Liking cljdoc? Tell your friends :D

Bundle Object

Describes a Bundle of any set of CTIM entities

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity
sourceMedString String
typeBundleTypeIdentifier String
valid_timeValidTime Object
actor_refs#{ String}
actors#{Actor Object}a list of Actor
attack_pattern_refs#{ String}
attack_patterns#{AttackPattern Object}a list of AttackPattern
campaign_refs#{ String}
campaigns#{Campaign Object}a list of Campaign
coa_refs#{ String}
coas#{COA Object}a list of COA
data_table_refs#{ String}
data_tables#{DataTable Object}a list of DataTable
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
feedback_refs#{ String}
feedbacks#{Feedback Object}a list of Feedback
incident_refs#{ String}
incidents#{Incident Object}a list of Incident
indicator_refs#{ String}
indicators#{Indicator Object}a list of Indicator
judgement_refs#{ String}
judgements#{Judgement Object}a list of Judgement
languageShortString StringThe human language this object is specified in.
malware_refs#{ String}
malwares#{Malware Object}a list of Malware
relationship_refs#{ String}
relationships#{Relationship Object}a list of Relationship
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sighting_refs#{ String}
sightings#{Sighting Object}a list of Sighting
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.
tool_refs#{ String}
tools#{Tool Object}a list of Tool
verdict_refs#{ String}
verdicts#{Verdict Object}a list of Verdict
vulnerabilities#{Vulnerability Object}a list of Vulnerability
vulnerability_refs#{ String}
weakness_refs#{ String}
weaknesses#{Weakness Object}a list of Weakness
  • Reference: #

Property actor_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property actors ∷ #{Actor Object}

a list of Actor

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property attack_pattern_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property attack_patterns ∷ #{AttackPattern Object}

a list of AttackPattern

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property campaign_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property campaigns ∷ #{Campaign Object}

a list of Campaign

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property coa_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property coas ∷ #{COA Object}

a list of COA

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property data_table_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property data_tables ∷ #{DataTable Object}

a list of DataTable

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property feedback_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property feedbacks ∷ #{Feedback Object}

a list of Feedback

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property incident_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property incidents ∷ #{Incident Object}

a list of Incident

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property indicator_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property indicators ∷ #{Indicator Object}

a list of Indicator

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property judgement_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property judgements ∷ #{Judgement Object}

a list of Judgement

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property malware_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property malwares ∷ #{Malware Object}

a list of Malware

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property relationship_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property relationships ∷ #{Relationship Object}

a list of Relationship

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property sighting_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property sightings ∷ #{Sighting Object}

a list of Sighting

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property source ∷ MedString String

  • This entry is required

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property tool_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property tools ∷ #{Tool Object}

a list of Tool

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property type ∷ BundleTypeIdentifier String

  • This entry is required

    • Must equal: "bundle"

Property valid_time ∷ ValidTime Object

  • This entry is required

Property verdict_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property verdicts ∷ #{Verdict Object}

a list of Verdict

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property vulnerabilities ∷ #{Vulnerability Object}

a list of Vulnerability

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property vulnerability_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property weakness_refs ∷ #{ String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity

Property weaknesses ∷ #{Weakness Object}

a list of Weakness

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Actor Object

Describes malicious actors (or adversaries) related to a cyber attack

PropertyTypeDescriptionRequired?
actor_typeThreatActorType String
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity
sourceMedString String
typeActorTypeIdentifier String
valid_timeValidTime Object
confidenceHighMedLow String
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
identityIdentity Object
intended_effectIntendedEffect String
languageShortString StringThe human language this object is specified in.
motivationMotivation String
planning_and_operational_supportLongString String
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sophisticationSophistication String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property actor_type ∷ ThreatActorType String

  • This entry is required

    • Allowed Values:
      • Cyber Espionage Operations
      • Disgruntled Customer / User
      • Hacker
      • Hacker - Black hat
      • Hacker - Gray hat
      • Hacker - White hat
      • Hacktivist
      • Insider Threat
      • State Actor / Agency
      • eCrime Actor - Credential Theft Botnet Operator
      • eCrime Actor - Credential Theft Botnet Service
      • eCrime Actor - Malware Developer
      • eCrime Actor - Money Laundering Network
      • eCrime Actor - Organized Crime Actor
      • eCrime Actor - Spam Service
      • eCrime Actor - Traffic Service
      • eCrime Actor - Underground Call Service

Property confidence ∷ HighMedLow String

  • This entry is optional

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity ∷ Identity Object

  • This entry is optional

Property intended_effect ∷ IntendedEffect String

  • This entry is optional

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property motivation ∷ Motivation String

  • This entry is optional

    • Allowed Values:
      • Ego
      • Financial or Economic
      • Ideological
      • Ideological - Anti-Corruption
      • Ideological - Anti-Establishment
      • Ideological - Environmental
      • Ideological - Ethnic / Nationalist
      • Ideological - Human Rights
      • Ideological - Information Freedom
      • Ideological - Religious
      • Ideological - Security Awareness
      • Military
      • Opportunistic
      • Political

Property planning_and_operational_support ∷ LongString String

  • This entry is optional

    • String with at most 5000 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property sophistication ∷ Sophistication String

  • This entry is optional

    • Allowed Values:
      • Aspirant
      • Expert
      • Innovator
      • Novice
      • Practitioner

Property source ∷ MedString String

  • This entry is required

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ ActorTypeIdentifier String

  • This entry is required

    • Must equal: "actor"

Property valid_time ∷ ValidTime Object

  • This entry is required

Identity Object

Describes a person or an organization

PropertyTypeDescriptionRequired?
descriptionMarkdown String
related_identitiesRelatedIdentity Object ListIdentifies other entity Identities related to this Identity

Property description ∷ Markdown String

  • This entry is required

    • Markdown string with at most 5000 characters

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

RelatedIdentity Object

Describes a related Identity

PropertyTypeDescriptionRequired?
identityStringThe reference (URI) of the related Identity object
confidenceHighMedLow StringSpecifies the level of confidence in the assertion of the relationship between the two objects
information_sourceStringSpecifies the source of the information about the relationship between the two components
relationshipString

Property confidence ∷ HighMedLow String

Specifies the level of confidence in the assertion of the relationship between the two objects

  • This entry is optional

Property identity ∷ String

The reference (URI) of the related Identity object

  • This entry is required

    • A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components

  • This entry is optional

Property relationship ∷ String

  • This entry is optional

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

AttackPattern Object

Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.

PropertyTypeDescriptionRequired?
descriptionMarkdown StringA description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.
idStringGlobally unique URI identifying this object.
nameShortString StringA name used to identify the Attack Pattern.
schema_versionStringCTIM schema version for this entity
typeAttackPatternTypeIdentifier String
abstraction_levelAttackPatternAbstractions StringThe CAPEC abstraction level for patterns describing techniques to attack a system.
external_idsString List
external_referencesExternalReference Object ListA list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
kill_chain_phasesKillChainPhase Object ListThe list of Kill Chain Phases for which this Attack Pattern is used.
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
tlpTLP StringSpecification for how, and to whom, this object can be shared.
x_mitre_contributorsShortString String ListATT&CK Technique.Contributors
x_mitre_data_sourcesShortString String ListATT&CK Technique.Data Sources
x_mitre_platformsShortString String ListATT&CK Technique.Platforms

Property abstraction_level ∷ AttackPatternAbstractions String

The CAPEC abstraction level for patterns describing techniques to attack a system.

Property description ∷ Markdown String

A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics.

  • This entry is required

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Attack Pattern is used.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property name ∷ ShortString String

A name used to identify the Attack Pattern.

  • This entry is required

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ AttackPatternTypeIdentifier String

  • This entry is required

    • Must equal: "attack-pattern"

Property x_mitre_contributors ∷ ShortString String List

ATT&CK Technique.Contributors

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

Property x_mitre_data_sources ∷ ShortString String List

ATT&CK Technique.Data Sources

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

Property x_mitre_platforms ∷ ShortString String List

ATT&CK Technique.Platforms

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Campaign Object

Represents a campaign by an actor pursing an intent

PropertyTypeDescriptionRequired?
campaign_typeShortString String
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity
typeCampaignTypeIdentifier String
valid_timeValidTime ObjectTimestamp for the definition of a specific version of a campaign
activityActivity Object ListActions taken in regards to this Campaign
confidenceHighMedLow StringLevel of confidence held in the characterization of this Campaign
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
intended_effectIntendedEffect String ListCharacterizes the intended effect of this cyber threat campaign
languageShortString StringThe human language this object is specified in.
namesShortString String ListNames used to identify this campaign
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
statusCampaignStatus StringStatus of this Campaign
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property activity ∷ Activity Object List

Actions taken in regards to this Campaign

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property campaign_type ∷ ShortString String

  • This entry is required

  • Dev Notes: Should we define a vocabulary for this?

    • String with at most 1024 characters

Property confidence ∷ HighMedLow String

Level of confidence held in the characterization of this Campaign

  • This entry is optional

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property intended_effect ∷ IntendedEffect String List

Characterizes the intended effect of this cyber threat campaign

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property names ∷ ShortString String List

Names used to identify this campaign

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property status ∷ CampaignStatus String

Status of this Campaign

  • This entry is optional

    • Allowed Values:
      • Future
      • Historic
      • Ongoing

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ CampaignTypeIdentifier String

  • This entry is required

    • Must equal: "campaign"

Property valid_time ∷ ValidTime Object

Timestamp for the definition of a specific version of a campaign

  • This entry is required

Activity Object

What happend, when?

PropertyTypeDescriptionRequired?
date_timeInst (Date)Specifies the date and time at which the activity occured
descriptionMarkdown StringA description of the activity

Property date_time ∷ Inst (Date)

Specifies the date and time at which the activity occured

  • This entry is required

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property description ∷ Markdown String

A description of the activity

  • This entry is required

    • Markdown string with at most 5000 characters

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

COA Object

Course of Action. A corrective or preventative action to be taken in response to a threat

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity
typeCOATypeIdentifier String
valid_timeValidTime Object
coa_typeCOAType StringThe type of this COA
costHighMedLow StringCharacterizes the estimated cost for applying this course of action
descriptionMarkdown StringA description of object, which may be detailed.
efficacyHighMedLow StringEffectiveness of this course of action in achieving its targeted objective
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
impactShortString StringCharacterizes the estimated impact of applying this course of action
languageShortString StringThe human language this object is specified in.
objectiveShortString String ListCharacterizes the objective of this course of action
open_c2_coaOpenC2COA Object
related_COAsRelatedCOA Object ListIdentifies or characterizes relationships to one or more related courses of action
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
stageCOAStage StringSpecifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to
structured_coa_typeOpenC2StructuredCOAType String
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property coa_type ∷ COAType String

The type of this COA

  • This entry is optional

    • Allowed Values:
      • Diplomatic Actions
      • Eradication
      • Hardening
      • Internal Blocking
      • Logical Access Restrictions
      • Monitoring
      • Other
      • Patching
      • Perimeter Blocking
      • Physical Access Restrictions
      • Policy Actions
      • Public Disclosure
      • Rebuilding
      • Redirection
      • Redirection (Honey Pot)
      • Training
    • Reference: CourseOfActionTypeVocab

Property cost ∷ HighMedLow String

Characterizes the estimated cost for applying this course of action

  • This entry is optional

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property efficacy ∷ HighMedLow String

Effectiveness of this course of action in achieving its targeted objective

  • This entry is optional

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ ShortString String

Characterizes the estimated impact of applying this course of action

  • This entry is optional

    • String with at most 1024 characters

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property objective ∷ ShortString String List

Characterizes the objective of this course of action

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

  • Dev Notes: Squashed / simplified

    • String with at most 1024 characters

Property open_c2_coa ∷ OpenC2COA Object

  • This entry is optional

Property related_COAs ∷ RelatedCOA Object List

Identifies or characterizes relationships to one or more related courses of action

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property stage ∷ COAStage String

Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to

  • This entry is optional

Property structured_coa_type ∷ OpenC2StructuredCOAType String

  • This entry is optional

    • Must equal: "openc2"

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ COATypeIdentifier String

  • This entry is required

    • Must equal: "coa"

Property valid_time ∷ ValidTime Object

  • This entry is required

OpenC2COA Object

PropertyTypeDescriptionRequired?
actionActionType Object
idShortString String
typeStructuredCOAType String
actuatorActuatorType Object
modifiersModifierType Object
targetTargetType Object

Property action ∷ ActionType Object

  • This entry is required

Property actuator ∷ ActuatorType Object

  • This entry is optional

Property id ∷ ShortString String

  • This entry is required

    • String with at most 1024 characters

Property modifiers ∷ ModifierType Object

  • This entry is optional

Property target ∷ TargetType Object

  • This entry is optional

Property type ∷ StructuredCOAType String

  • This entry is required

    • Must equal: "structured_coa"

ModifierType Object

PropertyTypeDescriptionRequired?
additional_propertiesAdditionalProperties Object
delayInst (Date)
destinationString
durationInst (Date)
frequencyShortString String
idShortString String
locationString
methodString List
optionShortString String
responseString
searchString
sourceShortString String
timeValidTime Object

Property additional_properties ∷ AdditionalProperties Object

  • This entry is optional

Property delay ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property destination ∷ String

  • This entry is optional

    • Allowed Values:
      • copy-to
      • modify-to
      • move-to
      • report-to
      • restore-point
      • save-to
      • set-to

Property duration ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property frequency ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property id ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property location ∷ String

  • This entry is optional

    • Allowed Values:
      • internal
      • perimeter

Property method ∷ String List

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • acl
      • authenticated
      • blackhole
      • blacklist
      • graceful
      • hibernate
      • honeypot
      • immediate
      • segmentation
      • spawn
      • suspend
      • unauthenticated
      • whitelist

Property option ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property response ∷ String

  • This entry is optional

    • Allowed Values:
      • acknowledge
      • command-ref
      • query
      • status

Property search ∷ String

  • This entry is optional

    • Allowed Values:
      • cve
      • patch
      • signature
      • vendor_bulletin

Property source ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property time ∷ ValidTime Object

  • This entry is optional

AdditionalProperties Object

PropertyTypeDescriptionRequired?
contextShortString String

Property context ∷ ShortString String

  • This entry is required

    • String with at most 1024 characters

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ActuatorType Object

PropertyTypeDescriptionRequired?
typeActuatorType String
specifiersShortString String Listlist of additional properties describing the actuator

Property specifiers ∷ ShortString String List

list of additional properties describing the actuator

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

Property type ∷ ActuatorType String

  • This entry is required

    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • other
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

TargetType Object

PropertyTypeDescriptionRequired?
typeShortString String
specifiersShortString StringCybox object representing the target

Property specifiers ∷ ShortString String

Cybox object representing the target

  • This entry is optional

    • String with at most 1024 characters

Property type ∷ ShortString String

  • This entry is required

    • String with at most 1024 characters

ActionType Object

PropertyTypeDescriptionRequired?
typeCOAType String

Property type ∷ COAType String

  • This entry is required

    • Allowed Values:
      • alert
      • allow
      • augment
      • contain
      • delete
      • deny
      • detonate
      • distill
      • get
      • investigate
      • locate
      • mitigate
      • modify
      • move
      • notify
      • other
      • pause
      • query
      • redirect
      • remediate
      • report
      • response
      • restart
      • restore
      • resume
      • save
      • scan
      • set
      • snapshot
      • start
      • stop
      • substitute
      • sync
      • throttle
      • update
    • Reference: OpenC2/STIX COA XML schema

RelatedCOA Object

PropertyTypeDescriptionRequired?
COA_idString
confidenceHighMedLow String
relationshipString
sourceString

Property COA_id ∷ String

  • This entry is required

    • A URI leading to a COA

Property confidence ∷ HighMedLow String

  • This entry is optional

Property relationship ∷ String

  • This entry is optional

Property source ∷ String

  • This entry is optional

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Feedback Object

Feedback on any entity. Is it wrong? If so why? Was it right-on, and worthy of confirmation?

PropertyTypeDescriptionRequired?
entity_idString
feedbackInteger
idStringGlobally unique URI identifying this object.
reasonString
schema_versionStringCTIM schema version for this entity
typeFeedbackTypeIdentifier String
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property entity_id ∷ String

  • This entry is required

    • A URI leading to an entity

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property feedback ∷ Integer

  • This entry is required

    • Allowed Values:
      • -1
      • 0
      • 1

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property reason ∷ String

  • This entry is required

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ FeedbackTypeIdentifier String

  • This entry is required

    • Must equal: "feedback"

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Incident Object

Discrete instance of indicators affecting an organization as well as information associated with incident response

PropertyTypeDescriptionRequired?
confidenceHighMedLow Stringlevel of confidence held in the characterization of this Incident
idStringGlobally unique URI identifying this object.
incident_timeIncidentTime Objectrelevant time values associated with this Incident
schema_versionStringCTIM schema version for this entity
statusStatus Stringcurrent status of the incident
typeIncidentTypeIdentifier String
categoriesIncidentCategory String Lista set of categories for this incident
descriptionMarkdown StringA description of object, which may be detailed.
discovery_methodDiscoveryMethod Stringidentifies how the incident was discovered
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
intended_effectIntendedEffect Stringspecifies the suspected intended effect of this incident
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property categories ∷ IncidentCategory String List

a set of categories for this incident

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Denial of Service
      • Exercise/Network Defense Testing
      • Improper Usage
      • Investigation
      • Malicious Code
      • Scans/Probes/Attempted Access
      • Unauthorized Access

Property confidence ∷ HighMedLow String

level of confidence held in the characterization of this Incident

  • This entry is required

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property discovery_method ∷ DiscoveryMethod String

identifies how the incident was discovered

  • This entry is optional

    • Allowed Values:
      • Agent Disclosure
      • Antivirus
      • Audit
      • Customer
      • External - Fraud Detection
      • Financial Audit
      • HIPS
      • IT Audit
      • Incident Response
      • Internal - Fraud Detection
      • Law Enforcement
      • Log Review
      • Monitoring Service
      • NIDS
      • Security Alarm
      • Unknown
      • Unrelated Party
      • User

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property incident_time ∷ IncidentTime Object

relevant time values associated with this Incident

  • This entry is required
  • Dev Notes: Was 'time'; renamed for clarity

Property intended_effect ∷ IntendedEffect String

specifies the suspected intended effect of this incident

  • This entry is optional

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property status ∷ Status String

current status of the incident

  • This entry is required

    • Allowed Values:
      • Closed
      • Containment Achieved
      • Incident Reported
      • New
      • Open
      • Rejected
      • Restoration Achieved
      • Stalled

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ IncidentTypeIdentifier String

  • This entry is required

    • Must equal: "incident"

IncidentTime Object

PropertyTypeDescriptionRequired?
openedInst (Date)
closedInst (Date)
discoveredInst (Date)
rejectedInst (Date)
remediatedInst (Date)
reportedInst (Date)

Property closed ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property discovered ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property opened ∷ Inst (Date)

  • This entry is required

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property rejected ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property remediated ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property reported ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Indicator Object

An indicator is a test, or a collection of judgements that define criteria for identifying the activity, or presence of malware, or other unwanted software.

We follow the STiX IndicatorType closely, with the exception of not including observables within the indicator, and preferring a specification object encoded in JSON as opposed to an opaque implementation block.

Additional, you will want to either define judgements against Observables that are linked to this indicator, with the ID in the indicators field of those Judgements, or you can provide a specification value.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
producerShortString String
schema_versionStringCTIM schema version for this entity
typeIndicatorTypeIdentifier StringThe fixed value indicator
valid_timeValidTime ObjectThe time range during which this Indicator is considered valid.
composite_indicator_expressionCompositeIndicatorExpression Object
confidenceHighMedLow Stringlevel of confidence held in the accuracy of this Indicator
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
indicator_typeIndicatorType String ListSpecifies the type or types for this Indicator
kill_chain_phasesKillChainPhase Object Listrelevant kill chain phases indicated by this Indicator
languageShortString StringThe human language this object is specified in.
likely_impactLongString Stringlikely potential impact within the relevant context if this Indicator were to occur
negateBooleanspecifies the absence of the pattern
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
severityHighMedLow String
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
specificationJudgementSpecification Object
tagsShortString String ListDescriptors for this indicator
test_mechanismsMedString String ListTest Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property composite_indicator_expression ∷ CompositeIndicatorExpression Object

  • This entry is optional

Property confidence ∷ HighMedLow String

level of confidence held in the accuracy of this Indicator

  • This entry is optional

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property indicator_type ∷ IndicatorType String List

Specifies the type or types for this Indicator

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Anonymization
      • C2
      • Compromised PKI Certificate
      • Domain Watchlist
      • Exfiltration
      • File Hash Watchlist
      • Host Characteristics
      • IMEI Watchlist
      • IMSI Watchlist
      • IP Watchlist
      • Login Name
      • Malicious E-mail
      • Malware Artifacts
      • URL Watchlist
    • Reference: IndicatorTypeVocab

Property kill_chain_phases ∷ KillChainPhase Object List

relevant kill chain phases indicated by this Indicator

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)
  • Dev Notes: simplified

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property likely_impact ∷ LongString String

likely potential impact within the relevant context if this Indicator were to occur

  • This entry is optional

    • String with at most 5000 characters

Property negate ∷ Boolean

specifies the absence of the pattern

  • This entry is optional

Property producer ∷ ShortString String

  • This entry is required

  • Dev Notes: TODO - Document what is supposed to be in this field!

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ HighMedLow String

  • This entry is optional

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property specification ∷ Either

  • This entry is optional

    • Only one of the following schemas will match

Property tags ∷ ShortString String List

Descriptors for this indicator

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

Property test_mechanisms ∷ MedString String List

Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

  • Dev Notes: simplified

    • String with at most 2048 characters

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ IndicatorTypeIdentifier String

The fixed value indicator

  • This entry is required

    • The fixed value "indicator"
    • Must equal: "indicator"

Property valid_time ∷ ValidTime Object

The time range during which this Indicator is considered valid.

  • This entry is required

OpenIOCSpecification Object

An indicator which contains an XML blob of an openIOC indicator..

PropertyTypeDescriptionRequired?
open_IOCString
typeOpenIOCSpecificationType String

Property open_IOC ∷ String

  • This entry is required

Property type ∷ OpenIOCSpecificationType String

  • This entry is required

    • Must equal: "OpenIOC"

SIOCSpecification Object

An indicator which runs in snort...

PropertyTypeDescriptionRequired?
SIOCString
typeSIOCSpecificationType String

Property SIOC ∷ String

  • This entry is required

Property type ∷ SIOCSpecificationType String

  • This entry is required

    • Must equal: "SIOC"

SnortSpecification Object

An indicator which runs in snort...

PropertyTypeDescriptionRequired?
snort_sigString
typeSnortSpecificationType String

Property snort_sig ∷ String

  • This entry is required

Property type ∷ SnortSpecificationType String

  • This entry is required

    • Must equal: "Snort"

ThreatBrainSpecification Object

An indicator which runs in threatbrain...

PropertyTypeDescriptionRequired?
typeThreatBrainSpecificationType String
variablesString List
queryString

Property query ∷ String

  • This entry is optional

Property type ∷ ThreatBrainSpecificationType String

  • This entry is required

    • Must equal: "ThreatBrain"

Property variables ∷ String List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

JudgementSpecification Object

An indicator based on a list of judgements. If any of the Observables in it's judgements are encountered, than it may be matches against. If there are any required judgements, they all must be matched in order for the indicator to be considered a match.

PropertyTypeDescriptionRequired?
judgementsString List
required_judgementsRelatedJudgement Object List
typeJudgementSpecificationType String

Property judgements ∷ String List

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • A URI leading to a judgement

Property required_judgements ∷ RelatedJudgement Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property type ∷ JudgementSpecificationType String

  • This entry is required

    • Must equal: "Judgement"

RelatedJudgement Object

PropertyTypeDescriptionRequired?
judgement_idString
confidenceHighMedLow String
relationshipString
sourceString

Property confidence ∷ HighMedLow String

  • This entry is optional

Property judgement_id ∷ String

  • This entry is required

    • A URI leading to a judgement

Property relationship ∷ String

  • This entry is optional

Property source ∷ String

  • This entry is optional

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

CompositeIndicatorExpression Object

PropertyTypeDescriptionRequired?
indicator_idsString List
operatorBooleanOperator String

Property indicator_ids ∷ String List

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • A URI leading to an indicator

Property operator ∷ BooleanOperator String

  • This entry is required

    • Allowed Values:
      • and
      • not
      • or

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Judgement Object

A judgement about the intent or nature of an observable. For example, is it malicious, meaning is is malware and subverts system operations? It could also be clean and be from a known benign, or trusted source. It could also be common, something so widespread that it's not likely to be malicious.

Since a core goal of the CTIA is to provide a simple verdict service, these judgements are the basis for the returned verdicts. These are also the primary means by which users of the CTIA go from observables on their system, to the indicators and threat intelligence data in CTIA.

PropertyTypeDescriptionRequired?
confidenceHighMedLow String
dispositionDispositionNumberIntegerMatches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
disposition_nameDispositionName String
idStringGlobally unique URI identifying this object.
observableObservable Object
priorityInteger
schema_versionStringCTIM schema version for this entity
severityHighMedLow String
sourceMedString String
typeJudgementTypeIdentifier String
valid_timeValidTime Object
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
languageShortString StringThe human language this object is specified in.
reasonShortString String
reason_uriString
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property confidence ∷ HighMedLow String

  • This entry is required

Property disposition ∷ DispositionNumberInteger

Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

  • This entry is required

    • Numeric verdict identifiers
    • Allowed Values:
      • 1
      • 2
      • 3
      • 4
      • 5

Property disposition_name ∷ DispositionName String

  • This entry is required

    • String verdict identifiers
    • Allowed Values:
      • Clean
      • Common
      • Malicious
      • Suspicious
      • Unknown

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property observable ∷ Observable Object

  • This entry is required

Property priority ∷ Integer

  • This entry is required

    • A value 0-100 that determine the priority of a judgement. Curated feeds of black/white lists, for example known good products within your organizations, should use a 95. All automated systems should use a priority of 90, or less. Human judgements should have a priority of 100, so that humans can always override machines.

Property reason ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property reason_uri ∷ String

  • This entry is optional

    • A URI

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ HighMedLow String

  • This entry is required

Property source ∷ MedString String

  • This entry is required

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ JudgementTypeIdentifier String

  • This entry is required

    • Must equal: "judgement"

Property valid_time ∷ ValidTime Object

  • This entry is required

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifier String
valueString

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp_computer_guid
      • cisco_mid
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • odns_identity
      • odns_identity_label
      • pki_serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Malware Object

Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
labelsMalwareLabel String ListThe type of malware being described.
nameShortString StringA name used to identify the Malware sample.
schema_versionStringCTIM schema version for this entity
typeMalwareTypeIdentifier String
abstraction_levelMalwareAbstractions StringMalware abstraction level
descriptionMarkdown StringA description that provides more details and context about the Malware, potentially including its purpose and its key characteristics.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
kill_chain_phasesKillChainPhase Object ListThe list of Kill Chain Phases for which this Malware can be used.
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
tlpTLP StringSpecification for how, and to whom, this object can be shared.
x_mitre_aliasesShortString String ListATT&CK Software.aliases

Property abstraction_level ∷ MalwareAbstractions String

Malware abstraction level

  • This entry is optional

    • Malware Abstraction level
    • Allowed Values:
      • family
      • variant
      • version

Property description ∷ Markdown String

A description that provides more details and context about the Malware, potentially including its purpose and its key characteristics.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Malware can be used.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property labels ∷ MalwareLabel String List

The type of malware being described.

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool.
    • Allowed Values:
      • adware
      • backdoor
      • bot
      • ddos
      • dropper
      • exploit-kit
      • keylogger
      • ransomware
      • remote-access-trojan
      • resource-exploitation
      • rogue-security-software
      • rootkit
      • screen-capture
      • spyware
      • trojan
      • virus
      • worm
    • Reference: Malware Label

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property name ∷ ShortString String

A name used to identify the Malware sample.

  • This entry is required

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ MalwareTypeIdentifier String

  • This entry is required

    • Must equal: "malware"

Property x_mitre_aliases ∷ ShortString String List

ATT&CK Software.aliases

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Relationship Object

Represents a relationship between two entities

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
relationship_typeRelationshipType String
schema_versionStringCTIM schema version for this entity
source_refString
target_refString
typeRelationshipTypeIdentifier String
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property relationship_type ∷ RelationshipType String

  • This entry is required

    • Allowed Values:
      • attributed-to
      • based-on
      • derived-from
      • detects
      • duplicate-of
      • element-of
      • exploits
      • indicates
      • member-of
      • mitigates
      • related-to
      • targets
      • uses
      • variant-of

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_ref ∷ String

  • This entry is required

    • A URI leading to an entity

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property target_ref ∷ String

  • This entry is required

    • A URI leading to an entity

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ RelationshipTypeIdentifier String

  • This entry is required

    • Must equal: "relationship"

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Sighting Object

A single sighting of an indicator

PropertyTypeDescriptionRequired?
confidenceHighMedLow String
countIntegerThe number of times the sighting was seen
idStringGlobally unique URI identifying this object.
observed_timeObservedTime Object
schema_versionStringCTIM schema version for this entity
typeSightingTypeIdentifier String
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
internalBooleanIs it internal to our network
languageShortString StringThe human language this object is specified in.
observablesObservable Object ListThe object(s) of interest
relationsObservedRelation Object ListProvide any context we can about where the observable came from
resolutionResolution String
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sensorSensor StringThe OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
severityHighMedLow String
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
targetsSightingTarget Object ListThe target device. Where the sighting came from.
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property confidence ∷ HighMedLow String

  • This entry is required

Property count ∷ Integer

The number of times the sighting was seen

  • This entry is required

    • Zero, or a positive integer

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property internal ∷ Boolean

Is it internal to our network

  • This entry is optional

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property observables ∷ Observable Object List

The object(s) of interest

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property relations ∷ ObservedRelation Object List

Provide any context we can about where the observable came from

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property resolution ∷ Resolution String

  • This entry is optional

    • indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP
    • Default: detected
    • Allowed Values:
      • allowed
      • blocked
      • contained
      • detected

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property sensor ∷ Sensor String

The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)

  • This entry is optional

    • The openC2 Actuator name that best fits a device See also the Open C2 Language Description, Actuator Vocabulary, page 24.
    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner
    • Reference: OpenC2 Language Description

Property severity ∷ HighMedLow String

  • This entry is optional

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property targets ∷ SightingTarget Object List

The target device. Where the sighting came from.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ SightingTypeIdentifier String

  • This entry is required

    • Must equal: "sighting"

ObservedRelation Object

A relation inside a Sighting.

PropertyTypeDescriptionRequired?
originString
relatedObservable Object
relationObservableRelationType String
sourceObservable Object
origin_uriString
relation_infoObject

Property origin ∷ String

  • This entry is required

Property origin_uri ∷ String

  • This entry is optional

    • A URI

Property related ∷ Observable Object

  • This entry is required

Property relation ∷ ObservableRelationType String

  • This entry is required

    • Allowed Values:
      • Allocated
      • Allocated_By
      • Attached_To
      • Bound
      • Bound_By
      • Characterized_By
      • Characterizes
      • Child_Of
      • Closed
      • Closed_By
      • Compressed
      • Compressed_By
      • Compressed_From
      • Compressed_Into
      • Connected_From
      • Connected_To
      • Contained_Within
      • Contains
      • Copied
      • Copied_By
      • Copied_From
      • Copied_To
      • Created
      • Created_By
      • Decoded
      • Decoded_By
      • Decompressed
      • Decompressed_By
      • Decrypted
      • Decrypted_By
      • Deleted
      • Deleted_By
      • Deleted_From
      • Downloaded
      • Downloaded_By
      • Downloaded_From
      • Downloaded_To
      • Dropped
      • Dropped_By
      • Encoded
      • Encoded_By
      • Encrypted
      • Encrypted_By
      • Encrypted_From
      • Encrypted_To
      • Extracted_From
      • FQDN_Of
      • Freed
      • Freed_By
      • Hooked
      • Hooked_By
      • Initialized_By
      • Initialized_To
      • Injected
      • Injected_As
      • Injected_By
      • Injected_Into
      • Installed
      • Installed_By
      • Joined
      • Joined_By
      • Killed
      • Killed_By
      • Listened_On
      • Listened_On_By
      • Loaded_From
      • Loaded_Into
      • Locked
      • Locked_By
      • Mapped_By
      • Mapped_Into
      • Merged
      • Merged_By
      • Modified_Properties_Of
      • Monitored
      • Monitored_By
      • Moved
      • Moved_By
      • Moved_From
      • Moved_To
      • Opened
      • Opened_By
      • Packed
      • Packed_By
      • Packed_From
      • Packed_Into
      • Parent_Of
      • Paused
      • Paused_By
      • Previously_Contained
      • Properties_Modified_By
      • Properties_Queried
      • Properties_Queried_By
      • Read_From
      • Read_From_By
      • Received
      • Received_By
      • Received_From
      • Received_Via_Upload
      • Redirects_To
      • Refers_To
      • Related_To
      • Renamed
      • Renamed_By
      • Renamed_From
      • Renamed_To
      • Resolved_To
      • Resumed
      • Resumed_By
      • Root_Domain_Of
      • Searched_For
      • Searched_For_By
      • Sent
      • Sent_By
      • Sent_To
      • Sent_Via_Upload
      • Set_From
      • Set_To
      • Sub-domain_Of
      • Supra-domain_Of
      • Suspended
      • Suspended_By
      • Unhooked
      • Unhooked_By
      • Unlocked
      • Unlocked_By
      • Unpacked
      • Unpacked_By
      • Uploaded
      • Uploaded_By
      • Uploaded_From
      • Uploaded_To
      • Used
      • Used_By
      • Values_Enumerated
      • Values_Enumerated_By
      • Written_To_By
      • Wrote_To

Property relation_info ∷ Object

  • This entry is optional

Property source ∷ Observable Object

  • This entry is required

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifier String
valueString

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp_computer_guid
      • cisco_mid
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • odns_identity
      • odns_identity_label
      • pki_serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifier String
valueString

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp_computer_guid
      • cisco_mid
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • odns_identity
      • odns_identity_label
      • pki_serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required

Object

PropertyTypeDescriptionRequired?
KeywordAnything

Property Keyword ∷ Anything

  • This entry is required

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifier String
valueString

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp_computer_guid
      • cisco_mid
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • odns_identity
      • odns_identity_label
      • pki_serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required

SightingTarget Object

Describes a target device where a sighting came from.

PropertyTypeDescriptionRequired?
observablesObservable Object List
observed_timeObservedTime Object
typeSensor String
osString
properties_data_tablesString

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property os ∷ String

  • This entry is optional

Property properties_data_tables ∷ String

  • This entry is optional

    • A URI leading to a data table

Property type ∷ Sensor String

  • This entry is required

    • The openC2 Actuator name that best fits a device See also the Open C2 Language Description, Actuator Vocabulary, page 24.
    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner
    • Reference: OpenC2 Language Description

ObservedTime Object

Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifier String
valueString

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp_computer_guid
      • cisco_mid
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • odns_identity
      • odns_identity_label
      • pki_serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required

ObservedTime Object

Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Tool Object

Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
labelsToolLabel String ListThe kind(s) of tool(s) being described.
nameShortString StringThe name used to identify the Tool.
schema_versionStringCTIM schema version for this entity
typeToolTypeIdentifier String
descriptionMarkdown StringA description that provides more details and context about the Tool, potentially including its purpose and its key characteristics.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
kill_chain_phasesKillChainPhase Object ListThe list of kill chain phases for which this Tool can be used.
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
tlpTLP StringSpecification for how, and to whom, this object can be shared.
tool_versionShortString StringThe version identifier associated with the Tool.
x_mitre_aliasesShortString String ListATT&CK Software.aliases

Property description ∷ Markdown String

A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of kill chain phases for which this Tool can be used.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property labels ∷ ToolLabel String List

The kind(s) of tool(s) being described.

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • Tool labels describe the categories of tools that can be used to perform attacks.
    • Allowed Values:
      • credential-exploitation
      • denial-of-service
      • exploitation
      • information-gathering
      • network-capture
      • remote-access
      • vulnerability-scanning
    • Reference: Tool Label

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property name ∷ ShortString String

The name used to identify the Tool.

  • This entry is required

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property tool_version ∷ ShortString String

The version identifier associated with the Tool.

  • This entry is optional

    • String with at most 1024 characters

Property type ∷ ToolTypeIdentifier String

  • This entry is required

    • Must equal: "tool"

Property x_mitre_aliases ∷ ShortString String List

ATT&CK Software.aliases

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • String with at most 1024 characters

KillChainPhase Object

The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Verdict Object

A Verdict is chosen from all of the Judgements on that Observable which have not yet expired. The highest priority Judgement becomes the active verdict. If there is more than one Judgement with that priority, then Clean disposition has priority over all others, then Malicious disposition, and so on down to Unknown.

The ID of a verdict is a a str of the form "observable.type:observable.value" for example, "ip:1.1.1.1"

PropertyTypeDescriptionRequired?
dispositionDispositionNumberInteger
observableObservable Object
typeVerdictTypeIdentifier String
valid_timeValidTime Object
disposition_nameDispositionName StringThe disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
judgement_idString

Property disposition ∷ DispositionNumberInteger

  • This entry is required

    • Numeric verdict identifiers
    • Allowed Values:
      • 1
      • 2
      • 3
      • 4
      • 5

Property disposition_name ∷ DispositionName String

The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

  • This entry is optional

    • String verdict identifiers
    • Allowed Values:
      • Clean
      • Common
      • Malicious
      • Suspicious
      • Unknown

Property judgement_id ∷ String

  • This entry is optional

    • A URI leading to a judgement

Property observable ∷ Observable Object

  • This entry is required

Property type ∷ VerdictTypeIdentifier String

  • This entry is required

    • Must equal: "verdict"

Property valid_time ∷ ValidTime Object

  • This entry is required

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifier String
valueString

Property type ∷ ObservableTypeIdentifier String

  • This entry is required

    • Observable type names
    • Allowed Values:
      • amp_computer_guid
      • cisco_mid
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • odns_identity
      • odns_identity_label
      • pki_serial
      • sha1
      • sha256
      • url
      • user

Property value ∷ String

  • This entry is required

DataTable Object

A generic table of data, consisting of types and documented columns, and 1 or more rows of data.

PropertyTypeDescriptionRequired?
columnsColumnDefinition Object Listan ordered list of column definitions
idStringGlobally unique URI identifying this object.
rowsAnything Listan ordered list of rows
schema_versionStringCTIM schema version for this entity
typeDataTableTypeIdentifier String
descriptionMarkdown StringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
languageShortString StringThe human language this object is specified in.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
row_countIntegerThe number of rows in the data table.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.
valid_timeValidTime Object

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property description ∷ Markdown String

A description of object, which may be detailed.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property row_count ∷ Integer

The number of rows in the data table.

  • This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ DataTableTypeIdentifier String

  • This entry is required

    • Must equal: "data-table"

Property valid_time ∷ ValidTime Object

  • This entry is optional

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ColumnDefinition Object

PropertyTypeDescriptionRequired?
nameString
typeColumnType String
descriptionMarkdown String
requiredBooleanIf true, the row entries for this column cannot contain nulls. Defaults to true
short_descriptionString

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property name ∷ String

  • This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true

  • This entry is optional

Property short_description ∷ String

  • This entry is optional

Property type ∷ ColumnType String

  • This entry is required

    • Allowed Values:
      • integer
      • markdown
      • number
      • observable
      • string
      • url

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Weakness Object

a mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways.

PropertyTypeDescriptionRequired?
descriptionMarkdown Stringshould be short and limited to the key points that define this weakness
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity
typeWeaknessTypeIdentifier StringThe fixed value weakness
abstraction_levelWeaknessAbstractionLevel Stringdefines the abstraction level for this weakness
affected_resourcesSystemResource String Listidentify system resources that can be affected by an exploit of this weakness
alternate_termsAlternateTerm Object Listindicates one or more other names used to describe this weakness
architecturesArchitecture Object ListApplicable architectures
background_detailsMarkdown Stringinformation that is relevant but not related to the nature of the weakness itself
common_consequencesConsequence Object Listspecify individual consequences associated with a weakness
detection_methodsDetectionMethod Object Listidentify methods that may be employed to detect this weakness, including their strengths and limitations
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
functional_areasFunctionalArea String Listidentifies the functional area of the software in which the weakness is most likely to occur
languageShortString StringThe human language this object is specified in.
languagesLanguage Object ListApplicable Languages
likelihoodHighMedLow StringLikelihood of exploit
modes_of_introductionModeOfIntroduction Object Listinformation about how and when a given weakness may be introduced
notesNote Object Listprovide any additional comments about the weakness
operating_systemsOperatingSystem Object ListApplicable operating systems
paradigmsParadigm Object ListApplicable paradigms
potential_mitigationsMitigation Object Listdescribe potential mitigations associated with a weakness
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
structureWeaknessStructure Stringdefines the structural nature of the weakness
technologiesTechnology Object ListApplicable technologies
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property abstraction_level ∷ WeaknessAbstractionLevel String

defines the abstraction level for this weakness

  • This entry is optional

    • defines the different abstraction levels that apply to a weakness. A Class is the most abstract type of weakness, typically described independent of any specific language or technology. A Base is a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. A Variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A Compound weakness is a meaningful aggregation of several weaknesses, currently known as either a Chain or Composite.
    • Allowed Values:
      • Base
      • Class
      • Compound
      • Variant
    • Reference: AbstractionEnumeration

Property affected_resources ∷ SystemResource String List

identify system resources that can be affected by an exploit of this weakness

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • defines a resource of a system
    • Allowed Values:
      • CPU
      • File or Directory
      • Memory
      • System Process
    • Reference: ResourceEnumeration

Property alternate_terms ∷ AlternateTerm Object List

indicates one or more other names used to describe this weakness

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property architectures ∷ Architecture Object List

Applicable architectures

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property background_details ∷ Markdown String

information that is relevant but not related to the nature of the weakness itself

  • This entry is optional

    • Markdown string with at most 5000 characters

Property common_consequences ∷ Consequence Object List

specify individual consequences associated with a weakness

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property description ∷ Markdown String

should be short and limited to the key points that define this weakness

  • This entry is required

    • Markdown string with at most 5000 characters

Property detection_methods ∷ DetectionMethod Object List

identify methods that may be employed to detect this weakness, including their strengths and limitations

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property functional_areas ∷ FunctionalArea String List

identifies the functional area of the software in which the weakness is most likely to occur

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Defines the different functional areas of software in which the weakness may appear
    • Allowed Values:
      • Authentication
      • Authorization
      • Code Libraries
      • Counters
      • Cryptography
      • Error Handling
      • File Processing
      • Functional-Area-Independent
      • Interprocess Communication
      • Logging
      • Memory Management
      • Networking
      • Number Processing
      • Program Invocation
      • Protection Mechanism
      • Session Management
      • Signals
      • String Processing
    • Reference: FunctionalAreaEnumeration

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property languages ∷ Language Object List

Applicable Languages

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property likelihood ∷ HighMedLow String

Likelihood of exploit

  • This entry is optional

Property modes_of_introduction ∷ ModeOfIntroduction Object List

information about how and when a given weakness may be introduced

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property notes ∷ Note Object List

provide any additional comments about the weakness

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property operating_systems ∷ OperatingSystem Object List

Applicable operating systems

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property paradigms ∷ Paradigm Object List

Applicable paradigms

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property potential_mitigations ∷ Mitigation Object List

describe potential mitigations associated with a weakness

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property structure ∷ WeaknessStructure String

defines the structural nature of the weakness

  • This entry is optional

    • structural natures of a weakness. A Simple structure represents a single weakness whose exploitation is not dependent on the presence of another weakness. A Composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability, while a Chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability.
    • Allowed Values:
      • Chain
      • Composite
      • Simple
    • Reference: StructureEnumeration)

Property technologies ∷ Technology Object List

Applicable technologies

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ WeaknessTypeIdentifier String

The fixed value weakness

  • This entry is required

    • The fixed value "weakness"
    • Must equal: "weakness"

Note Object

PropertyTypeDescriptionRequired?
noteMarkdown String
typeNoteType String

Property note ∷ Markdown String

  • This entry is required

    • Markdown string with at most 5000 characters

Property type ∷ NoteType String

Mitigation Object

PropertyTypeDescriptionRequired?
descriptionMarkdown Stringa description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness
effectivenessEffectiveness Stringsummarizes how effective the mitigation may be in preventing the weakness
effectiveness_notesMarkdown String
phasesSoftwarePhase String Listindicates the development life cycle phase during which this particular mitigation may be applied
strategyMitigationStrategy Stringa general strategy for protecting a system to which this mitigation contributes

Property description ∷ Markdown String

a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness

  • This entry is required

    • Markdown string with at most 5000 characters

Property effectiveness ∷ Effectiveness String

summarizes how effective the mitigation may be in preventing the weakness

  • This entry is optional

    • related to how effective a mitigation may be in preventing the weakness
    • Allowed Values:
      • Defense in Depth
      • High
      • Incidental
      • Limited
      • Moderate
      • None
    • Reference: EffectivenessEnumeration

Property effectiveness_notes ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property phases ∷ SoftwarePhase String List

indicates the development life cycle phase during which this particular mitigation may be applied

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Architecture and Design
      • Build and Compilation
      • Bundling
      • Distribution
      • Documentation
      • Implementation
      • Installation
      • Operation
      • Patching and Maintenance
      • Policy
      • Porting
      • Requirements
      • System Configuration
      • Testing
    • Reference: PhaseEnumeration

Property strategy ∷ MitigationStrategy String

a general strategy for protecting a system to which this mitigation contributes

  • This entry is optional

    • strategy for protecting a system to which a mitigation contributes
    • Allowed Values:
      • Attack Surface Reduction
      • Compilation or Build Hardening
      • Enforcement by Conversion
      • Environment Hardening
      • Firewall
      • Input Validation
      • Language Selection
      • Libraries or Frameworks
      • Output Encoding
      • Parameterization
      • Refactoring
      • Resource Limitation
      • Sandbox or Jail
      • Separation of Privilege
    • Reference: MitigationStrategyEnumeration

DetectionMethod Object

PropertyTypeDescriptionRequired?
descriptionMarkdown Stringprovide some context of how this method can be applied to a specific weakness
methodDetectionMethod Stringidentifies the particular detection method being described
effectivenessDetectionEffectiveness Stringhow effective the detection method may be in detecting the associated weakness
effectiveness_notesMarkdown Stringprovides additional discussion of the strengths and shortcomings of this detection method

Property description ∷ Markdown String

provide some context of how this method can be applied to a specific weakness

  • This entry is required

    • Markdown string with at most 5000 characters

Property effectiveness ∷ DetectionEffectiveness String

how effective the detection method may be in detecting the associated weakness

  • This entry is optional

    • level of effectiveness that a detection method may have in detecting an associated weakness
    • Allowed Values:
      • High
      • Limited
      • Moderate
      • None
      • Opportunistic
      • SOAR Partial
    • Reference: DetectionEffectivenessEnumeration

Property effectiveness_notes ∷ Markdown String

provides additional discussion of the strengths and shortcomings of this detection method

  • This entry is optional

    • Markdown string with at most 5000 characters

Property method ∷ DetectionMethod String

identifies the particular detection method being described

  • This entry is required

    • method used to detect a weakness
    • Allowed Values:
      • Architecture or Design Review
      • Automated Analysis
      • Automated Dynamic Analysis
      • Automated Static Analysis
      • Automated Static Analysis - Binary or Bytecode
      • Automated Static Analysis - Source Code
      • Black Box
      • Dynamic Analysis with Automated Results Interpretation
      • Dynamic Analysis with Manual Results Interpretation
      • Fuzzing
      • Manual Analysis
      • Manual Dynamic Analysis
      • Manual Static Analysis
      • Manual Static Analysis - Binary or Bytecode
      • Manual Static Analysis - Source Code
      • Other
      • White Box
    • Reference: DetectionMethodEnumeration

Consequence Object

PropertyTypeDescriptionRequired?
scopesConsequenceScope String Listidentifies the security property that is violated
impactsTechnicalImpact String Listdescribes the technical impact that arises if an adversary succeeds in exploiting this weakness
likelihoodHighMedLow Stringhow likely the specific consequence is expected to be seen relative to the other consequences
noteMarkdown Stringadditional commentary about a consequence

Property impacts ∷ TechnicalImpact String List

describes the technical impact that arises if an adversary succeeds in exploiting this weakness

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Alter Execution Logic
      • Bypass Protection Mechanism
      • DoS: Amplification
      • DoS: Crash, Exit, or Restart
      • DoS: Instability
      • DoS: Resource Consumption (CPU)
      • DoS: Resource Consumption (Memory)
      • DoS: Resource Consumption (Other)
      • Execute Unauthorized Code or Commands
      • Gain Privileges or Assume Identity
      • Hide Activities
      • Modify Application Data
      • Modify Files or Directories
      • Modify Memory
      • Quality Degradation
      • Read Application Data
      • Read Files or Directories
      • Read Memory
      • Unexpected State
      • Varies by Context
    • Reference: TechnicalImpactEnumeration

Property likelihood ∷ HighMedLow String

how likely the specific consequence is expected to be seen relative to the other consequences

  • This entry is optional

Property note ∷ Markdown String

additional commentary about a consequence

  • This entry is optional

    • Markdown string with at most 5000 characters

Property scopes ∷ ConsequenceScope String List

identifies the security property that is violated

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • defines the different areas of software security that can be affected by exploiting a weakness.
    • Allowed Values:
      • Access Control
      • Accountability
      • Authentication
      • Authorization
      • Availability
      • Confidentiality
      • Integrity
      • Non-Repudiation
    • Reference: ScopeEnumeration

ModeOfIntroduction Object

PropertyTypeDescriptionRequired?
phaseSoftwarePhase Stringidentifies the point in the software life cycle at which the weakness may be introduced
noteMarkdown Stringprovides a typical scenario related to introduction during the given phase

Property note ∷ Markdown String

provides a typical scenario related to introduction during the given phase

  • This entry is optional

    • Markdown string with at most 5000 characters

Property phase ∷ SoftwarePhase String

identifies the point in the software life cycle at which the weakness may be introduced

  • This entry is required

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Architecture and Design
      • Build and Compilation
      • Bundling
      • Distribution
      • Documentation
      • Implementation
      • Installation
      • Operation
      • Patching and Maintenance
      • Policy
      • Porting
      • Requirements
      • System Configuration
      • Testing
    • Reference: PhaseEnumeration

AlternateTerm Object

PropertyTypeDescriptionRequired?
termShortString Stringthe actual alternate term
descriptionMarkdown Stringprovides context for the alternate term by which this weakness may be known.

Property description ∷ Markdown String

provides context for the alternate term by which this weakness may be known.

  • This entry is optional

    • Markdown string with at most 5000 characters

Property term ∷ ShortString String

the actual alternate term

  • This entry is required

    • String with at most 1024 characters

Technology Object

PropertyTypeDescriptionRequired?
prevalencePrevalence Stringdefines the different regularities that guide the applicability of platforms
nameShortString Stringtechnology name (Web Server, Web Client)

Property name ∷ ShortString String

technology name (Web Server, Web Client)

  • This entry is optional

    • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

  • This entry is required

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

Paradigm Object

PropertyTypeDescriptionRequired?
prevalencePrevalence Stringdefines the different regularities that guide the applicability of platforms
nameShortString Stringparadigm name (Client Server, Mainframe)

Property name ∷ ShortString String

paradigm name (Client Server, Mainframe)

  • This entry is optional

    • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

  • This entry is required

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

Architecture Object

PropertyTypeDescriptionRequired?
prevalencePrevalence Stringdefines the different regularities that guide the applicability of platforms
classArchitectureClass Stringclass of architecture
nameShortString Stringarchitecture name (ARM, x86, ...)

Property class ∷ ArchitectureClass String

class of architecture

Property name ∷ ShortString String

architecture name (ARM, x86, ...)

  • This entry is optional

    • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

  • This entry is required

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

OperatingSystem Object

PropertyTypeDescriptionRequired?
prevalencePrevalence Stringdefines the different regularities that guide the applicability of platforms
classOperatingSystemClass String
cpe_idShortString String
nameShortString String
versionShortString String

Property class ∷ OperatingSystemClass String

  • This entry is optional

Property cpe_id ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property name ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

  • This entry is required

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

Property version ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Language Object

PropertyTypeDescriptionRequired?
prevalencePrevalence Stringdefines the different regularities that guide the applicability of platforms
classLanguageClass Stringclass of language
nameShortString StringLanguage name (Clojure, Java, ...)

Property class ∷ LanguageClass String

class of language

  • This entry is optional

Property name ∷ ShortString String

Language name (Clojure, Java, ...)

  • This entry is optional

    • String with at most 1024 characters

Property prevalence ∷ Prevalence String

defines the different regularities that guide the applicability of platforms

  • This entry is required

    • defines the different regularities that guide the applicability of platforms
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

Vulnerability Object

a mistake in software that can be directly used by a hacker to gain access to a system or network

PropertyTypeDescriptionRequired?
descriptionMarkdown StringA description that provides more details and context about the Vulnerability,potentially including its purpose and its key characteristics.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity
typeVulnerabilityTypeIdentifier StringThe fixed value vulnerability
cveCVE Object
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
impactVulnerabilityImpact Object
languageShortString StringThe human language this object is specified in.
last_modified_dateInst (Date)
published_dateInst (Date)
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedString StringA single line, short summary of the object.
sourceMedString String
source_uriString
timestampInst (Date)The time this object was created at, or last modified.
titleShortString StringA short title for this object, used as primary display and reference value
tlpTLP StringSpecification for how, and to whom, this object can be shared.

Property cve ∷ CVE Object

  • This entry is optional

Property description ∷ Markdown String

A description that provides more details and context about the Vulnerability,potentially including its purpose and its key characteristics.

  • This entry is required

    • Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ VulnerabilityImpact Object

  • This entry is optional

Property language ∷ ShortString String

The human language this object is specified in.

  • This entry is optional

    • String with at most 1024 characters

Property last_modified_date ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property published_date ∷ Inst (Date)

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedString String

A single line, short summary of the object.

  • This entry is optional

    • String with at most 2048 characters

Property source ∷ MedString String

  • This entry is optional

    • String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortString String

A short title for this object, used as primary display and reference value

  • This entry is optional

    • String with at most 1024 characters

Property tlp ∷ TLP String

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ VulnerabilityTypeIdentifier String

The fixed value vulnerability

  • This entry is required

    • The fixed value "vulnerability"
    • Must equal: "vulnerability"

VulnerabilityImpact Object

PropertyTypeDescriptionRequired?
cvss_v2CVSSv2 Object
cvss_v3CVSSv3 Object

Property cvss_v2 ∷ CVSSv2 Object

  • This entry is optional

Property cvss_v3 ∷ CVSSv3 Object

  • This entry is optional

CVSSv3 Object

PropertyTypeDescriptionRequired?
base_scoreNumber
base_severityCVSSv3Severity String
vector_stringString
attack_complexityCVSSv3AttackComplexity Stringdescribes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability
attack_vectorCVSSv3AttackVector StringReflects the context by which vulnerability exploitation is possible
availability_impactCVSSv3AvailabilityImpact Stringmeasures the impact to the availability of the impacted component resulting from a successfullyexploited vulnerability
availability_requirementCVSSv3SecurityRequirements String
confidentiality_impactCVSSv3ConfidentialityImpact Stringmeasures the impact to the confidentiality ofthe information resources managed by a software component due to a successfully exploited vulnerability
confidentiality_requirementCVSSv3SecurityRequirements String
environmental_scoreNumber
environmental_severityCVSSv3Severity String
exploit_code_maturityCVSSv3ExploitCodeMaturity Stringmeasures the likelihood of the vulnerability being attacked
exploitability_scoreNumber
impact_scoreNumber
integrity_impactCVSSv3IntegrityImpact Stringmeasures the impact to integrity of a successfully exploited vulnerability
integrity_requirementCVSSv3SecurityRequirements String
modified_attack_complexityCVSSv3ModifiedAttackComplexity Stringmodified attack complexity
modified_attack_vectorCVSSv3ModifiedAttackVector Stringmodified attack vector
modified_availability_impactCVSSv3ModifiedAvailabilityImpact Stringmodified availability impact
modified_confidentiality_impactCVSSv3ModifiedConfidentialityImpact Stringmodified confidentiality impact
modified_integrity_impactCVSSv3ModifiedIntegrityImpact Stringmodified integrity impact
modified_privileges_requiredCVSSv3ModifiedPrivilegesRequired Stringmodified privileges required
modified_scopeCVSSv3ModifiedScope Stringmodified scope
modified_user_interactionCVSSv3ModifiedUserInteraction Stringmodified user interaction
privileges_requiredCVSSv3PrivilegesRequired Stringdescribes the level of privileges an attacker must possess before successfully exploiting the vulnerability
remediation_levelCVSSv3RemediationLevel StringRemediation Level of a vulnerability is an important factor for prioritization
report_confidenceCVSSv3ReportConfidence Stringmeasures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details
scopeCVSSv3Scope Stringthe ability for a vulnerability in one software component to impact resources beyond its means, or privileges
temporal_scoreNumberRound up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)
temporal_severityNumbertemporal severity
user_interactionCVSSv3UserInteraction Stringcaptures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component

Property attack_complexity ∷ CVSSv3AttackComplexity String

describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability

  • This entry is optional

    • describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). this metric value is largest for the least complex attacks. The list of possible values are: low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. high A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).
    • Allowed Values:
      • high
      • low
    • Reference: Attack Complexity

Property attack_vector ∷ CVSSv3AttackVector String

Reflects the context by which vulnerability exploitation is possible

  • This entry is optional

    • This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is: network A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed remotely exploitable and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).adjacent_network A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. local A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. physical A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.
    • Allowed Values:
      • adjacent_network
      • local
      • network
      • physical
    • Reference: Attack Vector

Property availability_impact ∷ CVSSv3AvailabilityImpact String

measures the impact to the availability of the impacted component resulting from a successfullyexploited vulnerability

  • This entry is optional

    • This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented is: high: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). low: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. none: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Availability Impact] (https://www.first.org/cvss/specification-document#2-3-3-Availability-Impact-A)

Property availability_requirement ∷ CVSSv3SecurityRequirements String

  • This entry is optional

    • These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
    • Allowed Values:
      • high
      • low
      • none
      • not_defined
    • Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property base_score ∷ Number

  • This entry is required

    • a Score number from 0 to 10

Property base_severity ∷ CVSSv3Severity String

  • This entry is required

    • Allowed Values:
      • critical
      • high
      • low
      • medium
      • none

Property confidentiality_impact ∷ CVSSv3ConfidentialityImpact String

measures the impact to the confidentiality ofthe information resources managed by a software component due to a successfully exploited vulnerability

  • This entry is optional

    • measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is: high: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. low: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. none: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Confientiality Impact] (https://www.first.org/cvss/specification-document#2-3-1-Confidentiality-Impact-C)

Property confidentiality_requirement ∷ CVSSv3SecurityRequirements String

  • This entry is optional

    • These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
    • Allowed Values:
      • high
      • low
      • none
      • not_defined
    • Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property environmental_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property environmental_severity ∷ CVSSv3Severity String

  • This entry is optional

    • Allowed Values:
      • critical
      • high
      • low
      • medium
      • none

Property exploit_code_maturity ∷ CVSSv3ExploitCodeMaturity String

measures the likelihood of the vulnerability being attacked

  • This entry is optional

    • This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. high: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. functional: Functional exploit code is available. The code works in most situations where the vulnerability exists. proof_of_concept: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. unproven: No exploit code is available, or an exploit is theoretical.
    • Allowed Values:
      • functional
      • high
      • not_defined
      • proof_of_concept
      • unproven
    • Reference: [Exploit Code Maturity] (https://www.first.org/cvss/specification-document#3-1-Exploit-Code-Maturity-E)

Property exploitability_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property impact_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property integrity_impact ∷ CVSSv3IntegrityImpact String

measures the impact to integrity of a successfully exploited vulnerability

  • This entry is optional

    • This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is: high: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. low: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.none: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Integrity Impact] (https://www.first.org/cvss/specification-document#2-3-2-Integrity-Impact-I)

Property integrity_requirement ∷ CVSSv3SecurityRequirements String

  • This entry is optional

    • These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
    • Allowed Values:
      • high
      • low
      • none
      • not_defined
    • Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property modified_attack_complexity ∷ CVSSv3ModifiedAttackComplexity String

modified attack complexity

Property modified_attack_vector ∷ CVSSv3ModifiedAttackVector String

modified attack vector

Property modified_availability_impact ∷ CVSSv3ModifiedAvailabilityImpact String

modified availability impact

Property modified_confidentiality_impact ∷ CVSSv3ModifiedConfidentialityImpact String

modified confidentiality impact

Property modified_integrity_impact ∷ CVSSv3ModifiedIntegrityImpact String

modified integrity impact

Property modified_privileges_required ∷ CVSSv3ModifiedPrivilegesRequired String

modified privileges required

Property modified_scope ∷ CVSSv3ModifiedScope String

modified scope

Property modified_user_interaction ∷ CVSSv3ModifiedUserInteraction String

modified user interaction

Property privileges_required ∷ CVSSv3PrivilegesRequired String

describes the level of privileges an attacker must possess before successfully exploiting the vulnerability

  • This entry is optional

    • This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is: none: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. low: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. high: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Privileges Required] (https://www.first.org/cvss/specification-document#2-1-3-Privileges-Required-PR)

Property remediation_level ∷ CVSSv3RemediationLevel String

Remediation Level of a vulnerability is an important factor for prioritization

  • This entry is optional

    • The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. unavailable: There is either no solution available or it is impossible to apply. workaround: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. temporary_fix: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.official_fix: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score.
    • Allowed Values:
      • high
      • not_defined
      • offical_fix
      • temporary_fix
      • unavailable
      • workaround
    • Reference: [Remediation Level] (https://www.first.org/cvss/specification-document#3-2-Remediation-Level-RL)

Property report_confidence ∷ CVSSv3ReportConfidence String

measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details

  • This entry is optional

    • measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. confirmed: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. reasonable: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. unknown: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
    • Allowed Values:
      • confirmed
      • reasonable
      • unknown
    • Reference: [Report Confidence] (https://www.first.org/cvss/specification-document#3-3-Report-Confidence-RC)

Property scope ∷ CVSSv3Scope String

the ability for a vulnerability in one software component to impact resources beyond its means, or privileges

  • This entry is optional

    • An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. a scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user's instance of Word, and the host's system files. The Base score is greater when a scope change has occurred. The list of possible values is: unchanged: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. changed: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.
    • Allowed Values:
      • changed
      • unchanged
    • Reference: [Scope] (https://www.first.org/cvss/specification-document#2-2-Scope-S)

Property temporal_score ∷ Number

Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)

  • This entry is optional

    • a Score number from 0 to 10

Property temporal_severity ∷ Number

temporal severity

  • This entry is optional

    • a Score number from 0 to 10

Property user_interaction ∷ CVSSv3UserInteraction String

captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component

  • This entry is optional

    • captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is: none: The vulnerable system can be exploited without interaction from any user. required: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.
    • Allowed Values:
      • none
      • required
    • Reference: [User Interaction] (https://www.first.org/cvss/specification-document#2-1-4-User-Interaction-UI)

Property vector_string ∷ String

  • This entry is required

    • a text representation of a set of CVSSv3 metrics.It is commonly used to record or transfer CVSSv3 metric information in a concise form

CVSSv2 Object

PropertyTypeDescriptionRequired?
base_scoreNumber
base_severityHighMedLow String
vector_stringString
access_complexityCVSSv2AccessComplexity String
access_vectorCVSSv2AccessVector String
authenticationCVSSv2Authentication String
availability_impactCVSSv2AvailabilityImpact String
availability_requirementCVSSv2SecurityRequirement String
collateral_damage_potentialCVSSv2CollateralDamagePotential String
confidentiality_impactCVSSv2ConfidentialityImpact String
confidentiality_requirementCVSSv2SecurityRequirement String
environmental_vector_stringString
exploitabilityCVSSv2Exploitability String
exploitability_scoreNumber
impact_scoreNumber
integrity_impactCVSSv2IntegrityImpact String
integrity_requirementCVSSv2SecurityRequirement String
obtain_all_privilegeBoolean
obtain_other_privilegeBoolean
obtain_user_privilegeBoolean
remediation_levelCVSSv2RemediationLevel String
report_confidenceCVSSv2ReportConfidence String
target_distributionCVSSv2TargetDistribution String
temporal_vector_stringString
user_interaction_requiredBoolean

Property access_complexity ∷ CVSSv2AccessComplexity String

  • This entry is optional

    • This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will.
    • Default: low
    • Allowed Values:
      • high
      • low
      • medium
    • Reference: https://www.first.org/cvss/v2/guide#2-1-2-Access-Complexity-AC

Property access_vector ∷ CVSSv2AccessVector String

  • This entry is optional

Property authentication ∷ CVSSv2Authentication String

  • This entry is optional

    • This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The fewer authentication instances that are required, the higher the vulnerability score.
    • Default: none
    • Allowed Values:
      • multiple
      • none
      • single
    • Reference: https://www.first.org/cvss/v2/guide#2-1-3-Authentication-Au

Property availability_impact ∷ CVSSv2AvailabilityImpact String

  • This entry is optional

    • This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. Increased availability impact increases the vulnerability score.
    • Default: complete
    • Allowed Values:
      • complete
      • none
      • partial
    • Reference: https://www.first.org/cvss/v2/guide#2-1-6-Availability-Impact-A

Property availability_requirement ∷ CVSSv2SecurityRequirement String

  • This entry is optional

    • These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
    • Default: not_defined
    • Allowed Values:
      • high
      • low
      • medium
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property base_score ∷ Number

  • This entry is required

    • a Score number from 0 to 10

Property base_severity ∷ HighMedLow String

  • This entry is required

Property collateral_damage_potential ∷ CVSSv2CollateralDamagePotential String

  • This entry is optional

    • This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The metric may also measure economic loss of productivity or revenue. Naturally, the greater the damage potential, the higher the vulnerability score.
    • Default: not_defined
    • Allowed Values:
      • high
      • low
      • low_medium
      • medium_high
      • none
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-1-Collateral-Damage-Potential-CDP

Property confidentiality_impact ∷ CVSSv2ConfidentialityImpact String

  • This entry is optional

    • This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. Increasedconfidentiality impact increases the vulnerability score.
    • Default: complete
    • Allowed Values:
      • complete
      • none
      • partial
    • Reference: https://www.first.org/cvss/v2/guide#2-1-4-Confidentiality-Impact-C

Property confidentiality_requirement ∷ CVSSv2SecurityRequirement String

  • This entry is optional

    • These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
    • Default: not_defined
    • Allowed Values:
      • high
      • low
      • medium
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property environmental_vector_string ∷ String

  • This entry is optional

    • A text representation of a set of CVSSv2 environmental metrics. Environmental metrics allow analysists to calculate threat scores in relation to environmental security requirements, collateral damage potential, and target availability. It is commonly used to record or transfer CVSSv2 metric information in a concise form

Property exploitability ∷ CVSSv2Exploitability String

  • This entry is optional

    • This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled thereby increasing the severity of the vulnerability.
    • Default: not_defined
    • Allowed Values:
      • functional
      • high
      • not_defined
      • proof_of_concept
      • unproven
    • Reference: https://www.first.org/cvss/v2/guide#2-2-1-Exploitability-E

Property exploitability_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property impact_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property integrity_impact ∷ CVSSv2IntegrityImpact String

  • This entry is optional

    • This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the vulnerability score.
    • Default: complete
    • Allowed Values:
      • complete
      • none
      • partial
    • Reference: https://www.first.org/cvss/v2/guide#2-1-5-Integrity-Impact-I

Property integrity_requirement ∷ CVSSv2SecurityRequirement String

  • This entry is optional

    • These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
    • Default: not_defined
    • Allowed Values:
      • high
      • low
      • medium
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property obtain_all_privilege ∷ Boolean

  • This entry is optional

Property obtain_other_privilege ∷ Boolean

  • This entry is optional

Property obtain_user_privilege ∷ Boolean

  • This entry is optional

Property remediation_level ∷ CVSSv2RemediationLevel String

  • This entry is optional

    • The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The less official and permanent a fix, the higher the vulnerability score is.
    • Default: not_defined
    • Allowed Values:
      • not_defined
      • official_fix
      • temporary_fix
      • unavailable
      • workaround
    • Reference: https://www.first.org/cvss/v2/guide#2-2-2-Remediation-Level-RL

Property report_confidence ∷ CVSSv2ReportConfidence String

  • This entry is optional

    • This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of vulnerabilities are publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
    • Default: not_defined
    • Allowed Values:
      • confirmed
      • not_defined
      • unconfirmed
      • uncorroborated
    • Reference: https://www.first.org/cvss/v2/guide#2-2-3-Report-Confidence-RC

Property target_distribution ∷ CVSSv2TargetDistribution String

  • This entry is optional

    • This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability. The greater the proportion of vulnerable systems, the higher the score.
    • Default: not_defined
    • Allowed Values:
      • high
      • low
      • medium
      • none
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-2-Target-Distribution-TD

Property temporal_vector_string ∷ String

  • This entry is optional

    • A text representation of a set of CVSSv2 temporal metrics.Temporal metrics allow analysists to calculate threat severity based on temporal factors such as reliability of vulnerability reports, availability of mitigations, and the ease or difficulty of conducting the exploit. It is commonly used to record or transfer CVSSv2 metric information in a concise form

Property user_interaction_required ∷ Boolean

  • This entry is optional

Property vector_string ∷ String

  • This entry is required

    • a text representation of a set of CVSSv2 metrics.It is commonly used to record or transfer CVSSv2 metric information in a concise form

CVE Object

PropertyTypeDescriptionRequired?
cve_data_metaCVEDataMeta Object

Property cve_data_meta ∷ CVEDataMeta Object

  • This entry is required

CVEDataMeta Object

PropertyTypeDescriptionRequired?
assignerShortString String
idShortString String

Property assigner ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

Property id ∷ ShortString String

  • This entry is optional

    • String with at most 1024 characters

ExternalReference Object

External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedString StringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdown String
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ Markdown String

  • This entry is optional

    • Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedString String

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

ValidTime Object

Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

  • This entry is optional

    • Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Can you improve this documentation?Edit on GitHub

cljdoc is a website building & hosting documentation for Clojure/Script libraries

× close