| STIX Operator | Data Source Operator |
|---|---|
| AND | OR |
| OR | OR |
| = | = |
| != | != |
| LIKE | contains |
| MATCHES | matches |
| > | is greater than |
| >= | is greater than or equal to |
| < | is less than |
| <= | is less than or equal to |
| IN | = |
| STIX Object | STIX Property | Data Source Field |
|---|---|---|
| directory | path | file_path |
| file | name | file_name |
| file | parent_directory_ref | file_path |
| file | hashes.SHA-256 | sha256hash |
| file | hashes.SHA-1 | sha1hash |
| file | hashes.MD5 | md5hash |
| file | size | file_size |
| ipv4-addr | value | local_address |
| ipv4-addr | value | remote_address |
| ipv6-addr | value | local_address |
| ipv6-addr | value | remote_address |
| mac-addr | value | mac |
| network-traffic | src_ref | local_address |
| network-traffic | dst_ref | remote_address |
| network-traffic | src_port | local_port |
| network-traffic | dst_port | remote_port |
| network-traffic | protocols | protocol |
| process | binary_ref | file_path |
| process | name | process_name |
| process | pid | process_id |
| process | pid | process_ppid |
| process | parent_ref | process_ppid |
| process | creator_user_ref | process_user |
| user-account | user_id | process_user |
| x-bigfix-relevance | computer_identity | computer_identity |