive the message “The cluster is busy processing other requests and does not respond to your queries,” wait a few minutes and try again.
- When you use the Visual Builder, you must press Enter after you type the value. You can also press Enter and Shift to add multiple values.
- Go to Data Explorer and then select the Advanced Builder tab.
- Click the STIX tab.
- In the query text field, enter your query in the following format:
OBSERVABLE_TYPE PROPERTY OPERATOR VALUE
The query builder displays a context helper that provides the following parameters.

| Parameter | Description |
| --- | --- |
| Observable type | Observables in STIX 2 are the stateful properties or measurable events that relate to the operation of computers and networks. For more information about the different types, see Cyber Observable Objects. |
| Property | Each observable type has required properties. For more information about the different properties for each type, see Cyber Observable Objects. |
| Operator | The operator in a query parameter is set to equal by default. Choose the operator that is appropriate for your query parameter. Make sure to add an operator between all query parameters to avoid syntax errors. |
| Value | The observable value depends on the specified observable type and property. |
- Group search parameters by using square brackets.
- Set one or more timeframes to query. Tip: In the STIX language, the time range is shown in Coordinated Universal Time (UTC).
- Add a custom STOP date and time.
- Click to select from the quick ranges supplied with
- Click to use current date and time with
- Add a custom
- Select one or more data sources to query. All data sources are selected by default. Click the data sources menu to update the selection.
- Click Run query to retrieve your target data across your selected data sources. The query results vary depending on your connected data sources.
When a query is run, an 'active-query' card is added. Each query expires 14 days after it is created.
Search for IPv4
If a timeframe is not specified, a default timeframe is applied according to the data source setting.
[ipv4-addr:value = '127.0.0.1']
Search for URL with timeframe
Note that the START and STOP times are placed outside of the square brackets of the query string.
[url:value = 'www.ibm.com'] START t'2019-03-23T13:53:12.229Z' STOP t'2019-03-26T13:53:27.170Z'
Search for destination ports other than port 443
Use the not equal (!=) operator to narrow your results.
[network-traffic:dst_port != 443]
Search for the PowerShell process that includes Mimikatz in the command line
Use operators such as LIKE, where the % wildcard represents "wild" strings.
[process:name = 'powershell.exe' AND process:command_line LIKE '%Mimikatz%']
Search for the process that matches TSTheme.exe and parent process that
Group patterns with parentheses.
([process:name MATCHES 'TSTheme.exe' AND process:parent_ref.name LIKE '%svchost.exe'] AND [file:hashes.'MD5' = 'C9A51BDEC4B4E0B6EF51B64637677D14'])
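As an added illustration of the OBSERVABLE_TYPE:PROPERTY OPERATOR VALUE format, the bracket grouping, the START/STOP qualifiers outside the brackets, and the =, !=, LIKE and MATCHES operators used in the examples above, the following Python is example code written for this page; it is not part of Data Explorer or any IBM product. The term tuples, the flat 'type:property' record layout and the two process records are constructed assumptions.

```python
import re
from datetime import datetime, timezone
# Operators used in the examples above. LIKE takes SQL-style wildcards
# (% = any run of characters, _ = one character); MATCHES takes a regular expression.
OPERATORS = {
    "=": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "LIKE": lambda actual, expected: re.fullmatch(
        "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in expected),
        str(actual)) is not None,
    "MATCHES": lambda actual, expected: re.search(expected, str(actual)) is not None,
}

def literal(value):
    """Render VALUE as a STIX literal: integers bare, strings single-quoted and escaped."""
    if isinstance(value, int):
        return str(value)
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render(terms):
    """Build one bracketed observation from (OBSERVABLE_TYPE, PROPERTY, OPERATOR, VALUE) terms."""
    for _, _, op, _ in terms:
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
    return "[" + " AND ".join(f"{t}:{p} {op} {literal(v)}" for t, p, op, v in terms) + "]"

def with_timeframe(pattern, start, stop):
    """Append START/STOP qualifiers outside the brackets; STIX timestamps are UTC, ms precision."""
    if stop <= start:
        raise ValueError("STOP must be later than START")
    def ts(dt):
        dt = dt.astimezone(timezone.utc)
        return "t'" + dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z'"
    return f"{pattern} START {ts(start)} STOP {ts(stop)}"

def evaluate(terms, observed):
    """True when every term holds for one observed object, a dict keyed 'type:property' (assumed layout)."""
    return all(f"{t}:{p}" in observed and OPERATORS[op](observed[f"{t}:{p}"], v)
               for t, p, op, v in terms)
# Constructed sample: the PowerShell/Mimikatz query as terms, plus two made-up process records.
MIMIKATZ = [("process", "name", "=", "powershell.exe"),
            ("process", "command_line", "LIKE", "%Mimikatz%")]
SAMPLE = [{"process:name": "powershell.exe", "process:command_line": "powershell.exe Mimikatz.ps1"},
          {"process:name": "cmd.exe", "process:command_line": "whoami"}]
def url_example():
    """The URL-with-timeframe query from the page, rebuilt from its parts."""
    return with_timeframe(render([("url", "value", "=", "www.ibm.com")]),
                          datetime(2019, 3, 23, 13, 53, 12, 229000, tzinfo=timezone.utc),
                          datetime(2019, 3, 26, 13, 53, 27, 170000, tzinfo=timezone.utc))
```

Running `evaluate(MIMIKATZ, record)` over the two sample records returns True for the first and False for the second, and `url_example()` reproduces the URL query shown above character for character.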
For more information, see STIX Patterning, Examples.