Those of you following the development of the STIX 2.x ecosystem will have noticed that many of the companies involved in building new products and services have begun to release tools and resources for the community. Today I’m writing to share a link to a Reference Guide developed by the MITRE Corporation in support of the CTI TC.
The Patterning Language is covered in Part 9 of the Technical Specification and it lays out an approach that producers and consumers of STIX data can use to characterize complex patterns in what they are observing on their networks.
As the STIX 2.x FAQ notes:
Indicator patterns in STIX 1 were an area where the “many ways of expressing semantically-equivalent content” problem was particularly manifested. As a result, for a consumer of STIX 1 content, rigorously parsing all but the simplest patterns was unnecessarily difficult. STIX 2 takes a radically different approach by defining a human-readable, SQL-like Indicator Patterning Language. As a result, patterns written in the STIX Patterning Language are more compact and far easier to read.
The STIX 2 Pattern Validator is a software tool for checking the syntax of Cyber Threat Intelligence (CTI) STIX Pattern expressions, which are used within STIX to express conditions (represented with the Cyber Observable data model) that indicate particular cyber threat activity.
This guide summarizes the key points of the STIX Patterning Language.
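To make the shape of the language concrete, here is an added example of a small syntax checker for a subset of STIX 2 patterns. It is not the MITRE Pattern Validator or any code from the guide; the regular-expression grammar and the sample patterns (placeholder hash, TEST-NET address, `.example` domain) are my own constructions, and it only approximates the observation-expression level of the specification.

```python
import re

# Added illustration, not MITRE's stix2-patterns validator: a deliberately
# small checker for a subset of the STIX 2 Patterning Language. It recognises
# comparison expressions (object path, operator, constant) joined by AND/OR
# inside square brackets to form observation expressions, which are joined by
# AND, OR or FOLLOWEDBY and may carry WITHIN / REPEATS / START..STOP qualifiers.
# Assumption: this regex approximation is enough to show the structure; it is
# not the full grammar and does not replace the real validator.

_OBJECT_PATH = (
    r"[a-z0-9_-]+:[A-Za-z0-9_\-]+"          # object type and first property
    r"(?:\.(?:[A-Za-z0-9_\-]+|'[^']+'))*"   # sub-properties, e.g. hashes.'SHA-256'
    r"(?:\[(?:\d+|\*)\])*"                  # list index or wildcard
)
_CONSTANT = r"'(?:[^'\\]|\\.)*'|-?\d+(?:\.\d+)?|true|false|t'[^']*'"
_LIST = r"\((?:%s)(?:\s*,\s*(?:%s))*\)" % (_CONSTANT, _CONSTANT)
_OPERATOR = r"=|!=|>=|<=|>|<|IN|LIKE|MATCHES|ISSUBSET|ISSUPERSET"
_COMPARISON = r"%s\s*(?:NOT\s+)?(?:%s)\s*(?:%s|%s)" % (
    _OBJECT_PATH, _OPERATOR, _CONSTANT, _LIST)
_OBSERVATION = r"\[\s*(?:%s)(?:\s+(?:AND|OR)\s+(?:%s))*\s*\]" % (
    _COMPARISON, _COMPARISON)
_QUALIFIER = (
    r"(?:WITHIN\s+\d+(?:\.\d+)?\s+SECONDS|REPEATS\s+\d+\s+TIMES"
    r"|START\s+t'[^']*'\s+STOP\s+t'[^']*')"
)
_PATTERN = re.compile(
    r"^\s*(?:%s)(?:\s+(?:AND|OR|FOLLOWEDBY)\s+(?:%s))*(?:\s+%s)*\s*$"
    % (_OBSERVATION, _OBSERVATION, _QUALIFIER)
)


def is_valid_stix_pattern(pattern: str) -> bool:
    """Return True when the pattern fits the grammar subset above."""
    return _PATTERN.match(pattern) is not None


# Constructed sample patterns with placeholder values (not real indicators).
SAMPLE_PATTERNS = {
    "[file:hashes.'SHA-256' = 'PLACEHOLDER_HASH']": True,
    "[file:name = 'dropper.exe' AND file:size > 1024]": True,
    "[ipv4-addr:value = '203.0.113.7'] FOLLOWEDBY "
    "[domain-name:value = 'c2.example'] WITHIN 300 SECONDS": True,
    "[network-traffic:dst_port IN (80, 443)]": True,
    "file:name = 'dropper.exe'": False,                 # missing brackets
    "[file:name == 'dropper.exe']": False,              # '==' is not a STIX operator
    "[file:name = 'a.exe' FOLLOWEDBY file:size > 1]": False,  # FOLLOWEDBY joins observations only
}


def check_samples() -> bool:
    """True when every sample pattern is classified as expected."""
    return all(is_valid_stix_pattern(p) == ok for p, ok in SAMPLE_PATTERNS.items())


if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        print("valid  " if is_valid_stix_pattern(p) else "INVALID", p)
```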