STIX

Exemple :

{
  "type": "bundle",
  "id": "bundle--3c4f8b42-47f2-4976-bf3a-2bd57e67b63c",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "threat-actor",
      "id": "threat-actor--8e6a4f12-132b-4c6f-b3a3-621bdc7f94b5",
      "created": "2025-03-10T10:00:00.000Z",
      "modified": "2025-03-10T10:00:00.000Z",
      "name": "APT-42",
      "description": "Un groupe APT connu pour des attaques ciblées sur des infrastructures critiques.",
      "threat_actor_types": ["nation-state"],
      "aliases": ["Groupe Fantôme"],
      "roles": ["sponsor"],
      "primary_motivation": "espionage"
    },
    {
      "type": "malware",
      "id": "malware--3d3b4a44-d8f3-4c67-8051-9b1f3235f46a",
      "created": "2025-03-10T10:00:00.000Z",
      "modified": "2025-03-10T10:00:00.000Z",
      "name": "ShadowSpy",
      "description": "Un malware utilisé par APT-42 pour la collecte de données.",
      "malware_types": ["remote-access-trojan"],
      "is_family": false
    },
    {
      "type": "indicator",
      "id": "indicator--d7e4d6f7-52df-4b89-9b71-d54352f42d56",
      "created": "2025-03-10T10:00:00.000Z",
      "modified": "2025-03-10T10:00:00.000Z",
      "name": "IP suspecte de ShadowSpy",
      "description": "Cette adresse IP est associée aux activités du malware ShadowSpy.",
      "indicator_types": ["malicious-activity"],
      "pattern": "[ipv4-addr:value = '203.0.113.45']",
      "pattern_type": "stix",
      "valid_from": "2025-03-10T10:00:00.000Z"
    },
    {
      "type": "attack-pattern",
      "id": "attack-pattern--6f2d63ab-60cd-4984-8c3c-e40f7df60e2f",
      "created": "2025-03-10T10:00:00.000Z",
      "modified": "2025-03-10T10:00:00.000Z",
      "name": "Phishing via pièce jointe malveillante",
      "description": "Utilisation d'un document Word piégé pour exécuter un malware.",
      "external_references": [
        {
          "source_name": "MITRE ATT&CK",
          "url": "https://attack.mitre.org/techniques/T1566/001/",
          "external_id": "T1566.001"
        }
      ]
    },
    {
      "type": "observed-data",
      "id": "observed-data--c9b9c9d4-b792-4d1c-bf7a-3e5ff2b172e8",
      "created": "2025-03-10T10:00:00.000Z",
      "modified": "2025-03-10T10:00:00.000Z",
      "first_observed": "2025-03-09T22:15:00.000Z",
      "last_observed": "2025-03-09T22:30:00.000Z",
      "number_observed": 3,
      "object_refs": ["ipv4-addr--a67dbd13-9c6e-4f76-91f8-3cfb67a7b0b7"]
    },
    {
      "type": "ipv4-addr",
      "id": "ipv4-addr--a67dbd13-9c6e-4f76-91f8-3cfb67a7b0b7",
      "value": "203.0.113.45"
    },
    {
      "type": "relationship",
      "id": "relationship--e6b3498c-7c2c-4a8f-b02b-1e0b5f1d5c44",
      "relationship_type": "uses",
      "source_ref": "threat-actor--8e6a4f12-132b-4c6f-b3a3-621bdc7f94b5",
      "target_ref": "malware--3d3b4a44-d8f3-4c67-8051-9b1f3235f46a",
      "description": "APT-42 utilise ShadowSpy pour espionner ses cibles."
    },
    {
      "type": "relationship",
      "id": "relationship--f3a9c1d6-2d4e-48ad-9a5b-3f23f76e2a16",
      "relationship_type": "indicates",
      "source_ref": "indicator--d7e4d6f7-52df-4b89-9b71-d54352f42d56",
      "target_ref": "malware--3d3b4a44-d8f3-4c67-8051-9b1f3235f46a",
      "description": "L'indicateur IP est lié au malware ShadowSpy."
    },
    {
      "type": "relationship",
      "id": "relationship--d2e16b59-f798-4c43-9a5d-4b8c516b63ab",
      "relationship_type": "uses",
      "source_ref": "malware--3d3b4a44-d8f3-4c67-8051-9b1f3235f46a",
      "target_ref": "attack-pattern--6f2d63ab-60cd-4984-8c3c-e40f7df60e2f",
      "description": "Le malware ShadowSpy est propagé via un phishing avec document piégé."
    }
  ]
}