Bundle Object

Describes a Bundle of any set of CTIM entities

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedString String		✓
type	BundleTypeIdentifier String		✓
valid_time	ValidTime Object		✓
actor_refs	#{ String}
actors	#{Actor Object}	a list of Actor
attack_pattern_refs	#{ String}
attack_patterns	#{AttackPattern Object}	a list of AttackPattern
campaign_refs	#{ String}
campaigns	#{Campaign Object}	a list of Campaign
coa_refs	#{ String}
coas	#{COA Object}	a list of COA
data_table_refs	#{ String}
data_tables	#{DataTable Object}	a list of DataTable
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
feedback_refs	#{ String}
feedbacks	#{Feedback Object}	a list of Feedback
incident_refs	#{ String}
incidents	#{Incident Object}	a list of Incident
indicator_refs	#{ String}
indicators	#{Indicator Object}	a list of Indicator
judgement_refs	#{ String}
judgements	#{Judgement Object}	a list of Judgement
language	ShortString String	The human language this object is specified in.
malware_refs	#{ String}
malwares	#{Malware Object}	a list of Malware
relationship_refs	#{ String}
relationships	#{Relationship Object}	a list of Relationship
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
sighting_refs	#{ String}
sightings	#{Sighting Object}	a list of Sighting
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.
tool_refs	#{ String}
tools	#{Tool Object}	a list of Tool
verdict_refs	#{ String}
verdicts	#{Verdict Object}	a list of Verdict
weakness_refs	#{ String}
weaknesses	#{Weakness Object}	a list of Weakness

• Reference: #

Property actor_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property actors ∷ #{Actor Object}

a list of Actor

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Actor Object Value
  • Details: Actor Object

Property attack_pattern_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property attack_patterns ∷ #{AttackPattern Object}

a list of AttackPattern

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• AttackPattern Object Value
  • Details: AttackPattern Object

Property campaign_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property campaigns ∷ #{Campaign Object}

a list of Campaign

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Campaign Object Value
  • Details: Campaign Object

Property coa_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property coas ∷ #{COA Object}

a list of COA

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• COA Object Value
  • Details: COA Object

Property data_table_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property data_tables ∷ #{DataTable Object}

a list of DataTable

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• DataTable Object Value
  • Details: DataTable Object

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property feedback_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property feedbacks ∷ #{Feedback Object}

a list of Feedback

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Feedback Object Value
  • Details: Feedback Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property incident_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property incidents ∷ #{Incident Object}

a list of Incident

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Incident Object Value
  • Details: Incident Object

Property indicator_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property indicators ∷ #{Indicator Object}

a list of Indicator

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Indicator Object Value
  • Details: Indicator Object

Property judgement_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property judgements ∷ #{Judgement Object}

a list of Judgement

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Judgement Object Value
  • Details: Judgement Object

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property malware_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property malwares ∷ #{Malware Object}

a list of Malware

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Malware Object Value
  • Details: Malware Object

Property relationship_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property relationships ∷ #{Relationship Object}

a list of Relationship

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Relationship Object Value
  • Details: Relationship Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property sighting_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property sightings ∷ #{Sighting Object}

a list of Sighting

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Sighting Object Value
  • Details: Sighting Object

Property source ∷ MedString String

• This entry is required

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property tool_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property tools ∷ #{Tool Object}

a list of Tool

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Tool Object Value
  • Details: Tool Object

Property type ∷ BundleTypeIdentifier String

• This entry is required

  • Must equal: "bundle"

Property valid_time ∷ ValidTime Object

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

Property verdict_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property verdicts ∷ #{Verdict Object}

a list of Verdict

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Verdict Object Value
  • Details: Verdict Object

Property weakness_refs ∷ #{ String}

• This entry is optional

• This entry's type is a set (allows zero or more distinct values)

  • A URI leading to an entity

Property weaknesses ∷ #{Weakness Object}

a list of Weakness

• This entry is optional
• This entry's type is a set (allows zero or more distinct values)

• Weakness Object Value
  • Details: Weakness Object

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Actor Object

Describes malicious actors (or adversaries) related to a cyber attack

Property	Type	Description	Required?
actor_type	ThreatActorType String		✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedString String		✓
type	ActorTypeIdentifier String		✓
valid_time	ValidTime Object		✓
confidence	HighMedLow String
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
identity	Identity Object
intended_effect	IntendedEffect String
language	ShortString String	The human language this object is specified in.
motivation	Motivation String
planning_and_operational_support	LongString String
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
sophistication	Sophistication String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

• Reference: ThreatActorType

Property actor_type ∷ ThreatActorType String

• This entry is required

  • Allowed Values:
    • Cyber Espionage Operations
    • Disgruntled Customer / User
    • Hacker
    • Hacker - Black hat
    • Hacker - Gray hat
    • Hacker - White hat
    • Hacktivist
    • Insider Threat
    • State Actor / Agency
    • eCrime Actor - Credential Theft Botnet Operator
    • eCrime Actor - Credential Theft Botnet Service
    • eCrime Actor - Malware Developer
    • eCrime Actor - Money Laundering Network
    • eCrime Actor - Organized Crime Actor
    • eCrime Actor - Spam Service
    • eCrime Actor - Traffic Service
    • eCrime Actor - Underground Call Service

Property confidence ∷ HighMedLow String

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity ∷ Identity Object

• This entry is optional

• Identity Object Value
  • Details: Identity Object

Property intended_effect ∷ IntendedEffect String

• This entry is optional

  • Allowed Values:
    • Account Takeover
    • Advantage
    • Advantage - Economic
    • Advantage - Military
    • Advantage - Political
    • Brand Damage
    • Competitive Advantage
    • Degradation of Service
    • Denial and Deception
    • Destruction
    • Disruption
    • Embarrassment
    • Exposure
    • Extortion
    • Fraud
    • Harassment
    • ICS Control
    • Theft
    • Theft - Credential Theft
    • Theft - Identity Theft
    • Theft - Intellectual Property
    • Theft - Theft of Proprietary Information
    • Traffic Diversion
    • Unauthorized Access

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property motivation ∷ Motivation String

• This entry is optional

  • Allowed Values:
    • Ego
    • Financial or Economic
    • Ideological
    • Ideological - Anti-Corruption
    • Ideological - Anti-Establishment
    • Ideological - Environmental
    • Ideological - Ethnic / Nationalist
    • Ideological - Human Rights
    • Ideological - Information Freedom
    • Ideological - Religious
    • Ideological - Security Awareness
    • Military
    • Opportunistic
    • Political

Property planning_and_operational_support ∷ LongString String

• This entry is optional

  • String with at most 5000 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property sophistication ∷ Sophistication String

• This entry is optional

  • Allowed Values:
    • Aspirant
    • Expert
    • Innovator
    • Novice
    • Practitioner

Property source ∷ MedString String

• This entry is required

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ ActorTypeIdentifier String

• This entry is required

  • Must equal: "actor"

Property valid_time ∷ ValidTime Object

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

Identity Object

Describes a person or an organization

Property	Type	Description	Required?
description	Markdown String		✓
related_identities	RelatedIdentity Object List	Identifies other entity Identities related to this Identity	✓

• Reference: IdentityType

Property description ∷ Markdown String

• This entry is required

  • Markdown string with at most 5000 characters

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity

• This entry is required
• This entry's type is sequential (allows zero or more values)

• RelatedIdentity Object Value
  • Details: RelatedIdentity Object

RelatedIdentity Object

Describes a related Identity

Property	Type	Description	Required?
identity	String	The reference (URI) of the related Identity object	✓
confidence	HighMedLow String	Specifies the level of confidence in the assertion of the relationship between the two objects
information_source	String	Specifies the source of the information about the relationship between the two components
relationship	String

• Reference: RelatedIdentityType

Property confidence ∷ HighMedLow String

Specifies the level of confidence in the assertion of the relationship between the two objects

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property identity ∷ String

The reference (URI) of the related Identity object

• This entry is required

  • A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components

• This entry is optional

Property relationship ∷ String

• This entry is optional

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

AttackPattern Object

Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.

Property	Type	Description	Required?
description	Markdown String	A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.	✓
id	String	Globally unique URI identifying this object.	✓
name	ShortString String	A name used to identify the Attack Pattern.	✓
schema_version	String	CTIM schema version for this entity	✓
type	AttackPatternTypeIdentifier String		✓
abstraction_level	AttackPatternAbstractions String	The CAPEC abstraction level for patterns describing techniques to attack a system.
external_ids	String List
external_references	ExternalReference Object List	A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
kill_chain_phases	KillChainPhase Object List	The list of Kill Chain Phases for which this Attack Pattern is used.
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLP String	Specification for how, and to whom, this object can be shared.
x_mitre_contributors	ShortString String List	ATT&CK Technique.Contributors
x_mitre_data_sources	ShortString String List	ATT&CK Technique.Data Sources
x_mitre_platforms	ShortString String List	ATT&CK Technique.Platforms

• Reference: Attack Pattern

Property abstraction_level ∷ AttackPatternAbstractions String

The CAPEC abstraction level for patterns describing techniques to attack a system.

• This entry is optional

  • Abstraction levels corresponding to CAPEC data describing attack-pattern objects.
  • Allowed Values:
    • aggregate
    • category
    • detailed
    • meta
    • standard
  • Reference: Common Attack Pattern Enumeration and Classification

Property description ∷ Markdown String

A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.

• This entry is required

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Attack Pattern is used.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• KillChainPhase Object Value
  • Details: KillChainPhase Object

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property name ∷ ShortString String

A name used to identify the Attack Pattern.

• This entry is required

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ AttackPatternTypeIdentifier String

• This entry is required

  • Must equal: "attack-pattern"

Property x_mitre_contributors ∷ ShortString String List

ATT&CK Technique.Contributors

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

Property x_mitre_data_sources ∷ ShortString String List

ATT&CK Technique.Data Sources

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

Property x_mitre_platforms ∷ ShortString String List

ATT&CK Technique.Platforms

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

• Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Must equal: "lockheed-martin-cyber-kill-chain"
  • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Allowed Values:
    • actions-on-objective
    • command-and-control
    • delivery
    • exploitation
    • installation
    • reconnaissance
    • weaponization
  • Reference: Open Vocabulary

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Campaign Object

Represents a campaign by an actor pursing an intent

Property	Type	Description	Required?
campaign_type	ShortString String		✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	CampaignTypeIdentifier String		✓
valid_time	ValidTime Object	Timestamp for the definition of a specific version of a campaign	✓
activity	Activity Object List	Actions taken in regards to this Campaign
confidence	HighMedLow String	Level of confidence held in the characterization of this Campaign
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
intended_effect	IntendedEffect String List	Characterizes the intended effect of this cyber threat campaign
language	ShortString String	The human language this object is specified in.
names	ShortString String List	Names used to identify this campaign
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
status	CampaignStatus String	Status of this Campaign
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

• Reference: CampaignType

Property activity ∷ Activity Object List

Actions taken in regards to this Campaign

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Activity Object Value
  • Details: Activity Object

Property campaign_type ∷ ShortString String

• This entry is required

• Dev Notes: Should we define a vocabulary for this?

  • String with at most 1024 characters

Property confidence ∷ HighMedLow String

Level of confidence held in the characterization of this Campaign

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property intended_effect ∷ IntendedEffect String List

Characterizes the intended effect of this cyber threat campaign

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • Allowed Values:
    • Account Takeover
    • Advantage
    • Advantage - Economic
    • Advantage - Military
    • Advantage - Political
    • Brand Damage
    • Competitive Advantage
    • Degradation of Service
    • Denial and Deception
    • Destruction
    • Disruption
    • Embarrassment
    • Exposure
    • Extortion
    • Fraud
    • Harassment
    • ICS Control
    • Theft
    • Theft - Credential Theft
    • Theft - Identity Theft
    • Theft - Intellectual Property
    • Theft - Theft of Proprietary Information
    • Traffic Diversion
    • Unauthorized Access

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property names ∷ ShortString String List

Names used to identify this campaign

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property status ∷ CampaignStatus String

Status of this Campaign

• This entry is optional

  • Allowed Values:
    • Future
    • Historic
    • Ongoing

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ CampaignTypeIdentifier String

• This entry is required

  • Must equal: "campaign"

Property valid_time ∷ ValidTime Object

Timestamp for the definition of a specific version of a campaign

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

Activity Object

What happend, when?

Property	Type	Description	Required?
date_time	Inst (Date)	Specifies the date and time at which the activity occured	✓
description	Markdown String	A description of the activity	✓

• Reference: ActivityType

Property date_time ∷ Inst (Date)

Specifies the date and time at which the activity occured

• This entry is required

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property description ∷ Markdown String

A description of the activity

• This entry is required

  • Markdown string with at most 5000 characters

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

COA Object

Course of Action. A corrective or preventative action to be taken in response to a threat

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	COATypeIdentifier String		✓
valid_time	ValidTime Object		✓
coa_type	COAType String	The type of this COA
cost	HighMedLow String	Characterizes the estimated cost for applying this course of action
description	Markdown String	A description of object, which may be detailed.
efficacy	HighMedLow String	Effectiveness of this course of action in achieving its targeted objective
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
impact	ShortString String	Characterizes the estimated impact of applying this course of action
language	ShortString String	The human language this object is specified in.
objective	ShortString String List	Characterizes the objective of this course of action
open_c2_coa	OpenC2COA Object
related_COAs	RelatedCOA Object List	Identifies or characterizes relationships to one or more related courses of action
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
stage	COAStage String	Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to
structured_coa_type	OpenC2StructuredCOAType String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

• Reference: CourseOfActionType

Property coa_type ∷ COAType String

The type of this COA

• This entry is optional

  • Allowed Values:
    • Diplomatic Actions
    • Eradication
    • Hardening
    • Internal Blocking
    • Logical Access Restrictions
    • Monitoring
    • Other
    • Patching
    • Perimeter Blocking
    • Physical Access Restrictions
    • Policy Actions
    • Public Disclosure
    • Rebuilding
    • Redirection
    • Redirection (Honey Pot)
    • Training
  • Reference: CourseOfActionTypeVocab

Property cost ∷ HighMedLow String

Characterizes the estimated cost for applying this course of action

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property efficacy ∷ HighMedLow String

Effectiveness of this course of action in achieving its targeted objective

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ ShortString String

Characterizes the estimated impact of applying this course of action

• This entry is optional

  • String with at most 1024 characters

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property objective ∷ ShortString String List

Characterizes the objective of this course of action

• This entry is optional

• This entry's type is sequential (allows zero or more values)

• Dev Notes: Squashed / simplified

  • String with at most 1024 characters

Property open_c2_coa ∷ OpenC2COA Object

• This entry is optional

• OpenC2COA Object Value
  • Details: OpenC2COA Object

Property related_COAs ∷ RelatedCOA Object List

Identifies or characterizes relationships to one or more related courses of action

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• RelatedCOA Object Value
  • Details: RelatedCOA Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property stage ∷ COAStage String

Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to

• This entry is optional

  • Allowed Values:
    • Remedy
    • Response
  • Reference: COAStageVocab

Property structured_coa_type ∷ OpenC2StructuredCOAType String

• This entry is optional

  • Must equal: "openc2"

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ COATypeIdentifier String

• This entry is required

  • Must equal: "coa"

Property valid_time ∷ ValidTime Object

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

OpenC2COA Object

Property	Type	Description	Required?
action	ActionType Object		✓
id	ShortString String		✓
type	StructuredCOAType String		✓
actuator	ActuatorType Object
modifiers	ModifierType Object
target	TargetType Object

Property action ∷ ActionType Object

• This entry is required

• ActionType Object Value
  • Details: ActionType Object

Property actuator ∷ ActuatorType Object

• This entry is optional

• ActuatorType Object Value
  • Details: ActuatorType Object

Property id ∷ ShortString String

• This entry is required

  • String with at most 1024 characters

Property modifiers ∷ ModifierType Object

• This entry is optional

• ModifierType Object Value
  • Details: ModifierType Object

Property target ∷ TargetType Object

• This entry is optional

• TargetType Object Value
  • Details: TargetType Object

Property type ∷ StructuredCOAType String

• This entry is required

  • Must equal: "structured_coa"

ModifierType Object

Property	Type	Description	Required?
additional_properties	AdditionalProperties Object
delay	Inst (Date)
destination	String
duration	Inst (Date)
frequency	ShortString String
id	ShortString String
location	String
method	String List
option	ShortString String
response	String
search	String
source	ShortString String
time	ValidTime Object

Property additional_properties ∷ AdditionalProperties Object

• This entry is optional

• AdditionalProperties Object Value
  • Details: AdditionalProperties Object

Property delay ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property destination ∷ String

• This entry is optional

  • Allowed Values:
    • copy-to
    • modify-to
    • move-to
    • report-to
    • restore-point
    • save-to
    • set-to

Property duration ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property frequency ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property id ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property location ∷ String

• This entry is optional

  • Allowed Values:
    • internal
    • perimeter

Property method ∷ String List

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • Allowed Values:
    • acl
    • authenticated
    • blackhole
    • blacklist
    • graceful
    • hibernate
    • honeypot
    • immediate
    • segmentation
    • spawn
    • suspend
    • unauthenticated
    • whitelist

Property option ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property response ∷ String

• This entry is optional

  • Allowed Values:
    • acknowledge
    • command-ref
    • query
    • status

Property search ∷ String

• This entry is optional

  • Allowed Values:
    • cve
    • patch
    • signature
    • vendor_bulletin

Property source ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property time ∷ ValidTime Object

• This entry is optional

• ValidTime Object Value
  • Details: ValidTime Object

AdditionalProperties Object

Property	Type	Description	Required?
context	ShortString String		✓

Property context ∷ ShortString String

• This entry is required

  • String with at most 1024 characters

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ActuatorType Object

Property	Type	Description	Required?
type	ActuatorType String		✓
specifiers	ShortString String List	list of additional properties describing the actuator

Property specifiers ∷ ShortString String List

list of additional properties describing the actuator

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

Property type ∷ ActuatorType String

• This entry is required

  • Allowed Values:
    • endpoint
    • endpoint.digital-telephone-handset
    • endpoint.laptop
    • endpoint.pos-terminal
    • endpoint.printer
    • endpoint.sensor
    • endpoint.server
    • endpoint.smart-meter
    • endpoint.smart-phone
    • endpoint.tablet
    • endpoint.workstation
    • network
    • network.bridge
    • network.firewall
    • network.gateway
    • network.guard
    • network.hips
    • network.hub
    • network.ids
    • network.ips
    • network.modem
    • network.nic
    • network.proxy
    • network.router
    • network.security_manager
    • network.sense_making
    • network.sensor
    • network.switch
    • network.vpn
    • network.wap
    • other
    • process
    • process.aaa-server
    • process.anti-virus-scanner
    • process.connection-scanner
    • process.directory-service
    • process.dns-server
    • process.email-service
    • process.file-scanner
    • process.location-service
    • process.network-scanner
    • process.remediation-service
    • process.reputation-service
    • process.sandbox
    • process.virtualization-service
    • process.vulnerability-scanner

TargetType Object

Property	Type	Description	Required?
type	ShortString String		✓
specifiers	ShortString String	Cybox object representing the target

Property specifiers ∷ ShortString String

Cybox object representing the target

• This entry is optional

  • String with at most 1024 characters

Property type ∷ ShortString String

• This entry is required

  • String with at most 1024 characters

ActionType Object

Property	Type	Description	Required?
type	COAType String		✓

Property type ∷ COAType String

• This entry is required

  • Allowed Values:
    • alert
    • allow
    • augment
    • contain
    • delete
    • deny
    • detonate
    • distill
    • get
    • investigate
    • locate
    • mitigate
    • modify
    • move
    • notify
    • other
    • pause
    • query
    • redirect
    • remediate
    • report
    • response
    • restart
    • restore
    • resume
    • save
    • scan
    • set
    • snapshot
    • start
    • stop
    • substitute
    • sync
    • throttle
    • update
  • Reference: OpenC2/STIX COA XML schema

RelatedCOA Object

Property	Type	Description	Required?
COA_id	String		✓
confidence	HighMedLow String
relationship	String
source	String

Property COA_id ∷ String

• This entry is required

  • A URI leading to a COA

Property confidence ∷ HighMedLow String

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property relationship ∷ String

• This entry is optional

Property source ∷ String

• This entry is optional

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Feedback Object

Feedback on any entity. Is it wrong? If so why? Was it right-on, and worthy of confirmation?

Property	Type	Description	Required?
entity_id	String		✓
feedback	Integer		✓
id	String	Globally unique URI identifying this object.	✓
reason	String		✓
schema_version	String	CTIM schema version for this entity	✓
type	FeedbackTypeIdentifier String		✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLP String	Specification for how, and to whom, this object can be shared.

Property entity_id ∷ String

• This entry is required

  • A URI leading to an entity

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property feedback ∷ Integer

• This entry is required

  • Allowed Values:
    • -1
    • 0
    • 1

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property reason ∷ String

• This entry is required

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ FeedbackTypeIdentifier String

• This entry is required

  • Must equal: "feedback"

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Incident Object

Discrete instance of indicators affecting an organization as well as information associated with incident response

Property	Type	Description	Required?
confidence	HighMedLow String	level of confidence held in the characterization of this Incident	✓
id	String	Globally unique URI identifying this object.	✓
incident_time	IncidentTime Object	relevant time values associated with this Incident	✓
schema_version	String	CTIM schema version for this entity	✓
status	Status String	current status of the incident	✓
type	IncidentTypeIdentifier String		✓
categories	IncidentCategory String List	a set of categories for this incident
description	Markdown String	A description of object, which may be detailed.
discovery_method	DiscoveryMethod String	identifies how the incident was discovered
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
intended_effect	IntendedEffect String	specifies the suspected intended effect of this incident
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

Property categories ∷ IncidentCategory String List

a set of categories for this incident

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • Allowed Values:
    • Denial of Service
    • Exercise/Network Defense Testing
    • Improper Usage
    • Investigation
    • Malicious Code
    • Scans/Probes/Attempted Access
    • Unauthorized Access

Property confidence ∷ HighMedLow String

level of confidence held in the characterization of this Incident

• This entry is required

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property discovery_method ∷ DiscoveryMethod String

identifies how the incident was discovered

• This entry is optional

  • Allowed Values:
    • Agent Disclosure
    • Antivirus
    • Audit
    • Customer
    • External - Fraud Detection
    • Financial Audit
    • HIPS
    • IT Audit
    • Incident Response
    • Internal - Fraud Detection
    • Law Enforcement
    • Log Review
    • Monitoring Service
    • NIDS
    • Security Alarm
    • Unknown
    • Unrelated Party
    • User

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property incident_time ∷ IncidentTime Object

relevant time values associated with this Incident

• This entry is required
• Dev Notes: Was 'time'; renamed for clarity

• IncidentTime Object Value
  • Details: IncidentTime Object

Property intended_effect ∷ IntendedEffect String

specifies the suspected intended effect of this incident

• This entry is optional

  • Allowed Values:
    • Account Takeover
    • Advantage
    • Advantage - Economic
    • Advantage - Military
    • Advantage - Political
    • Brand Damage
    • Competitive Advantage
    • Degradation of Service
    • Denial and Deception
    • Destruction
    • Disruption
    • Embarrassment
    • Exposure
    • Extortion
    • Fraud
    • Harassment
    • ICS Control
    • Theft
    • Theft - Credential Theft
    • Theft - Identity Theft
    • Theft - Intellectual Property
    • Theft - Theft of Proprietary Information
    • Traffic Diversion
    • Unauthorized Access

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property status ∷ Status String

current status of the incident

• This entry is required

  • Allowed Values:
    • Closed
    • Containment Achieved
    • Incident Reported
    • New
    • Open
    • Rejected
    • Restoration Achieved
    • Stalled

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ IncidentTypeIdentifier String

• This entry is required

  • Must equal: "incident"

IncidentTime Object

Property	Type	Description	Required?
opened	Inst (Date)		✓
closed	Inst (Date)
discovered	Inst (Date)
rejected	Inst (Date)
remediated	Inst (Date)
reported	Inst (Date)

Property closed ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property discovered ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property opened ∷ Inst (Date)

• This entry is required

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property rejected ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property remediated ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property reported ∷ Inst (Date)

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Indicator Object

An indicator is a test, or a collection of judgements that define criteria for identifying the activity, or presence of malware, or other unwanted software.

We follow the STiX IndicatorType closely, with the exception of not including observables within the indicator, and preferring a specification object encoded in JSON as opposed to an opaque implementation block.

Additional, you will want to either define judgements against Observables that are linked to this indicator, with the ID in the indicators field of those Judgements, or you can provide a specification value.

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
producer	ShortString String		✓
schema_version	String	CTIM schema version for this entity	✓
type	IndicatorTypeIdentifier String	The fixed value indicator	✓
valid_time	ValidTime Object	The time range during which this Indicator is considered valid.	✓
composite_indicator_expression	CompositeIndicatorExpression Object
confidence	HighMedLow String	level of confidence held in the accuracy of this Indicator
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
indicator_type	IndicatorType String List	Specifies the type or types for this Indicator
kill_chain_phases	KillChainPhase Object List	relevant kill chain phases indicated by this Indicator
language	ShortString String	The human language this object is specified in.
likely_impact	LongString String	likely potential impact within the relevant context if this Indicator were to occur
negate	Boolean	specifies the absence of the pattern
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
severity	HighMedLow String
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
specification	JudgementSpecification Object
tags	ShortString String List	Descriptors for this indicator
test_mechanisms	MedString String List	Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

• Reference: IndicatorType

Property composite_indicator_expression ∷ CompositeIndicatorExpression Object

• This entry is optional

• CompositeIndicatorExpression Object Value
  • Details: CompositeIndicatorExpression Object

Property confidence ∷ HighMedLow String

level of confidence held in the accuracy of this Indicator

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property indicator_type ∷ IndicatorType String List

Specifies the type or types for this Indicator

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • Allowed Values:
    • Anonymization
    • C2
    • Compromised PKI Certificate
    • Domain Watchlist
    • Exfiltration
    • File Hash Watchlist
    • Host Characteristics
    • IMEI Watchlist
    • IMSI Watchlist
    • IP Watchlist
    • Login Name
    • Malicious E-mail
    • Malware Artifacts
    • URL Watchlist
  • Reference: IndicatorTypeVocab

Property kill_chain_phases ∷ KillChainPhase Object List

relevant kill chain phases indicated by this Indicator

• This entry is optional
• This entry's type is sequential (allows zero or more values)
• Dev Notes: simplified

• KillChainPhase Object Value
  • Details: KillChainPhase Object

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property likely_impact ∷ LongString String

likely potential impact within the relevant context if this Indicator were to occur

• This entry is optional

  • String with at most 5000 characters

Property negate ∷ Boolean

specifies the absence of the pattern

• This entry is optional

Property producer ∷ ShortString String

• This entry is required

• Dev Notes: TODO - Document what is supposed to be in this field!

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ HighMedLow String

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property specification ∷ Either

• This entry is optional

  • Only one of the following schemas will match

• JudgementSpecification Object Value
  • Details: JudgementSpecification Object

• ThreatBrainSpecification Object Value
  • Details: ThreatBrainSpecification Object

• SnortSpecification Object Value
  • Details: SnortSpecification Object

• SIOCSpecification Object Value
  • Details: SIOCSpecification Object

• OpenIOCSpecification Object Value
  • Details: OpenIOCSpecification Object

Property tags ∷ ShortString String List

Descriptors for this indicator

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

Property test_mechanisms ∷ MedString String List

Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator

• This entry is optional

• This entry's type is sequential (allows zero or more values)

• Dev Notes: simplified

  • String with at most 2048 characters

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ IndicatorTypeIdentifier String

The fixed value indicator

• This entry is required

  • The fixed value "indicator"
  • Must equal: "indicator"

Property valid_time ∷ ValidTime Object

The time range during which this Indicator is considered valid.

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

OpenIOCSpecification Object

An indicator which contains an XML blob of an openIOC indicator..

Property	Type	Description	Required?
open_IOC	String		✓
type	OpenIOCSpecificationType String		✓

Property open_IOC ∷ String

• This entry is required

Property type ∷ OpenIOCSpecificationType String

• This entry is required

  • Must equal: "OpenIOC"

SIOCSpecification Object

An indicator which runs in snort...

Property	Type	Description	Required?
SIOC	String		✓
type	SIOCSpecificationType String		✓

Property SIOC ∷ String

• This entry is required

Property type ∷ SIOCSpecificationType String

• This entry is required

  • Must equal: "SIOC"

SnortSpecification Object

An indicator which runs in snort...

Property	Type	Description	Required?
snort_sig	String		✓
type	SnortSpecificationType String		✓

Property snort_sig ∷ String

• This entry is required

Property type ∷ SnortSpecificationType String

• This entry is required

  • Must equal: "Snort"

ThreatBrainSpecification Object

An indicator which runs in threatbrain...

Property	Type	Description	Required?
type	ThreatBrainSpecificationType String		✓
variables	String List		✓
query	String

Property query ∷ String

• This entry is optional

Property type ∷ ThreatBrainSpecificationType String

• This entry is required

  • Must equal: "ThreatBrain"

Property variables ∷ String List

• This entry is required
• This entry's type is sequential (allows zero or more values)

JudgementSpecification Object

An indicator based on a list of judgements. If any of the Observables in it's judgements are encountered, than it may be matches against. If there are any required judgements, they all must be matched in order for the indicator to be considered a match.

Property	Type	Description	Required?
judgements	String List		✓
required_judgements	RelatedJudgement Object List		✓
type	JudgementSpecificationType String		✓

Property judgements ∷ String List

• This entry is required

• This entry's type is sequential (allows zero or more values)

  • A URI leading to a judgement

Property required_judgements ∷ RelatedJudgement Object List

• This entry is required
• This entry's type is sequential (allows zero or more values)

• RelatedJudgement Object Value
  • Details: RelatedJudgement Object

Property type ∷ JudgementSpecificationType String

• This entry is required

  • Must equal: "Judgement"

RelatedJudgement Object

Property	Type	Description	Required?
judgement_id	String		✓
confidence	HighMedLow String
relationship	String
source	String

Property confidence ∷ HighMedLow String

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property judgement_id ∷ String

• This entry is required

  • A URI leading to a judgement

Property relationship ∷ String

• This entry is optional

Property source ∷ String

• This entry is optional

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

• Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Must equal: "lockheed-martin-cyber-kill-chain"
  • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Allowed Values:
    • actions-on-objective
    • command-and-control
    • delivery
    • exploitation
    • installation
    • reconnaissance
    • weaponization
  • Reference: Open Vocabulary

CompositeIndicatorExpression Object

Property	Type	Description	Required?
indicator_ids	String List		✓
operator	BooleanOperator String		✓

• Reference: CompositeIndicatorExpressionType

Property indicator_ids ∷ String List

• This entry is required

• This entry's type is sequential (allows zero or more values)

  • A URI leading to an indicator

Property operator ∷ BooleanOperator String

• This entry is required

  • Allowed Values:
    • and
    • not
    • or

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Judgement Object

A judgement about the intent or nature of an observable. For example, is it malicious, meaning is is malware and subverts system operations? It could also be clean and be from a known benign, or trusted source. It could also be common, something so widespread that it's not likely to be malicious.

Since a core goal of the CTIA is to provide a simple verdict service, these judgements are the basis for the returned verdicts. These are also the primary means by which users of the CTIA go from observables on their system, to the indicators and threat intelligence data in CTIA.

Property	Type	Description	Required?
confidence	HighMedLow String		✓
disposition	DispositionNumberInteger	Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}	✓
disposition_name	DispositionName String		✓
id	String	Globally unique URI identifying this object.	✓
observable	Observable Object		✓
priority	Integer		✓
schema_version	String	CTIM schema version for this entity	✓
severity	HighMedLow String		✓
source	MedString String		✓
type	JudgementTypeIdentifier String		✓
valid_time	ValidTime Object		✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortString String	The human language this object is specified in.
reason	ShortString String
reason_uri	String
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLP String	Specification for how, and to whom, this object can be shared.

Property confidence ∷ HighMedLow String

• This entry is required

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property disposition ∷ DispositionNumberInteger

Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

• This entry is required

  • Numeric verdict identifiers
  • Allowed Values:
    • 1
    • 2
    • 3
    • 4
    • 5

Property disposition_name ∷ DispositionName String

• This entry is required

  • String verdict identifiers
  • Allowed Values:
    • Clean
    • Common
    • Malicious
    • Suspicious
    • Unknown

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property observable ∷ Observable Object

• This entry is required

• Observable Object Value
  • Details: Observable Object

Property priority ∷ Integer

• This entry is required

  • A value 0-100 that determine the priority of a judgement. Curated feeds of black/white lists, for example known good products within your organizations, should use a 95. All automated systems should use a priority of 90, or less. Human judgements should have a priority of 100, so that humans can always override machines.

Property reason ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property reason_uri ∷ String

• This entry is optional

  • A URI

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ HighMedLow String

• This entry is required

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property source ∷ MedString String

• This entry is required

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ JudgementTypeIdentifier String

• This entry is required

  • Must equal: "judgement"

Property valid_time ∷ ValidTime Object

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

• This entry is required

  • Observable type names
  • Allowed Values:
    • amp_computer_guid
    • device
    • domain
    • email
    • file_name
    • file_path
    • hostname
    • imei
    • imsi
    • ip
    • ipv6
    • mac_address
    • md5
    • pki_serial
    • sha1
    • sha256
    • url
    • user

Property value ∷ String

• This entry is required

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Malware Object

Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
labels	MalwareLabel String List	The type of malware being described.	✓
name	ShortString String	A name used to identify the Malware sample.	✓
schema_version	String	CTIM schema version for this entity	✓
type	MalwareTypeIdentifier String		✓
abstraction_level	MalwareAbstractions String	Malware abstraction level
description	Markdown String	A description that provides more details and context about the Malware, potentially including its purpose and its key characteristics.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
kill_chain_phases	KillChainPhase Object List	The list of Kill Chain Phases for which this Malware can be used.
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLP String	Specification for how, and to whom, this object can be shared.
x_mitre_aliases	ShortString String List	ATT&CK Software.aliases

• Reference: Malware

Property abstraction_level ∷ MalwareAbstractions String

Malware abstraction level

• This entry is optional

  • Malware Abstraction level
  • Allowed Values:
    • family
    • variant
    • version

Property description ∷ Markdown String

A description that provides more details and context about the Malware, potentially including its purpose and its key characteristics.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Malware can be used.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• KillChainPhase Object Value
  • Details: KillChainPhase Object

Property labels ∷ MalwareLabel String List

The type of malware being described.

• This entry is required

• This entry's type is sequential (allows zero or more values)

  • Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool.
  • Allowed Values:
    • adware
    • backdoor
    • bot
    • ddos
    • dropper
    • exploit-kit
    • keylogger
    • ransomware
    • remote-access-trojan
    • resource-exploitation
    • rogue-security-software
    • rootkit
    • screen-capture
    • spyware
    • trojan
    • virus
    • worm
  • Reference: Malware Label

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property name ∷ ShortString String

A name used to identify the Malware sample.

• This entry is required

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ MalwareTypeIdentifier String

• This entry is required

  • Must equal: "malware"

Property x_mitre_aliases ∷ ShortString String List

ATT&CK Software.aliases

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

• Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Must equal: "lockheed-martin-cyber-kill-chain"
  • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Allowed Values:
    • actions-on-objective
    • command-and-control
    • delivery
    • exploitation
    • installation
    • reconnaissance
    • weaponization
  • Reference: Open Vocabulary

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Relationship Object

Represents a relationship between two entities

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
relationship_type	RelationshipType String		✓
schema_version	String	CTIM schema version for this entity	✓
source_ref	String		✓
target_ref	String		✓
type	RelationshipTypeIdentifier String		✓
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property relationship_type ∷ RelationshipType String

• This entry is required

  • Allowed Values:
    • attributed-to
    • based-on
    • derived-from
    • detects
    • duplicate-of
    • element-of
    • exploits
    • indicates
    • member-of
    • mitigates
    • related-to
    • targets
    • uses
    • variant-of

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_ref ∷ String

• This entry is required

  • A URI leading to an entity

Property source_uri ∷ String

• This entry is optional

  • A URI

Property target_ref ∷ String

• This entry is required

  • A URI leading to an entity

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ RelationshipTypeIdentifier String

• This entry is required

  • Must equal: "relationship"

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Sighting Object

A single sighting of an indicator

Property	Type	Description	Required?
confidence	HighMedLow String		✓
count	Integer	The number of times the sighting was seen	✓
id	String	Globally unique URI identifying this object.	✓
observed_time	ObservedTime Object		✓
schema_version	String	CTIM schema version for this entity	✓
type	SightingTypeIdentifier String		✓
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
internal	Boolean	Is it internal to our network
language	ShortString String	The human language this object is specified in.
observables	Observable Object List	The object(s) of interest
relations	ObservedRelation Object List	Provide any context we can about where the observable came from
resolution	Resolution String
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
sensor	Sensor String	The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
severity	HighMedLow String
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
targets	SightingTarget Object List	The target device. Where the sighting came from.
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

• Reference: SightingType

Property confidence ∷ HighMedLow String

• This entry is required

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property count ∷ Integer

The number of times the sighting was seen

• This entry is required

  • Zero, or a positive integer

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property internal ∷ Boolean

Is it internal to our network

• This entry is optional

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property observables ∷ Observable Object List

The object(s) of interest

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Observable Object Value
  • Details: Observable Object

Property observed_time ∷ ObservedTime Object

• This entry is required

• ObservedTime Object Value
  • Details: ObservedTime Object

Property relations ∷ ObservedRelation Object List

Provide any context we can about where the observable came from

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ObservedRelation Object Value
  • Details: ObservedRelation Object

Property resolution ∷ Resolution String

• This entry is optional

  • indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP
  • Default: detected
  • Allowed Values:
    • allowed
    • blocked
    • contained
    • detected

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property sensor ∷ Sensor String

The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)

• This entry is optional

  • The openC2 Actuator name that best fits a device See also the Open C2 Language Description, Actuator Vocabulary, page 24.
  • Allowed Values:
    • endpoint
    • endpoint.digital-telephone-handset
    • endpoint.laptop
    • endpoint.pos-terminal
    • endpoint.printer
    • endpoint.sensor
    • endpoint.server
    • endpoint.smart-meter
    • endpoint.smart-phone
    • endpoint.tablet
    • endpoint.workstation
    • network
    • network.bridge
    • network.firewall
    • network.gateway
    • network.guard
    • network.hips
    • network.hub
    • network.ids
    • network.ips
    • network.modem
    • network.nic
    • network.proxy
    • network.router
    • network.security_manager
    • network.sense_making
    • network.sensor
    • network.switch
    • network.vpn
    • network.wap
    • process
    • process.aaa-server
    • process.anti-virus-scanner
    • process.connection-scanner
    • process.directory-service
    • process.dns-server
    • process.email-service
    • process.file-scanner
    • process.location-service
    • process.network-scanner
    • process.remediation-service
    • process.reputation-service
    • process.sandbox
    • process.virtualization-service
    • process.vulnerability-scanner
  • Reference: OpenC2 Language Description

Property severity ∷ HighMedLow String

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property targets ∷ SightingTarget Object List

The target device. Where the sighting came from.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• SightingTarget Object Value
  • Details: SightingTarget Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ SightingTypeIdentifier String

• This entry is required

  • Must equal: "sighting"

ObservedRelation Object

A relation inside a Sighting.

Property	Type	Description	Required?
origin	String		✓
related	Observable Object		✓
relation	ObservableRelationType String		✓
source	Observable Object		✓
origin_uri	String
relation_info	Object

Property origin ∷ String

• This entry is required

Property origin_uri ∷ String

• This entry is optional

  • A URI

Property related ∷ Observable Object

• This entry is required

• Observable Object Value
  • Details: Observable Object

Property relation ∷ ObservableRelationType String

• This entry is required

  • Allowed Values:
    • Allocated
    • Allocated_By
    • Bound
    • Bound_By
    • Characterized_By
    • Characterizes
    • Child_Of
    • Closed
    • Closed_By
    • Compressed
    • Compressed_By
    • Compressed_From
    • Compressed_Into
    • Connected_From
    • Connected_To
    • Contained_Within
    • Contains
    • Copied
    • Copied_By
    • Copied_From
    • Copied_To
    • Created
    • Created_By
    • Decoded
    • Decoded_By
    • Decompressed
    • Decompressed_By
    • Decrypted
    • Decrypted_By
    • Deleted
    • Deleted_By
    • Deleted_From
    • Downloaded
    • Downloaded_By
    • Downloaded_From
    • Downloaded_To
    • Dropped
    • Dropped_By
    • Encoded
    • Encoded_By
    • Encrypted
    • Encrypted_By
    • Encrypted_From
    • Encrypted_To
    • Extracted_From
    • FQDN_Of
    • Freed
    • Freed_By
    • Hooked
    • Hooked_By
    • Initialized_By
    • Initialized_To
    • Injected
    • Injected_As
    • Injected_By
    • Injected_Into
    • Installed
    • Installed_By
    • Joined
    • Joined_By
    • Killed
    • Killed_By
    • Listened_On
    • Listened_On_By
    • Loaded_From
    • Loaded_Into
    • Locked
    • Locked_By
    • Mapped_By
    • Mapped_Into
    • Merged
    • Merged_By
    • Modified_Properties_Of
    • Monitored
    • Monitored_By
    • Moved
    • Moved_By
    • Moved_From
    • Moved_To
    • Opened
    • Opened_By
    • Packed
    • Packed_By
    • Packed_From
    • Packed_Into
    • Parent_Of
    • Paused
    • Paused_By
    • Previously_Contained
    • Properties_Modified_By
    • Properties_Queried
    • Properties_Queried_By
    • Read_From
    • Read_From_By
    • Received
    • Received_By
    • Received_From
    • Received_Via_Upload
    • Redirects_To
    • Related_To
    • Renamed
    • Renamed_By
    • Renamed_From
    • Renamed_To
    • Resolved_To
    • Resumed
    • Resumed_By
    • Root_Domain_Of
    • Searched_For
    • Searched_For_By
    • Sent
    • Sent_By
    • Sent_To
    • Sent_Via_Upload
    • Set_From
    • Set_To
    • Sub-domain_Of
    • Supra-domain_Of
    • Suspended
    • Suspended_By
    • Unhooked
    • Unhooked_By
    • Unlocked
    • Unlocked_By
    • Unpacked
    • Unpacked_By
    • Uploaded
    • Uploaded_By
    • Uploaded_From
    • Uploaded_To
    • Used
    • Used_By
    • Values_Enumerated
    • Values_Enumerated_By
    • Written_To_By
    • Wrote_To

Property relation_info ∷ Object

• This entry is optional

• Object Value
  • Details: Object

Property source ∷ Observable Object

• This entry is required

• Observable Object Value
  • Details: Observable Object

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

• This entry is required

  • Observable type names
  • Allowed Values:
    • amp_computer_guid
    • device
    • domain
    • email
    • file_name
    • file_path
    • hostname
    • imei
    • imsi
    • ip
    • ipv6
    • mac_address
    • md5
    • pki_serial
    • sha1
    • sha256
    • url
    • user

Property value ∷ String

• This entry is required

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

• This entry is required

  • Observable type names
  • Allowed Values:
    • amp_computer_guid
    • device
    • domain
    • email
    • file_name
    • file_path
    • hostname
    • imei
    • imsi
    • ip
    • ipv6
    • mac_address
    • md5
    • pki_serial
    • sha1
    • sha256
    • url
    • user

Property value ∷ String

• This entry is required

Object

Property	Type	Description	Required?
Keyword	Anything		✓

Property Keyword ∷ Anything

• This entry is required

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

• This entry is required

  • Observable type names
  • Allowed Values:
    • amp_computer_guid
    • device
    • domain
    • email
    • file_name
    • file_path
    • hostname
    • imei
    • imsi
    • ip
    • ipv6
    • mac_address
    • md5
    • pki_serial
    • sha1
    • sha256
    • url
    • user

Property value ∷ String

• This entry is required

SightingTarget Object

Describes a target device where a sighting came from.

Property	Type	Description	Required?
observables	Observable Object List		✓
observed_time	ObservedTime Object		✓
type	Sensor String		✓
os	String
properties_data_tables	String

Property observables ∷ Observable Object List

• This entry is required
• This entry's type is sequential (allows zero or more values)

• Observable Object Value
  • Details: Observable Object

Property observed_time ∷ ObservedTime Object

• This entry is required

• ObservedTime Object Value
  • Details: ObservedTime Object

Property os ∷ String

• This entry is optional

Property properties_data_tables ∷ String

• This entry is optional

  • A URI leading to a data table

Property type ∷ Sensor String

• This entry is required

  • The openC2 Actuator name that best fits a device See also the Open C2 Language Description, Actuator Vocabulary, page 24.
  • Allowed Values:
    • endpoint
    • endpoint.digital-telephone-handset
    • endpoint.laptop
    • endpoint.pos-terminal
    • endpoint.printer
    • endpoint.sensor
    • endpoint.server
    • endpoint.smart-meter
    • endpoint.smart-phone
    • endpoint.tablet
    • endpoint.workstation
    • network
    • network.bridge
    • network.firewall
    • network.gateway
    • network.guard
    • network.hips
    • network.hub
    • network.ids
    • network.ips
    • network.modem
    • network.nic
    • network.proxy
    • network.router
    • network.security_manager
    • network.sense_making
    • network.sensor
    • network.switch
    • network.vpn
    • network.wap
    • process
    • process.aaa-server
    • process.anti-virus-scanner
    • process.connection-scanner
    • process.directory-service
    • process.dns-server
    • process.email-service
    • process.file-scanner
    • process.location-service
    • process.network-scanner
    • process.remediation-service
    • process.reputation-service
    • process.sandbox
    • process.virtualization-service
    • process.vulnerability-scanner
  • Reference: OpenC2 Language Description

ObservedTime Object

Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

• This entry is required

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

• This entry is required

  • Observable type names
  • Allowed Values:
    • amp_computer_guid
    • device
    • domain
    • email
    • file_name
    • file_path
    • hostname
    • imei
    • imsi
    • ip
    • ipv6
    • mac_address
    • md5
    • pki_serial
    • sha1
    • sha256
    • url
    • user

Property value ∷ String

• This entry is required

ObservedTime Object

Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

• This entry is required

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Tool Object

Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
labels	ToolLabel String List	The kind(s) of tool(s) being described.	✓
name	ShortString String	The name used to identify the Tool.	✓
schema_version	String	CTIM schema version for this entity	✓
type	ToolTypeIdentifier String		✓
description	Markdown String	A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
kill_chain_phases	KillChainPhase Object List	The list of kill chain phases for which this Tool can be used.
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLP String	Specification for how, and to whom, this object can be shared.
tool_version	ShortString String	The version identifier associated with the Tool.
x_mitre_aliases	ShortString String List	ATT&CK Software.aliases

• Reference: Tool

Property description ∷ Markdown String

A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of kill chain phases for which this Tool can be used.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• KillChainPhase Object Value
  • Details: KillChainPhase Object

Property labels ∷ ToolLabel String List

The kind(s) of tool(s) being described.

• This entry is required

• This entry's type is sequential (allows zero or more values)

  • Tool labels describe the categories of tools that can be used to perform attacks.
  • Allowed Values:
    • credential-exploitation
    • denial-of-service
    • exploitation
    • information-gathering
    • network-capture
    • remote-access
    • vulnerability-scanning
  • Reference: Tool Label

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property name ∷ ShortString String

The name used to identify the Tool.

• This entry is required

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property tool_version ∷ ShortString String

The version identifier associated with the Tool.

• This entry is optional

  • String with at most 1024 characters

Property type ∷ ToolTypeIdentifier String

• This entry is required

  • Must equal: "tool"

Property x_mitre_aliases ∷ ShortString String List

ATT&CK Software.aliases

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • String with at most 1024 characters

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

• Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Must equal: "lockheed-martin-cyber-kill-chain"
  • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

• This entry is required

  • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
  • Allowed Values:
    • actions-on-objective
    • command-and-control
    • delivery
    • exploitation
    • installation
    • reconnaissance
    • weaponization
  • Reference: Open Vocabulary

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Verdict Object

A Verdict is chosen from all of the Judgements on that Observable which have not yet expired. The highest priority Judgement becomes the active verdict. If there is more than one Judgement with that priority, then Clean disposition has priority over all others, then Malicious disposition, and so on down to Unknown.

The ID of a verdict is a a str of the form "observable.type:observable.value" for example, "ip:1.1.1.1"

Property	Type	Description	Required?
disposition	DispositionNumberInteger		✓
observable	Observable Object		✓
type	VerdictTypeIdentifier String		✓
valid_time	ValidTime Object		✓
disposition_name	DispositionName String	The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
judgement_id	String

Property disposition ∷ DispositionNumberInteger

• This entry is required

  • Numeric verdict identifiers
  • Allowed Values:
    • 1
    • 2
    • 3
    • 4
    • 5

Property disposition_name ∷ DispositionName String

The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

• This entry is optional

  • String verdict identifiers
  • Allowed Values:
    • Clean
    • Common
    • Malicious
    • Suspicious
    • Unknown

Property judgement_id ∷ String

• This entry is optional

  • A URI leading to a judgement

Property observable ∷ Observable Object

• This entry is required

• Observable Object Value
  • Details: Observable Object

Property type ∷ VerdictTypeIdentifier String

• This entry is required

  • Must equal: "verdict"

Property valid_time ∷ ValidTime Object

• This entry is required

• ValidTime Object Value
  • Details: ValidTime Object

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifier String		✓
value	String		✓

Property type ∷ ObservableTypeIdentifier String

• This entry is required

  • Observable type names
  • Allowed Values:
    • amp_computer_guid
    • device
    • domain
    • email
    • file_name
    • file_path
    • hostname
    • imei
    • imsi
    • ip
    • ipv6
    • mac_address
    • md5
    • pki_serial
    • sha1
    • sha256
    • url
    • user

Property value ∷ String

• This entry is required

DataTable Object

A generic table of data, consisting of types and documented columns, and 1 or more rows of data.

Property	Type	Description	Required?
columns	ColumnDefinition Object List	an ordered list of column definitions	✓
id	String	Globally unique URI identifying this object.	✓
rows	Anything List	an ordered list of rows	✓
schema_version	String	CTIM schema version for this entity	✓
type	DataTableTypeIdentifier String		✓
description	Markdown String	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortString String	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
row_count	Integer	The number of rows in the data table.
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.
valid_time	ValidTime Object

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

• This entry is required
• This entry's type is sequential (allows zero or more values)

• ColumnDefinition Object Value
  • Details: ColumnDefinition Object

Property description ∷ Markdown String

A description of object, which may be detailed.

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property row_count ∷ Integer

The number of rows in the data table.

• This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

• This entry is required
• This entry's type is sequential (allows zero or more values)

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ DataTableTypeIdentifier String

• This entry is required

  • Must equal: "data-table"

Property valid_time ∷ ValidTime Object

• This entry is optional

• ValidTime Object Value
  • Details: ValidTime Object

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ColumnDefinition Object

Property	Type	Description	Required?
name	String		✓
type	ColumnType String		✓
description	Markdown String
required	Boolean	If true, the row entries for this column cannot contain nulls. Defaults to true
short_description	String

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property name ∷ String

• This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true

• This entry is optional

Property short_description ∷ String

• This entry is optional

Property type ∷ ColumnType String

• This entry is required

  • Allowed Values:
    • integer
    • markdown
    • number
    • observable
    • string
    • url

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

Weakness Object

a mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways.

Property	Type	Description	Required?
description	Markdown String	should be short and limited to the key points that define this weakness	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	WeaknessTypeIdentifier String	The fixed value weakness	✓
abstraction_level	WeaknessAbstractionLevel String	defines the abstraction level for this weakness
affected_resources	SystemResource String List	identify system resources that can be affected by an exploit of this weakness
alternate_terms	AlternateTerm Object List	indicates one or more other names used to describe this weakness
architectures	Architecture Object List	Applicable architectures
background_details	Markdown String	information that is relevant but not related to the nature of the weakness itself
common_consequences	Consequence Object List	specify individual consequences associated with a weakness
detection_methods	DetectionMethod Object List	identify methods that may be employed to detect this weakness, including their strengths and limitations
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
functional_areas	FunctionalArea String List	identifies the functional area of the software in which the weakness is most likely to occur
language	ShortString String	The human language this object is specified in.
languages	Language Object List	Applicable Languages
likelihood	HighMedLow String	Likelihood of exploit
modes_of_introduction	ModeOfIntroduction Object List	information about how and when a given weakness may be introduced
notes	Note Object List	provide any additional comments about the weakness
operating_systems	OperatingSystem Object List	Applicable operating systems
paradigms	Paradigm Object List	Applicable paradigms
potential_mitigations	Mitigation Object List	describe potential mitigations associated with a weakness
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedString String	A single line, short summary of the object.
source	MedString String
source_uri	String
structure	WeaknessStructure String	defines the structural nature of the weakness
technologies	Technology Object List	Applicable technologies
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortString String	A short title for this object, used as primary display and reference value
tlp	TLP String	Specification for how, and to whom, this object can be shared.

• Reference: WeaknessType

Property abstraction_level ∷ WeaknessAbstractionLevel String

defines the abstraction level for this weakness

• This entry is optional

  • defines the different abstraction levels that apply to a weakness. A Class is the most abstract type of weakness, typically described independent of any specific language or technology. A Base is a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. A Variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A Compound weakness is a meaningful aggregation of several weaknesses, currently known as either a Chain or Composite.
  • Allowed Values:
    • Base
    • Class
    • Compound
    • Variant
  • Reference: AbstractionEnumeration

Property affected_resources ∷ SystemResource String List

identify system resources that can be affected by an exploit of this weakness

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • defines a resource of a system
  • Allowed Values:
    • CPU
    • File or Directory
    • Memory
    • System Process
  • Reference: ResourceEnumeration

Property alternate_terms ∷ AlternateTerm Object List

indicates one or more other names used to describe this weakness

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• AlternateTerm Object Value
  • Details: AlternateTerm Object

Property architectures ∷ Architecture Object List

Applicable architectures

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Architecture Object Value
  • Details: Architecture Object

Property background_details ∷ Markdown String

information that is relevant but not related to the nature of the weakness itself

• This entry is optional

  • Markdown string with at most 5000 characters

Property common_consequences ∷ Consequence Object List

specify individual consequences associated with a weakness

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Consequence Object Value
  • Details: Consequence Object

Property description ∷ Markdown String

should be short and limited to the key points that define this weakness

• This entry is required

  • Markdown string with at most 5000 characters

Property detection_methods ∷ DetectionMethod Object List

identify methods that may be employed to detect this weakness, including their strengths and limitations

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• DetectionMethod Object Value
  • Details: DetectionMethod Object

Property external_ids ∷ String List

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ExternalReference Object Value
  • Details: ExternalReference Object

Property functional_areas ∷ FunctionalArea String List

identifies the functional area of the software in which the weakness is most likely to occur

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • Defines the different functional areas of software in which the weakness may appear
  • Allowed Values:
    • Authentication
    • Authorization
    • Code Libraries
    • Counters
    • Cryptography
    • Error Handling
    • File Processing
    • Functional-Area-Independent
    • Interprocess Communication
    • Logging
    • Memory Management
    • Networking
    • Number Processing
    • Program Invocation
    • Protection Mechanism
    • Session Management
    • Signals
    • String Processing
  • Reference: FunctionalAreaEnumeration

Property id ∷ String

Globally unique URI identifying this object.

• This entry is required

  • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

• This entry is optional

  • String with at most 1024 characters

Property languages ∷ Language Object List

Applicable Languages

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Language Object Value
  • Details: Language Object

Property likelihood ∷ HighMedLow String

Likelihood of exploit

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property modes_of_introduction ∷ ModeOfIntroduction Object List

information about how and when a given weakness may be introduced

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• ModeOfIntroduction Object Value
  • Details: ModeOfIntroduction Object

Property notes ∷ Note Object List

provide any additional comments about the weakness

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Note Object Value
  • Details: Note Object

Property operating_systems ∷ OperatingSystem Object List

Applicable operating systems

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• OperatingSystem Object Value
  • Details: OperatingSystem Object

Property paradigms ∷ Paradigm Object List

Applicable paradigms

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Paradigm Object Value
  • Details: Paradigm Object

Property potential_mitigations ∷ Mitigation Object List

describe potential mitigations associated with a weakness

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Mitigation Object Value
  • Details: Mitigation Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

• This entry is optional

  • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

• This entry is required

  • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

• This entry is optional

  • String with at most 2048 characters

Property source ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property source_uri ∷ String

• This entry is optional

  • A URI

Property structure ∷ WeaknessStructure String

defines the structural nature of the weakness

• This entry is optional

  • structural natures of a weakness. A Simple structure represents a single weakness whose exploitation is not dependent on the presence of another weakness. A Composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability, while a Chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability.
  • Allowed Values:
    • Chain
    • Composite
    • Simple
  • Reference: StructureEnumeration)

Property technologies ∷ Technology Object List

Applicable technologies

• This entry is optional
• This entry's type is sequential (allows zero or more values)

• Technology Object Value
  • Details: Technology Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

• This entry is optional

  • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

• This entry is optional

  • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
  • Default: green
  • Allowed Values:
    • amber
    • green
    • red
    • white

Property type ∷ WeaknessTypeIdentifier String

The fixed value weakness

• This entry is required

  • The fixed value "weakness"
  • Must equal: "weakness"

Note Object

Property	Type	Description	Required?
note	Markdown String		✓
type	NoteType String		✓

Property note ∷ Markdown String

• This entry is required

  • Markdown string with at most 5000 characters

Property type ∷ NoteType String

• This entry is required

  • defines the different types of notes that can be associated with a weakness
  • Allowed Values:
    • Applicable Platform
    • Maintenance
    • Relationship
    • Research Gap
    • Terminology
    • Theoretical
  • Reference: [NoteTypeEnumeration] (https://cwe.mitre.org/documents/schema/#NoteTypeEnumeration)

Mitigation Object

Property	Type	Description	Required?
description	MedString String	a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness	✓
effectiveness	Effectiveness String	summarizes how effective the mitigation may be in preventing the weakness
effectiveness_notes	MedString String
phases	SoftwarePhase String List	indicates the development life cycle phase during which this particular mitigation may be applied
strategy	MitigationStrategy String	a general strategy for protecting a system to which this mitigation contributes

• Reference: PotentialMitigationsType

Property description ∷ MedString String

a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness

• This entry is required

  • String with at most 2048 characters

Property effectiveness ∷ Effectiveness String

summarizes how effective the mitigation may be in preventing the weakness

• This entry is optional

  • related to how effective a mitigation may be in preventing the weakness
  • Allowed Values:
    • Defense in Depth
    • High
    • Incidental
    • Limited
    • Moderate
    • None
  • Reference: EffectivenessEnumeration

Property effectiveness_notes ∷ MedString String

• This entry is optional

  • String with at most 2048 characters

Property phases ∷ SoftwarePhase String List

indicates the development life cycle phase during which this particular mitigation may be applied

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Architecture and Design
    • Build and Compilation
    • Bundling
    • Distribution
    • Documentation
    • Implementation
    • Installation
    • Operation
    • Patching and Maintenance
    • Policy
    • Porting
    • Requirements
    • System Configuration
    • Testing
  • Reference: PhaseEnumeration

Property strategy ∷ MitigationStrategy String

a general strategy for protecting a system to which this mitigation contributes

• This entry is optional

  • strategy for protecting a system to which a mitigation contributes
  • Allowed Values:
    • Attack Surface Reduction
    • Compilation or Build Hardening
    • Enforcement by Conversion
    • Environment Hardening
    • Firewall
    • Input Validation
    • Language Selection
    • Libraries or Frameworks
    • Output Encoding
    • Parameterization
    • Refactoring
    • Resource Limitation
    • Sandbox or Jail
    • Separation of Privilege
  • Reference: MitigationStrategyEnumeration

DetectionMethod Object

Property	Type	Description	Required?
description	MedString String	provide some context of how this method can be applied to a specific weakness	✓
method	DetectionMethod String	identifies the particular detection method being described	✓
effectiveness	DetectionEffectiveness String	how effective the detection method may be in detecting the associated weakness
effectiveness_notes	MedString String	provides additional discussion of the strengths and shortcomings of this detection method

• Reference: DetectionMethodsType

Property description ∷ MedString String

provide some context of how this method can be applied to a specific weakness

• This entry is required

  • String with at most 2048 characters

Property effectiveness ∷ DetectionEffectiveness String

how effective the detection method may be in detecting the associated weakness

• This entry is optional

  • level of effectiveness that a detection method may have in detecting an associated weakness
  • Allowed Values:
    • High
    • Limited
    • Moderate
    • None
    • Opportunistic
    • SOAR Partial
  • Reference: DetectionEffectivenessEnumeration

Property effectiveness_notes ∷ MedString String

provides additional discussion of the strengths and shortcomings of this detection method

• This entry is optional

  • String with at most 2048 characters

Property method ∷ DetectionMethod String

identifies the particular detection method being described

• This entry is required

  • method used to detect a weakness
  • Allowed Values:
    • Architecture or Design Review
    • Automated Analysis
    • Automated Dynamic Analysis
    • Automated Static Analysis
    • Automated Static Analysis - Binary or Bytecode
    • Automated Static Analysis - Source Code
    • Black Box
    • Dynamic Analysis with Automated Results Interpretation
    • Dynamic Analysis with Manual Results Interpretation
    • Fuzzing
    • Manual Analysis
    • Manual Dynamic Analysis
    • Manual Static Analysis
    • Manual Static Analysis - Binary or Bytecode
    • Manual Static Analysis - Source Code
    • Other
    • White Box
  • Reference: DetectionMethodEnumeration

Consequence Object

Property	Type	Description	Required?
scopes	ConsequenceScope String List	identifies the security property that is violated	✓
impacts	TechnicalImpact String List	describes the technical impact that arises if an adversary succeeds in exploiting this weakness
likelihood	HighMedLow String	how likely the specific consequence is expected to be seen relative to the other consequences
note	MedString String	additional commentary about a consequence

• Reference: CommonConsequencesType

Property impacts ∷ TechnicalImpact String List

describes the technical impact that arises if an adversary succeeds in exploiting this weakness

• This entry is optional

• This entry's type is sequential (allows zero or more values)

  • Allowed Values:
    • Alter Execution Logic
    • Bypass Protection Mechanism
    • DoS: Amplification
    • DoS: Crash, Exit, or Restart
    • DoS: Instability
    • DoS: Resource Consumption (CPU)
    • DoS: Resource Consumption (Memory)
    • DoS: Resource Consumption (Other)
    • Execute Unauthorized Code or Commands
    • Gain Privileges or Assume Identity
    • Hide Activities
    • Modify Application Data
    • Modify Files or Directories
    • Modify Memory
    • Quality Degradation
    • Read Application Data
    • Read Files or Directories
    • Read Memory
    • Unexpected State
    • Varies by Context
  • Reference: TechnicalImpactEnumeration

Property likelihood ∷ HighMedLow String

how likely the specific consequence is expected to be seen relative to the other consequences

• This entry is optional

  • Allowed Values:
    • High
    • Info
    • Low
    • Medium
    • None
    • Unknown
  • Reference: HighMedLowVocab

Property note ∷ MedString String

additional commentary about a consequence

• This entry is optional

  • String with at most 2048 characters

Property scopes ∷ ConsequenceScope String List

identifies the security property that is violated

• This entry is required

• This entry's type is sequential (allows zero or more values)

  • defines the different areas of software security that can be affected by exploiting a weakness.
  • Allowed Values:
    • Access Control
    • Accountability
    • Authentication
    • Authorization
    • Availability
    • Confidentiality
    • Integrity
    • Non-Repudiation
  • Reference: ScopeEnumeration

ModeOfIntroduction Object

Property	Type	Description	Required?
note	MedString String	provides a typical scenario related to introduction during the given phase	✓
phase	SoftwarePhase String	identifies the point in the software life cycle at which the weakness may be introduced	✓

• Reference: ModesOfIntroductionType

Property note ∷ MedString String

provides a typical scenario related to introduction during the given phase

• This entry is required

  • String with at most 2048 characters

Property phase ∷ SoftwarePhase String

identifies the point in the software life cycle at which the weakness may be introduced

• This entry is required

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Architecture and Design
    • Build and Compilation
    • Bundling
    • Distribution
    • Documentation
    • Implementation
    • Installation
    • Operation
    • Patching and Maintenance
    • Policy
    • Porting
    • Requirements
    • System Configuration
    • Testing
  • Reference: PhaseEnumeration

AlternateTerm Object

Property	Type	Description	Required?
term	ShortString String	the actual alternate term	✓
description	MedString String	provides context for the alternate term by which this weakness may be known.

Property description ∷ MedString String

provides context for the alternate term by which this weakness may be known.

• This entry is optional

  • String with at most 2048 characters

Property term ∷ ShortString String

the actual alternate term

• This entry is required

  • String with at most 1024 characters

Technology Object

Property	Type	Description	Required?
prevalence	Prevalence String	defines the different regularities that guide the applicability of platforms	✓
name	ShortString String	technology name (Web Server, Web Client)

Property name ∷ ShortString String

technology name (Web Server, Web Client)

• This entry is optional

  • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

• This entry is required

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Often
    • Rarely
    • Sometimes
    • Undetermined
  • Reference: PrevalenceEnumeration

Paradigm Object

Property	Type	Description	Required?
prevalence	Prevalence String	defines the different regularities that guide the applicability of platforms	✓
name	ShortString String	paradigm name (Client Server, Mainframe)

Property name ∷ ShortString String

paradigm name (Client Server, Mainframe)

• This entry is optional

  • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

• This entry is required

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Often
    • Rarely
    • Sometimes
    • Undetermined
  • Reference: PrevalenceEnumeration

Architecture Object

Property	Type	Description	Required?
prevalence	Prevalence String	defines the different regularities that guide the applicability of platforms	✓
class	ArchitectureClass String	class of architecture
name	ShortString String	architecture name (ARM, x86, ...)

Property class ∷ ArchitectureClass String

class of architecture

• This entry is optional

  • Allowed Values:
    • Embedded
    • Microcomputer
    • Workstation
  • Reference: ArchitectureClassEnumeration

Property name ∷ ShortString String

architecture name (ARM, x86, ...)

• This entry is optional

  • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

• This entry is required

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Often
    • Rarely
    • Sometimes
    • Undetermined
  • Reference: PrevalenceEnumeration

OperatingSystem Object

Property	Type	Description	Required?
prevalence	Prevalence String	defines the different regularities that guide the applicability of platforms	✓
class	OperatingSystemClass String
cpe_id	ShortString String
name	ShortString String
version	ShortString String

Property class ∷ OperatingSystemClass String

• This entry is optional

  • class of operating systems
  • Allowed Values:
    • Android
    • Apple iOS
    • Cisco IOS
    • Linux
    • Unix
    • Windows
    • macOs
  • Reference: OperatingSystemClassEnumeration

Property cpe_id ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property name ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

• This entry is required

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Often
    • Rarely
    • Sometimes
    • Undetermined
  • Reference: PrevalenceEnumeration

Property version ∷ ShortString String

• This entry is optional

  • String with at most 1024 characters

Language Object

Property	Type	Description	Required?
prevalence	Prevalence String	defines the different regularities that guide the applicability of platforms	✓
class	LanguageClass String	class of language
name	ShortString String	Language name (Clojure, Java, ...)

Property class ∷ LanguageClass String

class of language

• This entry is optional

  • class of source code language
  • Allowed Values:
    • Assembly
    • Compiled
    • Interpreted
  • Reference: LanguageClassEnumeration

Property name ∷ ShortString String

Language name (Clojure, Java, ...)

• This entry is optional

  • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

• This entry is required

  • defines the different regularities that guide the applicability of platforms
  • Allowed Values:
    • Often
    • Rarely
    • Sometimes
    • Undetermined
  • Reference: PrevalenceEnumeration

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedString String	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	Markdown String
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

• Reference: External Reference

Property description ∷ Markdown String

• This entry is optional

  • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

• This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

• This entry is optional
• This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

• This entry is required

  • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

• This entry is optional

  • A URI

ValidTime Object

Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

• Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

• This entry is optional

  • Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.