Liking cljdoc? Tell your friends :D

Bundle Object

Bundle Describes a Bundle of any set of CTIM entities.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
typeBundleTypeIdentifierString
valid_timeValidTime Object
actor_refs#{String}
actors#{Actor Object}a list of Actors.
asset_mapping_refs#{String}
asset_mappings#{AssetMapping Object}a list of AssetMappings.
asset_properties#{AssetProperties Object}a list of AssetProperties.
asset_properties_refs#{String}
asset_refs#{String}
assets#{Asset Object}a list of Assets.
attack_pattern_refs#{String}
attack_patterns#{AttackPattern Object}a list of AttackPatterns.
campaign_refs#{String}
campaigns#{Campaign Object}a list of Campaigns.
coa_refs#{String}
coas#{COA Object}a list of COAs.
data_table_refs#{String}
data_tables#{DataTable Object}a list of DataTables.
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
feedback_refs#{String}
feedbacks#{Feedback Object}a list of Feedbacks.
identity_assertion_refs#{String}
identity_assertions#{IdentityAssertion Object}a list of IdentityAssertions.
incident_refs#{String}
incidents#{Incident Object}a list of Incidents.
indicator_refs#{String}
indicators#{Indicator Object}a list of Indicators.
judgement_refs#{String}
judgements#{Judgement Object}a list of Judgements.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
malware_refs#{String}
malwares#{Malware Object}a list of Malwares.
note_refs#{String}
notes#{Note Object}a list of Notes.
relationship_refs#{String}
relationships#{Relationship Object}a list of Relationships.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
sighting_refs#{String}
sightings#{Sighting Object}a list of Sightings.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
target_record_refs#{String}
target_records#{TargetRecord Object}a list of TargetRecords.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
tool_refs#{String}
tools#{Tool Object}a list of Tools.
verdict_refs#{String}
verdicts#{Verdict Object}a list of Verdicts.
vulnerabilities#{Vulnerability Object}a list of Vulnerabilitys.
vulnerability_refs#{String}
weakness_refs#{String}
weaknesses#{Weakness Object}a list of Weaknesss.
  • Reference: #

Property actor_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property actors ∷ #{Actor Object}

a list of Actors.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property asset_mapping_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property asset_mappings ∷ #{AssetMapping Object}

a list of AssetMappings.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property asset_properties ∷ #{AssetProperties Object}

a list of AssetProperties.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property asset_properties_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property asset_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property assets ∷ #{Asset Object}

a list of Assets.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property attack_pattern_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property attack_patterns ∷ #{AttackPattern Object}

a list of AttackPatterns.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property campaign_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property campaigns ∷ #{Campaign Object}

a list of Campaigns.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property coa_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property coas ∷ #{COA Object}

a list of COAs.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property data_table_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property data_tables ∷ #{DataTable Object}

a list of DataTables.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property feedback_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property feedbacks ∷ #{Feedback Object}

a list of Feedbacks.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity_assertion_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property identity_assertions ∷ #{IdentityAssertion Object}

a list of IdentityAssertions.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property incident_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property incidents ∷ #{Incident Object}

a list of Incidents.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property indicator_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property indicators ∷ #{Indicator Object}

a list of Indicators.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property judgement_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property judgements ∷ #{Judgement Object}

a list of Judgements.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property malware_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property malwares ∷ #{Malware Object}

a list of Malwares.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property note_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property notes ∷ #{Note Object}

a list of Notes.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property relationship_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property relationships ∷ #{Relationship Object}

a list of Relationships.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property sighting_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property sightings ∷ #{Sighting Object}

a list of Sightings.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property target_record_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property target_records ∷ #{TargetRecord Object}

a list of TargetRecords.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property tool_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property tools ∷ #{Tool Object}

a list of Tools.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property type ∷ BundleTypeIdentifierString

  • This entry is required

    • Must equal: "bundle"

Property valid_time ∷ ValidTime Object

  • This entry is required

Property verdict_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property verdicts ∷ #{Verdict Object}

a list of Verdicts.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property vulnerabilities ∷ #{Vulnerability Object}

a list of Vulnerabilitys.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

Property vulnerability_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property weakness_refs ∷ #{String}

  • This entry is optional

  • This entry's type is a set (allows zero or more distinct values)

    • A URI leading to an entity.

Property weaknesses ∷ #{Weakness Object}

a list of Weaknesss.

  • This entry is optional
  • This entry's type is a set (allows zero or more distinct values)

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Actor Object

Actor Describes malicious actors or adversaries related to a cyber attack.

PropertyTypeDescriptionRequired?
descriptionMarkdownStringA description of object, which may be detailed.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
titleShortStringStringA short title for this object, used as primary display and reference value.
typeActorTypeIdentifierString
valid_timeValidTime ObjectIndicates the time span for which the information about the Actor is relevant, and after which it could become outdated.
actor_typesThreatActorTypeString List
aliasesShortStringString ListA list of other names that this Threat Actor is believed to use.
confidenceHighMedLowStringThis field can help analysts decide how much trust they can put in the information provided by the threat intelligence sources. For example, an Actor entity can have high confidence if the organization's security researchers have been tracking it for a long time and have gathered a significant amount of intelligence about it through various sources, such as analysis of malware, network traffic, and human intelligence. In contrast, low confidence may indicate the organization has only seen limited or circumstantial evidence.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
identityIdentity ObjectCan contain information such as the name of the attacker, the group or organization they belong to, or any other identifier that can help in the attribution process.
intended_effectIntendedEffectStringRepresents the desired outcome or impact the threat actor is trying to achieve through their malicious activities. Helps security analysts to understand the attacker's goals beyond the immediate impact of the attack. By understanding the intended effect, analysts can draw connections between seemingly unrelated attacks and build a more complete understanding of an attacker's long-term goals and motivations.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
motivationMotivationStringThe reason or purpose behind the malicious activity attributed to this Actor. By understanding a threat actor's motivation, analysts can better predict the attacker's behavior and anticipate future malicious actions.
planning_and_operational_supportLongStringStringProvides information about the resources and capabilities of the attacker that could be used to assist in planning and operations related to the threat. It can be used to describe Infrastructure, Tools, Techniques, and Capabilities used by the threat actor.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sophisticationSophisticationStringRepresents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property actor_types ∷ ThreatActorTypeString List

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Cyber Espionage Operations
      • Disgruntled Customer / User
      • Hacker
      • Hacker - Black hat
      • Hacker - Gray hat
      • Hacker - White hat
      • Hacktivist
      • Insider Threat
      • State Actor / Agency
      • eCrime Actor - Credential Theft Botnet Operator
      • eCrime Actor - Credential Theft Botnet Service
      • eCrime Actor - Malware Developer
      • eCrime Actor - Money Laundering Network
      • eCrime Actor - Organized Crime Actor
      • eCrime Actor - Spam Service
      • eCrime Actor - Traffic Service
      • eCrime Actor - Underground Call Service

Property aliases ∷ ShortStringString List

A list of other names that this Threat Actor is believed to use.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property confidence ∷ HighMedLowString

This field can help analysts decide how much trust they can put in the information provided by the threat intelligence sources.

For example, an Actor entity can have high confidence if the organization's security researchers have been tracking it for a long time and have gathered a significant amount of intelligence about it through various sources, such as analysis of malware, network traffic, and human intelligence. In contrast, low confidence may indicate the organization has only seen limited or circumstantial evidence.

  • This entry is optional

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity ∷ Identity Object

Can contain information such as the name of the attacker, the group or organization they belong to, or any other identifier that can help in the attribution process.

  • This entry is optional

Property intended_effect ∷ IntendedEffectString

Represents the desired outcome or impact the threat actor is trying to achieve through their malicious activities.

Helps security analysts to understand the attacker's goals beyond the immediate impact of the attack. By understanding the intended effect, analysts can draw connections between seemingly unrelated attacks and build a more complete understanding of an attacker's long-term goals and motivations.

  • This entry is optional

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property motivation ∷ MotivationString

The reason or purpose behind the malicious activity attributed to this Actor. By understanding a threat actor's motivation, analysts can better predict the attacker's behavior and anticipate future malicious actions.

  • This entry is optional

    • Allowed Values:
      • Ego
      • Financial or Economic
      • Ideological
      • Ideological - Anti-Corruption
      • Ideological - Anti-Establishment
      • Ideological - Environmental
      • Ideological - Ethnic / Nationalist
      • Ideological - Human Rights
      • Ideological - Information Freedom
      • Ideological - Religious
      • Ideological - Security Awareness
      • Military
      • Opportunistic
      • Political

Property planning_and_operational_support ∷ LongStringString

Provides information about the resources and capabilities of the attacker that could be used to assist in planning and operations related to the threat.

It can be used to describe Infrastructure, Tools, Techniques, and Capabilities used by the threat actor.

  • This entry is optional

    • LongString String with at most 5000 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is required

    • MedString String with at most 2048 characters.

Property sophistication ∷ SophisticationString

Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface.

For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware.

The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected.

If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.

  • This entry is optional

    • Allowed Values:
      • Aspirant
      • Expert
      • Innovator
      • Novice
      • Practitioner

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is required

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ ActorTypeIdentifierString

  • This entry is required

    • Must equal: "actor"

Property valid_time ∷ ValidTime Object

Indicates the time span for which the information about the Actor is relevant, and after which it could become outdated.

  • This entry is required

Identity Object

Identity Describes a person or an organization.

PropertyTypeDescriptionRequired?
descriptionMarkdownString
related_identitiesRelatedIdentity Object ListIdentifies other entity Identities related to this Identity.

Property description ∷ MarkdownString

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity.

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

RelatedIdentity Object

RelatedIdentity Describes a related Identity

PropertyTypeDescriptionRequired?
identityStringThe reference (URI) of the related Identity object.
confidenceHighMedLowStringSpecifies the level of confidence in the assertion of the relationship between the two objects.
information_sourceStringSpecifies the source of the information about the relationship between the two components.
relationshipString

Property confidence ∷ HighMedLowString

Specifies the level of confidence in the assertion of the relationship between the two objects.

  • This entry is optional

Property identity ∷ String

The reference (URI) of the related Identity object.

  • This entry is required

    • A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components.

  • This entry is optional

Property relationship ∷ String

  • This entry is optional

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Asset Object

Asset Describes a protected resource. It could be a Device, User, Network, Application or Data.

PropertyTypeDescriptionRequired?
asset_typeAssetTypeStringType of the Asset: Device, Person, Application, etc.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
typeAssetTypeIdentifierString
valid_timeValidTime ObjectSpecifies the time range during which the asset is considered valid or accurate. For example, if an asset entity represents a device, the valid_time field could be used to indicate the period during which the device's configuration information is deemed accurate.
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property asset_type ∷ AssetTypeString

Type of the Asset: Device, Person, Application, etc.

  • This entry is required

    • Allowed Values:
      • application
      • data
      • device
      • network
      • person

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ AssetTypeIdentifierString

  • This entry is required

    • Must equal: "asset"

Property valid_time ∷ ValidTime Object

Specifies the time range during which the asset is considered valid or accurate. For example, if an asset entity represents a device, the valid_time field could be used to indicate the period during which the device's configuration information is deemed accurate.

  • This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

AssetMapping Object

AssetMapping A record that maps a specific Observable to an asset for a specified period of time.

PropertyTypeDescriptionRequired?
asset_refStringURI that points to the mapped Asset.
asset_typeAssetTypeStringType of the mapped Asset: Device, Person, Application, etc.
confidenceHighMedLowStringLevel of confidence held in the characterization of this AssetMapping e.g.: is it susceptible to manipulation or translation?
idStringGlobally unique URI identifying this object.
observableObservable ObjectAn AssetMapping is a record that a specific Observable maps to an Asset for an indicated period of time.
schema_versionStringCTIM schema version for this entity.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
specificitySpecificityStringDenotes the level of how many assets potentially could have this same identifier.
stabilityStabilityStringDo we manage when it changes, or is it always a time bound assignment?
typeAssetMappingTypeIdentifierString
valid_timeValidTime ObjectFor each asset, we allow for the assertion of time bound properties.This gives us both a record of the current state of the asset,as well as history.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property asset_ref ∷ String

URI that points to the mapped Asset.

  • This entry is required

    • A URI leading to an entity.

Property asset_type ∷ AssetTypeString

Type of the mapped Asset: Device, Person, Application, etc.

  • This entry is required

    • Allowed Values:
      • application
      • data
      • device
      • network
      • person

Property confidence ∷ HighMedLowString

Level of confidence held in the characterization of this AssetMapping e.g.: is it susceptible to manipulation or translation?

  • This entry is required

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property observable ∷ Observable Object

An AssetMapping is a record that a specific Observable maps to an Asset for an indicated period of time.

  • This entry is required

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property specificity ∷ SpecificityString

Denotes the level of how many assets potentially could have this same identifier.

  • This entry is required

    • Allowed Values:
      • Low
      • Medium
      • Unique

Property stability ∷ StabilityString

Do we manage when it changes, or is it always a time bound assignment?

  • This entry is required

    • Allowed Values:
      • Managed
      • Physical
      • Temporary

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ AssetMappingTypeIdentifierString

  • This entry is required

    • Must equal: "asset-mapping"

Property valid_time ∷ ValidTime Object

For each asset, we allow for the assertion of time bound properties.This gives us both a record of the current state of the asset,as well as history.

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

AssetProperties Object

AssetProperties Assets do not have any product specific properties, those are represented in AssetProperties - which is a record that asserts one or more properties of an Asset for a specific time.

PropertyTypeDescriptionRequired?
asset_refStringURI that points to the associated Asset.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
typeAssetPropertiesTypeIdentifierString
valid_timeValidTime ObjectThe time range during which the AssetProperties is considered valid.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
propertiesAssetProperty Object List
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property asset_ref ∷ String

URI that points to the associated Asset.

  • This entry is required

    • A URI leading to an entity.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property properties ∷ AssetProperty Object List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ AssetPropertiesTypeIdentifierString

  • This entry is required

    • Must equal: "asset-properties"

Property valid_time ∷ ValidTime Object

The time range during which the AssetProperties is considered valid.

  • This entry is required

AssetProperty Object

PropertyTypeDescriptionRequired?
nameStringThe properties are an open vocabulary.
valueString

Property name ∷ String

The properties are an open vocabulary.

Property value ∷ String

  • This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

AttackPattern Object

AttackPattern Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.

PropertyTypeDescriptionRequired?
descriptionMarkdownStringA description of object, which may be detailed.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
short_descriptionMedStringStringA single line, short summary of the object.
titleShortStringStringA short title for this object, used as primary display and reference value.
typeAttackPatternTypeIdentifierString
abstraction_levelAttackPatternAbstractionsStringThe CAPEC abstraction level for patterns describing techniques to attack a system.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListA list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
kill_chain_phasesKillChainPhase Object ListA kill chain is a series of steps that an attacker must go through to successfully achieve their objective. The concept was originally developed by the military, but has been adapted to the cybersecurity field to describe the steps an attacker goes through to compromise a target system and achieve their goal.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
x_mitre_contributorsShortStringString ListATT&CK Technique.Contributors.
x_mitre_data_sourcesShortStringString ListATT&CK Technique.Data Sources.
x_mitre_platformsShortStringString ListATT&CK Technique.Platforms.

Property abstraction_level ∷ AttackPatternAbstractionsString

The CAPEC abstraction level for patterns describing techniques to attack a system.

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

A kill chain is a series of steps that an attacker must go through to successfully achieve their objective. The concept was originally developed by the military, but has been adapted to the cybersecurity field to describe the steps an attacker goes through to compromise a target system and achieve their goal.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is required

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ AttackPatternTypeIdentifierString

  • This entry is required

    • Must equal: "attack-pattern"

Property x_mitre_contributors ∷ ShortStringString List

ATT&CK Technique.Contributors.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property x_mitre_data_sources ∷ ShortStringString List

ATT&CK Technique.Data Sources.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property x_mitre_platforms ∷ ShortStringString List

ATT&CK Technique.Platforms.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Campaign Object

Campaign Represents a campaign by an actor pursing an intent.

PropertyTypeDescriptionRequired?
campaign_typeShortStringStringString value that describes the type of campaign. For example, a campaign type could be 'Ransomware', 'Advanced Persistent Threat', 'Business Email Compromise', 'Phishing', etc.
descriptionMarkdownStringA description of object, which may be detailed.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
short_descriptionMedStringStringA single line, short summary of the object.
titleShortStringStringA short title for this object, used as primary display and reference value.
typeCampaignTypeIdentifierString
valid_timeValidTime ObjectTimestamp for the definition of a specific version of a campaign.
activityActivity Object ListUsed to capture specific activities or tactics associated with the campaign. The 'activity' field is an array of objects, and each element represents a specific activity and time associated with the campaign. Examples of activities may include malicious software delivery, command and control communication, network reconnaissance, data exfiltration, etc. By capturing these activities analysts can identify the specific tactics used by the threat actor(s) behind the campaign.
confidenceHighMedLowStringLevel of confidence held in the characterization of this Campaign.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
intended_effectIntendedEffectString ListCharacterizes the intended effect of this cyber threat campaign.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
namesShortStringString ListUsed to capture alternate names or aliases associated with the campaign. A cyberattack campaign may have multiple names or aliases depending on the group or actor(s) behind the attack, e.g., 'Wannacry' is also known as 'WannaCrypt', 'WCry', 'Wanna Decryptor', etc.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
statusCampaignStatusStringIndicates current Status of the Campaign. Can have one of the following values: - Ongoing: Indicates that the campaign is currently active and ongoing. For example, a mass phishing campaign that is actively targeting users is considered 'ongoing'. - Historic: Campaign has already occurred and is now in the past. - Future: This indicates that a campaign is planned or expected to occur in the future. For example, a threat actor may announce their intention to launch a specific cyberattack campaign at a future date.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property activity ∷ Activity Object List

Used to capture specific activities or tactics associated with the campaign. The 'activity' field is an array of objects, and each element represents a specific activity and time associated with the campaign. Examples of activities may include malicious software delivery, command and control communication, network reconnaissance, data exfiltration, etc. By capturing these activities analysts can identify the specific tactics used by the threat actor(s) behind the campaign.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property campaign_type ∷ ShortStringString

String value that describes the type of campaign. For example, a campaign type could be 'Ransomware', 'Advanced Persistent Threat', 'Business Email Compromise', 'Phishing', etc.

  • This entry is required

  • Dev Notes: Should we define a vocabulary for this?

    • ShortString String with at most 1024 characters.

Property confidence ∷ HighMedLowString

Level of confidence held in the characterization of this Campaign.

  • This entry is optional

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property intended_effect ∷ IntendedEffectString List

Characterizes the intended effect of this cyber threat campaign.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property names ∷ ShortStringString List

Used to capture alternate names or aliases associated with the campaign. A cyberattack campaign may have multiple names or aliases depending on the group or actor(s) behind the attack, e.g., 'Wannacry' is also known as 'WannaCrypt', 'WCry', 'Wanna Decryptor', etc.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property status ∷ CampaignStatusString

Indicates current Status of the Campaign.

Can have one of the following values:

  • Ongoing: Indicates that the campaign is currently active and ongoing. For example, a mass phishing campaign that is actively targeting users is considered 'ongoing'.

  • Historic: Campaign has already occurred and is now in the past.

  • Future: This indicates that a campaign is planned or expected to occur in the future. For example, a threat actor may announce their intention to launch a specific cyberattack campaign at a future date.

  • This entry is optional

    • Allowed Values:
      • Future
      • Historic
      • Ongoing

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is required

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ CampaignTypeIdentifierString

  • This entry is required

    • Must equal: "campaign"

Property valid_time ∷ ValidTime Object

Timestamp for the definition of a specific version of a campaign.

  • This entry is required

Activity Object

Activity Captures the specific activities or tactics associated with the entity. Examples of activities may include malicious software delivery, command and control communication, network reconnaissance, data exfiltration, etc.

PropertyTypeDescriptionRequired?
date_timeInst (Date)Specifies the date and time at which the activity occured.
descriptionMarkdownStringA description of the activity.

Property date_time ∷ Inst (Date)

Specifies the date and time at which the activity occured.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property description ∷ MarkdownString

A description of the activity.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

COA Object

COA Course of Action. A corrective or preventative action to be taken in response to a threat.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
typeCOATypeIdentifierString
valid_timeValidTime Object
coa_typeCOATypeStringThe type of this COA
costHighMedLowStringCharacterizes the estimated cost for applying this course of action.
descriptionMarkdownStringA description of object, which may be detailed.
efficacyHighMedLowStringEffectiveness of this course of action in achieving its targeted objective.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
impactShortStringStringCharacterizes the estimated impact of applying this course of action.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
objectiveShortStringString ListCharacterizes the objective to provide guidance on how to mitigate a security incident that has been identified.
open_c2_coaOpenC2COA Object
related_COAsRelatedCOA Object ListIdentifies or characterizes relationships to one or more related courses of action.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
stageCOAStageStringSpecifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to.
structured_coa_typeOpenC2StructuredCOATypeString
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property coa_type ∷ COATypeString

The type of this COA

  • This entry is optional

    • Allowed Values:
      • Diplomatic Actions
      • Eradication
      • Hardening
      • Internal Blocking
      • Logical Access Restrictions
      • Monitoring
      • Other
      • Patching
      • Perimeter Blocking
      • Phase
      • Physical Access Restrictions
      • Playbook
      • Policy Actions
      • Public Disclosure
      • Rebuilding
      • Redirection
      • Redirection (Honey Pot)
      • Task
      • Training
    • Reference: CourseOfActionTypeVocab

Property cost ∷ HighMedLowString

Characterizes the estimated cost for applying this course of action.

  • This entry is optional

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property efficacy ∷ HighMedLowString

Effectiveness of this course of action in achieving its targeted objective.

  • This entry is optional

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ ShortStringString

Characterizes the estimated impact of applying this course of action.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property objective ∷ ShortStringString List

Characterizes the objective to provide guidance on how to mitigate a security incident that has been identified.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

  • Dev Notes: Squashed / simplified

    • ShortString String with at most 1024 characters.

Property open_c2_coa ∷ OpenC2COA Object

  • This entry is optional

Property related_COAs ∷ RelatedCOA Object List

Identifies or characterizes relationships to one or more related courses of action.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property stage ∷ COAStageString

Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to.

  • This entry is optional

    • Allowed Values:
      • Containment
      • Eradication
      • Identification
      • Lessons Learned
      • Preparation
      • Recovery
      • Remedy
      • Response
    • Reference: COAStageVocab

Property structured_coa_type ∷ OpenC2StructuredCOATypeString

  • This entry is optional

    • Must equal: "openc2"

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ COATypeIdentifierString

  • This entry is required

    • Must equal: "coa"

Property valid_time ∷ ValidTime Object

  • This entry is required

OpenC2COA Object

PropertyTypeDescriptionRequired?
actionActionType Object
typeStructuredCOATypeString
actuatorActuatorType Object
idShortStringString
modifiersModifierType Object
targetTargetType Object

Property action ∷ ActionType Object

  • This entry is required

Property actuator ∷ ActuatorType Object

  • This entry is optional

Property id ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property modifiers ∷ ModifierType Object

  • This entry is optional

Property target ∷ TargetType Object

  • This entry is optional

Property type ∷ StructuredCOATypeString

  • This entry is required

    • Must equal: "structured_coa"

ModifierType Object

PropertyTypeDescriptionRequired?
additional_propertiesAdditionalProperties Object
delayInst (Date)
destinationString
durationInst (Date)
frequencyShortStringString
idShortStringString
locationString
methodString List
optionShortStringString
responseString
searchString
sourceShortStringString
timeValidTime Object

Property additional_properties ∷ AdditionalProperties Object

  • This entry is optional

Property delay ∷ Inst (Date)

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property destination ∷ String

  • This entry is optional

    • Allowed Values:
      • copy-to
      • modify-to
      • move-to
      • report-to
      • restore-point
      • save-to
      • set-to

Property duration ∷ Inst (Date)

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property frequency ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property id ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property location ∷ String

  • This entry is optional

    • Allowed Values:
      • internal
      • perimeter

Property method ∷ String List

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • acl
      • authenticated
      • blackhole
      • blacklist
      • graceful
      • hibernate
      • honeypot
      • immediate
      • segmentation
      • spawn
      • suspend
      • unauthenticated
      • whitelist

Property option ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property response ∷ String

  • This entry is optional

    • Allowed Values:
      • acknowledge
      • command-ref
      • query
      • status

Property search ∷ String

  • This entry is optional

    • Allowed Values:
      • cve
      • patch
      • signature
      • vendor_bulletin

Property source ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ValidTime Object

  • This entry is optional

AdditionalProperties Object

PropertyTypeDescriptionRequired?
contextShortStringString

Property context ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ActuatorType Object

PropertyTypeDescriptionRequired?
typeActuatorTypeString
specifiersShortStringString ListList of additional properties describing the actuator.

Property specifiers ∷ ShortStringString List

List of additional properties describing the actuator.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property type ∷ ActuatorTypeString

  • This entry is required

    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • other
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

TargetType Object

PropertyTypeDescriptionRequired?
typeTargetTypeVocabString
specifiersShortStringStringObservable types that can be acted upon.

Property specifiers ∷ ShortStringString

Observable types that can be acted upon.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property type ∷ TargetTypeVocabString

  • This entry is required

    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

ActionType Object

PropertyTypeDescriptionRequired?
typeCOATypeString

Property type ∷ COATypeString

  • This entry is required

    • Allowed Values:
      • alert
      • allow
      • augment
      • contain
      • delete
      • deny
      • detonate
      • distill
      • get
      • investigate
      • locate
      • mitigate
      • modify
      • move
      • notify
      • other
      • pause
      • query
      • redirect
      • remediate
      • report
      • response
      • restart
      • restore
      • resume
      • save
      • scan
      • set
      • snapshot
      • start
      • stop
      • substitute
      • sync
      • throttle
      • update
    • Reference: OpenC2/STIX COA XML schema

RelatedCOA Object

PropertyTypeDescriptionRequired?
COA_idString
confidenceHighMedLowString
relationshipString
sourceString

Property COA_id ∷ String

  • This entry is required

    • A URI leading to a COA.

Property confidence ∷ HighMedLowString

  • This entry is optional

Property relationship ∷ String

  • This entry is optional

Property source ∷ String

  • This entry is optional

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Feedback Object

Feedback Feedback on any entity. Is it wrong? If so why? Was it right-on, and worthy of confirmation?

PropertyTypeDescriptionRequired?
entity_idString
feedbackInteger
idStringGlobally unique URI identifying this object.
reasonString
schema_versionStringCTIM schema version for this entity.
typeFeedbackTypeIdentifierString
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property entity_id ∷ String

  • This entry is required

    • A URI leading to an entity.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property feedback ∷ Integer

  • This entry is required

    • Allowed Values:
      • -1
      • 0
      • 1

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property reason ∷ String

  • This entry is required

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ FeedbackTypeIdentifierString

  • This entry is required

    • Must equal: "feedback"

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Incident Object

Incident Information about computer security incident response. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents pertain to one or more adverse events, each of which is modeled as a sighting.

PropertyTypeDescriptionRequired?
confidenceHighMedLowStringRepresents the level of certainty or trustworthiness associated with the incident. It denotes the reliability of the intelligence associated with the incident. The confidence field can take on several values, including: - info: Indicates that the incident information is based on sources with no previous track record or there is no track record for the source reporting the incident. - low: Indicates that the incident information is based on sources with a questionable track record or there is limited information about the accuracy of the source. - medium: Indicates that the incident information is based on sources with a mixed track record or of uncertain reliability. - high: Indicates that the incident information is based on sources with a proven track record and high degree of reliability. The confidence field can be used to indicate the level of trust and confidence that can be attributed to the incident, and it may impact how the incident is prioritized, analyzed and addressed. It can also help in the decision-making process associated with the incident response activities. It is important to note that the confidence field is subjective and can be interpreted differently by different organizations or analysts. As such, it is often used in conjunction with other intelligence attributes, such as the severity field, to provide a more complete picture of the incident.
idStringGlobally unique URI identifying this object.
incident_timeIncidentTime ObjectRelevant time values associated with this Incident.
schema_versionStringCTIM schema version for this entity.
statusStatusStringThe status field represents the current state of an incident within the incident management process. Its values help in tracking and reporting the progress of the incident from its discovery to its resolution.
typeIncidentTypeIdentifierString
assigneesShortStringString ListA set of owners assigned to this incident.
categoriesIncidentCategoryString ListA set of categories for this incident.
descriptionMarkdownStringA description of object, which may be detailed.
discovery_methodDiscoveryMethodStringIdentifies how the incident was discovered.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
intended_effectIntendedEffectStringSpecifies the suspected intended effect of this incident
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
metaMetaData Objectmetadata associated to the incident.
promotion_methodPromotionMethodStringDescribes method for promoting an Incident, whether manually or automatically. An Incident may be created manually by a SOAR analyst or SOC operator, or through an automated correlation or aggregation rule or engine that matches a specific set of events or alerts, and promotes them to Incident(s).
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
scoresIncidentScores ObjectUsed to indicate the severity or impact score of the threat represented by the incident.
severitySeverityStringRepresents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first. Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape. It is important to note that the severity field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the confidence field, to provide a more comprehensive view of the incident.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
tacticsShortStringString ListRepresents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics.
techniquesShortStringString ListRepresents the specific methods or actions used by an attacker to carry out an offensive maneuver or achieve their goals.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property assignees ∷ ShortStringString List

A set of owners assigned to this incident.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property categories ∷ IncidentCategoryString List

A set of categories for this incident.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Attrition
      • Denial of Service
      • Exercise
      • Exercise/Network Defense Testing
      • Explained Anomaly
      • Forensics
      • Improper Usage
      • Intelligence
      • Investigating
      • Investigation
      • Malicious Code
      • Malicious Logic
      • Non-Compliant
      • Reconnaissance
      • Root Level
      • Scans/Probes/Attempted Access
      • Unauthorized Access
      • Unsuccessful
      • User Level
      • eDiscovery

Property confidence ∷ HighMedLowString

Represents the level of certainty or trustworthiness associated with the incident. It denotes the reliability of the intelligence associated with the incident. The confidence field can take on several values, including:

  • info: Indicates that the incident information is based on sources with no previous track record or there is no track record for the source reporting the incident.
  • low: Indicates that the incident information is based on sources with a questionable track record or there is limited information about the accuracy of the source.
  • medium: Indicates that the incident information is based on sources with a mixed track record or of uncertain reliability.
  • high: Indicates that the incident information is based on sources with a proven track record and high degree of reliability. The confidence field can be used to indicate the level of trust and confidence that can be attributed to the incident, and it may impact how the incident is prioritized, analyzed and addressed. It can also help in the decision-making process associated with the incident response activities. It is important to note that the confidence field is subjective and can be interpreted differently by different organizations or analysts. As such, it is often used in conjunction with other intelligence attributes, such as the severity field, to provide a more complete picture of the incident.
  • This entry is required

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property discovery_method ∷ DiscoveryMethodString

Identifies how the incident was discovered.

  • This entry is optional

    • Allowed Values:
      • Agent Disclosure
      • Antivirus
      • Audit
      • Customer
      • External - Fraud Detection
      • Financial Audit
      • HIPS
      • IT Audit
      • Incident Response
      • Internal - Fraud Detection
      • Law Enforcement
      • Log Review
      • Monitoring Service
      • NIDS
      • Security Alarm
      • Unknown
      • Unrelated Party
      • User

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property incident_time ∷ IncidentTime Object

Relevant time values associated with this Incident.

  • This entry is required
  • Dev Notes: Was 'time'; renamed for clarity

Property intended_effect ∷ IntendedEffectString

Specifies the suspected intended effect of this incident

  • This entry is optional

    • Allowed Values:
      • Account Takeover
      • Advantage
      • Advantage - Economic
      • Advantage - Military
      • Advantage - Political
      • Brand Damage
      • Competitive Advantage
      • Degradation of Service
      • Denial and Deception
      • Destruction
      • Disruption
      • Embarrassment
      • Exposure
      • Extortion
      • Fraud
      • Harassment
      • ICS Control
      • Theft
      • Theft - Credential Theft
      • Theft - Identity Theft
      • Theft - Intellectual Property
      • Theft - Theft of Proprietary Information
      • Traffic Diversion
      • Unauthorized Access

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property meta ∷ MetaData Object

metadata associated to the incident.

  • This entry is optional

Property promotion_method ∷ PromotionMethodString

Describes method for promoting an Incident, whether manually or automatically. An Incident may be created manually by a SOAR analyst or SOC operator, or through an automated correlation or aggregation rule or engine that matches a specific set of events or alerts, and promotes them to Incident(s).

  • This entry is optional

    • Allowed Values:
      • Automated
      • Manual

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property scores ∷ IncidentScores Object

Used to indicate the severity or impact score of the threat represented by the incident.

  • This entry is optional

Property severity ∷ SeverityString

Represents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first. Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape. It is important to note that the severity field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the confidence field, to provide a more comprehensive view of the incident.

  • This entry is optional

    • Allowed Values:
      • Critical
      • High
      • Info
      • Low
      • Medium
      • None
      • Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property status ∷ StatusString

The status field represents the current state of an incident within the incident management process. Its values help in tracking and reporting the progress of the incident from its discovery to its resolution.

  • This entry is required

    • Allowed Values:
      • Closed
      • Closed: Confirmed Threat
      • Closed: False Positive
      • Closed: Merged
      • Closed: Near-Miss
      • Closed: Other
      • Closed: Suspected
      • Closed: Under Review
      • Containment Achieved
      • Hold
      • Hold: External
      • Hold: Internal
      • Hold: Legal
      • Incident Reported
      • New
      • New: Presented
      • New: Processing
      • Open
      • Open: Contained
      • Open: Investigating
      • Open: Recovered
      • Open: Reported
      • Rejected
      • Restoration Achieved
      • Stalled

Property tactics ∷ ShortStringString List

Represents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property techniques ∷ ShortStringString List

Represents the specific methods or actions used by an attacker to carry out an offensive maneuver or achieve their goals.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ IncidentTypeIdentifierString

  • This entry is required

    • Must equal: "incident"

IncidentScores Object

PropertyTypeDescriptionRequired?
KeywordNumberField is used to indicate the severity or impact of the threat represented by the incident. It's an open-type dictionary object with score types and numeric value of the score. For example, systems can have the following score types: - asset - assesses the potential damage or harm that the threat can cause to the affected asset(s). The scale ranges from 0 to 10, with 10 indicating the highest potential harm. - global - assesses the overall impact or significance of the threat to the organization or wider community. The scale ranges from 0 to 1000, with 1000 indicating the highest impact. - ttp - a measure of the threat actor's proficiency in utilizing TTPs. Typically, ranges from 0-100, with a higher score indicating a greater threat or concern.

Property Keyword ∷ Number

Field is used to indicate the severity or impact of the threat represented by the incident. It's an open-type dictionary object with score types and numeric value of the score.

For example, systems can have the following score types:

  • asset - assesses the potential damage or harm that the threat can cause to the affected asset(s). The scale ranges from 0 to 10, with 10 indicating the highest potential harm.

  • global - assesses the overall impact or significance of the threat to the organization or wider community. The scale ranges from 0 to 1000, with 1000 indicating the highest impact.

  • ttp - a measure of the threat actor's proficiency in utilizing TTPs. Typically, ranges from 0-100, with a higher score indicating a greater threat or concern.

  • This entry is optional

    • Allowed Values:

      • :asset
      • :global
      • :ttp
    • A non-negative score number.

MetaData Object

PropertyTypeDescriptionRequired?
KeywordStringcustom field relevant to attach meta data to.

Property Keyword ∷ Either

custom field relevant to attach meta data to.

  • This entry is optional

    • Only one of the following schemas will match

IncidentTime Object

PropertyTypeDescriptionRequired?
openedInst (Date)Time the incident was first opened.
closedInst (Date)Time that the incident was last closed.
discoveredInst (Date)Time the incident was first discovered.
rejectedInst (Date)Time that the incident was first rejected.
remediatedInst (Date)Time that the remediation of the damage from the incident was completed.
reportedInst (Date)Time the incident was first reported.

Property closed ∷ Inst (Date)

Time that the incident was last closed.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property discovered ∷ Inst (Date)

Time the incident was first discovered.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property opened ∷ Inst (Date)

Time the incident was first opened.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property rejected ∷ Inst (Date)

Time that the incident was first rejected.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property remediated ∷ Inst (Date)

Time that the remediation of the damage from the incident was completed.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property reported ∷ Inst (Date)

Time the incident was first reported.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Indicator Object

Indicator An indicator is a test, or a collection of judgements that define criteria for identifying the activity, or presence of malware, or other unwanted software.

We follow the STiX IndicatorType closely, with the exception of not including observables within the indicator, and preferring a specification object encoded in JSON as opposed to an opaque implementation block.

Additional, you will want to either define judgements against Observables that are linked to this indicator, with the ID in the indicators field of those Judgements, or you can provide a specification value.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
producerShortStringString
schema_versionStringCTIM schema version for this entity.
typeIndicatorTypeIdentifierStringThe fixed value indicator
valid_timeValidTime ObjectThe time range during which this Indicator is considered valid.
composite_indicator_expressionCompositeIndicatorExpression Object
confidenceHighMedLowStringlevel of confidence held in the accuracy of this Indicator.
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
indicator_typeIndicatorTypeString ListSpecifies the type or types for this Indicator.
kill_chain_phasesKillChainPhase Object ListRelevant kill chain phases indicated by this Indicator.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
likely_impactLongStringStringLikely potential impact within the relevant context if this Indicator were to occur.
negateBooleanSpecifies the absence of the pattern.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
severitySeverityString
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
specificationJudgementSpecification Object
tagsShortStringString ListDescriptors for this indicator.
test_mechanismsMedStringString ListTest Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property composite_indicator_expression ∷ CompositeIndicatorExpression Object

  • This entry is optional

Property confidence ∷ HighMedLowString

level of confidence held in the accuracy of this Indicator.

  • This entry is optional

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property indicator_type ∷ IndicatorTypeString List

Specifies the type or types for this Indicator.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Anonymization
      • C2
      • Compromised PKI Certificate
      • Domain Watchlist
      • Exfiltration
      • File Hash Watchlist
      • Host Characteristics
      • IMEI Watchlist
      • IMSI Watchlist
      • IP Watchlist
      • Login Name
      • Malicious E-mail
      • Malware Artifacts
      • Private Threat Feed
      • URL Watchlist
    • Reference: IndicatorTypeVocab

Property kill_chain_phases ∷ KillChainPhase Object List

Relevant kill chain phases indicated by this Indicator.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)
  • Dev Notes: simplified

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property likely_impact ∷ LongStringString

Likely potential impact within the relevant context if this Indicator were to occur.

  • This entry is optional

    • LongString String with at most 5000 characters.

Property negate ∷ Boolean

Specifies the absence of the pattern.

  • This entry is optional

Property producer ∷ ShortStringString

  • This entry is required

  • Dev Notes: TODO - Document what is supposed to be in this field!

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ SeverityString

  • This entry is optional

    • Allowed Values:
      • Critical
      • High
      • Info
      • Low
      • Medium
      • None
      • Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property specification ∷ Either

  • This entry is optional

    • Only one of the following schemas will match

Property tags ∷ ShortStringString List

Descriptors for this indicator.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

Property test_mechanisms ∷ MedStringString List

Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

  • Dev Notes: simplified

    • MedString String with at most 2048 characters.

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ IndicatorTypeIdentifierString

The fixed value indicator

  • This entry is required

    • IndicatorTypeIdentifier The fixed value "indicator"
    • Must equal: "indicator"

Property valid_time ∷ ValidTime Object

The time range during which this Indicator is considered valid.

  • This entry is required

OpenIOCSpecification Object

OpenIOCSpecification An indicator which contains an XML blob of an openIOC indicator.

PropertyTypeDescriptionRequired?
open_IOCString
typeOpenIOCSpecificationTypeString

Property open_IOC ∷ String

  • This entry is required

Property type ∷ OpenIOCSpecificationTypeString

  • This entry is required

    • Must equal: "OpenIOC"

SIOCSpecification Object

SIOCSpecification An indicator which runs in snort...

PropertyTypeDescriptionRequired?
SIOCString
typeSIOCSpecificationTypeString

Property SIOC ∷ String

  • This entry is required

Property type ∷ SIOCSpecificationTypeString

  • This entry is required

    • Must equal: "SIOC"

SnortSpecification Object

SnortSpecification An indicator which runs in snort...

PropertyTypeDescriptionRequired?
snort_sigString
typeSnortSpecificationTypeString

Property snort_sig ∷ String

  • This entry is required

Property type ∷ SnortSpecificationTypeString

  • This entry is required

    • Must equal: "Snort"

ThreatBrainSpecification Object

ThreatBrainSpecification An indicator which runs in threatbrain...

PropertyTypeDescriptionRequired?
typeThreatBrainSpecificationTypeString
variablesString List
queryString

Property query ∷ String

  • This entry is optional

Property type ∷ ThreatBrainSpecificationTypeString

  • This entry is required

    • Must equal: "ThreatBrain"

Property variables ∷ String List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

JudgementSpecification Object

JudgementSpecification An indicator based on a list of judgements. If any of the Observables in it's judgements are encountered, than it may be matches against. If there are any required judgements, they all must be matched in order for the indicator to be considered a match.

PropertyTypeDescriptionRequired?
judgementsString List
required_judgementsRelatedJudgement Object List
typeJudgementSpecificationTypeString

Property judgements ∷ String List

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • A URI leading to a judgement.

Property required_judgements ∷ RelatedJudgement Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property type ∷ JudgementSpecificationTypeString

  • This entry is required

    • Must equal: "Judgement"

RelatedJudgement Object

PropertyTypeDescriptionRequired?
judgement_idString
confidenceHighMedLowString
relationshipString
sourceString

Property confidence ∷ HighMedLowString

  • This entry is optional

Property judgement_id ∷ String

  • This entry is required

    • A URI leading to a judgement.

Property relationship ∷ String

  • This entry is optional

Property source ∷ String

  • This entry is optional

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

CompositeIndicatorExpression Object

PropertyTypeDescriptionRequired?
indicator_idsString List
operatorBooleanOperatorString

Property indicator_ids ∷ String List

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • A URI leading to an indicator.

Property operator ∷ BooleanOperatorString

  • This entry is required

    • Allowed Values:
      • and
      • not
      • or

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Judgement Object

Judgement A judgement about the intent or nature of an observable. For example, is it malicious, meaning is is malware and subverts system operations? It could also be clean and be from a known benign, or trusted source. It could also be common, something so widespread that it's not likely to be malicious.

Since a core goal of the CTIA is to provide a simple verdict service, these judgements are the basis for the returned verdicts. These are also the primary means by which users of the CTIA go from observables on their system, to the indicators and threat intelligence data in CTIA.

PropertyTypeDescriptionRequired?
confidenceHighMedLowString
dispositionDispositionNumberIntegerMatches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
disposition_nameDispositionNameString
idStringGlobally unique URI identifying this object.
observableObservable Object
priorityInteger
schema_versionStringCTIM schema version for this entity.
severitySeverityString
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
typeJudgementTypeIdentifierString
valid_timeValidTime Object
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
reasonShortStringString
reason_uriString
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property confidence ∷ HighMedLowString

  • This entry is required

Property disposition ∷ DispositionNumberInteger

Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

  • This entry is required

    • DispositionNumber Numeric verdict identifiers.
    • Allowed Values:
      • 1
      • 2
      • 3
      • 4
      • 5

Property disposition_name ∷ DispositionNameString

  • This entry is required

    • DispositionName String verdict identifiers.
    • Allowed Values:
      • Clean
      • Common
      • Malicious
      • Suspicious
      • Unknown

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property observable ∷ Observable Object

  • This entry is required

Property priority ∷ Integer

  • This entry is required

    • A value 0-100 that determine the priority of a judgement. Curated feeds of black/white lists, for example known good products within your organizations, should use a 95. All automated systems should use a priority of 90, or less. Human judgements should have a priority of 100, so that humans can always override machines.

Property reason ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property reason_uri ∷ String

  • This entry is optional

    • A URI

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ SeverityString

  • This entry is required

    • Allowed Values:
      • Critical
      • High
      • Info
      • Low
      • Medium
      • None
      • Unknown

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ JudgementTypeIdentifierString

  • This entry is required

    • Must equal: "judgement"

Property valid_time ∷ ValidTime Object

  • This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Malware Object

Malware Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.

PropertyTypeDescriptionRequired?
descriptionMarkdownStringA description of object, which may be detailed.
idStringGlobally unique URI identifying this object.
labelsMalwareLabelString ListThe type of malware being described.
schema_versionStringCTIM schema version for this entity.
short_descriptionMedStringStringA single line, short summary of the object.
titleShortStringStringA short title for this object, used as primary display and reference value.
typeMalwareTypeIdentifierString
abstraction_levelMalwareAbstractionsStringMalware abstraction level.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
kill_chain_phasesKillChainPhase Object ListThe list of Kill Chain Phases for which this Malware can be used.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
x_mitre_aliasesShortStringString ListATT&CK Software.aliases.

Property abstraction_level ∷ MalwareAbstractionsString

Malware abstraction level.

  • This entry is optional

    • MalwareAbstractions Malware Abstraction level
    • Allowed Values:
      • family
      • variant
      • version

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Malware can be used.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property labels ∷ MalwareLabelString List

The type of malware being described.

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • MalwareLabel Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool.
    • Allowed Values:
      • adware
      • backdoor
      • bot
      • ddos
      • dropper
      • exploit-kit
      • keylogger
      • ransomware
      • remote-access-trojan
      • resource-exploitation
      • rogue-security-software
      • rootkit
      • screen-capture
      • spyware
      • trojan
      • virus
      • worm
    • Reference: Malware Label

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is required

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ MalwareTypeIdentifierString

  • This entry is required

    • Must equal: "malware"

Property x_mitre_aliases ∷ ShortStringString List

ATT&CK Software.aliases.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Note Object

Note A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the Objects, assigning Text/content to the Object the Note relates to Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum.

PropertyTypeDescriptionRequired?
contentMarkdownString
idStringGlobally unique URI identifying this object.
note_classKeyword
related_entitiesNoteRelatedEntity Object List
schema_versionStringCTIM schema version for this entity.
typeNoteTypeIdentifierString
authorString
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property author ∷ String

  • This entry is optional

Property content ∷ MarkdownString

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property note_class ∷ Keyword

  • This entry is required

Property related_entities ∷ NoteRelatedEntity Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ NoteTypeIdentifierString

  • This entry is required

    • Must equal: "note"

NoteRelatedEntity Object

PropertyTypeDescriptionRequired?
entity_idString
entity_typeString

Property entity_id ∷ String

  • This entry is required

    • A URI leading to an entity.

Property entity_type ∷ String

  • This entry is required

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Relationship Object

Relationship Represents a relationship between two entities.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
relationship_typeRelationshipTypeString
schema_versionStringCTIM schema version for this entity.
source_refString
target_refString
typeRelationshipTypeIdentifierString
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property relationship_type ∷ RelationshipTypeString

  • This entry is required

    • Allowed Values:
      • attributed-to
      • based-on
      • derived-from
      • detects
      • duplicate-of
      • element-of
      • exploits
      • indicates
      • member-of
      • mitigates
      • phase-of
      • related-to
      • sighting-of
      • subtechnique-of
      • targets
      • task-of
      • technique-of
      • uses
      • variant-of

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_ref ∷ String

  • This entry is required

    • A URI leading to an entity.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property target_ref ∷ String

  • This entry is required

    • A URI leading to an entity.

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ RelationshipTypeIdentifierString

  • This entry is required

    • Must equal: "relationship"

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Sighting Object

Sighting A sighting indicates that a particular entity or indicator was observed in an environment and can be an indication of a current or potential threat.

PropertyTypeDescriptionRequired?
confidenceHighMedLowString
countIntegerThe number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents.
idStringGlobally unique URI identifying this object.
observed_timeObservedTime Object
schema_versionStringCTIM schema version for this entity.
typeSightingTypeIdentifierString
contextContext ObjectContext including the event type that best fits the type of the sighting.
dataSightingDataTable ObjectAn embedded data table for the Sighting.
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
internalBooleanIf true, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC. Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization. Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
observablesObservable Object ListThe object(s) of interest.
relationsObservedRelation Object ListProvide any context we can about where the observable came from.
resolutionResolutionStringRepresents the disposition or actions taken on the associated threat intelligence.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sensorSensorStringThe OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
sensor_coordinatesSensorCoordinates Object
severitySeverityString
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
targetsIdentitySpecification Object ListMay include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise. Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property confidence ∷ HighMedLowString

  • This entry is required

Property context ∷ Context Object

Context including the event type that best fits the type of the sighting.

  • This entry is optional

Property count ∷ Integer

The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents.

  • This entry is required

    • Zero, or a positive integer.

Property data ∷ SightingDataTable Object

An embedded data table for the Sighting.

  • This entry is optional

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property internal ∷ Boolean

If true, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC. Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization. Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known.

  • This entry is optional

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property observables ∷ Observable Object List

The object(s) of interest.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property relations ∷ ObservedRelation Object List

Provide any context we can about where the observable came from.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property resolution ∷ ResolutionString

Represents the disposition or actions taken on the associated threat intelligence.

  • This entry is optional

    • Resolution indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP.
    • Allowed Values:
      • allowed
      • blocked
      • contained
      • detected

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property sensor ∷ SensorString

The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)

  • This entry is optional

    • Sensor The sensor/actuator name that best fits a device.
    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

Property sensor_coordinates ∷ SensorCoordinates Object

  • This entry is optional

Property severity ∷ SeverityString

  • This entry is optional

    • Allowed Values:
      • Critical
      • High
      • Info
      • Low
      • Medium
      • None
      • Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property targets ∷ IdentitySpecification Object List

May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise.

Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ SightingTypeIdentifierString

  • This entry is required

    • Must equal: "sighting"

Context Object

PropertyTypeDescriptionRequired?
file_create_eventsFileCreateType Object Lista list of FileCreateType
file_delete_eventsFileDeleteType Object Lista list of FileDeleteType
file_modify_eventsFileModifyType Object Lista list of FileModifyType
file_move_eventsFileMoveType Object Lista list of FileMoveType
http_eventsHTTPType Object Lista list of HTTPType
library_load_eventsLibraryLoadType Object Lista list of LibraryLoadType
netflow_eventsNetflowType Object Lista list of NetflowType
process_create_eventsProcessCreateType Object Lista list of ProcessCreate
registry_create_eventsRegistryCreateType Object Lista list of RegistryCreateType
registry_delete_eventsRegistryDeleteType Object Lista list of RegistryDeleteType
registry_rename_eventsRegistryRenameType Object Lista list of RegistryRenameType
registry_set_eventsRegistrySetType Object Lista list of RegistrySetType

Property file_create_events ∷ FileCreateType Object List

a list of FileCreateType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property file_delete_events ∷ FileDeleteType Object List

a list of FileDeleteType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property file_modify_events ∷ FileModifyType Object List

a list of FileModifyType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property file_move_events ∷ FileMoveType Object List

a list of FileMoveType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property http_events ∷ HTTPType Object List

a list of HTTPType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property library_load_events ∷ LibraryLoadType Object List

a list of LibraryLoadType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property netflow_events ∷ NetflowType Object List

a list of NetflowType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property process_create_events ∷ ProcessCreateType Object List

a list of ProcessCreate

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_create_events ∷ RegistryCreateType Object List

a list of RegistryCreateType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_delete_events ∷ RegistryDeleteType Object List

a list of RegistryDeleteType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_rename_events ∷ RegistryRenameType Object List

a list of RegistryRenameType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_set_events ∷ RegistrySetType Object List

a list of RegistrySetType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

RegistryRenameType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
registry_old_keyShortStringString
timeObservedTime Object
typeRegistryRenameTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property registry_old_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistryRenameTypeIdentifierString

  • This entry is required

    • Must equal: "RegistryRenameEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryDeleteType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
timeObservedTime Object
typeRegistryDeleteTypeIdentifierString
process_guidInteger
process_usernameShortStringString
registry_valueMedStringString

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property registry_value ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistryDeleteTypeIdentifierString

  • This entry is required

    • Must equal: "RegistryDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistrySetType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
registry_valueMedStringString
timeObservedTime Object
typeRegistrySetTypeIdentifierString
process_guidInteger
process_usernameShortStringString
registry_dataLongStringString
registry_data_lengthInteger

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property registry_data ∷ LongStringString

  • This entry is optional

    • LongString String with at most 5000 characters.

Property registry_data_length ∷ Integer

  • This entry is optional

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property registry_value ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistrySetTypeIdentifierString

  • This entry is required

    • Must equal: "RegistrySetEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryCreateType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
timeObservedTime Object
typeRegistryCreateTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistryCreateTypeIdentifierString

  • This entry is required

    • Must equal: "RegistryCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

HTTPType Object

PropertyTypeDescriptionRequired?
hostShortStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
trafficTraffic Object
typeHTTPTypeIdentifierString
encryptedBoolean
methodHTTPMethodString
process_guidInteger
process_usernameShortStringString
queryLongStringString
url_portInteger

Property encrypted ∷ Boolean

  • This entry is optional

Property host ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property method ∷ HTTPMethodString

  • This entry is optional

    • Allowed Values:
      • CONNECT
      • GET
      • HEAD
      • OPTIONS
      • PATCH
      • POST
      • PUT
      • TRACE

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property query ∷ LongStringString

  • This entry is optional

    • LongString String with at most 5000 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property traffic ∷ Traffic Object

  • This entry is required

Property type ∷ HTTPTypeIdentifierString

  • This entry is required

    • Must equal: "HTTPEvent"

Property url_port ∷ Integer

  • This entry is optional

Traffic Object

PropertyTypeDescriptionRequired?
destination_ipString
destination_portInteger
directionTrafficDirectionString
protocolIntegerThe IP protocol id
source_ipString
source_portInteger
destination_host_nameString
destination_subnetString
source_subnetString

Property destination_host_name ∷ String

  • This entry is optional

Property destination_ip ∷ String

  • This entry is required

Property destination_port ∷ Integer

  • This entry is required

Property destination_subnet ∷ String

  • This entry is optional

Property direction ∷ TrafficDirectionString

  • This entry is required

    • Allowed Values:
      • incoming
      • outgoing

Property protocol ∷ Integer

The IP protocol id

  • This entry is required

Property source_ip ∷ String

  • This entry is required

Property source_port ∷ Integer

  • This entry is required

Property source_subnet ∷ String

  • This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

NetflowType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
timeObservedTime Object
trafficTraffic Object
typeNetflowTypeIdentifierString
byte_count_inInteger
byte_count_outInteger
flow_timeInst (Date)
parent_process_accountShortStringString
parent_process_account_typeShortStringString
parent_process_argsShortStringString
parent_process_hashShortStringString
parent_process_idInteger
parent_process_nameShortStringString
parent_process_pathShortStringString
process_accountShortStringString
process_account_typeShortStringString
process_argsShortStringString
process_guidInteger
process_hashShortStringString
process_pathShortStringString
process_usernameShortStringString

Property byte_count_in ∷ Integer

  • This entry is optional

Property byte_count_out ∷ Integer

  • This entry is optional

Property flow_time ∷ Inst (Date)

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_account ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_account_type ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_args ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_hash ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_id ∷ Integer

  • This entry is optional

Property parent_process_name ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_path ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_account ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_account_type ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_args ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_hash ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_path ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property traffic ∷ Traffic Object

  • This entry is required

Property type ∷ NetflowTypeIdentifierString

  • This entry is required

    • Must equal: "NetflowEvent"

Traffic Object

PropertyTypeDescriptionRequired?
destination_ipString
destination_portInteger
directionTrafficDirectionString
protocolIntegerThe IP protocol id
source_ipString
source_portInteger
destination_host_nameString
destination_subnetString
source_subnetString

Property destination_host_name ∷ String

  • This entry is optional

Property destination_ip ∷ String

  • This entry is required

Property destination_port ∷ Integer

  • This entry is required

Property destination_subnet ∷ String

  • This entry is optional

Property direction ∷ TrafficDirectionString

  • This entry is required

    • Allowed Values:
      • incoming
      • outgoing

Property protocol ∷ Integer

The IP protocol id

  • This entry is required

Property source_ip ∷ String

  • This entry is required

Property source_port ∷ Integer

  • This entry is required

Property source_subnet ∷ String

  • This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileMoveType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
new_nameShortStringString
old_nameShortStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileMoveTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters.

Property new_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property old_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileMoveTypeIdentifierString

  • This entry is required

    • Must equal: "FileMoveEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileModifyType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileModifyTypeIdentifierString
failedBoolean
process_guidInteger
process_usernameShortStringString

Property failed ∷ Boolean

  • This entry is optional

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileModifyTypeIdentifierString

  • This entry is required

    • Must equal: "FileModifyEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileDeleteType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileDeleteTypeIdentifierString
failedBoolean
process_guidInteger
process_usernameShortStringString

Property failed ∷ Boolean

  • This entry is optional

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileDeleteTypeIdentifierString

  • This entry is required

    • Must equal: "FileDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileCreateType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileCreateTypeIdentifierString
failedBoolean
process_guidInteger
process_usernameShortStringString

Property failed ∷ Boolean

  • This entry is optional

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileCreateTypeIdentifierString

  • This entry is required

    • Must equal: "FileCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

LibraryLoadType Object

PropertyTypeDescriptionRequired?
dll_library_nameShortStringString
dll_library_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeLibraryLoadTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property dll_library_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property dll_library_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ LibraryLoadTypeIdentifierString

  • This entry is required

    • Must equal: "LibraryLoadEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ProcessCreateType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeProcessCreateTypeIdentifierString
parent_creation_timeInst (Date)
parent_process_argsMedStringString
parent_process_dispositionShortStringString
parent_process_guidInteger
parent_process_hashMedStringString
parent_process_idInteger
parent_process_nameShortStringString
parent_process_sizeInteger
parent_process_usernameShortStringString
process_argsMedStringString
process_dispositionShortStringString
process_guidInteger
process_hashMedStringString
process_sizeInteger
process_usernameShortStringString

Property parent_creation_time ∷ Inst (Date)

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_args ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters.

Property parent_process_disposition ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_guid ∷ Integer

  • This entry is optional

Property parent_process_hash ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters.

Property parent_process_id ∷ Integer

  • This entry is optional

Property parent_process_name ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property parent_process_size ∷ Integer

  • This entry is optional

Property parent_process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_args ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters.

Property process_disposition ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property process_guid ∷ Integer

  • This entry is optional

Property process_hash ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters.

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters.

Property process_size ∷ Integer

  • This entry is optional

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ ProcessCreateTypeIdentifierString

  • This entry is required

    • Must equal: "ProcessCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ObservedRelation Object

ObservedRelation A relation inside a Sighting.

PropertyTypeDescriptionRequired?
originString
relatedObservable Object
relationObservableRelationTypeString
sourceObservable Object
origin_uriString
relation_infoObject

Property origin ∷ String

  • This entry is required

Property origin_uri ∷ String

  • This entry is optional

    • A URI

Property related ∷ Observable Object

  • This entry is required

Property relation ∷ ObservableRelationTypeString

  • This entry is required

    • Allowed Values:
      • Allocated
      • Allocated_By
      • Attached_To
      • Bound
      • Bound_By
      • Characterized_By
      • Characterizes
      • Child_Of
      • Closed
      • Closed_By
      • Compressed
      • Compressed_By
      • Compressed_From
      • Compressed_Into
      • Connected_From
      • Connected_To
      • Contained_Within
      • Contains
      • Copied
      • Copied_By
      • Copied_From
      • Copied_To
      • Created
      • Created_By
      • Decoded
      • Decoded_By
      • Decompressed
      • Decompressed_By
      • Decrypted
      • Decrypted_By
      • Deleted
      • Deleted_By
      • Deleted_From
      • Downloaded
      • Downloaded_By
      • Downloaded_From
      • Downloaded_To
      • Dropped
      • Dropped_By
      • Encoded
      • Encoded_By
      • Encrypted
      • Encrypted_By
      • Encrypted_From
      • Encrypted_To
      • Extracted_From
      • FQDN_Of
      • Freed
      • Freed_By
      • Hooked
      • Hooked_By
      • Initialized_By
      • Initialized_To
      • Injected
      • Injected_As
      • Injected_By
      • Injected_Into
      • Installed
      • Installed_By
      • Joined
      • Joined_By
      • Killed
      • Killed_By
      • Listened_On
      • Listened_On_By
      • Loaded_From
      • Loaded_Into
      • Locked
      • Locked_By
      • Mapped_By
      • Mapped_Into
      • Merged
      • Merged_By
      • Modified_Properties_Of
      • Monitored
      • Monitored_By
      • Moved
      • Moved_By
      • Moved_From
      • Moved_To
      • Opened
      • Opened_By
      • Packed
      • Packed_By
      • Packed_From
      • Packed_Into
      • Parent_Of
      • Paused
      • Paused_By
      • Previously_Contained
      • Properties_Modified_By
      • Properties_Queried
      • Properties_Queried_By
      • Read_From
      • Read_From_By
      • Received
      • Received_By
      • Received_From
      • Received_Via_Upload
      • Redirects_To
      • Refers_To
      • Related_To
      • Renamed
      • Renamed_By
      • Renamed_From
      • Renamed_To
      • Resolved_To
      • Resumed
      • Resumed_By
      • Root_Domain_Of
      • Searched_For
      • Searched_For_By
      • Sent
      • Sent_By
      • Sent_To
      • Sent_Via_Upload
      • Set_From
      • Set_To
      • Sub-domain_Of
      • Supra-domain_Of
      • Suspended
      • Suspended_By
      • Unhooked
      • Unhooked_By
      • Unlocked
      • Unlocked_By
      • Unpacked
      • Unpacked_By
      • Uploaded
      • Uploaded_By
      • Uploaded_From
      • Uploaded_To
      • Used
      • Used_By
      • Values_Enumerated
      • Values_Enumerated_By
      • Written_To_By
      • Wrote_To

Property relation_info ∷ Object

  • This entry is optional

Property source ∷ Observable Object

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

Object

PropertyTypeDescriptionRequired?
KeywordAnything

Property Keyword ∷ Anything

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

IdentitySpecification Object

IdentitySpecification Describes the target of the sighting and contains identifying observables for the target.

PropertyTypeDescriptionRequired?
observablesObservable Object List
observed_timeObservedTime Object
typeSensorString
osString

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property os ∷ String

  • This entry is optional

Property type ∷ SensorString

  • This entry is required

    • Sensor The sensor/actuator name that best fits a device.
    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

SensorCoordinates Object

SensorCoordinates Describes the device that made the sighting (sensor) and contains identifying observables for the sensor.

PropertyTypeDescriptionRequired?
observablesObservable Object List
typeSensorString
osString

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property os ∷ String

  • This entry is optional

Property type ∷ SensorString

  • This entry is required

    • Sensor The sensor/actuator name that best fits a device.
    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

SightingDataTable Object

SightingDataTable An embedded data table for sightings data.

PropertyTypeDescriptionRequired?
columnsColumnDefinition Object Listan ordered list of column definitions
rowsAnything Listan ordered list of rows
row_countIntegerThe number of rows in the data table.

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property row_count ∷ Integer

The number of rows in the data table.

  • This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

ColumnDefinition Object

PropertyTypeDescriptionRequired?
nameString
typeColumnTypeString
descriptionMarkdownString
requiredBooleanIf true, the row entries for this column cannot contain nulls. Defaults to true.
short_descriptionString

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property name ∷ String

  • This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true.

  • This entry is optional

Property short_description ∷ String

  • This entry is optional

Property type ∷ ColumnTypeString

  • This entry is required

    • Allowed Values:
      • integer
      • markdown
      • number
      • observable
      • string
      • url

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

IdentityAssertion Object

IdentityAssertion Context attributes about the target or any of its observables. Providers could provide different types of assertions regarding a target depending on their own capabilities.

PropertyTypeDescriptionRequired?
assertionsAssertion Object ListAny known context about the identity attributes.
idStringGlobally unique URI identifying this object.
identityIdentityCoordinates ObjectAttributes for which the assertion is being made.
schema_versionStringCTIM schema version for this entity.
typeIdentityAssertionTypeIdentifierString
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
valid_timeValidTime Object

Property assertions ∷ Assertion Object List

Any known context about the identity attributes.

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity ∷ IdentityCoordinates Object

Attributes for which the assertion is being made.

  • This entry is required

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ IdentityAssertionTypeIdentifierString

  • This entry is required

    • Must equal: "identity-assertion"

Property valid_time ∷ ValidTime Object

  • This entry is optional

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Assertion Object

PropertyTypeDescriptionRequired?
nameAssertionTypeString
valueString

Property name ∷ AssertionTypeString

  • This entry is required

    • AssertionType An open vocabulary containing well known assertion types
    • Allowed Values:
      • cisco:ctr:ad:host_domain_name
      • cisco:ctr:ad:host_resolved_dns
      • cisco:ctr:ad:host_resolved_identities
      • cisco:ctr:ad:normalized_user
      • cisco:ctr:ad:user_domain_name
      • cisco:ctr:ad:user_net_bios_name
      • cisco:ctr:ad:user_resolved_dns
      • cisco:ctr:ad:user_resolved_identities
      • cisco:ctr:common:business_value
      • cisco:ctr:common:ir_attributes
      • cisco:ctr:common:node_label
      • cisco:ctr:device:administrators
      • cisco:ctr:device:connector_version
      • cisco:ctr:device:endpoint_profile
      • cisco:ctr:device:hardware_version
      • cisco:ctr:device:has_ip_blocking
      • cisco:ctr:device:id
      • cisco:ctr:device:last_sync_status
      • cisco:ctr:device:last_sync_time
      • cisco:ctr:device:location
      • cisco:ctr:device:manufacturer
      • cisco:ctr:device:mdm_compliant
      • cisco:ctr:device:mdm_imei
      • cisco:ctr:device:mdm_jail_broken
      • cisco:ctr:device:mdm_registered
      • cisco:ctr:device:model
      • cisco:ctr:device:name
      • cisco:ctr:device:os_version
      • cisco:ctr:device:os_version_name
      • cisco:ctr:device:owner
      • cisco:ctr:device:posture
      • cisco:ctr:device:security_group
      • cisco:ctr:device:serial_number
      • cisco:ctr:device:software_version
      • cisco:ctr:device:status
      • cisco:ctr:device:type
      • cisco:ctr:device:vendor
      • cisco:ctr:user:building
      • cisco:ctr:user:department
      • cisco:ctr:user:emails
      • cisco:ctr:user:entitlements
      • cisco:ctr:user:first_name
      • cisco:ctr:user:groups
      • cisco:ctr:user:last_name
      • cisco:ctr:user:manager
      • cisco:ctr:user:phone_numbers
      • cisco:ctr:user:roles
      • cisco:ctr:user:status
      • cisco:ctr:user:timezone
      • cisco:ctr:user:title
      • cisco:ctr:user:two_factor_enable

Property value ∷ String

  • This entry is required

IdentityCoordinates Object

PropertyTypeDescriptionRequired?
observablesObservable Object List

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

TargetRecord Object

TargetRecord A TargetRecord is a Sighting that has no threat or observables associated with it, it's a way of saying they saw a set of observables together as a Target.

PropertyTypeDescriptionRequired?
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
targetsTarget Object List
typeTargetRecordTypeIdentifierString
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property targets ∷ Target Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ TargetRecordTypeIdentifierString

  • This entry is required

    • Must equal: "target-record"

Target Object

Target Schema for TargetRecord Targets

PropertyTypeDescriptionRequired?
observablesObservable Object List
observed_timeObservedTime Object
typeSensorString
internalBooleanIs it internal to our network?
osStringSource Operating System where TargetRecord was originated.
sensorStringThe OpenC2 Actuator name that best fits the device that is creating this TargetRecord (e.g.: network.firewall, etc.)
source_uriString

Property internal ∷ Boolean

Is it internal to our network?

  • This entry is optional

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property os ∷ String

Source Operating System where TargetRecord was originated.

  • This entry is optional

Property sensor ∷ String

The OpenC2 Actuator name that best fits the device that is creating this TargetRecord (e.g.: network.firewall, etc.)

  • This entry is optional

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property type ∷ SensorString

  • This entry is required

    • Sensor The sensor/actuator name that best fits a device.
    • Allowed Values:
      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period.

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Tool Object

Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.

PropertyTypeDescriptionRequired?
descriptionMarkdownStringA description of object, which may be detailed.
idStringGlobally unique URI identifying this object.
labelsToolLabelString ListThe kind(s) of tool(s) being described.
schema_versionStringCTIM schema version for this entity.
short_descriptionMedStringStringA single line, short summary of the object.
titleShortStringStringA short title for this object, used as primary display and reference value.
typeToolTypeIdentifierString
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
kill_chain_phasesKillChainPhase Object ListThe list of kill chain phases for which this Tool can be used.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
tool_versionShortStringStringThe version identifier associated with the Tool.
x_mitre_aliasesShortStringString ListATT&CK Software.aliases.

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of kill chain phases for which this Tool can be used.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property labels ∷ ToolLabelString List

The kind(s) of tool(s) being described.

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • ToolLabel Tool labels describe the categories of tools that can be used to perform attacks.
    • Allowed Values:
      • credential-exploitation
      • denial-of-service
      • exploitation
      • information-gathering
      • network-capture
      • remote-access
      • vulnerability-scanning
    • Reference: Tool Label

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is required

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is required

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property tool_version ∷ ShortStringString

The version identifier associated with the Tool.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property type ∷ ToolTypeIdentifierString

  • This entry is required

    • Must equal: "tool"

Property x_mitre_aliases ∷ ShortStringString List

ATT&CK Software.aliases.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • ShortString String with at most 1024 characters.

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

PropertyTypeDescriptionRequired?
kill_chain_nameStringThe name of the kill chain.
phase_nameStringThe name of the phase in the kill chain.

Property kill_chain_name ∷ String

The name of the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Must equal: "lockheed-martin-cyber-kill-chain"
    • Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

  • This entry is required

    • SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
    • Allowed Values:
      • actions-on-objective
      • command-and-control
      • delivery
      • exploitation
      • installation
      • reconnaissance
      • weaponization
    • Reference: Open Vocabulary

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Verdict Object

Verdict A Verdict is chosen from all of the Judgements on that Observable which have not yet expired. The highest priority Judgement becomes the active verdict. If there is more than one Judgement with that priority, then Clean disposition has priority over all others, then Malicious disposition, and so on down to Unknown.

The ID of a verdict is a a str of the form "observable.type:observable.value" for example, "ip:1.1.1.1"

PropertyTypeDescriptionRequired?
dispositionDispositionNumberInteger
observableObservable Object
typeVerdictTypeIdentifierString
valid_timeValidTime Object
disposition_nameDispositionNameStringThe disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
judgement_idString

Property disposition ∷ DispositionNumberInteger

  • This entry is required

    • DispositionNumber Numeric verdict identifiers.
    • Allowed Values:
      • 1
      • 2
      • 3
      • 4
      • 5

Property disposition_name ∷ DispositionNameString

The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

  • This entry is optional

    • DispositionName String verdict identifiers.
    • Allowed Values:
      • Clean
      • Common
      • Malicious
      • Suspicious
      • Unknown

Property judgement_id ∷ String

  • This entry is optional

    • A URI leading to a judgement.

Property observable ∷ Observable Object

  • This entry is required

Property type ∷ VerdictTypeIdentifierString

  • This entry is required

    • Must equal: "verdict"

Property valid_time ∷ ValidTime Object

  • This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierStringThe type of observable.
valueStringThe value of the observable.

Property type ∷ ObservableTypeIdentifierString

The type of observable.

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • acudid
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • cortex_agent_id
      • crowdstrike_id
      • cvm_id
      • cybereason_id
      • darktrace_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • meraki_network_id
      • meraki_node_sn
      • meraki_org_id
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_uid
      • process_username
      • processor_id
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

The value of the observable.

  • This entry is required

DataTable Object

DataTable A generic table of data, consisting of types and documented columns, and 1 or more rows of data.

PropertyTypeDescriptionRequired?
columnsColumnDefinition Object ListAn ordered list of column definitions.
idStringGlobally unique URI identifying this object.
rowsAnything ListAn ordered list of rows
schema_versionStringCTIM schema version for this entity.
typeDataTableTypeIdentifierString
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
row_countIntegerThe number of rows in the data table.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
valid_timeValidTime Object

Property columns ∷ ColumnDefinition Object List

An ordered list of column definitions.

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property row_count ∷ Integer

The number of rows in the data table.

  • This entry is optional

Property rows ∷ Anything List List

An ordered list of rows

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ DataTableTypeIdentifierString

  • This entry is required

    • Must equal: "data-table"

Property valid_time ∷ ValidTime Object

  • This entry is optional

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ColumnDefinition Object

PropertyTypeDescriptionRequired?
nameString
typeColumnTypeString
descriptionMarkdownString
requiredBooleanIf true, the row entries for this column cannot contain nulls. Defaults to true.
short_descriptionString

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property name ∷ String

  • This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true.

  • This entry is optional

Property short_description ∷ String

  • This entry is optional

Property type ∷ ColumnTypeString

  • This entry is required

    • Allowed Values:
      • integer
      • markdown
      • number
      • observable
      • string
      • url

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Weakness Object

Weakness A mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways.

PropertyTypeDescriptionRequired?
descriptionMarkdownStringShould be short and limited to the key points that define this weakness.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
typeWeaknessTypeIdentifierStringThe fixed value weakness
abstraction_levelWeaknessAbstractionLevelStringRefers to the level of abstraction or granularity used to describe the weakness. It helps to categorize the vulnerability based on the level of detail provided.
affected_resourcesSystemResourceString ListIdentifies system resources that can be affected by an exploit of this weakness.
alternate_termsAlternateTerm Object ListIndicates one or more other names used to describe this weakness.
architecturesArchitecture Object ListApplicable architectures.
background_detailsMarkdownStringInformation that is relevant but not related to the nature of the weakness itself.
common_consequencesConsequence Object ListRefers to the typical or expected negative effects that can result from exploiting the weakness. This could include anything from unauthorized access to data, denial of service, system crashes or other things.
detection_methodsDetectionMethod Object ListIdentifies methods that may be employed to detect this weakness, including their strengths and limitations.
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
functional_areasFunctionalAreaString ListIdentifies the functional area of the software in which the weakness is most likely to occur.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
languagesLanguage Object ListApplicable Languages.
likelihoodHighMedLowStringLikelihood of exploit.
modes_of_introductionModeOfIntroduction Object ListInformation about how and when a given weakness may be introduced.
notesNote Object ListProvides any additional comments about the weakness.
operating_systemsOperatingSystem Object ListApplicable operating systems.
paradigmsParadigm Object ListApplicable paradigms.
potential_mitigationsMitigation Object ListDescribes potential mitigations associated with a weakness.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
structureWeaknessStructureStringDefines the structural nature of the weakness.
technologiesTechnology Object ListApplicable technologies.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property abstraction_level ∷ WeaknessAbstractionLevelString

Refers to the level of abstraction or granularity used to describe the weakness. It helps to categorize the vulnerability based on the level of detail provided.

  • This entry is optional

    • WeaknessAbstractionLevel Refers to the level of abstraction or granularity used to describe the weakness. It helps to categorize the vulnerability based on the level of detail provided. CTIM provides four different levels of abstraction for weaknesses: Class, Base, Variant, and Compound.
  • Class: is the highest level of abstraction and describes a general category of weaknesses. Examples of Classes include :"Buffer Errors", "Input Validation", or "Authentication Issues".

  • Base: More specific category than Class. A Base weakness is a concrete form of a Class weakness. An example of a Base weakness could be "SQL Injection".

  • Variant: Describes one specific type of Base weakness that is defined by alterations or extensions to the Base description. For example, "Blind SQL Injection" can be considered a Variant of the Base weakness "SQL Injection".

  • Compound: A Compound Weakness describes a weakness that combines two or more Base weaknesses to exploit a system. For example, a "Buffer-Overflow with Format-String Exploit" combines the Base weaknesses of "Buffer-Overflow" and "Format-String Vulnerability".

By specifying the abstraction level, cybersec professionals can more easily identify weaknesses that are related and prioritize their response efforts based on the potential impact of the vulnerability.

Property affected_resources ∷ SystemResourceString List

Identifies system resources that can be affected by an exploit of this weakness.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • SystemResource Defines a resource of a system.
    • Allowed Values:
      • CPU
      • File or Directory
      • Memory
      • System Process
    • Reference: ResourceEnumeration

Property alternate_terms ∷ AlternateTerm Object List

Indicates one or more other names used to describe this weakness.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property architectures ∷ Architecture Object List

Applicable architectures.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property background_details ∷ MarkdownString

Information that is relevant but not related to the nature of the weakness itself.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property common_consequences ∷ Consequence Object List

Refers to the typical or expected negative effects that can result from exploiting the weakness. This could include anything from unauthorized access to data, denial of service, system crashes or other things.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property description ∷ MarkdownString

Should be short and limited to the key points that define this weakness.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property detection_methods ∷ DetectionMethod Object List

Identifies methods that may be employed to detect this weakness, including their strengths and limitations.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property functional_areas ∷ FunctionalAreaString List

Identifies the functional area of the software in which the weakness is most likely to occur.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • FunctionalArea Defines the different functional areas of software in which the weakness may appear.
    • Allowed Values:
      • Authentication
      • Authorization
      • Code Libraries
      • Counters
      • Cryptography
      • Error Handling
      • File Processing
      • Functional-Area-Independent
      • Interprocess Communication
      • Logging
      • Memory Management
      • Networking
      • Number Processing
      • Program Invocation
      • Protection Mechanism
      • Session Management
      • Signals
      • String Processing
    • Reference: FunctionalAreaEnumeration

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property languages ∷ Language Object List

Applicable Languages.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property likelihood ∷ HighMedLowString

Likelihood of exploit.

  • This entry is optional

Property modes_of_introduction ∷ ModeOfIntroduction Object List

Information about how and when a given weakness may be introduced.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property notes ∷ Note Object List

Provides any additional comments about the weakness.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property operating_systems ∷ OperatingSystem Object List

Applicable operating systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property paradigms ∷ Paradigm Object List

Applicable paradigms.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property potential_mitigations ∷ Mitigation Object List

Describes potential mitigations associated with a weakness.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property structure ∷ WeaknessStructureString

Defines the structural nature of the weakness.

  • This entry is optional

    • WeaknessStructure Structural nature of a weakness. Useful as it categorizes weaknesses based on their dependencies and complexity and helps analysts to prioritize their response efforts based on the potential impact of the vulnerability.
  • Chain: A chain weakness might involve an attacker chaining together multiple vulnerabilities and exploits in order to achieve their end goal. For example, an attacker might use a phishing attack to gain access to a user's email account, then use information from that account to socially engineer their way through additional systems until they gain access to an internal network. In this case, the attacker is chaining multiple weaknesses together in order to achieve their ultimate objective.

  • Composite: A composite weakness might involve multiple vulnerabilities that exist in different layers or components of a system. For example, a composite weakness in a web application might involve both an injection vulnerability and a cross-site scripting vulnerability. An attacker could use these weaknesses in tandem to steal data or take over the system.

  • Simple: A simple weakness might involve a single vulnerability or exploit that can be used to achieve a specific objective. An example of a simple weakness might be a buffer overflow vulnerability in a software application. If an attacker can exploit this vulnerability, they may be able to execute arbitrary code on the system.

Property technologies ∷ Technology Object List

Applicable technologies.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ WeaknessTypeIdentifierString

The fixed value weakness

  • This entry is required

    • WeaknessTypeIdentifier The fixed value "weakness"
    • Must equal: "weakness"

Note Object

PropertyTypeDescriptionRequired?
noteMarkdownString
typeNoteTypeString

Property note ∷ MarkdownString

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property type ∷ NoteTypeString

  • This entry is required

Mitigation Object

PropertyTypeDescriptionRequired?
descriptionMarkdownStringA description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness.
effectivenessEffectivenessStringSummarizes how effective the mitigation may be in preventing the weakness.
effectiveness_notesMarkdownString
phasesSoftwarePhaseString ListIndicates the development life cycle phase during which this particular mitigation may be applied.
strategyMitigationStrategyStringA general strategy for protecting a system to which this mitigation contributes.

Property description ∷ MarkdownString

A description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property effectiveness ∷ EffectivenessString

Summarizes how effective the mitigation may be in preventing the weakness.

  • This entry is optional

    • Effectiveness Related to how effective a mitigation may be in preventing the weakness.
    • Allowed Values:
      • Defense in Depth
      • High
      • Incidental
      • Limited
      • Moderate
      • None
    • Reference: EffectivenessEnumeration

Property effectiveness_notes ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property phases ∷ SoftwarePhaseString List

Indicates the development life cycle phase during which this particular mitigation may be applied.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • SoftwarePhase Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Architecture and Design
      • Build and Compilation
      • Bundling
      • Distribution
      • Documentation
      • Implementation
      • Installation
      • Operation
      • Patching and Maintenance
      • Policy
      • Porting
      • Requirements
      • System Configuration
      • Testing
    • Reference: PhaseEnumeration

Property strategy ∷ MitigationStrategyString

A general strategy for protecting a system to which this mitigation contributes.

  • This entry is optional

    • MitigationStrategy Strategy for protecting a system to which a mitigation contributes.
    • Allowed Values:
      • Attack Surface Reduction
      • Compilation or Build Hardening
      • Enforcement by Conversion
      • Environment Hardening
      • Firewall
      • Input Validation
      • Language Selection
      • Libraries or Frameworks
      • Output Encoding
      • Parameterization
      • Refactoring
      • Resource Limitation
      • Sandbox or Jail
      • Separation of Privilege
    • Reference: MitigationStrategyEnumeration

DetectionMethod Object

PropertyTypeDescriptionRequired?
descriptionMarkdownStringProvides some context of how this method can be applied to a specific weakness.
methodDetectionMethodStringIdentifies the particular detection method being described.
effectivenessDetectionEffectivenessStringHow effective the detection method may be in detecting the associated weakness.
effectiveness_notesMarkdownStringProvides additional discussion of the strengths and shortcomings of this detection method.

Property description ∷ MarkdownString

Provides some context of how this method can be applied to a specific weakness.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property effectiveness ∷ DetectionEffectivenessString

How effective the detection method may be in detecting the associated weakness.

  • This entry is optional

    • DetectionEffectiveness Level of effectiveness that a detection method may have in detecting an associated weakness.
    • Allowed Values:
      • High
      • Limited
      • Moderate
      • None
      • Opportunistic
      • SOAR Partial
    • Reference: DetectionEffectivenessEnumeration

Property effectiveness_notes ∷ MarkdownString

Provides additional discussion of the strengths and shortcomings of this detection method.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property method ∷ DetectionMethodString

Identifies the particular detection method being described.

  • This entry is required

    • DetectionMethod Method used to detect a weakness.
    • Allowed Values:
      • Architecture or Design Review
      • Automated Analysis
      • Automated Dynamic Analysis
      • Automated Static Analysis
      • Automated Static Analysis - Binary or Bytecode
      • Automated Static Analysis - Source Code
      • Black Box
      • Dynamic Analysis with Automated Results Interpretation
      • Dynamic Analysis with Manual Results Interpretation
      • Fuzzing
      • Manual Analysis
      • Manual Dynamic Analysis
      • Manual Static Analysis
      • Manual Static Analysis - Binary or Bytecode
      • Manual Static Analysis - Source Code
      • Other
      • White Box
    • Reference: DetectionMethodEnumeration

Consequence Object

PropertyTypeDescriptionRequired?
scopesConsequenceScopeString ListIdentifies the security property that is violated.
impactsTechnicalImpactString ListDescribes the technical impact that arises if an adversary succeeds in exploiting this weakness.
likelihoodHighMedLowStringHow likely the specific consequence is expected to be seen relative to the other consequences.
noteMarkdownStringAdditional commentary about a consequence.

Property impacts ∷ TechnicalImpactString List

Describes the technical impact that arises if an adversary succeeds in exploiting this weakness.

  • This entry is optional

  • This entry's type is sequential (allows zero or more values)

    • Allowed Values:
      • Alter Execution Logic
      • Bypass Protection Mechanism
      • DoS: Amplification
      • DoS: Crash, Exit, or Restart
      • DoS: Instability
      • DoS: Resource Consumption (CPU)
      • DoS: Resource Consumption (Memory)
      • DoS: Resource Consumption (Other)
      • Execute Unauthorized Code or Commands
      • Gain Privileges or Assume Identity
      • Hide Activities
      • Modify Application Data
      • Modify Files or Directories
      • Modify Memory
      • Quality Degradation
      • Read Application Data
      • Read Files or Directories
      • Read Memory
      • Unexpected State
      • Varies by Context
    • Reference: TechnicalImpactEnumeration

Property likelihood ∷ HighMedLowString

How likely the specific consequence is expected to be seen relative to the other consequences.

  • This entry is optional

Property note ∷ MarkdownString

Additional commentary about a consequence.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property scopes ∷ ConsequenceScopeString List

Identifies the security property that is violated.

  • This entry is required

  • This entry's type is sequential (allows zero or more values)

    • ConsequenceScope Defines the different areas of software security that can be affected by exploiting a weakness.
    • Allowed Values:
      • Access Control
      • Accountability
      • Authentication
      • Authorization
      • Availability
      • Confidentiality
      • Integrity
      • Non-Repudiation
    • Reference: ScopeEnumeration

ModeOfIntroduction Object

PropertyTypeDescriptionRequired?
phaseSoftwarePhaseStringIdentifies the point in the software life cycle at which the weakness may be introduced.
noteMarkdownStringProvides a typical scenario related to introduction during the given phase.

Property note ∷ MarkdownString

Provides a typical scenario related to introduction during the given phase.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property phase ∷ SoftwarePhaseString

Identifies the point in the software life cycle at which the weakness may be introduced.

  • This entry is required

    • SoftwarePhase Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Architecture and Design
      • Build and Compilation
      • Bundling
      • Distribution
      • Documentation
      • Implementation
      • Installation
      • Operation
      • Patching and Maintenance
      • Policy
      • Porting
      • Requirements
      • System Configuration
      • Testing
    • Reference: PhaseEnumeration

AlternateTerm Object

PropertyTypeDescriptionRequired?
termShortStringStringThe actual alternate term.
descriptionMarkdownStringProvides context for the alternate term by which this weakness may be known.

Property description ∷ MarkdownString

Provides context for the alternate term by which this weakness may be known.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property term ∷ ShortStringString

The actual alternate term.

  • This entry is required

    • ShortString String with at most 1024 characters.

Technology Object

PropertyTypeDescriptionRequired?
prevalencePrevalenceStringDefines the different regularities that guide the applicability of platforms.
nameShortStringStringTechnology name (Web Server, Web Client)

Property name ∷ ShortStringString

Technology name (Web Server, Web Client)

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property prevalence ∷ PrevalenceString

Defines the different regularities that guide the applicability of platforms.

  • This entry is required

    • Prevalence Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

Paradigm Object

PropertyTypeDescriptionRequired?
prevalencePrevalenceStringDefines the different regularities that guide the applicability of platforms.
nameShortStringStringParadigm name (Client Server, Mainframe)

Property name ∷ ShortStringString

Paradigm name (Client Server, Mainframe)

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property prevalence ∷ PrevalenceString

Defines the different regularities that guide the applicability of platforms.

  • This entry is required

    • Prevalence Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

Architecture Object

PropertyTypeDescriptionRequired?
prevalencePrevalenceStringDefines the different regularities that guide the applicability of platforms.
classArchitectureClassStringClass of architecture
nameShortStringStringArchitecture name (ARM, x86, ...)

Property class ∷ ArchitectureClassString

Class of architecture

Property name ∷ ShortStringString

Architecture name (ARM, x86, ...)

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property prevalence ∷ PrevalenceString

Defines the different regularities that guide the applicability of platforms.

  • This entry is required

    • Prevalence Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

OperatingSystem Object

PropertyTypeDescriptionRequired?
prevalencePrevalenceStringDefines the different regularities that guide the applicability of platforms.
classOperatingSystemClassString
cpe_idShortStringString
nameShortStringString
versionShortStringString

Property class ∷ OperatingSystemClassString

  • This entry is optional

Property cpe_id ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property name ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property prevalence ∷ PrevalenceString

Defines the different regularities that guide the applicability of platforms.

  • This entry is required

    • Prevalence Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

Property version ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Language Object

PropertyTypeDescriptionRequired?
prevalencePrevalenceStringDefines the different regularities that guide the applicability of platforms.
classLanguageClassStringClass of language.
nameShortStringStringLanguage name (Clojure, Java, ...)

Property class ∷ LanguageClassString

Class of language.

  • This entry is optional

    • LanguageClass Class of source code language.
    • Allowed Values:
      • Assembly
      • Compiled
      • Interpreted
    • Reference: LanguageClassEnumeration

Property name ∷ ShortStringString

Language name (Clojure, Java, ...)

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property prevalence ∷ PrevalenceString

Defines the different regularities that guide the applicability of platforms.

  • This entry is required

    • Prevalence Defines the different regularities that guide the applicability of platforms.
    • Allowed Values:
      • Often
      • Rarely
      • Sometimes
      • Undetermined
    • Reference: PrevalenceEnumeration

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

Vulnerability Object

Vulnerability Indicates weakness or flaw in the system that can be exploited by an attacker to gain unauthorized access or cause harm to the system. Vulnerabilities can exist in various components of the system, such as the operating system, applications, network devices, and databases.

PropertyTypeDescriptionRequired?
descriptionMarkdownStringVarious sources of vulnerability information can be used, including third-party resources like the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database. The platform then analyzes this data and provides the user with relevant details such as the severity of the vulnerability, the affected systems, and remediation recommendations. Based on this information, the user can prioritize patching and other mitigation strategies to reduce the risk of potential attacks.
idStringGlobally unique URI identifying this object.
schema_versionStringCTIM schema version for this entity.
typeVulnerabilityTypeIdentifierStringThe fixed value vulnerability
configurationsConfigurations ObjectRepresents a list of affected versions or configurations of a software component that is impacted by a vulnerability. By tracking the affected software components and versions, defenders can identify which systems are potentially exposed to an attack, and apply appropriate mitigations.
cveCVE Object
external_idsString ListIt is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
impactVulnerabilityImpact ObjectDescribes the potential impact of a vulnerability that is being tracked in the system. Provides information on the extent of damage that a vulnerability can cause and how serious the consequences could be if it is exploited. May contain granular information about the vulnerability severity using the CVSS system, versions 2 and 3. CVSSv2 and CVSSv3 have different methods of calculating base scores, but both are designed to provide an indication of the level of risk that a vulnerability poses. The base score ranges from 0 to 10, with 10 being the most severe. Additionally, both CVSSv2 and CVSSv3 define severity levels, such as low, medium, high, and critical, based on the base score.
languageShortStringStringThe language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
last_modified_dateInst (Date)Represents the date when the vulnerability metadata was last updated in the internal database. It can be used to track the freshness of the vulnerability information. If the last_modified_date is more recent than the published_date, it can indicate that there has been some new information or updates related to the vulnerability, such as new patch releases or changes in the severity or impact rating.
published_dateInst (Date)Represents the date when a vulnerability was publicly disclosed or made available to the general public. Important for tracking the age of a vulnerability, as well as for determining when a particular vulnerability was first introduced into a system. The published date can be used to identify the time window during which a system may have been vulnerable to a particular exploit. For example, if an organization discovers that a vulnerability was published before their system's installation date, but they did not apply the necessary security updates in a timely manner, it can be concluded that their system was vulnerable for the period between the installation date and the date when the necessary security updates were applied.
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringStringRepresents the source of the intelligence that led to the creation of the entity.
source_uriStringURI of the source of the intelligence that led to the creation of the entity.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value.
tlpTLPStringTLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

Property configurations ∷ Configurations Object

Represents a list of affected versions or configurations of a software component that is impacted by a vulnerability. By tracking the affected software components and versions, defenders can identify which systems are potentially exposed to an attack, and apply appropriate mitigations.

  • This entry is optional

Property cve ∷ CVE Object

  • This entry is optional

Property description ∷ MarkdownString

Various sources of vulnerability information can be used, including third-party resources like the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database. The platform then analyzes this data and provides the user with relevant details such as the severity of the vulnerability, the affected systems, and remediation recommendations.

Based on this information, the user can prioritize patching and other mitigation strategies to reduce the risk of potential attacks.

  • This entry is required

    • Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

  • external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.

  • external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ VulnerabilityImpact Object

Describes the potential impact of a vulnerability that is being tracked in the system. Provides information on the extent of damage that a vulnerability can cause and how serious the consequences could be if it is exploited.

May contain granular information about the vulnerability severity using the CVSS system, versions 2 and 3.

CVSSv2 and CVSSv3 have different methods of calculating base scores, but both are designed to provide an indication of the level of risk that a vulnerability poses. The base score ranges from 0 to 10, with 10 being the most severe. Additionally, both CVSSv2 and CVSSv3 define severity levels, such as low, medium, high, and critical, based on the base score.

  • This entry is optional

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property last_modified_date ∷ Inst (Date)

Represents the date when the vulnerability metadata was last updated in the internal database. It can be used to track the freshness of the vulnerability information. If the last_modified_date is more recent than the published_date, it can indicate that there has been some new information or updates related to the vulnerability, such as new patch releases or changes in the severity or impact rating.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property published_date ∷ Inst (Date)

Represents the date when a vulnerability was publicly disclosed or made available to the general public.

Important for tracking the age of a vulnerability, as well as for determining when a particular vulnerability was first introduced into a system. The published date can be used to identify the time window during which a system may have been vulnerable to a particular exploit.

For example, if an organization discovers that a vulnerability was published before their system's installation date, but they did not apply the necessary security updates in a timely manner, it can be concluded that their system was vulnerable for the period between the installation date and the date when the necessary security updates were applied.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

  • This entry is optional

    • A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

  • This entry is optional

    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ VulnerabilityTypeIdentifierString

The fixed value vulnerability

  • This entry is required

    • VulnerabilityTypeIdentifier The fixed value "vulnerability"
    • Must equal: "vulnerability"

Configurations Object

PropertyTypeDescriptionRequired?
CVE_data_versionShortStringStringSpecifies the version of the CVE (Common Vulnerabilities and Exposures) dictionary used by the vulnerability information provider.
nodesCPENode Object ListEach node in the CTIM standard configuration includes information such as the operator (such as "less than", or "greater than or equal to"), and the cpe (Common Platform Enumeration) string which identifies the specific software, CPE is a structured naming scheme for IT systems, platforms, and software packages, and it is instrumental in enabling data exchange between different systems.

Property CVE_data_version ∷ ShortStringString

Specifies the version of the CVE (Common Vulnerabilities and Exposures) dictionary used by the vulnerability information provider.

  • This entry is required

    • ShortString String with at most 1024 characters.

Property nodes ∷ CPENode Object List

Each node in the CTIM standard configuration includes information such as the operator (such as "less than", or "greater than or equal to"), and the cpe (Common Platform Enumeration) string which identifies the specific software, CPE is a structured naming scheme for IT systems, platforms, and software packages, and it is instrumental in enabling data exchange between different systems.

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

CPENode Object

PropertyTypeDescriptionRequired?
operatorcpe-node-operator-stringString
childrenCPELeafNode Object List
cpe_matchCPEMatch Object List
negateBooleanNegates operator when true.

Property children ∷ CPELeafNode Object List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property cpe_match ∷ CPEMatch Object List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property negate ∷ Boolean

Negates operator when true.

  • This entry is optional

Property operator ∷ cpe-node-operator-stringString

  • This entry is required

    • cpe-node-operator-string The operator string influences how seqs of cpe matches are related to one another.
    • Allowed Values:
      • AND
      • OR

CPELeafNode Object

PropertyTypeDescriptionRequired?
cpe_matchCPEMatch Object List
operatorcpe-node-operator-stringString
negateBooleanNegates operator when true.

Property cpe_match ∷ CPEMatch Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property negate ∷ Boolean

Negates operator when true.

  • This entry is optional

Property operator ∷ cpe-node-operator-stringString

  • This entry is required

    • cpe-node-operator-string The operator string influences how seqs of cpe matches are related to one another.
    • Allowed Values:
      • AND
      • OR

CPEMatch Object

PropertyTypeDescriptionRequired?
cpe23UriString
vulnerableBoolean
versionEndExcludingStringA string representing the upper bound(exclusive) of version in the CPE.
versionEndIncludingStringA string representing the upper bound(inclusive) of version in the CPE.
versionStartExcludingStringA string representing the lower bound(exclusive) of version in the CPE.
versionStartIncludingStringA string representing the lower bound(inclusive) of version in the CPE.

Property cpe23Uri ∷ String

  • This entry is required

    • A text representation of a software or hardware platform.

Property versionEndExcluding ∷ String

A string representing the upper bound(exclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property versionEndIncluding ∷ String

A string representing the upper bound(inclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property versionStartExcluding ∷ String

A string representing the lower bound(exclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property versionStartIncluding ∷ String

A string representing the lower bound(inclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property vulnerable ∷ Boolean

  • This entry is required

CPEMatch Object

PropertyTypeDescriptionRequired?
cpe23UriString
vulnerableBoolean
versionEndExcludingStringA string representing the upper bound(exclusive) of version in the CPE.
versionEndIncludingStringA string representing the upper bound(inclusive) of version in the CPE.
versionStartExcludingStringA string representing the lower bound(exclusive) of version in the CPE.
versionStartIncludingStringA string representing the lower bound(inclusive) of version in the CPE.

Property cpe23Uri ∷ String

  • This entry is required

    • A text representation of a software or hardware platform.

Property versionEndExcluding ∷ String

A string representing the upper bound(exclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property versionEndIncluding ∷ String

A string representing the upper bound(inclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property versionStartExcluding ∷ String

A string representing the lower bound(exclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property versionStartIncluding ∷ String

A string representing the lower bound(inclusive) of version in the CPE.

  • This entry is optional

    • A string representing a bound of a version in the CPE.

Property vulnerable ∷ Boolean

  • This entry is required

VulnerabilityImpact Object

PropertyTypeDescriptionRequired?
cvss_v2CVSSv2 Object
cvss_v3CVSSv3 Object

Property cvss_v2 ∷ CVSSv2 Object

  • This entry is optional

Property cvss_v3 ∷ CVSSv3 Object

  • This entry is optional

CVSSv3 Object

PropertyTypeDescriptionRequired?
base_scoreNumberThe base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v3-1
base_severityCVSSv3SeverityString
vector_stringString
attack_complexityCVSSv3AttackComplexityStringdescribes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability
attack_vectorCVSSv3AttackVectorStringReflects the context by which vulnerability exploitation is possible
availability_impactCVSSv3AvailabilityImpactStringmeasures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability
availability_requirementCVSSv3SecurityRequirementsString
confidentiality_impactCVSSv3ConfidentialityImpactStringmeasures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability
confidentiality_requirementCVSSv3SecurityRequirementsString
environmental_scoreNumber
environmental_severityCVSSv3SeverityString
exploit_code_maturityCVSSv3ExploitCodeMaturityStringmeasures the likelihood of the vulnerability being attacked
exploitability_scoreNumber
impact_scoreNumber
integrity_impactCVSSv3IntegrityImpactStringmeasures the impact to integrity of a successfully exploited vulnerability
integrity_requirementCVSSv3SecurityRequirementsString
modified_attack_complexityCVSSv3ModifiedAttackComplexityStringmodified attack complexity
modified_attack_vectorCVSSv3ModifiedAttackVectorStringmodified attack vector
modified_availability_impactCVSSv3ModifiedAvailabilityImpactStringmodified availability impact
modified_confidentiality_impactCVSSv3ModifiedConfidentialityImpactStringmodified confidentiality impact
modified_integrity_impactCVSSv3ModifiedIntegrityImpactStringmodified integrity impact
modified_privileges_requiredCVSSv3ModifiedPrivilegesRequiredStringmodified privileges required
modified_scopeCVSSv3ModifiedScopeStringmodified scope
modified_user_interactionCVSSv3ModifiedUserInteractionStringmodified user interaction
privileges_requiredCVSSv3PrivilegesRequiredStringdescribes the level of privileges an attacker must possess before successfully exploiting the vulnerability
remediation_levelCVSSv3RemediationLevelStringRemediation Level of a vulnerability is an important factor for prioritization
report_confidenceCVSSv3ReportConfidenceStringmeasures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details
scopeCVSSv3ScopeStringthe ability for a vulnerability in one software component to impact resources beyond its means, or privileges
temporal_scoreNumberRound up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)
temporal_severityCVSSv3SeverityStringtemporal severity
user_interactionCVSSv3UserInteractionStringcaptures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component

Property attack_complexity ∷ CVSSv3AttackComplexityString

describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability

  • This entry is optional

    • CVSSv3AttackComplexity Describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). this metric value is largest for the least complex attacks. The list of possible values are: low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. high A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).
    • Allowed Values:
      • high
      • low
    • Reference: Attack Complexity

Property attack_vector ∷ CVSSv3AttackVectorString

Reflects the context by which vulnerability exploitation is possible

  • This entry is optional

    • CVSSv3AttackVector This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is: network A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed remotely exploitable and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).adjacent_network A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. local A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. physical A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.
    • Allowed Values:
      • adjacent_network
      • local
      • network
      • physical
    • Reference: Attack Vector

Property availability_impact ∷ CVSSv3AvailabilityImpactString

measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability

  • This entry is optional

    • CVSSv3AvailabilityImpact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented is: high: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). low: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. none: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Availability Impact] (https://www.first.org/cvss/specification-document#2-3-3-Availability-Impact-A)

Property availability_requirement ∷ CVSSv3SecurityRequirementsString

  • This entry is optional

    • CVSSv3SecurityRequirements These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
    • Allowed Values:
      • high
      • low
      • none
      • not_defined
    • Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property base_score ∷ Number

The base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v3-1

  • This entry is required

    • a Score number from 0 to 10

Property base_severity ∷ CVSSv3SeverityString

  • This entry is required

    • Allowed Values:
      • critical
      • high
      • low
      • medium
      • none

Property confidentiality_impact ∷ CVSSv3ConfidentialityImpactString

measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability

  • This entry is optional

    • CVSSv3ConfidentialityImpact Measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is: high: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. low: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. none: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Confientiality Impact] (https://www.first.org/cvss/specification-document#2-3-1-Confidentiality-Impact-C)

Property confidentiality_requirement ∷ CVSSv3SecurityRequirementsString

  • This entry is optional

    • CVSSv3SecurityRequirements These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
    • Allowed Values:
      • high
      • low
      • none
      • not_defined
    • Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property environmental_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property environmental_severity ∷ CVSSv3SeverityString

  • This entry is optional

    • Allowed Values:
      • critical
      • high
      • low
      • medium
      • none

Property exploit_code_maturity ∷ CVSSv3ExploitCodeMaturityString

measures the likelihood of the vulnerability being attacked

  • This entry is optional

    • CVSSv3ExploitCodeMaturity This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. high: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. functional: Functional exploit code is available. The code works in most situations where the vulnerability exists. proof_of_concept: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. unproven: No exploit code is available, or an exploit is theoretical.
    • Allowed Values:
      • functional
      • high
      • not_defined
      • proof_of_concept
      • unproven
    • Reference: [Exploit Code Maturity] (https://www.first.org/cvss/specification-document#3-1-Exploit-Code-Maturity-E)

Property exploitability_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property impact_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property integrity_impact ∷ CVSSv3IntegrityImpactString

measures the impact to integrity of a successfully exploited vulnerability

  • This entry is optional

    • CVSSv3IntegrityImpact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is: high: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. low: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.none: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Integrity Impact] (https://www.first.org/cvss/specification-document#2-3-2-Integrity-Impact-I)

Property integrity_requirement ∷ CVSSv3SecurityRequirementsString

  • This entry is optional

    • CVSSv3SecurityRequirements These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
    • Allowed Values:
      • high
      • low
      • none
      • not_defined
    • Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property modified_attack_complexity ∷ CVSSv3ModifiedAttackComplexityString

modified attack complexity

Property modified_attack_vector ∷ CVSSv3ModifiedAttackVectorString

modified attack vector

Property modified_availability_impact ∷ CVSSv3ModifiedAvailabilityImpactString

modified availability impact

Property modified_confidentiality_impact ∷ CVSSv3ModifiedConfidentialityImpactString

modified confidentiality impact

Property modified_integrity_impact ∷ CVSSv3ModifiedIntegrityImpactString

modified integrity impact

Property modified_privileges_required ∷ CVSSv3ModifiedPrivilegesRequiredString

modified privileges required

Property modified_scope ∷ CVSSv3ModifiedScopeString

modified scope

Property modified_user_interaction ∷ CVSSv3ModifiedUserInteractionString

modified user interaction

Property privileges_required ∷ CVSSv3PrivilegesRequiredString

describes the level of privileges an attacker must possess before successfully exploiting the vulnerability

  • This entry is optional

    • CVSSv3PrivilegesRequired This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is: none: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. low: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. high: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.
    • Allowed Values:
      • high
      • low
      • none
    • Reference: [Privileges Required] (https://www.first.org/cvss/specification-document#2-1-3-Privileges-Required-PR)

Property remediation_level ∷ CVSSv3RemediationLevelString

Remediation Level of a vulnerability is an important factor for prioritization

  • This entry is optional

    • CVSSv3RemediationLevel The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. unavailable: There is either no solution available or it is impossible to apply. workaround: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. temporary_fix: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.official_fix: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score.
    • Allowed Values:
      • high
      • not_defined
      • offical_fix
      • temporary_fix
      • unavailable
      • workaround
    • Reference: [Remediation Level] (https://www.first.org/cvss/specification-document#3-2-Remediation-Level-RL)

Property report_confidence ∷ CVSSv3ReportConfidenceString

measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details

  • This entry is optional

    • CVSSv3ReportConfidence Measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. confirmed: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. reasonable: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. unknown: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
    • Allowed Values:
      • confirmed
      • reasonable
      • unknown
    • Reference: [Report Confidence] (https://www.first.org/cvss/specification-document#3-3-Report-Confidence-RC)

Property scope ∷ CVSSv3ScopeString

the ability for a vulnerability in one software component to impact resources beyond its means, or privileges

  • This entry is optional

    • CVSSv3Scope An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. a scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user's instance of Word, and the host's system files. The Base score is greater when a scope change has occurred. The list of possible values is: unchanged: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. changed: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.
    • Allowed Values:
      • changed
      • unchanged
    • Reference: [Scope] (https://www.first.org/cvss/specification-document#2-2-Scope-S)

Property temporal_score ∷ Number

Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)

  • This entry is optional

    • a Score number from 0 to 10

Property temporal_severity ∷ CVSSv3SeverityString

temporal severity

  • This entry is optional

    • Allowed Values:
      • critical
      • high
      • low
      • medium
      • none

Property user_interaction ∷ CVSSv3UserInteractionString

captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component

  • This entry is optional

    • CVSSv3UserInteraction Captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is: none: The vulnerable system can be exploited without interaction from any user. required: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.
    • Allowed Values:
      • none
      • required
    • Reference: [User Interaction] (https://www.first.org/cvss/specification-document#2-1-4-User-Interaction-UI)

Property vector_string ∷ String

  • This entry is required

    • a text representation of a set of CVSSv3 metrics. It is commonly used to record or transfer CVSSv3 metric information in a concise form

CVSSv2 Object

PropertyTypeDescriptionRequired?
base_scoreNumberThe base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v2/guide
base_severityHighMedLowString
vector_stringString
access_complexityCVSSv2AccessComplexityString
access_vectorCVSSv2AccessVectorString
authenticationCVSSv2AuthenticationString
availability_impactCVSSv2AvailabilityImpactString
availability_requirementCVSSv2SecurityRequirementString
collateral_damage_potentialCVSSv2CollateralDamagePotentialString
confidentiality_impactCVSSv2ConfidentialityImpactString
confidentiality_requirementCVSSv2SecurityRequirementString
environmental_vector_stringString
exploitabilityCVSSv2ExploitabilityString
exploitability_scoreNumber
impact_scoreNumber
integrity_impactCVSSv2IntegrityImpactString
integrity_requirementCVSSv2SecurityRequirementString
obtain_all_privilegeBoolean
obtain_other_privilegeBoolean
obtain_user_privilegeBoolean
remediation_levelCVSSv2RemediationLevelString
report_confidenceCVSSv2ReportConfidenceString
target_distributionCVSSv2TargetDistributionString
temporal_vector_stringString
user_interaction_requiredBoolean

Property access_complexity ∷ CVSSv2AccessComplexityString

  • This entry is optional

    • CVSSv2AccessComplexity This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will.
    • Allowed Values:
      • high
      • low
      • medium
    • Reference: https://www.first.org/cvss/v2/guide#2-1-2-Access-Complexity-AC

Property access_vector ∷ CVSSv2AccessVectorString

  • This entry is optional

Property authentication ∷ CVSSv2AuthenticationString

  • This entry is optional

    • CVSSv2Authentication This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The fewer authentication instances that are required, the higher the vulnerability score.
    • Allowed Values:
      • multiple
      • none
      • single
    • Reference: https://www.first.org/cvss/v2/guide#2-1-3-Authentication-Au

Property availability_impact ∷ CVSSv2AvailabilityImpactString

  • This entry is optional

    • CVSSv2AvailabilityImpact This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. Increased availability impact increases the vulnerability score.
    • Allowed Values:
      • complete
      • none
      • partial
    • Reference: https://www.first.org/cvss/v2/guide#2-1-6-Availability-Impact-A

Property availability_requirement ∷ CVSSv2SecurityRequirementString

  • This entry is optional

    • CVSSv2SecurityRequirement These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
    • Allowed Values:
      • high
      • low
      • medium
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property base_score ∷ Number

The base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v2/guide

  • This entry is required

    • a Score number from 0 to 10

Property base_severity ∷ HighMedLowString

  • This entry is required

Property collateral_damage_potential ∷ CVSSv2CollateralDamagePotentialString

  • This entry is optional

    • CVSSv2CollateralDamagePotential This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The metric may also measure economic loss of productivity or revenue. Naturally, the greater the damage potential, the higher the vulnerability score.
    • Allowed Values:
      • high
      • low
      • low_medium
      • medium_high
      • none
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-1-Collateral-Damage-Potential-CDP

Property confidentiality_impact ∷ CVSSv2ConfidentialityImpactString

  • This entry is optional

    • CVSSv2ConfidentialityImpact This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. Increasedconfidentiality impact increases the vulnerability score.
    • Allowed Values:
      • complete
      • none
      • partial
    • Reference: https://www.first.org/cvss/v2/guide#2-1-4-Confidentiality-Impact-C

Property confidentiality_requirement ∷ CVSSv2SecurityRequirementString

  • This entry is optional

    • CVSSv2SecurityRequirement These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
    • Allowed Values:
      • high
      • low
      • medium
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property environmental_vector_string ∷ String

  • This entry is optional

    • A text representation of a set of CVSSv2 environmental metrics. Environmental metrics allow analysists to calculate threat scores in relation to environmental security requirements, collateral damage potential, and target availability. It is commonly used to record or transfer CVSSv2 metric information in a concise form

Property exploitability ∷ CVSSv2ExploitabilityString

  • This entry is optional

    • CVSSv2Exploitability This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled thereby increasing the severity of the vulnerability.
    • Allowed Values:
      • functional
      • high
      • not_defined
      • proof_of_concept
      • unproven
    • Reference: https://www.first.org/cvss/v2/guide#2-2-1-Exploitability-E

Property exploitability_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property impact_score ∷ Number

  • This entry is optional

    • a Score number from 0 to 10

Property integrity_impact ∷ CVSSv2IntegrityImpactString

  • This entry is optional

    • CVSSv2IntegrityImpact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the vulnerability score.
    • Allowed Values:
      • complete
      • none
      • partial
    • Reference: https://www.first.org/cvss/v2/guide#2-1-5-Integrity-Impact-I

Property integrity_requirement ∷ CVSSv2SecurityRequirementString

  • This entry is optional

    • CVSSv2SecurityRequirement These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
    • Allowed Values:
      • high
      • low
      • medium
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property obtain_all_privilege ∷ Boolean

  • This entry is optional

Property obtain_other_privilege ∷ Boolean

  • This entry is optional

Property obtain_user_privilege ∷ Boolean

  • This entry is optional

Property remediation_level ∷ CVSSv2RemediationLevelString

  • This entry is optional

    • CVSSv2RemediationLevel The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The less official and permanent a fix, the higher the vulnerability score is.
    • Allowed Values:
      • not_defined
      • official_fix
      • temporary_fix
      • unavailable
      • workaround
    • Reference: https://www.first.org/cvss/v2/guide#2-2-2-Remediation-Level-RL

Property report_confidence ∷ CVSSv2ReportConfidenceString

  • This entry is optional

    • CVSSv2ReportConfidence This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of vulnerabilities are publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
    • Allowed Values:
      • confirmed
      • not_defined
      • unconfirmed
      • uncorroborated
    • Reference: https://www.first.org/cvss/v2/guide#2-2-3-Report-Confidence-RC

Property target_distribution ∷ CVSSv2TargetDistributionString

  • This entry is optional

    • CVSSv2TargetDistribution This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability. The greater the proportion of vulnerable systems, the higher the score.
    • Allowed Values:
      • high
      • low
      • medium
      • none
      • not_defined
    • Reference: https://www.first.org/cvss/v2/guide#2-3-2-Target-Distribution-TD

Property temporal_vector_string ∷ String

  • This entry is optional

    • A text representation of a set of CVSSv2 temporal metrics. Temporal metrics allow analysists to calculate threat severity based on temporal factors such as reliability of vulnerability reports, availability of mitigations, and the ease or difficulty of conducting the exploit. It is commonly used to record or transfer CVSSv2 metric information in a concise form

Property user_interaction_required ∷ Boolean

  • This entry is optional

Property vector_string ∷ String

  • This entry is required

    • a text representation of a set of CVSSv2 metrics. It is commonly used to record or transfer CVSSv2 metric information in a concise form

CVE Object

PropertyTypeDescriptionRequired?
cve_data_metaCVEDataMeta Object

Property cve_data_meta ∷ CVEDataMeta Object

  • This entry is required

CVEDataMeta Object

PropertyTypeDescriptionRequired?
assignerShortStringString
idShortStringString

Property assigner ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

Property id ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters.

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource.

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

  • This entry is optional

    • A URI

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

PropertyTypeDescriptionRequired?
end_timeInst (Date)If end_time is not present, then the valid time position of the object does not have an upper bound.
start_timeInst (Date)If not present, the valid time position of the indicator does not have an upper bound.

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Can you improve this documentation? These fine people already did:
Ag Ibragimov, Guillaume Buisson, Guillaume Erétéo, Matthieu Sprunck, Ambrose Bonnaire-Sergeant, jyoverma, Scott McLeod, Sam Waggoner, Guillaume ERETEO, Craig Brozefsky, t2sw, bswanson, Mario Aquino, Kirill Chernyshov, Mark Herman, Mason Costa, mcosta85 & Alexander R. Saint Croix
Edit on GitHub

cljdoc is a website building & hosting documentation for Clojure/Script libraries

× close