Describes a CTIM Casebook which works like a structured gist
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | CasebookTypeIdentifier String | | ✓ |
bundle | Bundle Object | ||
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
language | ShortString String | The human language this object is specified in. | |
observables | Observable Object List | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
texts | Text Object List | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The human language this object is specified in.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | | ✓ |
value | String | | ✓ |
This entry is required
Describes a Bundle of any set of CTIM entities
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
source | MedString String | | ✓ |
type | BundleTypeIdentifier String | | ✓ |
valid_time | ValidTime Object | | ✓ |
actor_refs | #{ String} | ||
actors | #{Actor Object} | a list of Actor | |
attack_pattern_refs | #{ String} | ||
attack_patterns | #{AttackPattern Object} | a list of AttackPattern | |
campaign_refs | #{ String} | ||
campaigns | #{Campaign Object} | a list of Campaign | |
coa_refs | #{ String} | ||
coas | #{COA Object} | a list of COA | |
data_table_refs | #{ String} | ||
data_tables | #{DataTable Object} | a list of DataTable | |
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
feedback_refs | #{ String} | ||
feedbacks | #{Feedback Object} | a list of Feedback | |
incident_refs | #{ String} | ||
incidents | #{Incident Object} | a list of Incident | |
indicator_refs | #{ String} | ||
indicators | #{Indicator Object} | a list of Indicator | |
judgement_refs | #{ String} | ||
judgements | #{Judgement Object} | a list of Judgement | |
language | ShortString String | The human language this object is specified in. | |
malware_refs | #{ String} | ||
malwares | #{Malware Object} | a list of Malware | |
relationship_refs | #{ String} | ||
relationships | #{Relationship Object} | a list of Relationship | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
sighting_refs | #{ String} | ||
sightings | #{Sighting Object} | a list of Sighting | |
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
tool_refs | #{ String} | ||
tools | #{Tool Object} | a list of Tool | |
verdict_refs | #{ String} | ||
verdicts | #{Verdict Object} | a list of Verdict | |
weakness_refs | #{ String} | ||
weaknesses | #{Weakness Object} | a list of Weakness |
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Actor
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of AttackPattern
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Campaign
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of COA
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of DataTable
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Feedback
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Incident
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Indicator
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Judgement
The human language this object is specified in.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Malware
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Relationship
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Sighting
This entry is required
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Tool
This entry is required
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Verdict
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Weakness
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
a mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways.
Property | Type | Description | Required? |
---|---|---|---|
description | Markdown String | should be short and limited to the key points that define this weakness | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | WeaknessTypeIdentifier String | The fixed value weakness | ✓ |
abstraction_level | WeaknessAbstractionLevel String | defines the abstraction level for this weakness | |
affected_resources | SystemResource String List | identify system resources that can be affected by an exploit of this weakness | |
alternate_terms | AlternateTerm Object List | indicates one or more other names used to describe this weakness | |
architectures | Architecture Object List | Applicable architectures | |
background_details | Markdown String | information that is relevant but not related to the nature of the weakness itself | |
common_consequences | Consequence Object List | specify individual consequences associated with a weakness | |
detection_methods | DetectionMethod Object List | identify methods that may be employed to detect this weakness, including their strengths and limitations | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
functional_areas | FunctionalArea String List | identifies the functional area of the software in which the weakness is most likely to occur | |
language | ShortString String | The human language this object is specified in. | |
languages | Language Object List | Applicable Languages | |
likelihood | HighMedLow String | Likelihood of exploit | |
modes_of_introduction | ModeOfIntroduction Object List | information about how and when a given weakness may be introduced | |
notes | Note Object List | provide any additional comments about the weakness | |
operating_systems | OperatingSystem Object List | Applicable operating systems | |
paradigms | Paradigm Object List | Applicable paradigms | |
potential_mitigations | Mitigation Object List | describe potential mitigations associated with a weakness | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
structure | WeaknessStructure String | defines the structural nature of the weakness | |
technologies | Technology Object List | Applicable technologies | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
defines the abstraction level for this weakness
This entry is optional
Class is the most abstract type of weakness, typically described independent of any specific language or technology. A Base is a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. A Variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A Compound weakness is a meaningful aggregation of several weaknesses, currently known as either a Chain or Composite.
identify system resources that can be affected by an exploit of this weakness
This entry is optional
This entry's type is sequential (allows zero or more values)
indicates one or more other names used to describe this weakness
Applicable architectures
information that is relevant but not related to the nature of the weakness itself
This entry is optional
specify individual consequences associated with a weakness
should be short and limited to the key points that define this weakness
This entry is required
identify methods that may be employed to detect this weakness, including their strengths and limitations
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
identifies the functional area of the software in which the weakness is most likely to occur
This entry is optional
This entry's type is sequential (allows zero or more values)
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The human language this object is specified in.
This entry is optional
Applicable Languages
Likelihood of exploit
This entry is optional
information about how and when a given weakness may be introduced
provide any additional comments about the weakness
Applicable operating systems
Applicable paradigms
describe potential mitigations associated with a weakness
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
defines the structural nature of the weakness
This entry is optional
Applicable technologies
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
The fixed value weakness
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
note | Markdown String | | ✓ |
type | NoteType String | | ✓ |
This entry is required
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
description | MedString String | a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness | ✓ |
effectiveness | Effectiveness String | summarizes how effective the mitigation may be in preventing the weakness | |
effectiveness_notes | MedString String | ||
phases | SoftwarePhase String List | indicates the development life cycle phase during which this particular mitigation may be applied | |
strategy | MitigationStrategy String | a general strategy for protecting a system to which this mitigation contributes |
a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness
This entry is required
summarizes how effective the mitigation may be in preventing the weakness
This entry is optional
This entry is optional
indicates the development life cycle phase during which this particular mitigation may be applied
This entry is optional
This entry's type is sequential (allows zero or more values)
a general strategy for protecting a system to which this mitigation contributes
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
description | MedString String | provide some context of how this method can be applied to a specific weakness | ✓ |
method | DetectionMethod String | identifies the particular detection method being described | ✓ |
effectiveness | DetectionEffectiveness String | how effective the detection method may be in detecting the associated weakness | |
effectiveness_notes | MedString String | provides additional discussion of the strengths and shortcomings of this detection method |
provide some context of how this method can be applied to a specific weakness
This entry is required
how effective the detection method may be in detecting the associated weakness
This entry is optional
provides additional discussion of the strengths and shortcomings of this detection method
This entry is optional
identifies the particular detection method being described
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
scopes | ConsequenceScope String List | identifies the security property that is violated | ✓ |
impacts | TechnicalImpact String List | describes the technical impact that arises if an adversary succeeds in exploiting this weakness | |
likelihood | HighMedLow String | how likely the specific consequence is expected to be seen relative to the other consequences | |
note | MedString String | additional commentary about a consequence |
describes the technical impact that arises if an adversary succeeds in exploiting this weakness
This entry is optional
This entry's type is sequential (allows zero or more values)
how likely the specific consequence is expected to be seen relative to the other consequences
This entry is optional
additional commentary about a consequence
This entry is optional
identifies the security property that is violated
This entry is required
This entry's type is sequential (allows zero or more values)
Property | Type | Description | Required? |
---|---|---|---|
note | MedString String | provides a typical scenario related to introduction during the given phase | ✓ |
phase | SoftwarePhase String | identifies the point in the software life cycle at which the weakness may be introduced | ✓ |
provides a typical scenario related to introduction during the given phase
This entry is required
identifies the point in the software life cycle at which the weakness may be introduced
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
term | ShortString String | the actual alternate term | ✓ |
description | MedString String | provides context for the alternate term by which this weakness may be known. |
provides context for the alternate term by which this weakness may be known.
This entry is optional
the actual alternate term
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | Prevalence String | defines the different regularities that guide the applicability of platforms | ✓ |
name | ShortString String | technology name (Web Server, Web Client) |
technology name (Web Server, Web Client)
This entry is optional
defines the different regularities that guide the applicability of platforms
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | Prevalence String | defines the different regularities that guide the applicability of platforms | ✓ |
name | ShortString String | paradigm name (Client Server, Mainframe) |
paradigm name (Client Server, Mainframe)
This entry is optional
defines the different regularities that guide the applicability of platforms
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | Prevalence String | defines the different regularities that guide the applicability of platforms | ✓ |
class | ArchitectureClass String | class of architecture | |
name | ShortString String | architecture name (ARM, x86, ...) |
class of architecture
This entry is optional
architecture name (ARM, x86, ...)
This entry is optional
defines the different regularities that guide the applicability of platforms
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | Prevalence String | defines the different regularities that guide the applicability of platforms | ✓ |
class | OperatingSystemClass String | ||
cpe_id | ShortString String | ||
name | ShortString String | ||
version | ShortString String |
This entry is optional
This entry is optional
This entry is optional
defines the different regularities that guide the applicability of platforms
This entry is required
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
prevalence | Prevalence String | defines the different regularities that guide the applicability of platforms | ✓ |
class | LanguageClass String | class of language | |
name | ShortString String | Language name (Clojure, Java, ...) |
class of language
This entry is optional
Language name (Clojure, Java, ...)
This entry is optional
defines the different regularities that guide the applicability of platforms
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
A generic table of data, consisting of types and documented columns, and 1 or more rows of data.
Property | Type | Description | Required? |
---|---|---|---|
columns | ColumnDefinition Object List | an ordered list of column definitions | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
rows | Anything List | an ordered list of rows | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | DataTableTypeIdentifier String | | ✓ |
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
row_count | Integer | The number of rows in the data table. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
valid_time | ValidTime Object |
an ordered list of column definitions
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The human language this object is specified in.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
The number of rows in the data table.
an ordered list of rows
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
name | String | | ✓ |
type | ColumnType String | | ✓ |
description | Markdown String | ||
required | Boolean | If true, the row entries for this column cannot contain nulls. Defaults to true | |
short_description | String |
This entry is optional
If true, the row entries for this column cannot contain nulls. Defaults to true
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
A Verdict is chosen from all of the Judgements on that Observable which have not yet expired. The highest priority Judgement becomes the active verdict. If there is more than one Judgement with that priority, then Clean disposition has priority over all others, then Malicious disposition, and so on down to Unknown.
The ID of a verdict is a string of the form "observable.type:observable.value", for example, "ip:1.1.1.1".
Property | Type | Description | Required? |
---|---|---|---|
disposition | DispositionNumber Integer | | ✓ |
observable | Observable Object | | ✓ |
type | VerdictTypeIdentifier String | | ✓ |
valid_time | ValidTime Object | | ✓ |
disposition_name | DispositionName String | The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"} | |
judgement_id | String |
This entry is required
The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
This entry is optional
This entry is optional
This entry is required
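The verdict selection rule described above, as an added example (not code from CTIM or CTIA). It assumes each Judgement carries `id`, `priority`, `disposition`, `observable` and `valid_time` fields, that a numerically larger `priority` is the higher one, and that the Verdict `type` value is `verdict`; the sample judgements and their URIs are constructed.

```python
from datetime import datetime, timezone

# Number-to-name mapping quoted in the disposition_name description.
DISPOSITION_NAMES = {1: "Clean", 2: "Malicious", 3: "Suspicious",
                     4: "Common", 5: "Unknown"}


def parse_inst(value):
    """Parse an ISO 8601 instant such as '2024-06-01T00:00:00Z'."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def is_expired(judgement, now):
    """A missing end_time means the valid time has no upper bound."""
    end_time = judgement.get("valid_time", {}).get("end_time")
    return end_time is not None and parse_inst(end_time) <= now


def verdict_id(observable):
    """Verdict IDs have the form 'observable.type:observable.value'."""
    return "{}:{}".format(observable["type"], observable["value"])


def compute_verdict(judgements, observable, now):
    """Pick the active verdict for one observable, or None if none applies.

    1. Keep only unexpired judgements on this observable.
    2. Highest priority wins (assumption: larger number = higher priority).
    3. Ties are broken by disposition: Clean (1) first, down to Unknown (5).
    """
    candidates = [j for j in judgements
                  if j["observable"] == observable and not is_expired(j, now)]
    if not candidates:
        return None
    best = min(candidates, key=lambda j: (-j["priority"], j["disposition"]))
    return {
        "type": "verdict",  # assumed value of VerdictTypeIdentifier
        "disposition": best["disposition"],
        "disposition_name": DISPOSITION_NAMES[best["disposition"]],
        "observable": observable,
        "judgement_id": best["id"],
        # Assumption: the verdict inherits the winning judgement's valid_time.
        "valid_time": best.get("valid_time", {}),
    }


# Constructed sample data; the URIs and the address are placeholders.
_BASE = "https://ctia.example/ctia/judgement/"
_IP = {"type": "ip", "value": "198.51.100.7"}
SAMPLE_JUDGEMENTS = [
    {"id": _BASE + "judgement-0001", "priority": 90, "disposition": 2,
     "observable": _IP,
     "valid_time": {"start_time": "2024-01-01T00:00:00Z",
                    "end_time": "2024-06-01T00:00:00Z"}},
    {"id": _BASE + "judgement-0002", "priority": 80, "disposition": 2,
     "observable": _IP,
     "valid_time": {"start_time": "2024-02-01T00:00:00Z"}},  # no upper bound
    {"id": _BASE + "judgement-0003", "priority": 80, "disposition": 1,
     "observable": _IP,
     "valid_time": {"start_time": "2024-03-01T00:00:00Z",
                    "end_time": "2025-01-01T00:00:00Z"}},
    {"id": _BASE + "judgement-0004", "priority": 80, "disposition": 3,
     "observable": _IP,
     "valid_time": {"start_time": "2024-03-01T00:00:00Z"}},
    {"id": _BASE + "judgement-0005", "priority": 95, "disposition": 2,
     "observable": {"type": "domain", "value": "bad.example"},
     "valid_time": {"start_time": "2024-03-01T00:00:00Z"}},
]

if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    verdict = compute_verdict(SAMPLE_JUDGEMENTS, _IP, now)
    print(verdict_id(_IP), verdict["disposition_name"], verdict["judgement_id"])
```

Because Clean outranks Malicious on a priority tie, a consumer that trusts verdicts should also control who may submit judgements at a given priority.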
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | | ✓ |
value | String | | ✓ |
This entry is required
Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
labels | ToolLabel String List | The kind(s) of tool(s) being described. | ✓ |
name | ShortString String | The name used to identify the Tool. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | ToolTypeIdentifier String | | ✓ |
description | Markdown String | A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
kill_chain_phases | KillChainPhase Object List | The list of kill chain phases for which this Tool can be used. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
tool_version | ShortString String | The version identifier associated with the Tool. | |
x_mitre_aliases | ShortString String List | ATT&CK Software.aliases |
A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The list of kill chain phases for which this Tool can be used.
The kind(s) of tool(s) being described.
This entry is required
This entry's type is sequential (allows zero or more values)
The human language this object is specified in.
This entry is optional
The name used to identify the Tool.
This entry is required
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
The version identifier associated with the Tool.
This entry is optional
This entry is required
ATT&CK Software.aliases
This entry is optional
This entry's type is sequential (allows zero or more values)
The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
A single sighting of an indicator
Property | Type | Description | Required? |
---|---|---|---|
confidence | HighMedLow String | ✓ | |
count | Integer | The number of times the sighting was seen | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
observed_time | ObservedTime Object | ✓ | |
schema_version | String | CTIM schema version for this entity | ✓ |
type | SightingTypeIdentifier String | ✓ | |
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
internal | Boolean | Is it internal to our network | |
language | ShortString String | The human language this object is specified in. | |
observables | Observable Object List | The object(s) of interest | |
relations | ObservedRelation Object List | Provide any context we can about where the observable came from | |
resolution | Resolution String | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
sensor | Sensor String | The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall) | |
severity | HighMedLow String | ||
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
targets | SightingTarget Object List | The target device. Where the sighting came from. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
This entry is required
The number of times the sighting was seen
This entry is required
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
Is it internal to our network
The human language this object is specified in.
This entry is optional
The object(s) of interest
Provide any context we can about where the observable came from
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
This entry is optional
This entry is optional
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
The target device. Where the sighting came from.
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
A relation inside a Sighting.
Property | Type | Description | Required? |
---|---|---|---|
origin | String | ✓ | |
related | Observable Object | ✓ | |
relation | ObservableRelationType String | ✓ | |
source | Observable Object | ✓ | |
origin_uri | String | ||
relation_info | Object |
This entry is optional
This entry is required
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | ✓ | |
value | String | ✓ |
This entry is required
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | ✓ | |
value | String | ✓ |
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
Keyword | Anything | ✓ |
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | ✓ | |
value | String | ✓ |
This entry is required
Describes a target device where a sighting came from.
Property | Type | Description | Required? |
---|---|---|---|
observables | Observable Object List | ✓ | |
observed_time | ObservedTime Object | ✓ | |
type | Sensor String | ✓ | |
os | String | ||
properties_data_tables | String |
This entry is optional
This entry is required
Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, then this field indicates the start of that period | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, then this field indicates the end of that period |
If the observation was made over a period of time, then this field indicates the end of that period
This entry is optional
Time of the observation. If the observation was made over a period of time, then this field indicates the start of that period
This entry is required
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | ✓ | |
value | String | ✓ |
This entry is required
Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, then this field indicates the start of that period | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, then this field indicates the end of that period |
If the observation was made over a period of time, then this field indicates the end of that period
This entry is optional
Time of the observation. If the observation was made over a period of time, then this field indicates the start of that period
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Represents a relationship between two entities
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
relationship_type | RelationshipType String | ✓ | |
schema_version | String | CTIM schema version for this entity | ✓ |
source_ref | String | ✓ | |
target_ref | String | ✓ | |
type | RelationshipTypeIdentifier String | ✓ | |
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The human language this object is specified in.
This entry is optional
This entry is required
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is required
This entry is optional
This entry is required
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
labels | MalwareLabel String List | The type of malware being described. | ✓ |
name | ShortString String | A name used to identify the Malware sample. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | MalwareTypeIdentifier String | ✓ | |
abstraction_level | MalwareAbstractions String | Malware abstraction level | |
description | Markdown String | A description that provides more details and context about the Malware, potentially including its purpose and its key characteristics. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
kill_chain_phases | KillChainPhase Object List | The list of Kill Chain Phases for which this Malware can be used. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
x_mitre_aliases | ShortString String List | ATT&CK Software.aliases |
Malware abstraction level
This entry is optional
A description that provides more details and context about the Malware, potentially including its purpose and its key characteristics.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The list of Kill Chain Phases for which this Malware can be used.
The type of malware being described.
This entry is required
This entry's type is sequential (allows zero or more values)
The human language this object is specified in.
This entry is optional
A name used to identify the Malware sample.
This entry is required
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
ATT&CK Software.aliases
This entry is optional
This entry's type is sequential (allows zero or more values)
The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
A judgement about the intent or nature of an observable. For example, is it malicious, meaning it is malware and subverts system operations? It could also be clean and be from a known benign, or trusted source. It could also be common, something so widespread that it's not likely to be malicious.
Since a core goal of the CTIA is to provide a simple verdict service, these judgements are the basis for the returned verdicts. These are also the primary means by which users of the CTIA go from observables on their system, to the indicators and threat intelligence data in CTIA.
Property | Type | Description | Required? |
---|---|---|---|
confidence | HighMedLow String | ✓ | |
disposition | DispositionNumberInteger | Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"} | ✓ |
disposition_name | DispositionName String | ✓ | |
id | String | Globally unique URI identifying this object. | ✓ |
observable | Observable Object | ✓ | |
priority | Integer | ✓ | |
schema_version | String | CTIM schema version for this entity | ✓ |
severity | HighMedLow String | ✓ | |
source | MedString String | ✓ | |
type | JudgementTypeIdentifier String | ✓ | |
valid_time | ValidTime Object | ✓ | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
language | ShortString String | The human language this object is specified in. | |
reason | ShortString String | ||
reason_uri | String | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
This entry is required
Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
This entry is required
This entry is required
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The human language this object is specified in.
This entry is optional
This entry is required
This entry is optional
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is required
This entry is required
This entry is optional
The time this object was created at, or last modified.
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | ✓ | |
value | String | ✓ |
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
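A consistency check for a Judgement before it is submitted, as an added example (not code from the CTIM project). It uses the required-property list and the disposition table given above; the sample values, ISO 8601 timestamps, treating an absent start_time as no lower bound, and applying the ObservedTime ordering rule to valid_time are assumptions.

```python
from datetime import datetime, timezone

# Disposition table as given in the `disposition` property description.
DISPOSITIONS = {1: "Clean", 2: "Malicious", 3: "Suspicious", 4: "Common", 5: "Unknown"}

# Required Judgement properties, taken from the property table.
REQUIRED = ("confidence", "disposition", "disposition_name", "id", "observable",
            "priority", "schema_version", "severity", "source", "type", "valid_time")


def parse_inst(value):
    """Parse an Inst (Date) value; ISO 8601 text is assumed here."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def judgement_errors(j):
    """Return a list of problems found in a Judgement dict (empty list = consistent)."""
    errors = [f"missing required property: {k}" for k in REQUIRED if k not in j]

    # disposition and disposition_name must agree with the table.
    if "disposition" in j:
        disp = j["disposition"]
        expected = DISPOSITIONS.get(disp) if type(disp) is int else None
        if expected is None:
            errors.append(f"disposition {disp!r} is not in 1..5")
        elif "disposition_name" in j and j["disposition_name"] != expected:
            errors.append(f"disposition_name {j['disposition_name']!r} does not "
                          f"match disposition {disp} ({expected!r})")

    # An Observable needs both of its required properties.
    obs = j.get("observable")
    if obs is not None:
        for key in ("type", "value"):
            if not isinstance(obs, dict) or not isinstance(obs.get(key), str) or not obs.get(key):
                errors.append(f"observable.{key} must be a non-empty string")

    # valid_time: both bounds are optional; ordering check is an assumption.
    vt = j.get("valid_time")
    if isinstance(vt, dict):
        try:
            start, end = (parse_inst(vt[k]) if k in vt else None
                          for k in ("start_time", "end_time"))
        except (TypeError, ValueError, AttributeError) as exc:
            errors.append(f"valid_time is not parseable: {exc}")
        else:
            if start and end and end < start:
                errors.append("valid_time.end_time is earlier than start_time")
    elif vt is not None:
        errors.append("valid_time must be an object")
    return errors


def is_valid_at(j, when):
    """True if `when` (timezone-aware) falls inside the judgement's valid_time."""
    vt = j.get("valid_time", {})
    start = parse_inst(vt["start_time"]) if "start_time" in vt else None
    end = parse_inst(vt["end_time"]) if "end_time" in vt else None
    # A missing end_time means no upper bound, as the ValidTime table states.
    return (start is None or start <= when) and (end is None or when <= end)


# Constructed sample; only the id form comes from the page.
SAMPLE_JUDGEMENT = {
    "id": "https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014",
    "type": "judgement",
    "schema_version": "1.0.0",
    "source": "example-feed",
    "observable": {"type": "ip", "value": "192.0.2.10"},
    "disposition": 2,
    "disposition_name": "Malicious",
    "priority": 90,
    "confidence": "High",
    "severity": "High",
    "valid_time": {"start_time": "2024-01-01T00:00:00Z"},
}

if __name__ == "__main__":
    print(judgement_errors(SAMPLE_JUDGEMENT))
```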
An indicator is a test, or a collection of judgements that define criteria for identifying the activity, or presence of malware, or other unwanted software.
We follow the STIX IndicatorType closely, with the exception of not including observables within the indicator, and preferring a specification object encoded in JSON as opposed to an opaque implementation block.
Additionally, you will want to either define judgements against Observables that are linked to this indicator, with the ID in the indicators field of those Judgements, or you can provide a specification value.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
producer | ShortString String | ✓ | |
schema_version | String | CTIM schema version for this entity | ✓ |
type | IndicatorTypeIdentifier String | The fixed value indicator | ✓ |
valid_time | ValidTime Object | The time range during which this Indicator is considered valid. | ✓ |
composite_indicator_expression | CompositeIndicatorExpression Object | ||
confidence | HighMedLow String | level of confidence held in the accuracy of this Indicator | |
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
indicator_type | IndicatorType String List | Specifies the type or types for this Indicator | |
kill_chain_phases | KillChainPhase Object List | relevant kill chain phases indicated by this Indicator | |
language | ShortString String | The human language this object is specified in. | |
likely_impact | LongString String | likely potential impact within the relevant context if this Indicator were to occur | |
negate | Boolean | specifies the absence of the pattern | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
severity | HighMedLow String | ||
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
specification | JudgementSpecification Object | ||
tags | ShortString String List | Descriptors for this indicator | |
test_mechanisms | MedString String List | Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
level of confidence held in the accuracy of this Indicator
This entry is optional
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
Specifies the type or types for this Indicator
This entry is optional
This entry's type is sequential (allows zero or more values)
relevant kill chain phases indicated by this Indicator
The human language this object is specified in.
This entry is optional
likely potential impact within the relevant context if this Indicator were to occur
This entry is optional
specifies the absence of the pattern
This entry is required
Dev Notes: TODO - Document what is supposed to be in this field!
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is optional
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
This entry is optional
Descriptors for this indicator
This entry is optional
This entry's type is sequential (allows zero or more values)
Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator
This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: simplified
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
The fixed value indicator
This entry is required
The time range during which this Indicator is considered valid.
An indicator which contains an XML blob of an OpenIOC indicator.
Property | Type | Description | Required? |
---|---|---|---|
open_IOC | String | ✓ | |
type | OpenIOCSpecificationType String | ✓ |
This entry is required
An indicator which runs in snort...
Property | Type | Description | Required? |
---|---|---|---|
SIOC | String | ✓ | |
type | SIOCSpecificationType String | ✓ |
This entry is required
An indicator which runs in snort...
Property | Type | Description | Required? |
---|---|---|---|
snort_sig | String | ✓ | |
type | SnortSpecificationType String | ✓ |
This entry is required
An indicator which runs in threatbrain...
Property | Type | Description | Required? |
---|---|---|---|
type | ThreatBrainSpecificationType String | ✓ | |
variables | String List | ✓ | |
query | String |
This entry is required
An indicator based on a list of judgements. If any of the Observables in its judgements are encountered, then it may be matched against. If there are any required judgements, they all must be matched in order for the indicator to be considered a match.
Property | Type | Description | Required? |
---|---|---|---|
judgements | String List | | ✓ |
required_judgements | RelatedJudgement Object List | | ✓ |
type | JudgementSpecificationType String | | ✓ |
This entry is required
This entry's type is sequential (allows zero or more values)
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
judgement_id | String | | ✓ |
confidence | HighMedLow String | ||
relationship | String | ||
source | String |
This entry is optional
This entry is required
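One reading of the judgement-based matching rule above, as an added example that is not part of the CTIM documentation. The function name `evaluate_spec`, the `(type, value)` observable tuples, the ID-to-observable map and all sample IDs and values are assumptions constructed for illustration; required judgements are treated as part of the indicator's judgements, and a required judgement that cannot be resolved fails closed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# (type, value) pair; this observable shape is an assumption of the example.
Observable = Tuple[str, str]

# Constructed judgement IDs and observables (not real indicators).
J_DOMAIN = "https://ctia.example/ctia/judgement/judgement-0001"
J_IP = "https://ctia.example/ctia/judgement/judgement-0002"
J_HASH = "https://ctia.example/ctia/judgement/judgement-0003"

# Hypothetical lookup: which observable each judgement is about.
OBSERVABLES_BY_JUDGEMENT: Dict[str, Observable] = {
    J_DOMAIN: ("domain", "bad.example"),
    J_IP: ("ip", "192.0.2.10"),
    J_HASH: ("sha256", "constructed-sample-digest"),
}

# Shaped like the specification table: `judgements` is a list of judgement IDs,
# `required_judgements` is a list of RelatedJudgement objects keyed by judgement_id.
SPEC = {
    "judgements": [J_DOMAIN, J_IP, J_HASH],
    "required_judgements": [{"judgement_id": J_HASH, "confidence": "High"}],
}


def evaluate_spec(
    spec: dict,
    observables_by_judgement: Dict[str, Observable],
    seen: Iterable[Observable],
) -> dict:
    """Decide whether a judgement-based indicator matches the observables seen.

    Rule applied:
      * at least one of the indicator's judgements must be hit, and
      * every required judgement must be hit.
    A judgement is "hit" when its observable is in `seen`.
    """
    seen_set: Set[Observable] = set(seen)
    required: List[str] = [
        r["judgement_id"] for r in spec.get("required_judgements", [])
    ]
    # Interpretation: required judgements count as part of "its judgements".
    # dict.fromkeys de-duplicates while keeping the listed order.
    all_ids = list(dict.fromkeys(list(spec.get("judgements", [])) + required))

    # IDs we cannot resolve to an observable can never be hit; report them so
    # a dangling reference is visible instead of silently ignored.
    unresolved = [j for j in all_ids if j not in observables_by_judgement]
    hits = [
        j
        for j in all_ids
        if j in observables_by_judgement and observables_by_judgement[j] in seen_set
    ]
    # Fail closed: an unresolved or unseen required judgement blocks the match.
    missing_required = [j for j in required if j not in hits]

    return {
        "matched": bool(hits) and not missing_required,
        "hits": hits,
        "missing_required": missing_required,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    # Only the domain was seen: a candidate, but the required hash is missing.
    print(evaluate_spec(SPEC, OBSERVABLES_BY_JUDGEMENT, [("domain", "bad.example")]))
    # Domain and the required hash were both seen: the indicator matches.
    print(
        evaluate_spec(
            SPEC,
            OBSERVABLES_BY_JUDGEMENT,
            [("domain", "bad.example"), ("sha256", "constructed-sample-digest")],
        )
    )
```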
The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
indicator_ids | String List | | ✓ |
operator | BooleanOperator String | | ✓ |
This entry is required
This entry's type is sequential (allows zero or more values)
This entry is required
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Discrete instance of indicators affecting an organization as well as information associated with incident response
Property | Type | Description | Required? |
---|---|---|---|
confidence | HighMedLow String | level of confidence held in the characterization of this Incident | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
incident_time | IncidentTime Object | relevant time values associated with this Incident | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
status | Status String | current status of the incident | ✓ |
type | IncidentTypeIdentifier String | | ✓ |
categories | IncidentCategory String List | a set of categories for this incident | |
description | Markdown String | A description of object, which may be detailed. | |
discovery_method | DiscoveryMethod String | identifies how the incident was discovered | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
intended_effect | IntendedEffect String | specifies the suspected intended effect of this incident | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
a set of categories for this incident
This entry is optional
This entry's type is sequential (allows zero or more values)
level of confidence held in the characterization of this Incident
This entry is required
A description of object, which may be detailed.
This entry is optional
identifies how the incident was discovered
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
relevant time values associated with this Incident
specifies the suspected intended effect of this incident
This entry is optional
The human language this object is specified in.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
current status of the incident
This entry is required
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
opened | Inst (Date) | | ✓ |
closed | Inst (Date) | ||
discovered | Inst (Date) | ||
rejected | Inst (Date) | ||
remediated | Inst (Date) | ||
reported | Inst (Date) |
This entry is optional
This entry is optional
This entry is required
This entry is optional
This entry is optional
This entry is optional
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Feedback on any entity. Is it wrong? If so why? Was it right-on, and worthy of confirmation?
Property | Type | Description | Required? |
---|---|---|---|
entity_id | String | | ✓ |
feedback | Integer | | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
reason | String | | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | FeedbackTypeIdentifier String | | ✓ |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
This entry is required
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
This entry is required
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The human language this object is specified in.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Course of Action. A corrective or preventative action to be taken in response to a threat
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | COATypeIdentifier String | | ✓ |
valid_time | ValidTime Object | | ✓ |
coa_type | COAType String | The type of this COA | |
cost | HighMedLow String | Characterizes the estimated cost for applying this course of action | |
description | Markdown String | A description of object, which may be detailed. | |
efficacy | HighMedLow String | Effectiveness of this course of action in achieving its targeted objective | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
impact | ShortString String | Characterizes the estimated impact of applying this course of action | |
language | ShortString String | The human language this object is specified in. | |
objective | ShortString String List | Characterizes the objective of this course of action | |
open_c2_coa | OpenC2COA Object | ||
related_COAs | RelatedCOA Object List | Identifies or characterizes relationships to one or more related courses of action | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
stage | COAStage String | Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to | |
structured_coa_type | OpenC2StructuredCOAType String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
The type of this COA
This entry is optional
Characterizes the estimated cost for applying this course of action
This entry is optional
A description of object, which may be detailed.
This entry is optional
Effectiveness of this course of action in achieving its targeted objective
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
Characterizes the estimated impact of applying this course of action
This entry is optional
The human language this object is specified in.
This entry is optional
Characterizes the objective of this course of action
This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: Squashed / simplified
Identifies or characterizes relationships to one or more related courses of action
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
action | ActionType Object | | ✓ |
id | ShortString String | | ✓ |
type | StructuredCOAType String | | ✓ |
actuator | ActuatorType Object | ||
modifiers | ModifierType Object | ||
target | TargetType Object |
This entry is required
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
additional_properties | AdditionalProperties Object | ||
delay | Inst (Date) | ||
destination | String | ||
duration | Inst (Date) | ||
frequency | ShortString String | ||
id | ShortString String | ||
location | String | ||
method | String List | ||
option | ShortString String | ||
response | String | ||
search | String | ||
source | ShortString String | ||
time | ValidTime Object |
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry's type is sequential (allows zero or more values)
This entry is optional
This entry is optional
This entry is optional
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
context | ShortString String | | ✓ |
This entry is required
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
type | ActuatorType String | | ✓ |
specifiers | ShortString String List | list of additional properties describing the actuator |
list of additional properties describing the actuator
This entry is optional
This entry's type is sequential (allows zero or more values)
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
type | ShortString String | | ✓ |
specifiers | ShortString String | Cybox object representing the target |
Cybox object representing the target
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
type | COAType String | | ✓ |
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
COA_id | String | | ✓ |
confidence | HighMedLow String | ||
relationship | String | ||
source | String |
This entry is required
This entry is optional
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Represents a campaign by an actor pursuing an intent
Property | Type | Description | Required? |
---|---|---|---|
campaign_type | ShortString String | | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | CampaignTypeIdentifier String | | ✓ |
valid_time | ValidTime Object | Timestamp for the definition of a specific version of a campaign | ✓ |
activity | Activity Object List | Actions taken in regards to this Campaign | |
confidence | HighMedLow String | Level of confidence held in the characterization of this Campaign | |
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
intended_effect | IntendedEffect String List | Characterizes the intended effect of this cyber threat campaign | |
language | ShortString String | The human language this object is specified in. | |
names | ShortString String List | Names used to identify this campaign | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
status | CampaignStatus String | Status of this Campaign | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
Actions taken in regards to this Campaign
This entry is required
Dev Notes: Should we define a vocabulary for this?
Level of confidence held in the characterization of this Campaign
This entry is optional
A description of object, which may be detailed.
This entry is optional
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
Characterizes the intended effect of this cyber threat campaign
This entry is optional
This entry's type is sequential (allows zero or more values)
The human language this object is specified in.
This entry is optional
Names used to identify this campaign
This entry is optional
This entry's type is sequential (allows zero or more values)
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
Status of this Campaign
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
Timestamp for the definition of a specific version of a campaign
What happened, when?
Property | Type | Description | Required? |
---|---|---|---|
date_time | Inst (Date) | Specifies the date and time at which the activity occurred | ✓ |
description | Markdown String | A description of the activity | ✓ |
Specifies the date and time at which the activity occurred
This entry is required
A description of the activity
This entry is required
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound
This entry is optional
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.
Property | Type | Description | Required? |
---|---|---|---|
description | Markdown String | A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
name | ShortString String | A name used to identify the Attack Pattern. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | AttackPatternTypeIdentifier String | | ✓ |
abstraction_level | AttackPatternAbstractions String | The CAPEC abstraction level for patterns describing techniques to attack a system. | |
external_ids | String List | ||
external_references | ExternalReference Object List | A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id]. | |
kill_chain_phases | KillChainPhase Object List | The list of Kill Chain Phases for which this Attack Pattern is used. | |
language | ShortString String | The human language this object is specified in. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. | |
x_mitre_contributors | ShortString String List | ATT&CK Technique.Contributors | |
x_mitre_data_sources | ShortString String List | ATT&CK Technique.Data Sources | |
x_mitre_platforms | ShortString String List | ATT&CK Technique.Platforms |
The CAPEC abstraction level for patterns describing techniques to attack a system.
This entry is optional
A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.
This entry is required
A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
The list of Kill Chain Phases for which this Attack Pattern is used.
The human language this object is specified in.
This entry is optional
A name used to identify the Attack Pattern.
This entry is required
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
This entry is required
ATT&CK Technique.Contributors
This entry is optional
This entry's type is sequential (allows zero or more values)
ATT&CK Technique.Data Sources
This entry is optional
This entry's type is sequential (allows zero or more values)
ATT&CK Technique.Platforms
This entry is optional
This entry's type is sequential (allows zero or more values)
The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Describes malicious actors (or adversaries) related to a cyber attack
Property | Type | Description | Required? |
---|---|---|---|
actor_type | ThreatActorType String | | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
source | MedString String | | ✓ |
type | ActorTypeIdentifier String | | ✓ |
valid_time | ValidTime Object | | ✓ |
confidence | HighMedLow String | ||
description | Markdown String | A description of object, which may be detailed. | |
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
identity | Identity Object | ||
intended_effect | IntendedEffect String | ||
language | ShortString String | The human language this object is specified in. | |
motivation | Motivation String | ||
planning_and_operational_support | LongString String | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
sophistication | Sophistication String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
Describes a person or an organization
Property | Type | Description | Required? |
---|---|---|---|
description | Markdown String | | ✓ |
related_identities | RelatedIdentity Object List | Identifies other entity Identities related to this Identity | ✓ |
Describes a related Identity
Property | Type | Description | Required? |
---|---|---|---|
identity | String | The reference (URI) of the related Identity object | ✓ |
confidence | HighMedLow String | Specifies the level of confidence in the assertion of the relationship between the two objects | |
information_source | String | Specifies the source of the information about the relationship between the two components | |
relationship | String | | |
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound | |
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | | |
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource | |
Property | Type | Description | Required? |
---|---|---|---|
text | String | | ✓ |
type | String | | ✓ |