Indicators are probably the most frequently used object in the STIX 2 data model. At the heart of STIX Indicators is the STIX Patterning Language. STIX Patterning is a powerful tool capable of describing a wide spectrum of malicious attacker behavior in a machine-parsable format suitable for security automation.

STIX Patterning is also a language and as such it is defined by a grammar. The official OASIS specification for STIX Patterning weighs in at a sizable 34 pages of dense prose. We wanted to make life easier for folks coming up to speed on STIX Patterning, so we created a handy, quick reference card. We hope that you’ll find it useful!

We intend to update this as the STIX Patterning Language evolves. Please send any suggestions or corrections to

Check out our STIX resource page, your one-stop shop for STIX and TAXII tools and info.