Casebook Allows to gather and group observables and related analyst notes in one place from across multiple products for easy retrieval and further actions. Through Casebook, analysts can collaborate, share information, track progress, and take necessary actions to mitigate the incident.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | CasebookTypeIdentifierString | ✓ | |
bundle | Bundle Object | ||
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
observables | Observable Object List | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
texts | Text Object List | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
Bundle Describes a Bundle of any set of CTIM entities.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
type | BundleTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | ✓ | |
actor_refs | #{String} | ||
actors | #{Actor Object} | a list of Actor s. | |
asset_mapping_refs | #{String} | ||
asset_mappings | #{AssetMapping Object} | a list of AssetMapping s. | |
asset_properties | #{AssetProperties Object} | a list of AssetProperties . | |
asset_properties_refs | #{String} | ||
asset_refs | #{String} | ||
assets | #{Asset Object} | a list of Asset s. | |
attack_pattern_refs | #{String} | ||
attack_patterns | #{AttackPattern Object} | a list of AttackPattern s. | |
campaign_refs | #{String} | ||
campaigns | #{Campaign Object} | a list of Campaign s. | |
coa_refs | #{String} | ||
coas | #{COA Object} | a list of COA s. | |
data_table_refs | #{String} | ||
data_tables | #{DataTable Object} | a list of DataTable s. | |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
feedback_refs | #{String} | ||
feedbacks | #{Feedback Object} | a list of Feedback s. | |
identity_assertion_refs | #{String} | ||
identity_assertions | #{IdentityAssertion Object} | a list of IdentityAssertion s. | |
incident_refs | #{String} | ||
incidents | #{Incident Object} | a list of Incident s. | |
indicator_refs | #{String} | ||
indicators | #{Indicator Object} | a list of Indicator s. | |
judgement_refs | #{String} | ||
judgements | #{Judgement Object} | a list of Judgement s. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
malware_refs | #{String} | ||
malwares | #{Malware Object} | a list of Malware s. | |
note_refs | #{String} | ||
notes | #{Note Object} | a list of Note s. | |
relationship_refs | #{String} | ||
relationships | #{Relationship Object} | a list of Relationship s. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
sighting_refs | #{String} | ||
sightings | #{Sighting Object} | a list of Sighting s. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
target_record_refs | #{String} | ||
target_records | #{TargetRecord Object} | a list of TargetRecord s. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. | |
tool_refs | #{String} | ||
tools | #{Tool Object} | a list of Tool s. | |
verdict_refs | #{String} | ||
verdicts | #{Verdict Object} | a list of Verdict s. | |
vulnerabilities | #{Vulnerability Object} | a list of Vulnerability s. | |
vulnerability_refs | #{String} | ||
weakness_refs | #{String} | ||
weaknesses | #{Weakness Object} | a list of Weakness s. |
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Actor
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of AssetMapping
s.
a list of AssetProperties
.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Asset
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of AttackPattern
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Campaign
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of COA
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of DataTable
s.
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Feedback
s.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of IdentityAssertion
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Incident
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Indicator
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Judgement
s.
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Malware
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Note
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Relationship
s.
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Sighting
s.
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of TargetRecord
s.
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Tool
s.
This entry is required
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Verdict
s.
a list of Vulnerability
s.
This entry is optional
This entry's type is a set (allows zero or more distinct values)
This entry is optional
This entry's type is a set (allows zero or more distinct values)
a list of Weakness
s.
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
Vulnerability Indicates weakness or flaw in the system that can be exploited by an attacker to gain unauthorized access or cause harm to the system. Vulnerabilities can exist in various components of the system, such as the operating system, applications, network devices, and databases.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | Various sources of vulnerability information can be used, including third-party resources like the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database. The platform then analyzes this data and provides the user with relevant details such as the severity of the vulnerability, the affected systems, and remediation recommendations. Based on this information, the user can prioritize patching and other mitigation strategies to reduce the risk of potential attacks. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | VulnerabilityTypeIdentifierString | The fixed value vulnerability | ✓ |
configurations | Configurations Object | Represents a list of affected versions or configurations of a software component that is impacted by a vulnerability. By tracking the affected software components and versions, defenders can identify which systems are potentially exposed to an attack, and apply appropriate mitigations. | |
cve | CVE Object | ||
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
impact | VulnerabilityImpact Object | Describes the potential impact of a vulnerability that is being tracked in the system. Provides information on the extent of damage that a vulnerability can cause and how serious the consequences could be if it is exploited. May contain granular information about the vulnerability severity using the CVSS system, versions 2 and 3. CVSSv2 and CVSSv3 have different methods of calculating base scores, but both are designed to provide an indication of the level of risk that a vulnerability poses. The base score ranges from 0 to 10, with 10 being the most severe. Additionally, both CVSSv2 and CVSSv3 define severity levels, such as low, medium, high, and critical, based on the base score. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
last_modified_date | Inst (Date) | Represents the date when the vulnerability metadata was last updated in the internal database. It can be used to track the freshness of the vulnerability information. If the last_modified_date is more recent than the published_date , it can indicate that there has been some new information or updates related to the vulnerability, such as new patch releases or changes in the severity or impact rating. | |
published_date | Inst (Date) | Represents the date when a vulnerability was publicly disclosed or made available to the general public. Important for tracking the age of a vulnerability, as well as for determining when a particular vulnerability was first introduced into a system. The published date can be used to identify the time window during which a system may have been vulnerable to a particular exploit. For example, if an organization discovers that a vulnerability was published before their system's installation date, but they did not apply the necessary security updates in a timely manner, it can be concluded that their system was vulnerable for the period between the installation date and the date when the necessary security updates were applied. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
Represents a list of affected versions or configurations of a software component that is impacted by a vulnerability. By tracking the affected software components and versions, defenders can identify which systems are potentially exposed to an attack, and apply appropriate mitigations.
Various sources of vulnerability information can be used, including third-party resources like the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database. The platform then analyzes this data and provides the user with relevant details such as the severity of the vulnerability, the affected systems, and remediation recommendations.
Based on this information, the user can prioritize patching and other mitigation strategies to reduce the risk of potential attacks.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Describes the potential impact of a vulnerability that is being tracked in the system. Provides information on the extent of damage that a vulnerability can cause and how serious the consequences could be if it is exploited.
May contain granular information about the vulnerability severity using the CVSS system, versions 2 and 3.
CVSSv2 and CVSSv3 have different methods of calculating base scores, but both are designed to provide an indication of the level of risk that a vulnerability poses. The base score ranges from 0 to 10, with 10 being the most severe. Additionally, both CVSSv2 and CVSSv3 define severity levels, such as low, medium, high, and critical, based on the base score.
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
Represents the date when the vulnerability metadata was last updated in the internal database.
It can be used to track the freshness of the vulnerability information. If the last_modified_date
is more recent than the published_date
, it can indicate that there has been some new information or updates related to the vulnerability, such as new patch releases or changes in the severity or impact rating.
This entry is optional
Represents the date when a vulnerability was publicly disclosed or made available to the general public.
Important for tracking the age of a vulnerability, as well as for determining when a particular vulnerability was first introduced into a system. The published date can be used to identify the time window during which a system may have been vulnerable to a particular exploit.
For example, if an organization discovers that a vulnerability was published before their system's installation date, but they did not apply the necessary security updates in a timely manner, it can be concluded that their system was vulnerable for the period between the installation date and the date when the necessary security updates were applied.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
The fixed value vulnerability
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
CVE_data_version | ShortStringString | Specifies the version of the CVE (Common Vulnerabilities and Exposures) dictionary used by the vulnerability information provider. | ✓ |
nodes | CPENode Object List | Each node in the CTIM standard configuration includes information such as the operator (such as "less than", or "greater than or equal to"), and the cpe (Common Platform Enumeration) string which identifies the specific software, CPE is a structured naming scheme for IT systems, platforms, and software packages, and it is instrumental in enabling data exchange between different systems. | ✓ |
Specifies the version of the CVE (Common Vulnerabilities and Exposures) dictionary used by the vulnerability information provider.
This entry is required
Each node
in the CTIM standard configuration includes information such as the operator
(such as "less than", or "greater than or equal to"), and the cpe
(Common Platform Enumeration) string which identifies the specific software, CPE
is a structured naming scheme for IT systems, platforms, and software packages, and it is instrumental in enabling data exchange between different systems.
Property | Type | Description | Required? |
---|---|---|---|
operator | cpe-node-operator-stringString | ✓ | |
children | CPELeafNode Object List | ||
cpe_match | CPEMatch Object List | ||
negate | Boolean | Negates operator when true. |
Negates operator when true.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
cpe_match | CPEMatch Object List | ✓ | |
operator | cpe-node-operator-stringString | ✓ | |
negate | Boolean | Negates operator when true. |
Negates operator when true.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
cpe23Uri | String | ✓ | |
vulnerable | Boolean | ✓ | |
versionEndExcluding | String | A string representing the upper bound(exclusive) of version in the CPE. | |
versionEndIncluding | String | A string representing the upper bound(inclusive) of version in the CPE. | |
versionStartExcluding | String | A string representing the lower bound(exclusive) of version in the CPE. | |
versionStartIncluding | String | A string representing the lower bound(inclusive) of version in the CPE. |
This entry is required
A string representing the upper bound(exclusive) of version in the CPE.
This entry is optional
A string representing the upper bound(inclusive) of version in the CPE.
This entry is optional
A string representing the lower bound(exclusive) of version in the CPE.
This entry is optional
A string representing the lower bound(inclusive) of version in the CPE.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
cpe23Uri | String | ✓ | |
vulnerable | Boolean | ✓ | |
versionEndExcluding | String | A string representing the upper bound(exclusive) of version in the CPE. | |
versionEndIncluding | String | A string representing the upper bound(inclusive) of version in the CPE. | |
versionStartExcluding | String | A string representing the lower bound(exclusive) of version in the CPE. | |
versionStartIncluding | String | A string representing the lower bound(inclusive) of version in the CPE. |
This entry is required
A string representing the upper bound(exclusive) of version in the CPE.
This entry is optional
A string representing the upper bound(inclusive) of version in the CPE.
This entry is optional
A string representing the lower bound(exclusive) of version in the CPE.
This entry is optional
A string representing the lower bound(inclusive) of version in the CPE.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
cvss_v2 | CVSSv2 Object | ||
cvss_v3 | CVSSv3 Object |
Property | Type | Description | Required? |
---|---|---|---|
base_score | Number | The base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v3-1 | ✓ |
base_severity | CVSSv3SeverityString | ✓ | |
vector_string | String | ✓ | |
attack_complexity | CVSSv3AttackComplexityString | describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability | |
attack_vector | CVSSv3AttackVectorString | Reflects the context by which vulnerability exploitation is possible | |
availability_impact | CVSSv3AvailabilityImpactString | measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability | |
availability_requirement | CVSSv3SecurityRequirementsString | ||
confidentiality_impact | CVSSv3ConfidentialityImpactString | measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability | |
confidentiality_requirement | CVSSv3SecurityRequirementsString | ||
environmental_score | Number | ||
environmental_severity | CVSSv3SeverityString | ||
exploit_code_maturity | CVSSv3ExploitCodeMaturityString | measures the likelihood of the vulnerability being attacked | |
exploitability_score | Number | ||
impact_score | Number | ||
integrity_impact | CVSSv3IntegrityImpactString | measures the impact to integrity of a successfully exploited vulnerability | |
integrity_requirement | CVSSv3SecurityRequirementsString | ||
modified_attack_complexity | CVSSv3ModifiedAttackComplexityString | modified attack complexity | |
modified_attack_vector | CVSSv3ModifiedAttackVectorString | modified attack vector | |
modified_availability_impact | CVSSv3ModifiedAvailabilityImpactString | modified availability impact | |
modified_confidentiality_impact | CVSSv3ModifiedConfidentialityImpactString | modified confidentiality impact | |
modified_integrity_impact | CVSSv3ModifiedIntegrityImpactString | modified integrity impact | |
modified_privileges_required | CVSSv3ModifiedPrivilegesRequiredString | modified privileges required | |
modified_scope | CVSSv3ModifiedScopeString | modified scope | |
modified_user_interaction | CVSSv3ModifiedUserInteractionString | modified user interaction | |
privileges_required | CVSSv3PrivilegesRequiredString | describes the level of privileges an attacker must possess before successfully exploiting the vulnerability | |
remediation_level | CVSSv3RemediationLevelString | Remediation Level of a vulnerability is an important factor for prioritization | |
report_confidence | CVSSv3ReportConfidenceString | measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details | |
scope | CVSSv3ScopeString | the ability for a vulnerability in one software component to impact resources beyond its means, or privileges | |
temporal_score | Number | Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence) | |
temporal_severity | CVSSv3SeverityString | temporal severity | |
user_interaction | CVSSv3UserInteractionString | captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component |
describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability
This entry is optional
low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. high
A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).Reflects the context by which vulnerability exploitation is possible
This entry is optional
network
A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed remotely exploitable
and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).adjacent_network
A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. local
A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. physical
A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability
This entry is optional
high
: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). low
: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. none
: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component.This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high
: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium
: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low
: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).The base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v3-1
This entry is required
This entry is required
measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability
This entry is optional
high
: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. low
: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. none
: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component.This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high
: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium
: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low
: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).This entry is optional
This entry is optional
measures the likelihood of the vulnerability being attacked
This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. high
: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. functional
: Functional exploit code is available. The code works in most situations where the vulnerability exists. proof_of_concept
: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. unproven
: No exploit code is available, or an exploit is theoretical.This entry is optional
This entry is optional
measures the impact to integrity of a successfully exploited vulnerability
This entry is optional
high
: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. low
: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.none
: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component.This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high
: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium
: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low
: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).modified attack complexity
This entry is optional
modified attack vector
This entry is optional
modified availability impact
This entry is optional
modified confidentiality impact
This entry is optional
modified integrity impact
This entry is optional
modified privileges required
This entry is optional
modified scope
This entry is optional
modified user interaction
This entry is optional
describes the level of privileges an attacker must possess before successfully exploiting the vulnerability
This entry is optional
none
: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. low
: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. high
: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.Remediation Level of a vulnerability is an important factor for prioritization
This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. unavailable
: There is either no solution available or it is impossible to apply. workaround
: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. temporary_fix
: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.official_fix
: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score.measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details
This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. confirmed
: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. reasonable
: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. unknown
: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.the ability for a vulnerability in one software component to impact resources beyond its means, or privileges
This entry is optional
unchanged
: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. changed
: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)
This entry is optional
temporal severity
This entry is optional
captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component
This entry is optional
none
: The vulnerable system can be exploited without interaction from any user. required
: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.This entry is required
Property | Type | Description | Required? |
---|---|---|---|
base_score | Number | The base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v2/guide | ✓ |
base_severity | HighMedLowString | ✓ | |
vector_string | String | ✓ | |
access_complexity | CVSSv2AccessComplexityString | ||
access_vector | CVSSv2AccessVectorString | ||
authentication | CVSSv2AuthenticationString | ||
availability_impact | CVSSv2AvailabilityImpactString | ||
availability_requirement | CVSSv2SecurityRequirementString | ||
collateral_damage_potential | CVSSv2CollateralDamagePotentialString | ||
confidentiality_impact | CVSSv2ConfidentialityImpactString | ||
confidentiality_requirement | CVSSv2SecurityRequirementString | ||
environmental_vector_string | String | ||
exploitability | CVSSv2ExploitabilityString | ||
exploitability_score | Number | ||
impact_score | Number | ||
integrity_impact | CVSSv2IntegrityImpactString | ||
integrity_requirement | CVSSv2SecurityRequirementString | ||
obtain_all_privilege | Boolean | ||
obtain_other_privilege | Boolean | ||
obtain_user_privilege | Boolean | ||
remediation_level | CVSSv2RemediationLevelString | ||
report_confidence | CVSSv2ReportConfidenceString | ||
target_distribution | CVSSv2TargetDistributionString | ||
temporal_vector_string | String | ||
user_interaction_required | Boolean |
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
The base score is a key metric in CVSS, which uses a scoring system to determine the level of severity of a vulnerability. see: https://www.first.org/cvss/v2/guide
This entry is required
This entry is required
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
cve_data_meta | CVEDataMeta Object | ✓ |
Property | Type | Description | Required? |
---|---|---|---|
assigner | ShortStringString | ||
id | ShortStringString |
This entry is optional
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Weakness A mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | Should be short and limited to the key points that define this weakness. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | WeaknessTypeIdentifierString | The fixed value weakness | ✓ |
abstraction_level | WeaknessAbstractionLevelString | Refers to the level of abstraction or granularity used to describe the weakness. It helps to categorize the vulnerability based on the level of detail provided. | |
affected_resources | SystemResourceString List | Identifies system resources that can be affected by an exploit of this weakness. | |
alternate_terms | AlternateTerm Object List | Indicates one or more other names used to describe this weakness. | |
architectures | Architecture Object List | Applicable architectures. | |
background_details | MarkdownString | Information that is relevant but not related to the nature of the weakness itself. | |
common_consequences | Consequence Object List | Refers to the typical or expected negative effects that can result from exploiting the weakness. This could include anything from unauthorized access to data, denial of service, system crashes or other things. | |
detection_methods | DetectionMethod Object List | Identifies methods that may be employed to detect this weakness, including their strengths and limitations. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
functional_areas | FunctionalAreaString List | Identifies the functional area of the software in which the weakness is most likely to occur. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
languages | Language Object List | Applicable Languages. | |
likelihood | HighMedLowString | Likelihood of exploit. | |
modes_of_introduction | ModeOfIntroduction Object List | Information about how and when a given weakness may be introduced. | |
notes | Note Object List | Provides any additional comments about the weakness. | |
operating_systems | OperatingSystem Object List | Applicable operating systems. | |
paradigms | Paradigm Object List | Applicable paradigms. | |
potential_mitigations | Mitigation Object List | Describes potential mitigations associated with a weakness. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
structure | WeaknessStructureString | Defines the structural nature of the weakness. | |
technologies | Technology Object List | Applicable technologies. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
Refers to the level of abstraction or granularity used to describe the weakness. It helps to categorize the vulnerability based on the level of detail provided.
This entry is optional
Class: is the highest level of abstraction and describes a general category of weaknesses. Examples of Classes include :"Buffer Errors", "Input Validation", or "Authentication Issues".
Base: More specific category than Class. A Base weakness is a concrete form of a Class weakness. An example of a Base weakness could be "SQL Injection".
Variant: Describes one specific type of Base weakness that is defined by alterations or extensions to the Base description. For example, "Blind SQL Injection" can be considered a Variant of the Base weakness "SQL Injection".
Compound: A Compound Weakness describes a weakness that combines two or more Base weaknesses to exploit a system. For example, a "Buffer-Overflow with Format-String Exploit" combines the Base weaknesses of "Buffer-Overflow" and "Format-String Vulnerability".
By specifying the abstraction level, cybersec professionals can more easily identify weaknesses that are related and prioritize their response efforts based on the potential impact of the vulnerability.
Identifies system resources that can be affected by an exploit of this weakness.
This entry is optional
This entry's type is sequential (allows zero or more values)
Indicates one or more other names used to describe this weakness.
Applicable architectures.
Information that is relevant but not related to the nature of the weakness itself.
This entry is optional
Refers to the typical or expected negative effects that can result from exploiting the weakness. This could include anything from unauthorized access to data, denial of service, system crashes or other things.
Should be short and limited to the key points that define this weakness.
This entry is required
Identifies methods that may be employed to detect this weakness, including their strengths and limitations.
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Identifies the functional area of the software in which the weakness is most likely to occur.
This entry is optional
This entry's type is sequential (allows zero or more values)
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
Applicable Languages.
Likelihood of exploit.
This entry is optional
Information about how and when a given weakness may be introduced.
Provides any additional comments about the weakness.
Applicable operating systems.
Applicable paradigms.
Describes potential mitigations associated with a weakness.
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
Defines the structural nature of the weakness.
This entry is optional
Chain: A chain weakness might involve an attacker chaining together multiple vulnerabilities and exploits in order to achieve their end goal. For example, an attacker might use a phishing attack to gain access to a user's email account, then use information from that account to socially engineer their way through additional systems until they gain access to an internal network. In this case, the attacker is chaining multiple weaknesses together in order to achieve their ultimate objective.
Composite: A composite weakness might involve multiple vulnerabilities that exist in different layers or components of a system. For example, a composite weakness in a web application might involve both an injection vulnerability and a cross-site scripting vulnerability. An attacker could use these weaknesses in tandem to steal data or take over the system.
Simple: A simple weakness might involve a single vulnerability or exploit that can be used to achieve a specific objective. An example of a simple weakness might be a buffer overflow vulnerability in a software application. If an attacker can exploit this vulnerability, they may be able to execute arbitrary code on the system.
Applicable technologies.
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
The fixed value weakness
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
note | MarkdownString | ✓ | |
type | NoteTypeString | ✓ |
This entry is required
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | A description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness. | ✓ |
effectiveness | EffectivenessString | Summarizes how effective the mitigation may be in preventing the weakness. | |
effectiveness_notes | MarkdownString | ||
phases | SoftwarePhaseString List | Indicates the development life cycle phase during which this particular mitigation may be applied. | |
strategy | MitigationStrategyString | A general strategy for protecting a system to which this mitigation contributes. |
A description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness.
This entry is required
Summarizes how effective the mitigation may be in preventing the weakness.
This entry is optional
This entry is optional
Indicates the development life cycle phase during which this particular mitigation may be applied.
This entry is optional
This entry's type is sequential (allows zero or more values)
A general strategy for protecting a system to which this mitigation contributes.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | Provides some context of how this method can be applied to a specific weakness. | ✓ |
method | DetectionMethodString | Identifies the particular detection method being described. | ✓ |
effectiveness | DetectionEffectivenessString | How effective the detection method may be in detecting the associated weakness. | |
effectiveness_notes | MarkdownString | Provides additional discussion of the strengths and shortcomings of this detection method. |
Provides some context of how this method can be applied to a specific weakness.
This entry is required
How effective the detection method may be in detecting the associated weakness.
This entry is optional
Provides additional discussion of the strengths and shortcomings of this detection method.
This entry is optional
Identifies the particular detection method being described.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
scopes | ConsequenceScopeString List | Identifies the security property that is violated. | ✓ |
impacts | TechnicalImpactString List | Describes the technical impact that arises if an adversary succeeds in exploiting this weakness. | |
likelihood | HighMedLowString | How likely the specific consequence is expected to be seen relative to the other consequences. | |
note | MarkdownString | Additional commentary about a consequence. |
Describes the technical impact that arises if an adversary succeeds in exploiting this weakness.
This entry is optional
This entry's type is sequential (allows zero or more values)
How likely the specific consequence is expected to be seen relative to the other consequences.
This entry is optional
Additional commentary about a consequence.
This entry is optional
Identifies the security property that is violated.
This entry is required
This entry's type is sequential (allows zero or more values)
Property | Type | Description | Required? |
---|---|---|---|
phase | SoftwarePhaseString | Identifies the point in the software life cycle at which the weakness may be introduced. | ✓ |
note | MarkdownString | Provides a typical scenario related to introduction during the given phase. |
Provides a typical scenario related to introduction during the given phase.
This entry is optional
Identifies the point in the software life cycle at which the weakness may be introduced.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
term | ShortStringString | The actual alternate term. | ✓ |
description | MarkdownString | Provides context for the alternate term by which this weakness may be known. |
Provides context for the alternate term by which this weakness may be known.
This entry is optional
The actual alternate term.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | PrevalenceString | Defines the different regularities that guide the applicability of platforms. | ✓ |
name | ShortStringString | Technology name (Web Server, Web Client) |
Technology name (Web Server, Web Client)
This entry is optional
Defines the different regularities that guide the applicability of platforms.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | PrevalenceString | Defines the different regularities that guide the applicability of platforms. | ✓ |
name | ShortStringString | Paradigm name (Client Server, Mainframe) |
Paradigm name (Client Server, Mainframe)
This entry is optional
Defines the different regularities that guide the applicability of platforms.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | PrevalenceString | Defines the different regularities that guide the applicability of platforms. | ✓ |
class | ArchitectureClassString | Class of architecture | |
name | ShortStringString | Architecture name (ARM, x86, ...) |
Class of architecture
This entry is optional
Architecture name (ARM, x86, ...)
This entry is optional
Defines the different regularities that guide the applicability of platforms.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
prevalence | PrevalenceString | Defines the different regularities that guide the applicability of platforms. | ✓ |
class | OperatingSystemClassString | ||
cpe_id | ShortStringString | ||
name | ShortStringString | ||
version | ShortStringString |
This entry is optional
This entry is optional
This entry is optional
Defines the different regularities that guide the applicability of platforms.
This entry is required
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
prevalence | PrevalenceString | Defines the different regularities that guide the applicability of platforms. | ✓ |
class | LanguageClassString | Class of language. | |
name | ShortStringString | Language name (Clojure, Java, ...) |
Class of language.
This entry is optional
Language name (Clojure, Java, ...)
This entry is optional
Defines the different regularities that guide the applicability of platforms.
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
DataTable A generic table of data, consisting of types and documented columns, and 1 or more rows of data.
Property | Type | Description | Required? |
---|---|---|---|
columns | ColumnDefinition Object List | An ordered list of column definitions. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
rows | Anything List | An ordered list of rows | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | DataTableTypeIdentifierString | ✓ | |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
row_count | Integer | The number of rows in the data table. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. | |
valid_time | ValidTime Object |
An ordered list of column definitions.
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
The number of rows in the data table.
An ordered list of rows
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
name | String | ✓ | |
type | ColumnTypeString | ✓ | |
description | MarkdownString | ||
required | Boolean | If true , the row entries for this column cannot contain nulls . Defaults to true . | |
short_description | String |
This entry is optional
If true
, the row entries for this column cannot contain nulls
. Defaults to true
.
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Verdict A Verdict is chosen from all of the Judgements on that Observable which have not yet expired. The highest priority Judgement becomes the active verdict. If there is more than one Judgement with that priority, then Clean disposition has priority over all others, then Malicious disposition, and so on down to Unknown.
The ID of a verdict is a a str of the form "observable.type:observable.value" for example, "ip:1.1.1.1"
Property | Type | Description | Required? |
---|---|---|---|
disposition | DispositionNumberInteger | ✓ | |
observable | Observable Object | ✓ | |
type | VerdictTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | ✓ | |
disposition_name | DispositionNameString | The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"} | |
judgement_id | String |
This entry is required
The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
This entry is optional
This entry is optional
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | A description of object, which may be detailed. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
labels | ToolLabelString List | The kind(s) of tool(s) being described. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
short_description | MedStringString | A single line, short summary of the object. | ✓ |
title | ShortStringString | A short title for this object, used as primary display and reference value. | ✓ |
type | ToolTypeIdentifierString | ✓ | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
kill_chain_phases | KillChainPhase Object List | The list of kill chain phases for which this Tool can be used. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. | |
tool_version | ShortStringString | The version identifier associated with the Tool. | |
x_mitre_aliases | ShortStringString List | ATT&CK Software.aliases. |
A description of object, which may be detailed.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The list of kill chain phases for which this Tool can be used.
The kind(s) of tool(s) being described.
This entry is required
This entry's type is sequential (allows zero or more values)
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is required
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
The version identifier associated with the Tool.
This entry is optional
This entry is required
ATT&CK Software.aliases.
This entry is optional
This entry's type is sequential (allows zero or more values)
KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
TargetRecord A TargetRecord is a Sighting that has no threat or observables associated with it, it's a way of saying they saw a set of observables together as a Target.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
targets | Target Object List | ✓ | |
type | TargetRecordTypeIdentifierString | ✓ | |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Target Schema for TargetRecord Targets
Property | Type | Description | Required? |
---|---|---|---|
observables | Observable Object List | ✓ | |
observed_time | ObservedTime Object | ✓ | |
type | SensorString | ✓ | |
internal | Boolean | Is it internal to our network? | |
os | String | Source Operating System where TargetRecord was originated. | |
sensor | String | The OpenC2 Actuator name that best fits the device that is creating this TargetRecord (e.g.: network.firewall, etc.) | |
source_uri | String |
Is it internal to our network?
Source Operating System where TargetRecord was originated.
The OpenC2 Actuator name that best fits the device that is creating this TargetRecord (e.g.: network.firewall, etc.)
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
IdentityAssertion Context attributes about the target or any of its observables. Providers could provide different types of assertions regarding a target depending on their own capabilities.
Property | Type | Description | Required? |
---|---|---|---|
assertions | Assertion Object List | Any known context about the identity attributes. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
identity | IdentityCoordinates Object | Attributes for which the assertion is being made. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | IdentityAssertionTypeIdentifierString | ✓ | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. | |
valid_time | ValidTime Object |
Any known context about the identity attributes.
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Attributes for which the assertion is being made.
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
name | AssertionTypeString | ✓ | |
value | String | ✓ |
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
observables | Observable Object List | ✓ |
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Sighting A sighting indicates that a particular entity or indicator was observed in an environment and can be an indication of a current or potential threat.
Property | Type | Description | Required? |
---|---|---|---|
confidence | HighMedLowString | ✓ | |
count | Integer | The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
observed_time | ObservedTime Object | ✓ | |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | SightingTypeIdentifierString | ✓ | |
context | Context Object | Context including the event type that best fits the type of the sighting. | |
data | SightingDataTable Object | An embedded data table for the Sighting. | |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
internal | Boolean | If true , indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC. Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization. Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
observables | Observable Object List | The object(s) of interest. | |
relations | ObservedRelation Object List | Provide any context we can about where the observable came from. | |
resolution | ResolutionString | Represents the disposition or actions taken on the associated threat intelligence. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
sensor | SensorString | The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall) | |
sensor_coordinates | SensorCoordinates Object | ||
severity | SeverityString | ||
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
targets | IdentitySpecification Object List | May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise. Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
This entry is required
Context including the event type that best fits the type of the sighting.
The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents.
This entry is required
An embedded data table for the Sighting.
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.If true
, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC.
Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization.
Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known.
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
The object(s) of interest.
Provide any context we can about where the observable came from.
Represents the disposition or actions taken on the associated threat intelligence.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
This entry is optional
This entry is optional
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise.
Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets
field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread.
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
file_create_events | FileCreateType Object List | a list of FileCreateType | |
file_delete_events | FileDeleteType Object List | a list of FileDeleteType | |
file_modify_events | FileModifyType Object List | a list of FileModifyType | |
file_move_events | FileMoveType Object List | a list of FileMoveType | |
http_events | HTTPType Object List | a list of HTTPType | |
library_load_events | LibraryLoadType Object List | a list of LibraryLoadType | |
netflow_events | NetflowType Object List | a list of NetflowType | |
process_create_events | ProcessCreateType Object List | a list of ProcessCreate | |
registry_create_events | RegistryCreateType Object List | a list of RegistryCreateType | |
registry_delete_events | RegistryDeleteType Object List | a list of RegistryDeleteType | |
registry_rename_events | RegistryRenameType Object List | a list of RegistryRenameType | |
registry_set_events | RegistrySetType Object List | a list of RegistrySetType |
a list of FileCreateType
a list of FileDeleteType
a list of FileModifyType
a list of FileMoveType
a list of HTTPType
a list of LibraryLoadType
a list of NetflowType
a list of ProcessCreate
a list of RegistryCreateType
a list of RegistryDeleteType
a list of RegistryRenameType
a list of RegistrySetType
Property | Type | Description | Required? |
---|---|---|---|
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
registry_key | ShortStringString | ✓ | |
registry_old_key | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | RegistryRenameTypeIdentifierString | ✓ | |
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is optional
This entry is required
This entry is required
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
registry_key | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | RegistryDeleteTypeIdentifierString | ✓ | |
process_guid | Integer | ||
process_username | ShortStringString | ||
registry_value | MedStringString |
This entry is required
This entry is optional
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
registry_key | ShortStringString | ✓ | |
registry_value | MedStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | RegistrySetTypeIdentifierString | ✓ | |
process_guid | Integer | ||
process_username | ShortStringString | ||
registry_data | LongStringString | ||
registry_data_length | Integer |
This entry is required
This entry is optional
This entry is optional
This entry is required
This entry is required
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
registry_key | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | RegistryCreateTypeIdentifierString | ✓ | |
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is optional
This entry is required
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
host | ShortStringString | ✓ | |
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
traffic | Traffic Object | ✓ | |
type | HTTPTypeIdentifierString | ✓ | |
encrypted | Boolean | ||
method | HTTPMethodString | ||
process_guid | Integer | ||
process_username | ShortStringString | ||
query | LongStringString | ||
url_port | Integer |
This entry is required
This entry is optional
This entry is required
This entry is optional
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
destination_ip | String | ✓ | |
destination_port | Integer | ✓ | |
direction | TrafficDirectionString | ✓ | |
protocol | Integer | The IP protocol id | ✓ |
source_ip | String | ✓ | |
source_port | Integer | ✓ | |
destination_host_name | String | ||
destination_subnet | String | ||
source_subnet | String |
This entry is required
The IP protocol id
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
traffic | Traffic Object | ✓ | |
type | NetflowTypeIdentifierString | ✓ | |
byte_count_in | Integer | ||
byte_count_out | Integer | ||
flow_time | Inst (Date) | ||
parent_process_account | ShortStringString | ||
parent_process_account_type | ShortStringString | ||
parent_process_args | ShortStringString | ||
parent_process_hash | ShortStringString | ||
parent_process_id | Integer | ||
parent_process_name | ShortStringString | ||
parent_process_path | ShortStringString | ||
process_account | ShortStringString | ||
process_account_type | ShortStringString | ||
process_args | ShortStringString | ||
process_guid | Integer | ||
process_hash | ShortStringString | ||
process_path | ShortStringString | ||
process_username | ShortStringString |
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is required
This entry is optional
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
destination_ip | String | ✓ | |
destination_port | Integer | ✓ | |
direction | TrafficDirectionString | ✓ | |
protocol | Integer | The IP protocol id | ✓ |
source_ip | String | ✓ | |
source_port | Integer | ✓ | |
destination_host_name | String | ||
destination_subnet | String | ||
source_subnet | String |
This entry is required
The IP protocol id
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
file_name | ShortStringString | ✓ | |
file_path | MedStringString | ✓ | |
new_name | ShortStringString | ✓ | |
old_name | ShortStringString | ✓ | |
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | FileMoveTypeIdentifierString | ✓ | |
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is required
This entry is required
This entry is required
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
file_name | ShortStringString | ✓ | |
file_path | MedStringString | ✓ | |
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | FileModifyTypeIdentifierString | ✓ | |
failed | Boolean | ||
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is required
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
file_name | ShortStringString | ✓ | |
file_path | MedStringString | ✓ | |
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | FileDeleteTypeIdentifierString | ✓ | |
failed | Boolean | ||
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is required
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
file_name | ShortStringString | ✓ | |
file_path | MedStringString | ✓ | |
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | FileCreateTypeIdentifierString | ✓ | |
failed | Boolean | ||
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is required
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
dll_library_name | ShortStringString | ✓ | |
dll_library_path | MedStringString | ✓ | |
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | LibraryLoadTypeIdentifierString | ✓ | |
process_guid | Integer | ||
process_username | ShortStringString |
This entry is required
This entry is required
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
process_id | Integer | ✓ | |
process_name | ShortStringString | ✓ | |
time | ObservedTime Object | ✓ | |
type | ProcessCreateTypeIdentifierString | ✓ | |
parent_creation_time | Inst (Date) | ||
parent_process_args | MedStringString | ||
parent_process_disposition | ShortStringString | ||
parent_process_guid | Integer | ||
parent_process_hash | MedStringString | ||
parent_process_id | Integer | ||
parent_process_name | ShortStringString | ||
parent_process_size | Integer | ||
parent_process_username | ShortStringString | ||
process_args | MedStringString | ||
process_disposition | ShortStringString | ||
process_guid | Integer | ||
process_hash | MedStringString | ||
process_size | Integer | ||
process_username | ShortStringString |
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is required
This entry is optional
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
ObservedRelation A relation inside a Sighting.
Property | Type | Description | Required? |
---|---|---|---|
origin | String | ✓ | |
related | Observable Object | ✓ | |
relation | ObservableRelationTypeString | ✓ | |
source | Observable Object | ✓ | |
origin_uri | String | ||
relation_info | Object |
This entry is optional
This entry is required
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
Property | Type | Description | Required? |
---|---|---|---|
Keyword | Anything | ✓ |
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
IdentitySpecification Describes the target of the sighting and contains identifying observables for the target.
Property | Type | Description | Required? |
---|---|---|---|
observables | Observable Object List | ✓ | |
observed_time | ObservedTime Object | ✓ | |
type | SensorString | ✓ | |
os | String |
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
SensorCoordinates Describes the device that made the sighting (sensor) and contains identifying observables for the sensor.
Property | Type | Description | Required? |
---|---|---|---|
observables | Observable Object List | ✓ | |
type | SensorString | ✓ | |
os | String |
This entry is required
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
SightingDataTable An embedded data table for sightings data.
Property | Type | Description | Required? |
---|---|---|---|
columns | ColumnDefinition Object List | an ordered list of column definitions | ✓ |
rows | Anything List | an ordered list of rows | ✓ |
row_count | Integer | The number of rows in the data table. |
an ordered list of column definitions
The number of rows in the data table.
an ordered list of rows
Property | Type | Description | Required? |
---|---|---|---|
name | String | ✓ | |
type | ColumnTypeString | ✓ | |
description | MarkdownString | ||
required | Boolean | If true , the row entries for this column cannot contain nulls . Defaults to true . | |
short_description | String |
This entry is optional
If true
, the row entries for this column cannot contain nulls
. Defaults to true
.
This entry is required
ObservedTime Period of time when a cyber observation is valid. start_time
must come before end_time
(if specified).
Property | Type | Description | Required? |
---|---|---|---|
start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
If the observation was made over a period of time, than this field indicates the end of that period.
This entry is optional
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Relationship Represents a relationship between two entities.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
relationship_type | RelationshipTypeString | ✓ | |
schema_version | String | CTIM schema version for this entity. | ✓ |
source_ref | String | ✓ | |
target_ref | String | ✓ | |
type | RelationshipTypeIdentifierString | ✓ | |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
This entry is required
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
This entry is required
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Note A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the Objects, assigning Text/content to the Object the Note relates to Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum.
Property | Type | Description | Required? |
---|---|---|---|
content | MarkdownString | ✓ | |
id | String | Globally unique URI identifying this object. | ✓ |
note_class | Keyword | ✓ | |
related_entities | NoteRelatedEntity Object List | ✓ | |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | NoteTypeIdentifierString | ✓ | |
author | String | ||
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
entity_id | String | ✓ | |
entity_type | String | ✓ |
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Malware Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | A description of object, which may be detailed. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
labels | MalwareLabelString List | The type of malware being described. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
short_description | MedStringString | A single line, short summary of the object. | ✓ |
title | ShortStringString | A short title for this object, used as primary display and reference value. | ✓ |
type | MalwareTypeIdentifierString | ✓ | |
abstraction_level | MalwareAbstractionsString | Malware abstraction level. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
kill_chain_phases | KillChainPhase Object List | The list of Kill Chain Phases for which this Malware can be used. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. | |
x_mitre_aliases | ShortStringString List | ATT&CK Software.aliases. |
Malware abstraction level.
This entry is optional
A description of object, which may be detailed.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The list of Kill Chain Phases for which this Malware can be used.
The type of malware being described.
This entry is required
This entry's type is sequential (allows zero or more values)
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is required
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ATT&CK Software.aliases.
This entry is optional
This entry's type is sequential (allows zero or more values)
KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Judgement A judgement about the intent or nature of an observable. For example, is it malicious, meaning is is malware and subverts system operations? It could also be clean and be from a known benign, or trusted source. It could also be common, something so widespread that it's not likely to be malicious.
Since a core goal of the CTIA is to provide a simple verdict service, these judgements are the basis for the returned verdicts. These are also the primary means by which users of the CTIA go from observables on their system, to the indicators and threat intelligence data in CTIA.
Property | Type | Description | Required? |
---|---|---|---|
confidence | HighMedLowString | ✓ | |
disposition | DispositionNumberInteger | Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"} | ✓ |
disposition_name | DispositionNameString | ✓ | |
id | String | Globally unique URI identifying this object. | ✓ |
observable | Observable Object | ✓ | |
priority | Integer | ✓ | |
schema_version | String | CTIM schema version for this entity. | ✓ |
severity | SeverityString | ✓ | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
type | JudgementTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | ✓ | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
reason | ShortStringString | ||
reason_uri | String | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
This entry is required
Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
This entry is required
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
This entry is required
This entry is optional
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Indicator An indicator is a test, or a collection of judgements that define criteria for identifying the activity, or presence of malware, or other unwanted software.
We follow the STiX IndicatorType closely, with the exception of not including observables within the indicator, and preferring a specification object encoded in JSON as opposed to an opaque implementation block.
Additional, you will want to either define judgements against Observables that are linked to this indicator, with the ID in the indicators field of those Judgements, or you can provide a specification value.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
producer | ShortStringString | ✓ | |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | IndicatorTypeIdentifierString | The fixed value indicator | ✓ |
valid_time | ValidTime Object | The time range during which this Indicator is considered valid. | ✓ |
composite_indicator_expression | CompositeIndicatorExpression Object | ||
confidence | HighMedLowString | level of confidence held in the accuracy of this Indicator. | |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
indicator_type | IndicatorTypeString List | Specifies the type or types for this Indicator. | |
kill_chain_phases | KillChainPhase Object List | Relevant kill chain phases indicated by this Indicator. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
likely_impact | LongStringString | Likely potential impact within the relevant context if this Indicator were to occur. | |
negate | Boolean | Specifies the absence of the pattern. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
severity | SeverityString | ||
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
specification | JudgementSpecification Object | ||
tags | ShortStringString List | Descriptors for this indicator. | |
test_mechanisms | MedStringString List | Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
level of confidence held in the accuracy of this Indicator.
This entry is optional
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Specifies the type or types for this Indicator.
This entry is optional
This entry's type is sequential (allows zero or more values)
Relevant kill chain phases indicated by this Indicator.
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
Likely potential impact within the relevant context if this Indicator were to occur.
This entry is optional
Specifies the absence of the pattern.
This entry is required
Dev Notes: TODO - Document what is supposed to be in this field!
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
This entry is optional
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
This entry is optional
Descriptors for this indicator.
This entry is optional
This entry's type is sequential (allows zero or more values)
Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.
This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: simplified
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
The fixed value indicator
This entry is required
The time range during which this Indicator is considered valid.
OpenIOCSpecification An indicator which contains an XML blob of an openIOC indicator.
Property | Type | Description | Required? |
---|---|---|---|
open_IOC | String | ✓ | |
type | OpenIOCSpecificationTypeString | ✓ |
This entry is required
SIOCSpecification An indicator which runs in snort...
Property | Type | Description | Required? |
---|---|---|---|
SIOC | String | ✓ | |
type | SIOCSpecificationTypeString | ✓ |
This entry is required
SnortSpecification An indicator which runs in snort...
Property | Type | Description | Required? |
---|---|---|---|
snort_sig | String | ✓ | |
type | SnortSpecificationTypeString | ✓ |
This entry is required
ThreatBrainSpecification An indicator which runs in threatbrain...
Property | Type | Description | Required? |
---|---|---|---|
type | ThreatBrainSpecificationTypeString | ✓ | |
variables | String List | ✓ | |
query | String |
This entry is required
JudgementSpecification An indicator based on a list of judgements. If any of the Observables in it's judgements are encountered, than it may be matches against. If there are any required judgements, they all must be matched in order for the indicator to be considered a match.
Property | Type | Description | Required? |
---|---|---|---|
judgements | String List | ✓ | |
required_judgements | RelatedJudgement Object List | ✓ | |
type | JudgementSpecificationTypeString | ✓ |
This entry is required
This entry's type is sequential (allows zero or more values)
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
judgement_id | String | ✓ | |
confidence | HighMedLowString | ||
relationship | String | ||
source | String |
This entry is optional
This entry is required
KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
indicator_ids | String List | ✓ | |
operator | BooleanOperatorString | ✓ |
This entry is required
This entry's type is sequential (allows zero or more values)
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Incident Information about computer security incident response. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents pertain to one or more adverse events, each of which is modeled as a sighting.
Property | Type | Description | Required? |
---|---|---|---|
confidence | HighMedLowString | Represents the level of certainty or trustworthiness associated with the incident. It denotes the reliability of the intelligence associated with the incident. The confidence field can take on several values, including: - info : Indicates that the incident information is based on sources with no previous track record or there is no track record for the source reporting the incident. - low : Indicates that the incident information is based on sources with a questionable track record or there is limited information about the accuracy of the source. - medium : Indicates that the incident information is based on sources with a mixed track record or of uncertain reliability. - high : Indicates that the incident information is based on sources with a proven track record and high degree of reliability. The confidence field can be used to indicate the level of trust and confidence that can be attributed to the incident, and it may impact how the incident is prioritized, analyzed and addressed. It can also help in the decision-making process associated with the incident response activities. It is important to note that the confidence field is subjective and can be interpreted differently by different organizations or analysts. As such, it is often used in conjunction with other intelligence attributes, such as the severity field, to provide a more complete picture of the incident. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
incident_time | IncidentTime Object | Relevant time values associated with this Incident. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
status | StatusString | The status field represents the current state of an incident within the incident management process. Its values help in tracking and reporting the progress of the incident from its discovery to its resolution. | ✓ |
type | IncidentTypeIdentifierString | ✓ | |
assignees | ShortStringString List | A set of owners assigned to this incident. | |
categories | IncidentCategoryString List | A set of categories for this incident. | |
description | MarkdownString | A description of object, which may be detailed. | |
detection_sources | MedStringString List | A set of sources that contributed threat detections to the incident. | |
discovery_method | DiscoveryMethodString | Identifies how the incident was discovered. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
intended_effect | IntendedEffectString | Specifies the suspected intended effect of this incident | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
meta | MetaData Object | metadata associated to the incident. | |
promotion_method | PromotionMethodString | Describes method for promoting an Incident, whether manually or automatically. An Incident may be created manually by a SOAR analyst or SOC operator, or through an automated correlation or aggregation rule or engine that matches a specific set of events or alerts, and promotes them to Incident(s). | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
scores | IncidentScores Object | Used to indicate the severity or impact score of the threat represented by the incident. | |
severity | SeverityString | Represents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first. Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape. It is important to note that the severity field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the confidence field, to provide a more comprehensive view of the incident. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
tactics | ShortStringString List | Represents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics. | |
techniques | ShortStringString List | Represents the specific methods or actions used by an attacker to carry out an offensive maneuver or achieve their goals. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
A set of owners assigned to this incident.
This entry is optional
This entry's type is sequential (allows zero or more values)
A set of categories for this incident.
This entry is optional
This entry's type is sequential (allows zero or more values)
Represents the level of certainty or trustworthiness associated with the incident. It denotes the reliability of the intelligence associated with the incident.
The confidence
field can take on several values, including:
info
: Indicates that the incident information is based on sources with no previous track record or there is no track record for the source reporting the incident.low
: Indicates that the incident information is based on sources with a questionable track record or there is limited information about the accuracy of the source.medium
: Indicates that the incident information is based on sources with a mixed track record or of uncertain reliability.high
: Indicates that the incident information is based on sources with a proven track record and high degree of reliability.
The confidence
field can be used to indicate the level of trust and confidence that can be attributed to the incident, and it may impact how the incident is prioritized, analyzed and addressed. It can also help in the decision-making process associated with the incident response activities.
It is important to note that the confidence
field is subjective and can be interpreted differently by different organizations or analysts. As such, it is often used in conjunction with other intelligence attributes, such as the severity
field, to provide a more complete picture of the incident.This entry is required
A description of object, which may be detailed.
This entry is optional
A set of sources that contributed threat detections to the incident.
This entry is optional
This entry's type is sequential (allows zero or more values)
Identifies how the incident was discovered.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Relevant time values associated with this Incident.
Specifies the suspected intended effect of this incident
This entry is optional
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
metadata associated to the incident.
Describes method for promoting an Incident, whether manually or automatically. An Incident may be created manually by a SOAR analyst or SOC operator, or through an automated correlation or aggregation rule or engine that matches a specific set of events or alerts, and promotes them to Incident(s).
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
Used to indicate the severity or impact score of the threat represented by the incident.
Represents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident
It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first.
Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape.
It is important to note that the severity
field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the confidence
field, to provide a more comprehensive view of the incident.
This entry is optional
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The status
field represents the current state of an incident within the incident management process. Its values help in tracking and reporting the progress of the incident from its discovery to its resolution.
This entry is required
Represents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics.
This entry is optional
This entry's type is sequential (allows zero or more values)
Represents the specific methods or actions used by an attacker to carry out an offensive maneuver or achieve their goals.
This entry is optional
This entry's type is sequential (allows zero or more values)
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
Keyword | Number | Field is used to indicate the severity or impact of the threat represented by the incident. It's an open-type dictionary object with score types and numeric value of the score. For example, systems can have the following score types: - asset - assesses the potential damage or harm that the threat can cause to the affected asset(s). The scale ranges from 0 to 10, with 10 indicating the highest potential harm. - global - assesses the overall impact or significance of the threat to the organization or wider community. The scale ranges from 0 to 1000, with 1000 indicating the highest impact. - ttp - a measure of the threat actor's proficiency in utilizing TTPs. Typically, ranges from 0-100, with a higher score indicating a greater threat or concern. |
Field is used to indicate the severity or impact of the threat represented by the incident. It's an open-type dictionary object with score types and numeric value of the score.
For example, systems can have the following score types:
asset
- assesses the potential damage or harm that the threat can cause to the affected asset(s). The scale ranges from 0 to 10, with 10 indicating the highest potential harm.
global
- assesses the overall impact or significance of the threat to the organization or wider community. The scale ranges from 0 to 1000, with 1000 indicating the highest impact.
ttp
- a measure of the threat actor's proficiency in utilizing TTPs. Typically, ranges from 0-100, with a higher score indicating a greater threat or concern.
This entry is optional
Allowed Values:
A non-negative score number.
Property | Type | Description | Required? |
---|---|---|---|
Keyword | String | custom field relevant to attach meta data to. |
custom field relevant to attach meta data to.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
opened | Inst (Date) | Time the incident was first opened. | ✓ |
closed | Inst (Date) | Time that the incident was last closed. | |
discovered | Inst (Date) | Time the incident was first discovered. | |
rejected | Inst (Date) | Time that the incident was first rejected. | |
remediated | Inst (Date) | Time that the remediation of the damage from the incident was completed. | |
reported | Inst (Date) | Time the incident was first reported. |
Time that the incident was last closed.
This entry is optional
Time the incident was first discovered.
This entry is optional
Time the incident was first opened.
This entry is required
Time that the incident was first rejected.
This entry is optional
Time that the remediation of the damage from the incident was completed.
This entry is optional
Time the incident was first reported.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Feedback Feedback on any entity. Is it wrong? If so why? Was it right-on, and worthy of confirmation?
Property | Type | Description | Required? |
---|---|---|---|
entity_id | String | ✓ | |
feedback | Integer | ✓ | |
id | String | Globally unique URI identifying this object. | ✓ |
reason | String | ✓ | |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | FeedbackTypeIdentifierString | ✓ | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
This entry is required
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
COA Course of Action. A corrective or preventative action to be taken in response to a threat.
Property | Type | Description | Required? |
---|---|---|---|
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
type | COATypeIdentifierString | ✓ | |
valid_time | ValidTime Object | ✓ | |
coa_type | COATypeString | The type of this COA | |
cost | HighMedLowString | Characterizes the estimated cost for applying this course of action. | |
description | MarkdownString | A description of object, which may be detailed. | |
efficacy | HighMedLowString | Effectiveness of this course of action in achieving its targeted objective. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
impact | ShortStringString | Characterizes the estimated impact of applying this course of action. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
objective | ShortStringString List | Characterizes the objective to provide guidance on how to mitigate a security incident that has been identified. | |
open_c2_coa | OpenC2COA Object | ||
related_COAs | RelatedCOA Object List | Identifies or characterizes relationships to one or more related courses of action. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
stage | COAStageString | Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to. | |
structured_coa_type | OpenC2StructuredCOATypeString | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
The type of this COA
This entry is optional
Characterizes the estimated cost for applying this course of action.
This entry is optional
A description of object, which may be detailed.
This entry is optional
Effectiveness of this course of action in achieving its targeted objective.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Characterizes the estimated impact of applying this course of action.
This entry is optional
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
Characterizes the objective to provide guidance on how to mitigate a security incident that has been identified.
This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: Squashed / simplified
Identifies or characterizes relationships to one or more related courses of action.
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to.
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
action | ActionType Object | ✓ | |
type | StructuredCOATypeString | ✓ | |
actuator | ActuatorType Object | ||
id | ShortStringString | ||
modifiers | ModifierType Object | ||
target | TargetType Object |
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
additional_properties | AdditionalProperties Object | ||
delay | Inst (Date) | ||
destination | String | ||
duration | Inst (Date) | ||
frequency | ShortStringString | ||
id | ShortStringString | ||
location | String | ||
method | String List | ||
option | ShortStringString | ||
response | String | ||
search | String | ||
source | ShortStringString | ||
time | ValidTime Object |
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry's type is sequential (allows zero or more values)
This entry is optional
This entry is optional
This entry is optional
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
context | ShortStringString | ✓ |
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
type | ActuatorTypeString | ✓ | |
specifiers | ShortStringString List | List of additional properties describing the actuator. |
List of additional properties describing the actuator.
This entry is optional
This entry's type is sequential (allows zero or more values)
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
type | TargetTypeVocabString | ✓ | |
specifiers | ShortStringString | Observable types that can be acted upon. |
Observable types that can be acted upon.
This entry is optional
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
type | COATypeString | ✓ |
This entry is required
Property | Type | Description | Required? |
---|---|---|---|
COA_id | String | ✓ | |
confidence | HighMedLowString | ||
relationship | String | ||
source | String |
This entry is required
This entry is optional
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Campaign Represents a campaign by an actor pursing an intent.
Property | Type | Description | Required? |
---|---|---|---|
campaign_type | ShortStringString | String value that describes the type of campaign. For example, a campaign type could be 'Ransomware', 'Advanced Persistent Threat', 'Business Email Compromise', 'Phishing', etc. | ✓ |
description | MarkdownString | A description of object, which may be detailed. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
short_description | MedStringString | A single line, short summary of the object. | ✓ |
title | ShortStringString | A short title for this object, used as primary display and reference value. | ✓ |
type | CampaignTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | Timestamp for the definition of a specific version of a campaign. | ✓ |
activity | Activity Object List | Used to capture specific activities or tactics associated with the campaign. The 'activity' field is an array of objects, and each element represents a specific activity and time associated with the campaign. Examples of activities may include malicious software delivery, command and control communication, network reconnaissance, data exfiltration, etc. By capturing these activities analysts can identify the specific tactics used by the threat actor(s) behind the campaign. | |
confidence | HighMedLowString | Level of confidence held in the characterization of this Campaign. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
intended_effect | IntendedEffectString List | Characterizes the intended effect of this cyber threat campaign. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
names | ShortStringString List | Used to capture alternate names or aliases associated with the campaign. A cyberattack campaign may have multiple names or aliases depending on the group or actor(s) behind the attack, e.g., 'Wannacry' is also known as 'WannaCrypt', 'WCry', 'Wanna Decryptor', etc. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
status | CampaignStatusString | Indicates current Status of the Campaign. Can have one of the following values: - Ongoing: Indicates that the campaign is currently active and ongoing. For example, a mass phishing campaign that is actively targeting users is considered 'ongoing'. - Historic: Campaign has already occurred and is now in the past. - Future: This indicates that a campaign is planned or expected to occur in the future. For example, a threat actor may announce their intention to launch a specific cyberattack campaign at a future date. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
Used to capture specific activities or tactics associated with the campaign. The 'activity' field is an array of objects, and each element represents a specific activity and time associated with the campaign. Examples of activities may include malicious software delivery, command and control communication, network reconnaissance, data exfiltration, etc. By capturing these activities analysts can identify the specific tactics used by the threat actor(s) behind the campaign.
String value that describes the type of campaign. For example, a campaign type could be 'Ransomware', 'Advanced Persistent Threat', 'Business Email Compromise', 'Phishing', etc.
This entry is required
Dev Notes: Should we define a vocabulary for this?
Level of confidence held in the characterization of this Campaign.
This entry is optional
A description of object, which may be detailed.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Characterizes the intended effect of this cyber threat campaign.
This entry is optional
This entry's type is sequential (allows zero or more values)
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
Used to capture alternate names or aliases associated with the campaign. A cyberattack campaign may have multiple names or aliases depending on the group or actor(s) behind the attack, e.g., 'Wannacry' is also known as 'WannaCrypt', 'WCry', 'Wanna Decryptor', etc.
This entry is optional
This entry's type is sequential (allows zero or more values)
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
Indicates current Status of the Campaign.
Can have one of the following values:
Ongoing: Indicates that the campaign is currently active and ongoing. For example, a mass phishing campaign that is actively targeting users is considered 'ongoing'.
Historic: Campaign has already occurred and is now in the past.
Future: This indicates that a campaign is planned or expected to occur in the future. For example, a threat actor may announce their intention to launch a specific cyberattack campaign at a future date.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is required
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Timestamp for the definition of a specific version of a campaign.
Activity Captures the specific activities or tactics associated with the entity. Examples of activities may include malicious software delivery, command and control communication, network reconnaissance, data exfiltration, etc.
Property | Type | Description | Required? |
---|---|---|---|
date_time | Inst (Date) | Specifies the date and time at which the activity occured. | ✓ |
description | MarkdownString | A description of the activity. | ✓ |
Specifies the date and time at which the activity occured.
This entry is required
A description of the activity.
This entry is required
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
AttackPattern Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | A description of object, which may be detailed. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
short_description | MedStringString | A single line, short summary of the object. | ✓ |
title | ShortStringString | A short title for this object, used as primary display and reference value. | ✓ |
type | AttackPatternTypeIdentifierString | ✓ | |
abstraction_level | AttackPatternAbstractionsString | The CAPEC abstraction level for patterns describing techniques to attack a system. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id]. | |
kill_chain_phases | KillChainPhase Object List | A kill chain is a series of steps that an attacker must go through to successfully achieve their objective. The concept was originally developed by the military, but has been adapted to the cybersecurity field to describe the steps an attacker goes through to compromise a target system and achieve their goal. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. | |
x_mitre_contributors | ShortStringString List | ATT&CK Technique.Contributors. | |
x_mitre_data_sources | ShortStringString List | ATT&CK Technique.Data Sources. | |
x_mitre_platforms | ShortStringString List | ATT&CK Technique.Platforms. |
The CAPEC abstraction level for patterns describing techniques to attack a system.
This entry is optional
A description of object, which may be detailed.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.A kill chain is a series of steps that an attacker must go through to successfully achieve their objective. The concept was originally developed by the military, but has been adapted to the cybersecurity field to describe the steps an attacker goes through to compromise a target system and achieve their goal.
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is optional
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is required
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
ATT&CK Technique.Contributors.
This entry is optional
This entry's type is sequential (allows zero or more values)
ATT&CK Technique.Data Sources.
This entry is optional
This entry's type is sequential (allows zero or more values)
ATT&CK Technique.Platforms.
This entry is optional
This entry's type is sequential (allows zero or more values)
KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
Property | Type | Description | Required? |
---|---|---|---|
kill_chain_name | String | The name of the kill chain. | ✓ |
phase_name | String | The name of the phase in the kill chain. | ✓ |
The name of the kill chain.
This entry is required
The name of the phase in the kill chain.
This entry is required
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
AssetProperties Assets do not have any product specific properties, those are represented in AssetProperties - which is a record that asserts one or more properties of an Asset for a specific time.
Property | Type | Description | Required? |
---|---|---|---|
asset_ref | String | URI that points to the associated Asset. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
type | AssetPropertiesTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | The time range during which the AssetProperties is considered valid. | ✓ |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
properties | AssetProperty Object List | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
URI that points to the associated Asset.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
The time range during which the AssetProperties is considered valid.
Property | Type | Description | Required? |
---|---|---|---|
name | String | The properties are an open vocabulary. | ✓ |
value | String | ✓ |
The properties are an open vocabulary.
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
AssetMapping A record that maps a specific Observable to an asset for a specified period of time.
Property | Type | Description | Required? |
---|---|---|---|
asset_ref | String | URI that points to the mapped Asset. | ✓ |
asset_type | AssetTypeString | Type of the mapped Asset: Device, Person, Application, etc. | ✓ |
confidence | HighMedLowString | Level of confidence held in the characterization of this AssetMapping e.g.: is it susceptible to manipulation or translation? | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
observable | Observable Object | An AssetMapping is a record that a specific Observable maps to an Asset for an indicated period of time. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
specificity | SpecificityString | Denotes the level of how many assets potentially could have this same identifier. | ✓ |
stability | StabilityString | Do we manage when it changes, or is it always a time bound assignment? | ✓ |
type | AssetMappingTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | For each asset, we allow for the assertion of time bound properties.This gives us both a record of the current state of the asset,as well as history. | ✓ |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
URI that points to the mapped Asset.
This entry is required
Type of the mapped Asset: Device, Person, Application, etc.
This entry is required
Level of confidence held in the characterization of this AssetMapping e.g.: is it susceptible to manipulation or translation?
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
An AssetMapping is a record that a specific Observable maps to an Asset for an indicated period of time.
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
Denotes the level of how many assets potentially could have this same identifier.
This entry is required
Do we manage when it changes, or is it always a time bound assignment?
This entry is required
The time this object was created at, or last modified.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
For each asset, we allow for the assertion of time bound properties.This gives us both a record of the current state of the asset,as well as history.
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifierString | The type of observable. | ✓ |
value | String | The value of the observable. | ✓ |
The type of observable.
This entry is required
The value of the observable.
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Asset Describes a protected resource. It could be a Device, User, Network, Application or Data.
Property | Type | Description | Required? |
---|---|---|---|
asset_type | AssetTypeString | Type of the Asset: Device, Person, Application, etc. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
type | AssetTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | Specifies the time range during which the asset is considered valid or accurate. For example, if an asset entity represents a device, the valid_time field could be used to indicate the period during which the device's configuration information is deemed accurate. | ✓ |
description | MarkdownString | A description of object, which may be detailed. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedStringString | A single line, short summary of the object. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortStringString | A short title for this object, used as primary display and reference value. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
Type of the Asset: Device, Person, Application, etc.
This entry is required
A description of object, which may be detailed.
This entry is optional
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is optional
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Specifies the time range during which the asset is considered valid or accurate.
For example, if an asset entity represents a device, the valid_time
field could be used to indicate the period during which the device's configuration information is deemed accurate.
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Actor Describes malicious actors or adversaries related to a cyber attack.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | A description of object, which may be detailed. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity. | ✓ |
short_description | MedStringString | A single line, short summary of the object. | ✓ |
source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | ✓ |
title | ShortStringString | A short title for this object, used as primary display and reference value. | ✓ |
type | ActorTypeIdentifierString | ✓ | |
valid_time | ValidTime Object | Indicates the time span for which the information about the Actor is relevant, and after which it could become outdated. | ✓ |
actor_types | ThreatActorTypeString List | ||
aliases | ShortStringString List | A list of other names that this Threat Actor is believed to use. | |
confidence | HighMedLowString | This field can help analysts decide how much trust they can put in the information provided by the threat intelligence sources. For example, an Actor entity can have high confidence if the organization's security researchers have been tracking it for a long time and have gathered a significant amount of intelligence about it through various sources, such as analysis of malware, network traffic, and human intelligence. In contrast, low confidence may indicate the organization has only seen limited or circumstantial evidence. | |
external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
identity | Identity Object | Can contain information such as the name of the attacker, the group or organization they belong to, or any other identifier that can help in the attribution process. | |
intended_effect | IntendedEffectString | Represents the desired outcome or impact the threat actor is trying to achieve through their malicious activities. Helps security analysts to understand the attacker's goals beyond the immediate impact of the attack. By understanding the intended effect, analysts can draw connections between seemingly unrelated attacks and build a more complete understanding of an attacker's long-term goals and motivations. | |
language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
motivation | MotivationString | The reason or purpose behind the malicious activity attributed to this Actor. By understanding a threat actor's motivation, analysts can better predict the attacker's behavior and anticipate future malicious actions. | |
planning_and_operational_support | LongStringString | Provides information about the resources and capabilities of the attacker that could be used to assist in planning and operations related to the threat. It can be used to describe Infrastructure, Tools, Techniques, and Capabilities used by the threat actor. | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
sophistication | SophisticationString | Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems. | |
source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red , indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green , indicating that it can be shared more broadly within an organization. |
This entry is optional
This entry's type is sequential (allows zero or more values)
A list of other names that this Threat Actor is believed to use.
This entry is optional
This entry's type is sequential (allows zero or more values)
This field can help analysts decide how much trust they can put in the information provided by the threat intelligence sources.
For example, an Actor entity can have high confidence if the organization's security researchers have been tracking it for a long time and have gathered a significant amount of intelligence about it through various sources, such as analysis of malware, network traffic, and human intelligence. In contrast, low confidence may indicate the organization has only seen limited or circumstantial evidence.
This entry is optional
A description of object, which may be detailed.
This entry is required
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids
field with major differences:
external_ids
field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids
field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references
field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references
field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.Can contain information such as the name of the attacker, the group or organization they belong to, or any other identifier that can help in the attribution process.
Represents the desired outcome or impact the threat actor is trying to achieve through their malicious activities.
Helps security analysts to understand the attacker's goals beyond the immediate impact of the attack. By understanding the intended effect, analysts can draw connections between seemingly unrelated attacks and build a more complete understanding of an attacker's long-term goals and motivations.
This entry is optional
The language
field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language
field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language
field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
This entry is optional
The reason or purpose behind the malicious activity attributed to this Actor. By understanding a threat actor's motivation, analysts can better predict the attacker's behavior and anticipate future malicious actions.
This entry is optional
Provides information about the resources and capabilities of the attacker that could be used to assist in planning and operations related to the threat.
It can be used to describe Infrastructure, Tools, Techniques, and Capabilities used by the threat actor.
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity.
This entry is required
A single line, short summary of the object.
This entry is required
Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface.
For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware.
The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected.
If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.
This entry is optional
Represents the source of the intelligence that led to the creation of the entity.
This entry is required
URI of the source of the intelligence that led to the creation of the entity.
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value.
This entry is required
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red
, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber
or green
, indicating that it can be shared more broadly within an organization.
This entry is optional
This entry is required
Indicates the time span for which the information about the Actor is relevant, and after which it could become outdated.
Identity Describes a person or an organization.
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | ✓ | |
related_identities | RelatedIdentity Object List | Identifies other entity Identities related to this Identity. | ✓ |
This entry is required
Identifies other entity Identities related to this Identity.
RelatedIdentity Describes a related Identity
Property | Type | Description | Required? |
---|---|---|---|
identity | String | The reference (URI) of the related Identity object. | ✓ |
confidence | HighMedLowString | Specifies the level of confidence in the assertion of the relationship between the two objects. | |
information_source | String | Specifies the source of the information about the relationship between the two components. | |
relationship | String |
Specifies the level of confidence in the assertion of the relationship between the two objects.
This entry is optional
The reference (URI) of the related Identity object.
This entry is required
Specifies the source of the information about the relationship between the two components.
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound. |
If end_time is not present, then the valid time position of the object does not have an upper bound.
This entry is optional
If not present, the valid time position of the indicator does not have an upper bound.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource. |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource.
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
text | String | ✓ | |
type | String | ✓ |
Can you improve this documentation? These fine people already did:
Ag Ibragimov, Guillaume Buisson, Guillaume Erétéo, Matthieu Sprunck, Ambrose Bonnaire-Sergeant, jyoverma, Scott McLeod, Sam Waggoner, Guillaume ERETEO, Craig Brozefsky, t2sw, bswanson, Mario Aquino, Mia, Kirill Chernyshov, Mark Herman, Mason Costa, mcosta85 & Alexander R. Saint CroixEdit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close