Liking cljdoc? Tell your friends :D

Casebook Object

Casebook Describes a CTIM Casebook which works like a structured gist

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	CasebookTypeIdentifierString		✓
bundle	Bundle Object
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
observables	Observable Object List
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
texts	Text Object List
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: #

Property bundle ∷ Bundle Object

This entry is optional

Bundle Object Value
- Details: Bundle Object

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property observables ∷ Observable Object List

This entry is optional
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property texts ∷ Text Object List

This entry is optional
This entry's type is sequential (allows zero or more values)

Text Object Value
- Details: Text Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ CasebookTypeIdentifierString

This entry is required
- Must equal: "casebook"

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

Bundle Object

Bundle Describes a Bundle of any set of CTIM entities

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedStringString		✓
type	BundleTypeIdentifierString		✓
valid_time	ValidTime Object		✓
actor_refs	#{String}
actors	#{Actor Object}	a list of `Actor`
asset_mapping_refs	#{String}
asset_mappings	#{AssetMapping Object}	a list of `AssetMapping`
asset_properties	#{AssetProperties Object}	a list of `AssetProperties`
asset_properties_refs	#{String}
asset_refs	#{String}
assets	#{Asset Object}	a list of `Asset`
attack_pattern_refs	#{String}
attack_patterns	#{AttackPattern Object}	a list of `AttackPattern`
campaign_refs	#{String}
campaigns	#{Campaign Object}	a list of `Campaign`
coa_refs	#{String}
coas	#{COA Object}	a list of `COA`
data_table_refs	#{String}
data_tables	#{DataTable Object}	a list of `DataTable`
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
feedback_refs	#{String}
feedbacks	#{Feedback Object}	a list of `Feedback`
identity_assertion_refs	#{String}
identity_assertions	#{IdentityAssertion Object}	a list of `IdentityAssertion`
incident_refs	#{String}
incidents	#{Incident Object}	a list of `Incident`
indicator_refs	#{String}
indicators	#{Indicator Object}	a list of `Indicator`
judgement_refs	#{String}
judgements	#{Judgement Object}	a list of `Judgement`
language	ShortStringString	The human language this object is specified in.
malware_refs	#{String}
malwares	#{Malware Object}	a list of `Malware`
note_refs	#{String}
notes	#{Note Object}	a list of `Note`
relationship_refs	#{String}
relationships	#{Relationship Object}	a list of `Relationship`
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
sighting_refs	#{String}
sightings	#{Sighting Object}	a list of `Sighting`
source_uri	String
target_record_refs	#{String}
target_records	#{TargetRecord Object}	a list of `TargetRecord`
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.
tool_refs	#{String}
tools	#{Tool Object}	a list of `Tool`
verdict_refs	#{String}
verdicts	#{Verdict Object}	a list of `Verdict`
vulnerabilities	#{Vulnerability Object}	a list of `Vulnerability`
vulnerability_refs	#{String}
weakness_refs	#{String}
weaknesses	#{Weakness Object}	a list of `Weakness`

Reference: #

Property actor_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property actors ∷ #{Actor Object}

a list of Actor

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Actor Object Value
- Details: Actor Object

Property asset_mapping_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property asset_mappings ∷ #{AssetMapping Object}

a list of AssetMapping

This entry is optional
This entry's type is a set (allows zero or more distinct values)

AssetMapping Object Value
- Details: AssetMapping Object

Property asset_properties ∷ #{AssetProperties Object}

a list of AssetProperties

This entry is optional
This entry's type is a set (allows zero or more distinct values)

AssetProperties Object Value
- Details: AssetProperties Object

Property asset_properties_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property asset_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property assets ∷ #{Asset Object}

a list of Asset

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Asset Object Value
- Details: Asset Object

Property attack_pattern_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property attack_patterns ∷ #{AttackPattern Object}

a list of AttackPattern

This entry is optional
This entry's type is a set (allows zero or more distinct values)

AttackPattern Object Value
- Details: AttackPattern Object

Property campaign_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property campaigns ∷ #{Campaign Object}

a list of Campaign

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Campaign Object Value
- Details: Campaign Object

Property coa_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property coas ∷ #{COA Object}

a list of COA

This entry is optional
This entry's type is a set (allows zero or more distinct values)

COA Object Value
- Details: COA Object

Property data_table_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property data_tables ∷ #{DataTable Object}

a list of DataTable

This entry is optional
This entry's type is a set (allows zero or more distinct values)

DataTable Object Value
- Details: DataTable Object

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property feedback_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property feedbacks ∷ #{Feedback Object}

a list of Feedback

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Feedback Object Value
- Details: Feedback Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity_assertion_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property identity_assertions ∷ #{IdentityAssertion Object}

a list of IdentityAssertion

This entry is optional
This entry's type is a set (allows zero or more distinct values)

IdentityAssertion Object Value
- Details: IdentityAssertion Object

Property incident_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property incidents ∷ #{Incident Object}

a list of Incident

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Incident Object Value
- Details: Incident Object

Property indicator_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property indicators ∷ #{Indicator Object}

a list of Indicator

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Indicator Object Value
- Details: Indicator Object

Property judgement_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property judgements ∷ #{Judgement Object}

a list of Judgement

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Judgement Object Value
- Details: Judgement Object

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property malware_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property malwares ∷ #{Malware Object}

a list of Malware

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Malware Object Value
- Details: Malware Object

Property note_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property notes ∷ #{Note Object}

a list of Note

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Note Object Value
- Details: Note Object

Property relationship_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property relationships ∷ #{Relationship Object}

a list of Relationship

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Relationship Object Value
- Details: Relationship Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property sighting_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property sightings ∷ #{Sighting Object}

a list of Sighting

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Sighting Object Value
- Details: Sighting Object

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property target_record_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property target_records ∷ #{TargetRecord Object}

a list of TargetRecord

This entry is optional
This entry's type is a set (allows zero or more distinct values)

TargetRecord Object Value
- Details: TargetRecord Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property tool_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property tools ∷ #{Tool Object}

a list of Tool

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Tool Object Value
- Details: Tool Object

Property type ∷ BundleTypeIdentifierString

This entry is required
- Must equal: "bundle"

Property valid_time ∷ ValidTime Object

This entry is required

ValidTime Object Value
- Details: ValidTime Object

Property verdict_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property verdicts ∷ #{Verdict Object}

a list of Verdict

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Verdict Object Value
- Details: Verdict Object

Property vulnerabilities ∷ #{Vulnerability Object}

a list of Vulnerability

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Vulnerability Object Value
- Details: Vulnerability Object

Property vulnerability_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property weakness_refs ∷ #{String}

This entry is optional
This entry's type is a set (allows zero or more distinct values)
- A URI leading to an entity

Property weaknesses ∷ #{Weakness Object}

a list of Weakness

This entry is optional
This entry's type is a set (allows zero or more distinct values)

Weakness Object Value
- Details: Weakness Object

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Vulnerability Object

Vulnerability a mistake in software that can be directly used by a hacker to gain access to a system or network

Property	Type	Description	Required?
description	MarkdownString	A description that provides more details and context about the Vulnerability, potentially including its purpose and its key characteristics.	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	VulnerabilityTypeIdentifierString	The fixed value vulnerability	✓
configurations	Configurations Object
cve	CVE Object
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
impact	VulnerabilityImpact Object
language	ShortStringString	The human language this object is specified in.
last_modified_date	Inst (Date)
published_date	Inst (Date)
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: Vulnerability

Property configurations ∷ Configurations Object

This entry is optional

Configurations Object Value
- Details: Configurations Object

Property cve ∷ CVE Object

This entry is optional

CVE Object Value
- Details: CVE Object

Property description ∷ MarkdownString

A description that provides more details and context about the Vulnerability, potentially including its purpose and its key characteristics.

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ VulnerabilityImpact Object

This entry is optional

VulnerabilityImpact Object Value
- Details: VulnerabilityImpact Object

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property last_modified_date ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property published_date ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ VulnerabilityTypeIdentifierString

The fixed value vulnerability

This entry is required
- VulnerabilityTypeIdentifier The fixed value "vulnerability"
- Must equal: "vulnerability"

Configurations Object

Property	Type	Description	Required?
CVE_data_version	ShortStringString		✓
nodes	CPENode Object List		✓

Property CVE_data_version ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property nodes ∷ CPENode Object List

This entry is required
This entry's type is sequential (allows zero or more values)

CPENode Object Value
- Details: CPENode Object

CPENode Object

Property	Type	Description	Required?
operator	cpe-node-operator-stringString		✓
children	CPELeafNode Object List
cpe_match	CPEMatch Object List
negate	Boolean	Negates operator when true.

Property children ∷ CPELeafNode Object List

This entry is optional
This entry's type is sequential (allows zero or more values)

CPELeafNode Object Value
- Details: CPELeafNode Object

Property cpe_match ∷ CPEMatch Object List

This entry is optional
This entry's type is sequential (allows zero or more values)

CPEMatch Object Value
- Details: CPEMatch Object

Property negate ∷ Boolean

Negates operator when true.

This entry is optional

Property operator ∷ cpe-node-operator-stringString

This entry is required
- cpe-node-operator-string The operator string influences how seqs of cpe matches are related to one another.
- Allowed Values:
  - AND
  - OR

CPELeafNode Object

Property	Type	Description	Required?
cpe_match	CPEMatch Object List		✓
operator	cpe-node-operator-stringString		✓
negate	Boolean	Negates operator when true.

Property cpe_match ∷ CPEMatch Object List

This entry is required
This entry's type is sequential (allows zero or more values)

CPEMatch Object Value
- Details: CPEMatch Object

Property negate ∷ Boolean

Negates operator when true.

This entry is optional

Property operator ∷ cpe-node-operator-stringString

This entry is required
- cpe-node-operator-string The operator string influences how seqs of cpe matches are related to one another.
- Allowed Values:
  - AND
  - OR

CPEMatch Object

Property	Type	Description	Required?
cpe23Uri	String		✓
vulnerable	Boolean		✓
versionEndExcluding	String	A string representing the upper bound(exclusive) of version in the CPE.
versionEndIncluding	String	A string representing the upper bound(inclusive) of version in the CPE.
versionStartExcluding	String	A string representing the lower bound(exclusive) of version in the CPE.
versionStartIncluding	String	A string representing the lower bound(inclusive) of version in the CPE.

Property cpe23Uri ∷ String

This entry is required
- A text representation of a software or hardware platform.

Property versionEndExcluding ∷ String

A string representing the upper bound(exclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property versionEndIncluding ∷ String

A string representing the upper bound(inclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property versionStartExcluding ∷ String

A string representing the lower bound(exclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property versionStartIncluding ∷ String

A string representing the lower bound(inclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property vulnerable ∷ Boolean

This entry is required

CPEMatch Object

Property	Type	Description	Required?
cpe23Uri	String		✓
vulnerable	Boolean		✓
versionEndExcluding	String	A string representing the upper bound(exclusive) of version in the CPE.
versionEndIncluding	String	A string representing the upper bound(inclusive) of version in the CPE.
versionStartExcluding	String	A string representing the lower bound(exclusive) of version in the CPE.
versionStartIncluding	String	A string representing the lower bound(inclusive) of version in the CPE.

Property cpe23Uri ∷ String

This entry is required
- A text representation of a software or hardware platform.

Property versionEndExcluding ∷ String

A string representing the upper bound(exclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property versionEndIncluding ∷ String

A string representing the upper bound(inclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property versionStartExcluding ∷ String

A string representing the lower bound(exclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property versionStartIncluding ∷ String

A string representing the lower bound(inclusive) of version in the CPE.

This entry is optional
- A string representing a bound of a version in the CPE.

Property vulnerable ∷ Boolean

This entry is required

VulnerabilityImpact Object

Property	Type	Description	Required?
cvss_v2	CVSSv2 Object
cvss_v3	CVSSv3 Object

Property cvss_v2 ∷ CVSSv2 Object

This entry is optional

CVSSv2 Object Value
- Details: CVSSv2 Object

Property cvss_v3 ∷ CVSSv3 Object

This entry is optional

CVSSv3 Object Value
- Details: CVSSv3 Object

CVSSv3 Object

Property	Type	Description	Required?
base_score	Number		✓
base_severity	CVSSv3SeverityString		✓
vector_string	String		✓
attack_complexity	CVSSv3AttackComplexityString	describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability
attack_vector	CVSSv3AttackVectorString	Reflects the context by which vulnerability exploitation is possible
availability_impact	CVSSv3AvailabilityImpactString	measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability
availability_requirement	CVSSv3SecurityRequirementsString
confidentiality_impact	CVSSv3ConfidentialityImpactString	measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability
confidentiality_requirement	CVSSv3SecurityRequirementsString
environmental_score	Number
environmental_severity	CVSSv3SeverityString
exploit_code_maturity	CVSSv3ExploitCodeMaturityString	measures the likelihood of the vulnerability being attacked
exploitability_score	Number
impact_score	Number
integrity_impact	CVSSv3IntegrityImpactString	measures the impact to integrity of a successfully exploited vulnerability
integrity_requirement	CVSSv3SecurityRequirementsString
modified_attack_complexity	CVSSv3ModifiedAttackComplexityString	modified attack complexity
modified_attack_vector	CVSSv3ModifiedAttackVectorString	modified attack vector
modified_availability_impact	CVSSv3ModifiedAvailabilityImpactString	modified availability impact
modified_confidentiality_impact	CVSSv3ModifiedConfidentialityImpactString	modified confidentiality impact
modified_integrity_impact	CVSSv3ModifiedIntegrityImpactString	modified integrity impact
modified_privileges_required	CVSSv3ModifiedPrivilegesRequiredString	modified privileges required
modified_scope	CVSSv3ModifiedScopeString	modified scope
modified_user_interaction	CVSSv3ModifiedUserInteractionString	modified user interaction
privileges_required	CVSSv3PrivilegesRequiredString	describes the level of privileges an attacker must possess before successfully exploiting the vulnerability
remediation_level	CVSSv3RemediationLevelString	Remediation Level of a vulnerability is an important factor for prioritization
report_confidence	CVSSv3ReportConfidenceString	measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details
scope	CVSSv3ScopeString	the ability for a vulnerability in one software component to impact resources beyond its means, or privileges
temporal_score	Number	Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)
temporal_severity	CVSSv3SeverityString	temporal severity
user_interaction	CVSSv3UserInteractionString	captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component

Property attack_complexity ∷ CVSSv3AttackComplexityString

describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability

This entry is optional
- CVSSv3AttackComplexity describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). this metric value is largest for the least complex attacks. The list of possible values are: low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. high A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).
- Allowed Values:
  - high
  - low
- Reference: Attack Complexity

Property attack_vector ∷ CVSSv3AttackVectorString

Reflects the context by which vulnerability exploitation is possible

This entry is optional
- CVSSv3AttackVector This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is: network A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed remotely exploitable and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).adjacent_network A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. local A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. physical A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.
- Allowed Values:
  - adjacent_network
  - local
  - network
  - physical
- Reference: Attack Vector

Property availability_impact ∷ CVSSv3AvailabilityImpactString

measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability

This entry is optional
- CVSSv3AvailabilityImpact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented is: high: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). low: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. none: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component.
- Allowed Values:
  - high
  - low
  - none
- Reference: [Availability Impact] (https://www.first.org/cvss/specification-document#2-3-3-Availability-Impact-A)

Property availability_requirement ∷ CVSSv3SecurityRequirementsString

This entry is optional
- CVSSv3SecurityRequirements These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property base_score ∷ Number

This entry is required
- a Score number from 0 to 10

Property base_severity ∷ CVSSv3SeverityString

This entry is required
- Allowed Values:
  - critical
  - high
  - low
  - medium
  - none

Property confidentiality_impact ∷ CVSSv3ConfidentialityImpactString

measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability

This entry is optional
- CVSSv3ConfidentialityImpact measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is: high: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. low: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. none: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component.
- Allowed Values:
  - high
  - low
  - none
- Reference: [Confientiality Impact] (https://www.first.org/cvss/specification-document#2-3-1-Confidentiality-Impact-C)

Property confidentiality_requirement ∷ CVSSv3SecurityRequirementsString

This entry is optional
- CVSSv3SecurityRequirements These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property environmental_score ∷ Number

This entry is optional
- a Score number from 0 to 10

Property environmental_severity ∷ CVSSv3SeverityString

This entry is optional
- Allowed Values:
  - critical
  - high
  - low
  - medium
  - none

Property exploit_code_maturity ∷ CVSSv3ExploitCodeMaturityString

measures the likelihood of the vulnerability being attacked

This entry is optional
- CVSSv3ExploitCodeMaturity This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. high: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. functional: Functional exploit code is available. The code works in most situations where the vulnerability exists. proof_of_concept: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. unproven: No exploit code is available, or an exploit is theoretical.
- Allowed Values:
  - functional
  - high
  - not_defined
  - proof_of_concept
  - unproven
- Reference: [Exploit Code Maturity] (https://www.first.org/cvss/specification-document#3-1-Exploit-Code-Maturity-E)

Property exploitability_score ∷ Number

This entry is optional
- a Score number from 0 to 10

Property impact_score ∷ Number

This entry is optional
- a Score number from 0 to 10

Property integrity_impact ∷ CVSSv3IntegrityImpactString

measures the impact to integrity of a successfully exploited vulnerability

This entry is optional
- CVSSv3IntegrityImpact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is: high: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. low: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.none: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component.
- Allowed Values:
  - high
  - low
  - none
- Reference: [Integrity Impact] (https://www.first.org/cvss/specification-document#2-3-2-Integrity-Impact-I)

Property integrity_requirement ∷ CVSSv3SecurityRequirementsString

This entry is optional
- CVSSv3SecurityRequirements These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Security Requirements] (https://www.first.org/cvss/specification-document#4-1-Security-Requirements-CR-IR-AR)

Property modified_attack_complexity ∷ CVSSv3ModifiedAttackComplexityString

modified attack complexity

This entry is optional
- CVSSv3ModifiedAttackComplexity The same values as Attack Complexity, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - high
  - low
  - not_defined
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_attack_vector ∷ CVSSv3ModifiedAttackVectorString

modified attack vector

This entry is optional
- CVSSv3ModifiedAttackVector The same values as Attack Vector, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - adjacent_network
  - local
  - network
  - not_defined
  - physical
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_availability_impact ∷ CVSSv3ModifiedAvailabilityImpactString

modified availability impact

This entry is optional
- CVSSv3ModifiedAvailabilityImpact The same values as Availability Impact, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_confidentiality_impact ∷ CVSSv3ModifiedConfidentialityImpactString

modified confidentiality impact

This entry is optional
- CVSSv3ModifiedConfidentialityImpact The same values as Confidentiality Impact, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_integrity_impact ∷ CVSSv3ModifiedIntegrityImpactString

modified integrity impact

This entry is optional
- CVSSv3ModifiedIntegrityImpact The same values as Integrity Impact, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_privileges_required ∷ CVSSv3ModifiedPrivilegesRequiredString

modified privileges required

This entry is optional
- CVSSv3ModifiedPrivilegesRequired The same values as Privileges Required, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - high
  - low
  - none
  - not_defined
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_scope ∷ CVSSv3ModifiedScopeString

modified scope

This entry is optional
- CVSSv3ModifiedScope The same values as Scope, as well as not_defined (the default)
- Default: not_defined
- Allowed Values:
  - changed
  - not_defined
  - unchanged
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property modified_user_interaction ∷ CVSSv3ModifiedUserInteractionString

modified user interaction

This entry is optional
- CVSSv3ModifiedUserInteraction The same values as User Interaction, as well as not_defined (the default)
- Allowed Values:
  - none
  - not_defined
  - required
- Reference: [Modified Base Metrics] (https://www.first.org/cvss/specification-document#4-2-Modified-Base-Metrics)

Property privileges_required ∷ CVSSv3PrivilegesRequiredString

describes the level of privileges an attacker must possess before successfully exploiting the vulnerability

This entry is optional
- CVSSv3PrivilegesRequired This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is: none: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. low: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. high: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.
- Allowed Values:
  - high
  - low
  - none
- Reference: [Privileges Required] (https://www.first.org/cvss/specification-document#2-1-3-Privileges-Required-PR)

Property remediation_level ∷ CVSSv3RemediationLevelString

Remediation Level of a vulnerability is an important factor for prioritization

This entry is optional
- CVSSv3RemediationLevel The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. unavailable: There is either no solution available or it is impossible to apply. workaround: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. temporary_fix: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.official_fix: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score.
- Allowed Values:
  - high
  - not_defined
  - offical_fix
  - temporary_fix
  - unavailable
  - workaround
- Reference: [Remediation Level] (https://www.first.org/cvss/specification-document#3-2-Remediation-Level-RL)

Property report_confidence ∷ CVSSv3ReportConfidenceString

measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details

This entry is optional
- CVSSv3ReportConfidence measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is: not_defined: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. confirmed: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. reasonable: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. unknown: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
- Allowed Values:
  - confirmed
  - reasonable
  - unknown
- Reference: [Report Confidence] (https://www.first.org/cvss/specification-document#3-3-Report-Confidence-RC)

Property scope ∷ CVSSv3ScopeString

the ability for a vulnerability in one software component to impact resources beyond its means, or privileges

This entry is optional
- CVSSv3Scope An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. a scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user's instance of Word, and the host's system files. The Base score is greater when a scope change has occurred. The list of possible values is: unchanged: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. changed: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.
- Allowed Values:
  - changed
  - unchanged
- Reference: [Scope] (https://www.first.org/cvss/specification-document#2-2-Scope-S)

Property temporal_score ∷ Number

Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)

This entry is optional
- a Score number from 0 to 10

Property temporal_severity ∷ CVSSv3SeverityString

temporal severity

This entry is optional
- Allowed Values:
  - critical
  - high
  - low
  - medium
  - none

Property user_interaction ∷ CVSSv3UserInteractionString

captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component

This entry is optional
- CVSSv3UserInteraction captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is: none: The vulnerable system can be exploited without interaction from any user. required: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.
- Allowed Values:
  - none
  - required
- Reference: [User Interaction] (https://www.first.org/cvss/specification-document#2-1-4-User-Interaction-UI)

Property vector_string ∷ String

This entry is required
- a text representation of a set of CVSSv3 metrics. It is commonly used to record or transfer CVSSv3 metric information in a concise form

CVSSv2 Object

Property	Type	Required?
base_score	Number	✓
base_severity	HighMedLowString	✓
vector_string	String	✓
access_complexity	CVSSv2AccessComplexityString
access_vector	CVSSv2AccessVectorString
authentication	CVSSv2AuthenticationString
availability_impact	CVSSv2AvailabilityImpactString
availability_requirement	CVSSv2SecurityRequirementString
collateral_damage_potential	CVSSv2CollateralDamagePotentialString
confidentiality_impact	CVSSv2ConfidentialityImpactString
confidentiality_requirement	CVSSv2SecurityRequirementString
environmental_vector_string	String
exploitability	CVSSv2ExploitabilityString
exploitability_score	Number
impact_score	Number
integrity_impact	CVSSv2IntegrityImpactString
integrity_requirement	CVSSv2SecurityRequirementString
obtain_all_privilege	Boolean
obtain_other_privilege	Boolean
obtain_user_privilege	Boolean
remediation_level	CVSSv2RemediationLevelString
report_confidence	CVSSv2ReportConfidenceString
target_distribution	CVSSv2TargetDistributionString
temporal_vector_string	String
user_interaction_required	Boolean

Property access_complexity ∷ CVSSv2AccessComplexityString

This entry is optional
- CVSSv2AccessComplexity This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will.
- Default: low
- Allowed Values:
  - high
  - low
  - medium
- Reference: https://www.first.org/cvss/v2/guide#2-1-2-Access-Complexity-AC

Property access_vector ∷ CVSSv2AccessVectorString

This entry is optional
- CVSSv2AccessVector This metric reflects how the vulnerability is exploited.The more remote an attacker can be to attack a host, the greater the vulnerability score.
- Default: network
- Allowed Values:
  - adjacent network
  - local
  - network
- Reference: https://www.first.org/cvss/v2/guide#2-1-1-Access-Vector-AV

Property authentication ∷ CVSSv2AuthenticationString

This entry is optional
- CVSSv2Authentication This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The fewer authentication instances that are required, the higher the vulnerability score.
- Default: none
- Allowed Values:
  - multiple
  - none
  - single
- Reference: https://www.first.org/cvss/v2/guide#2-1-3-Authentication-Au

Property availability_impact ∷ CVSSv2AvailabilityImpactString

This entry is optional
- CVSSv2AvailabilityImpact This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. Increased availability impact increases the vulnerability score.
- Default: complete
- Allowed Values:
  - complete
  - none
  - partial
- Reference: https://www.first.org/cvss/v2/guide#2-1-6-Availability-Impact-A

Property availability_requirement ∷ CVSSv2SecurityRequirementString

This entry is optional
- CVSSv2SecurityRequirement These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
- Default: not_defined
- Allowed Values:
  - high
  - low
  - medium
  - not_defined
- Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property base_score ∷ Number

This entry is required
- a Score number from 0 to 10

Property base_severity ∷ HighMedLowString

This entry is required
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property collateral_damage_potential ∷ CVSSv2CollateralDamagePotentialString

This entry is optional
- CVSSv2CollateralDamagePotential This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The metric may also measure economic loss of productivity or revenue. Naturally, the greater the damage potential, the higher the vulnerability score.
- Default: not_defined
- Allowed Values:
  - high
  - low
  - low_medium
  - medium_high
  - none
  - not_defined
- Reference: https://www.first.org/cvss/v2/guide#2-3-1-Collateral-Damage-Potential-CDP

Property confidentiality_impact ∷ CVSSv2ConfidentialityImpactString

This entry is optional
- CVSSv2ConfidentialityImpact This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. Increasedconfidentiality impact increases the vulnerability score.
- Default: complete
- Allowed Values:
  - complete
  - none
  - partial
- Reference: https://www.first.org/cvss/v2/guide#2-1-4-Confidentiality-Impact-C

Property confidentiality_requirement ∷ CVSSv2SecurityRequirementString

This entry is optional
- CVSSv2SecurityRequirement These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
- Default: not_defined
- Allowed Values:
  - high
  - low
  - medium
  - not_defined
- Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property environmental_vector_string ∷ String

This entry is optional
- A text representation of a set of CVSSv2 environmental metrics. Environmental metrics allow analysists to calculate threat scores in relation to environmental security requirements, collateral damage potential, and target availability. It is commonly used to record or transfer CVSSv2 metric information in a concise form

Property exploitability ∷ CVSSv2ExploitabilityString

This entry is optional
- CVSSv2Exploitability This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled thereby increasing the severity of the vulnerability.
- Default: not_defined
- Allowed Values:
  - functional
  - high
  - not_defined
  - proof_of_concept
  - unproven
- Reference: https://www.first.org/cvss/v2/guide#2-2-1-Exploitability-E

Property exploitability_score ∷ Number

This entry is optional
- a Score number from 0 to 10

Property impact_score ∷ Number

This entry is optional
- a Score number from 0 to 10

Property integrity_impact ∷ CVSSv2IntegrityImpactString

This entry is optional
- CVSSv2IntegrityImpact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the vulnerability score.
- Default: complete
- Allowed Values:
  - complete
  - none
  - partial
- Reference: https://www.first.org/cvss/v2/guide#2-1-5-Integrity-Impact-I

Property integrity_requirement ∷ CVSSv2SecurityRequirementString

This entry is optional
- CVSSv2SecurityRequirement These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.
- Default: not_defined
- Allowed Values:
  - high
  - low
  - medium
  - not_defined
- Reference: https://www.first.org/cvss/v2/guide#2-3-3-Security-Requirements-CR-IR-AR

Property obtain_all_privilege ∷ Boolean

This entry is optional

Property obtain_other_privilege ∷ Boolean

This entry is optional

Property obtain_user_privilege ∷ Boolean

This entry is optional

Property remediation_level ∷ CVSSv2RemediationLevelString

This entry is optional
- CVSSv2RemediationLevel The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The less official and permanent a fix, the higher the vulnerability score is.
- Default: not_defined
- Allowed Values:
  - not_defined
  - official_fix
  - temporary_fix
  - unavailable
  - workaround
- Reference: https://www.first.org/cvss/v2/guide#2-2-2-Remediation-Level-RL

Property report_confidence ∷ CVSSv2ReportConfidenceString

This entry is optional
- CVSSv2ReportConfidence This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of vulnerabilities are publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
- Default: not_defined
- Allowed Values:
  - confirmed
  - not_defined
  - unconfirmed
  - uncorroborated
- Reference: https://www.first.org/cvss/v2/guide#2-2-3-Report-Confidence-RC

Property target_distribution ∷ CVSSv2TargetDistributionString

This entry is optional
- CVSSv2TargetDistribution This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability. The greater the proportion of vulnerable systems, the higher the score.
- Default: not_defined
- Allowed Values:
  - high
  - low
  - medium
  - none
  - not_defined
- Reference: https://www.first.org/cvss/v2/guide#2-3-2-Target-Distribution-TD

Property temporal_vector_string ∷ String

This entry is optional
- A text representation of a set of CVSSv2 temporal metrics. Temporal metrics allow analysists to calculate threat severity based on temporal factors such as reliability of vulnerability reports, availability of mitigations, and the ease or difficulty of conducting the exploit. It is commonly used to record or transfer CVSSv2 metric information in a concise form

Property user_interaction_required ∷ Boolean

This entry is optional

Property vector_string ∷ String

This entry is required
- a text representation of a set of CVSSv2 metrics. It is commonly used to record or transfer CVSSv2 metric information in a concise form

CVE Object

Property	Type	Description	Required?
cve_data_meta	CVEDataMeta Object		✓

Property cve_data_meta ∷ CVEDataMeta Object

This entry is required

CVEDataMeta Object Value
- Details: CVEDataMeta Object

CVEDataMeta Object

Property	Type	Description	Required?
assigner	ShortStringString
id	ShortStringString

Property assigner ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property id ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Weakness Object

Weakness a mistake or condition that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being vulnerable to attack, allowing an adversary to make items function in unintended ways.

Property	Type	Description	Required?
description	MarkdownString	should be short and limited to the key points that define this weakness	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	WeaknessTypeIdentifierString	The fixed value weakness	✓
abstraction_level	WeaknessAbstractionLevelString	defines the abstraction level for this weakness
affected_resources	SystemResourceString List	identify system resources that can be affected by an exploit of this weakness
alternate_terms	AlternateTerm Object List	indicates one or more other names used to describe this weakness
architectures	Architecture Object List	Applicable architectures
background_details	MarkdownString	information that is relevant but not related to the nature of the weakness itself
common_consequences	Consequence Object List	specify individual consequences associated with a weakness
detection_methods	DetectionMethod Object List	identify methods that may be employed to detect this weakness, including their strengths and limitations
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
functional_areas	FunctionalAreaString List	identifies the functional area of the software in which the weakness is most likely to occur
language	ShortStringString	The human language this object is specified in.
languages	Language Object List	Applicable Languages
likelihood	HighMedLowString	Likelihood of exploit
modes_of_introduction	ModeOfIntroduction Object List	information about how and when a given weakness may be introduced
notes	Note Object List	provide any additional comments about the weakness
operating_systems	OperatingSystem Object List	Applicable operating systems
paradigms	Paradigm Object List	Applicable paradigms
potential_mitigations	Mitigation Object List	describe potential mitigations associated with a weakness
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
structure	WeaknessStructureString	defines the structural nature of the weakness
technologies	Technology Object List	Applicable technologies
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: WeaknessType

Property abstraction_level ∷ WeaknessAbstractionLevelString

defines the abstraction level for this weakness

This entry is optional
- WeaknessAbstractionLevel defines the different abstraction levels that apply to a weakness. A Class is the most abstract type of weakness, typically described independent of any specific language or technology. A Base is a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. A Variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A Compound weakness is a meaningful aggregation of several weaknesses, currently known as either a Chain or Composite.
- Allowed Values:
  - Base
  - Class
  - Compound
  - Variant
- Reference: AbstractionEnumeration

Property affected_resources ∷ SystemResourceString List

identify system resources that can be affected by an exploit of this weakness

This entry is optional
This entry's type is sequential (allows zero or more values)
- SystemResource defines a resource of a system
- Allowed Values:
  - CPU
  - File or Directory
  - Memory
  - System Process
- Reference: ResourceEnumeration

Property alternate_terms ∷ AlternateTerm Object List

indicates one or more other names used to describe this weakness

This entry is optional
This entry's type is sequential (allows zero or more values)

AlternateTerm Object Value
- Details: AlternateTerm Object

Property architectures ∷ Architecture Object List

Applicable architectures

This entry is optional
This entry's type is sequential (allows zero or more values)

Architecture Object Value
- Details: Architecture Object

Property background_details ∷ MarkdownString

information that is relevant but not related to the nature of the weakness itself

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property common_consequences ∷ Consequence Object List

specify individual consequences associated with a weakness

This entry is optional
This entry's type is sequential (allows zero or more values)

Consequence Object Value
- Details: Consequence Object

Property description ∷ MarkdownString

should be short and limited to the key points that define this weakness

This entry is required
- Markdown Markdown string with at most 5000 characters

Property detection_methods ∷ DetectionMethod Object List

identify methods that may be employed to detect this weakness, including their strengths and limitations

This entry is optional
This entry's type is sequential (allows zero or more values)

DetectionMethod Object Value
- Details: DetectionMethod Object

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property functional_areas ∷ FunctionalAreaString List

identifies the functional area of the software in which the weakness is most likely to occur

This entry is optional
This entry's type is sequential (allows zero or more values)
- FunctionalArea Defines the different functional areas of software in which the weakness may appear
- Allowed Values:
  - Authentication
  - Authorization
  - Code Libraries
  - Counters
  - Cryptography
  - Error Handling
  - File Processing
  - Functional-Area-Independent
  - Interprocess Communication
  - Logging
  - Memory Management
  - Networking
  - Number Processing
  - Program Invocation
  - Protection Mechanism
  - Session Management
  - Signals
  - String Processing
- Reference: FunctionalAreaEnumeration

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property languages ∷ Language Object List

Applicable Languages

This entry is optional
This entry's type is sequential (allows zero or more values)

Language Object Value
- Details: Language Object

Property likelihood ∷ HighMedLowString

Likelihood of exploit

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property modes_of_introduction ∷ ModeOfIntroduction Object List

information about how and when a given weakness may be introduced

This entry is optional
This entry's type is sequential (allows zero or more values)

ModeOfIntroduction Object Value
- Details: ModeOfIntroduction Object

Property notes ∷ Note Object List

provide any additional comments about the weakness

This entry is optional
This entry's type is sequential (allows zero or more values)

Note Object Value
- Details: Note Object

Property operating_systems ∷ OperatingSystem Object List

Applicable operating systems

This entry is optional
This entry's type is sequential (allows zero or more values)

OperatingSystem Object Value
- Details: OperatingSystem Object

Property paradigms ∷ Paradigm Object List

Applicable paradigms

This entry is optional
This entry's type is sequential (allows zero or more values)

Paradigm Object Value
- Details: Paradigm Object

Property potential_mitigations ∷ Mitigation Object List

describe potential mitigations associated with a weakness

This entry is optional
This entry's type is sequential (allows zero or more values)

Mitigation Object Value
- Details: Mitigation Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property structure ∷ WeaknessStructureString

defines the structural nature of the weakness

This entry is optional
- WeaknessStructure structural natures of a weakness. A Simple structure represents a single weakness whose exploitation is not dependent on the presence of another weakness. A Composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability, while a Chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability.
- Allowed Values:
  - Chain
  - Composite
  - Simple
- Reference: StructureEnumeration)

Property technologies ∷ Technology Object List

Applicable technologies

This entry is optional
This entry's type is sequential (allows zero or more values)

Technology Object Value
- Details: Technology Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ WeaknessTypeIdentifierString

The fixed value weakness

This entry is required
- WeaknessTypeIdentifier The fixed value "weakness"
- Must equal: "weakness"

Note Object

Property	Type	Description	Required?
note	MarkdownString		✓
type	NoteTypeString		✓

Property note ∷ MarkdownString

This entry is required
- Markdown Markdown string with at most 5000 characters

Property type ∷ NoteTypeString

This entry is required
- NoteType defines the different types of notes that can be associated with a weakness
- Allowed Values:
  - Applicable Platform
  - Maintenance
  - Relationship
  - Research Gap
  - Terminology
  - Theoretical
- Reference: [NoteTypeEnumeration] (https://cwe.mitre.org/documents/schema/#NoteTypeEnumeration)

Mitigation Object

Property	Type	Description	Required?
description	MarkdownString	a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness	✓
effectiveness	EffectivenessString	summarizes how effective the mitigation may be in preventing the weakness
effectiveness_notes	MarkdownString
phases	SoftwarePhaseString List	indicates the development life cycle phase during which this particular mitigation may be applied
strategy	MitigationStrategyString	a general strategy for protecting a system to which this mitigation contributes

Reference: PotentialMitigationsType

Property description ∷ MarkdownString

a description of this individual mitigation including any strengths and shortcomings of this mitigation for the weakness

This entry is required
- Markdown Markdown string with at most 5000 characters

Property effectiveness ∷ EffectivenessString

summarizes how effective the mitigation may be in preventing the weakness

This entry is optional
- Effectiveness related to how effective a mitigation may be in preventing the weakness
- Allowed Values:
  - Defense in Depth
  - High
  - Incidental
  - Limited
  - Moderate
  - None
- Reference: EffectivenessEnumeration

Property effectiveness_notes ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property phases ∷ SoftwarePhaseString List

indicates the development life cycle phase during which this particular mitigation may be applied

This entry is optional
This entry's type is sequential (allows zero or more values)
- SoftwarePhase defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Architecture and Design
  - Build and Compilation
  - Bundling
  - Distribution
  - Documentation
  - Implementation
  - Installation
  - Operation
  - Patching and Maintenance
  - Policy
  - Porting
  - Requirements
  - System Configuration
  - Testing
- Reference: PhaseEnumeration

Property strategy ∷ MitigationStrategyString

a general strategy for protecting a system to which this mitigation contributes

This entry is optional
- MitigationStrategy strategy for protecting a system to which a mitigation contributes
- Allowed Values:
  - Attack Surface Reduction
  - Compilation or Build Hardening
  - Enforcement by Conversion
  - Environment Hardening
  - Firewall
  - Input Validation
  - Language Selection
  - Libraries or Frameworks
  - Output Encoding
  - Parameterization
  - Refactoring
  - Resource Limitation
  - Sandbox or Jail
  - Separation of Privilege
- Reference: MitigationStrategyEnumeration

DetectionMethod Object

Property	Type	Description	Required?
description	MarkdownString	provide some context of how this method can be applied to a specific weakness	✓
method	DetectionMethodString	identifies the particular detection method being described	✓
effectiveness	DetectionEffectivenessString	how effective the detection method may be in detecting the associated weakness
effectiveness_notes	MarkdownString	provides additional discussion of the strengths and shortcomings of this detection method

Reference: DetectionMethodsType

Property description ∷ MarkdownString

provide some context of how this method can be applied to a specific weakness

This entry is required
- Markdown Markdown string with at most 5000 characters

Property effectiveness ∷ DetectionEffectivenessString

how effective the detection method may be in detecting the associated weakness

This entry is optional
- DetectionEffectiveness level of effectiveness that a detection method may have in detecting an associated weakness
- Allowed Values:
  - High
  - Limited
  - Moderate
  - None
  - Opportunistic
  - SOAR Partial
- Reference: DetectionEffectivenessEnumeration

Property effectiveness_notes ∷ MarkdownString

provides additional discussion of the strengths and shortcomings of this detection method

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property method ∷ DetectionMethodString

identifies the particular detection method being described

This entry is required
- DetectionMethod method used to detect a weakness
- Allowed Values:
  - Architecture or Design Review
  - Automated Analysis
  - Automated Dynamic Analysis
  - Automated Static Analysis
  - Automated Static Analysis - Binary or Bytecode
  - Automated Static Analysis - Source Code
  - Black Box
  - Dynamic Analysis with Automated Results Interpretation
  - Dynamic Analysis with Manual Results Interpretation
  - Fuzzing
  - Manual Analysis
  - Manual Dynamic Analysis
  - Manual Static Analysis
  - Manual Static Analysis - Binary or Bytecode
  - Manual Static Analysis - Source Code
  - Other
  - White Box
- Reference: DetectionMethodEnumeration

Consequence Object

Property	Type	Description	Required?
scopes	ConsequenceScopeString List	identifies the security property that is violated	✓
impacts	TechnicalImpactString List	describes the technical impact that arises if an adversary succeeds in exploiting this weakness
likelihood	HighMedLowString	how likely the specific consequence is expected to be seen relative to the other consequences
note	MarkdownString	additional commentary about a consequence

Reference: CommonConsequencesType

Property impacts ∷ TechnicalImpactString List

describes the technical impact that arises if an adversary succeeds in exploiting this weakness

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Alter Execution Logic
  - Bypass Protection Mechanism
  - DoS: Amplification
  - DoS: Crash, Exit, or Restart
  - DoS: Instability
  - DoS: Resource Consumption (CPU)
  - DoS: Resource Consumption (Memory)
  - DoS: Resource Consumption (Other)
  - Execute Unauthorized Code or Commands
  - Gain Privileges or Assume Identity
  - Hide Activities
  - Modify Application Data
  - Modify Files or Directories
  - Modify Memory
  - Quality Degradation
  - Read Application Data
  - Read Files or Directories
  - Read Memory
  - Unexpected State
  - Varies by Context
- Reference: TechnicalImpactEnumeration

Property likelihood ∷ HighMedLowString

how likely the specific consequence is expected to be seen relative to the other consequences

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property note ∷ MarkdownString

additional commentary about a consequence

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property scopes ∷ ConsequenceScopeString List

identifies the security property that is violated

This entry is required
This entry's type is sequential (allows zero or more values)
- ConsequenceScope defines the different areas of software security that can be affected by exploiting a weakness.
- Allowed Values:
  - Access Control
  - Accountability
  - Authentication
  - Authorization
  - Availability
  - Confidentiality
  - Integrity
  - Non-Repudiation
- Reference: ScopeEnumeration

ModeOfIntroduction Object

Property	Type	Description	Required?
phase	SoftwarePhaseString	identifies the point in the software life cycle at which the weakness may be introduced	✓
note	MarkdownString	provides a typical scenario related to introduction during the given phase

Reference: ModesOfIntroductionType

Property note ∷ MarkdownString

provides a typical scenario related to introduction during the given phase

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property phase ∷ SoftwarePhaseString

identifies the point in the software life cycle at which the weakness may be introduced

This entry is required
- SoftwarePhase defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Architecture and Design
  - Build and Compilation
  - Bundling
  - Distribution
  - Documentation
  - Implementation
  - Installation
  - Operation
  - Patching and Maintenance
  - Policy
  - Porting
  - Requirements
  - System Configuration
  - Testing
- Reference: PhaseEnumeration

AlternateTerm Object

Property	Type	Description	Required?
term	ShortStringString	the actual alternate term	✓
description	MarkdownString	provides context for the alternate term by which this weakness may be known.

Property description ∷ MarkdownString

provides context for the alternate term by which this weakness may be known.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property term ∷ ShortStringString

the actual alternate term

This entry is required
- ShortString String with at most 1024 characters

Technology Object

Property	Type	Description	Required?
prevalence	PrevalenceString	defines the different regularities that guide the applicability of platforms	✓
name	ShortStringString	technology name (Web Server, Web Client)

Property name ∷ ShortStringString

technology name (Web Server, Web Client)

This entry is optional
- ShortString String with at most 1024 characters

Property prevalence ∷ PrevalenceString

defines the different regularities that guide the applicability of platforms

This entry is required
- Prevalence defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Often
  - Rarely
  - Sometimes
  - Undetermined
- Reference: PrevalenceEnumeration

Paradigm Object

Property	Type	Description	Required?
prevalence	PrevalenceString	defines the different regularities that guide the applicability of platforms	✓
name	ShortStringString	paradigm name (Client Server, Mainframe)

Property name ∷ ShortStringString

paradigm name (Client Server, Mainframe)

This entry is optional
- ShortString String with at most 1024 characters

Property prevalence ∷ PrevalenceString

defines the different regularities that guide the applicability of platforms

This entry is required
- Prevalence defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Often
  - Rarely
  - Sometimes
  - Undetermined
- Reference: PrevalenceEnumeration

Architecture Object

Property	Type	Description	Required?
prevalence	PrevalenceString	defines the different regularities that guide the applicability of platforms	✓
class	ArchitectureClassString	class of architecture
name	ShortStringString	architecture name (ARM, x86, ...)

Property class ∷ ArchitectureClassString

class of architecture

This entry is optional
- Allowed Values:
  - Embedded
  - Microcomputer
  - Workstation
- Reference: ArchitectureClassEnumeration

Property name ∷ ShortStringString

architecture name (ARM, x86, ...)

This entry is optional
- ShortString String with at most 1024 characters

Property prevalence ∷ PrevalenceString

defines the different regularities that guide the applicability of platforms

This entry is required
- Prevalence defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Often
  - Rarely
  - Sometimes
  - Undetermined
- Reference: PrevalenceEnumeration

OperatingSystem Object

Property	Type	Description	Required?
prevalence	PrevalenceString	defines the different regularities that guide the applicability of platforms	✓
class	OperatingSystemClassString
cpe_id	ShortStringString
name	ShortStringString
version	ShortStringString

Property class ∷ OperatingSystemClassString

This entry is optional
- OperatingSystemClass class of operating systems
- Allowed Values:
  - Android
  - Apple iOS
  - Cisco IOS
  - Linux
  - Unix
  - Windows
  - macOs
- Reference: OperatingSystemClassEnumeration

Property cpe_id ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property name ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property prevalence ∷ PrevalenceString

defines the different regularities that guide the applicability of platforms

This entry is required
- Prevalence defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Often
  - Rarely
  - Sometimes
  - Undetermined
- Reference: PrevalenceEnumeration

Property version ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Language Object

Property	Type	Description	Required?
prevalence	PrevalenceString	defines the different regularities that guide the applicability of platforms	✓
class	LanguageClassString	class of language
name	ShortStringString	Language name (Clojure, Java, ...)

Property class ∷ LanguageClassString

class of language

This entry is optional
- LanguageClass class of source code language
- Allowed Values:
  - Assembly
  - Compiled
  - Interpreted
- Reference: LanguageClassEnumeration

Property name ∷ ShortStringString

Language name (Clojure, Java, ...)

This entry is optional
- ShortString String with at most 1024 characters

Property prevalence ∷ PrevalenceString

defines the different regularities that guide the applicability of platforms

This entry is required
- Prevalence defines the different regularities that guide the applicability of platforms
- Allowed Values:
  - Often
  - Rarely
  - Sometimes
  - Undetermined
- Reference: PrevalenceEnumeration

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

DataTable Object

DataTable A generic table of data, consisting of types and documented columns, and 1 or more rows of data.

Property	Type	Description	Required?
columns	ColumnDefinition Object List	an ordered list of column definitions	✓
id	String	Globally unique URI identifying this object.	✓
rows	Anything List	an ordered list of rows	✓
schema_version	String	CTIM schema version for this entity	✓
type	DataTableTypeIdentifierString		✓
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
row_count	Integer	The number of rows in the data table.
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.
valid_time	ValidTime Object

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

This entry is required
This entry's type is sequential (allows zero or more values)

ColumnDefinition Object Value
- Details: ColumnDefinition Object

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property row_count ∷ Integer

The number of rows in the data table.

This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

This entry is required
This entry's type is sequential (allows zero or more values)

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ DataTableTypeIdentifierString

This entry is required
- Must equal: "data-table"

Property valid_time ∷ ValidTime Object

This entry is optional

ValidTime Object Value
- Details: ValidTime Object

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ColumnDefinition Object

Property	Type	Description	Required?
name	String		✓
type	ColumnTypeString		✓
description	MarkdownString
required	Boolean	If true, the row entries for this column cannot contain nulls. Defaults to true
short_description	String

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property name ∷ String

This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true

This entry is optional

Property short_description ∷ String

This entry is optional

Property type ∷ ColumnTypeString

This entry is required
- Allowed Values:
  - integer
  - markdown
  - number
  - observable
  - string
  - url

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Verdict Object

Verdict A Verdict is chosen from all of the Judgements on that Observable which have not yet expired. The highest priority Judgement becomes the active verdict. If there is more than one Judgement with that priority, then Clean disposition has priority over all others, then Malicious disposition, and so on down to Unknown.

The ID of a verdict is a a str of the form "observable.type:observable.value" for example, "ip:1.1.1.1"

Property	Type	Description	Required?
disposition	DispositionNumberInteger		✓
observable	Observable Object		✓
type	VerdictTypeIdentifierString		✓
valid_time	ValidTime Object		✓
disposition_name	DispositionNameString	The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}
judgement_id	String

Property disposition ∷ DispositionNumberInteger

This entry is required
- DispositionNumber Numeric verdict identifiers
- Allowed Values:
  - 1
  - 2
  - 3
  - 4
  - 5

Property disposition_name ∷ DispositionNameString

The disposition_name field is optional, but is intended to be shown to a user. Applications must therefore remember the mapping of numbers to human words, as in: {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

This entry is optional
- DispositionName String verdict identifiers
- Allowed Values:
  - Clean
  - Common
  - Malicious
  - Suspicious
  - Unknown

Property judgement_id ∷ String

This entry is optional
- A URI leading to a judgement

Property observable ∷ Observable Object

This entry is required

Observable Object Value
- Details: Observable Object

Property type ∷ VerdictTypeIdentifierString

This entry is required
- Must equal: "verdict"

Property valid_time ∷ ValidTime Object

This entry is required

ValidTime Object Value
- Details: ValidTime Object

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

Tool Object

Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.

Property	Type	Description	Required?
description	MarkdownString	A description of object, which may be detailed.	✓
id	String	Globally unique URI identifying this object.	✓
labels	ToolLabelString List	The kind(s) of tool(s) being described.	✓
schema_version	String	CTIM schema version for this entity	✓
short_description	MedStringString	A single line, short summary of the object.	✓
title	ShortStringString	A short title for this object, used as primary display and reference value	✓
type	ToolTypeIdentifierString		✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
kill_chain_phases	KillChainPhase Object List	The list of kill chain phases for which this Tool can be used.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.
tool_version	ShortStringString	The version identifier associated with the Tool.
x_mitre_aliases	ShortStringString List	ATT&CK Software.aliases

Reference: Tool

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of kill chain phases for which this Tool can be used.

This entry is optional
This entry's type is sequential (allows zero or more values)

KillChainPhase Object Value
- Details: KillChainPhase Object

Property labels ∷ ToolLabelString List

The kind(s) of tool(s) being described.

This entry is required
This entry's type is sequential (allows zero or more values)
- ToolLabel Tool labels describe the categories of tools that can be used to perform attacks.
- Allowed Values:
  - credential-exploitation
  - denial-of-service
  - exploitation
  - information-gathering
  - network-capture
  - remote-access
  - vulnerability-scanning
- Reference: Tool Label

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is required
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is required
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property tool_version ∷ ShortStringString

The version identifier associated with the Tool.

This entry is optional
- ShortString String with at most 1024 characters

Property type ∷ ToolTypeIdentifierString

This entry is required
- Must equal: "tool"

Property x_mitre_aliases ∷ ShortStringString List

ATT&CK Software.aliases

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Must equal: "lockheed-martin-cyber-kill-chain"
- Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Allowed Values:
  - actions-on-objective
  - command-and-control
  - delivery
  - exploitation
  - installation
  - reconnaissance
  - weaponization
- Reference: Open Vocabulary

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

TargetRecord Object

TargetRecord A TargetRecord is a Sighting that has no threat or observables associated with it, it's a way of saying they saw a set of observables together as a Target.

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedStringString		✓
targets	Target Object List		✓
type	TargetRecordTypeIdentifierString		✓
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: TargetRecord

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property targets ∷ Target Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Target Object Value
- Details: Target Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ TargetRecordTypeIdentifierString

This entry is required
- Must equal: "target-record"

Target Object

Target Schema for TargetRecord Targets

Property	Type	Description	Required?
observables	Observable Object List		✓
observed_time	ObservedTime Object		✓
type	SensorString		✓
internal	Boolean	Is it internal to our network?
os	String	Source Operating System where TargetRecord was originated.
sensor	String	The OpenC2 Actuator name that best fits the device that is creating this TargetRecord (e.g.: network.firewall, etc.)
source_uri	String

Property internal ∷ Boolean

Is it internal to our network?

This entry is optional

Property observables ∷ Observable Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property observed_time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property os ∷ String

Source Operating System where TargetRecord was originated.

This entry is optional

Property sensor ∷ String

The OpenC2 Actuator name that best fits the device that is creating this TargetRecord (e.g.: network.firewall, etc.)

This entry is optional

Property source_uri ∷ String

This entry is optional
- A URI

Property type ∷ SensorString

This entry is required
- Sensor The sensor/actuator name that best fits a device
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

IdentityAssertion Object

IdentityAssertion Context attributes about the target or any of its observables. Providers could provide different types of assertions regarding a target depending on their own capabilities

Property	Type	Description	Required?
assertions	Assertion Object List	Any known context about the identity attributes	✓
id	String	Globally unique URI identifying this object.	✓
identity	IdentityCoordinates Object	attributes for which the assertion is being made	✓
schema_version	String	CTIM schema version for this entity	✓
type	IdentityAssertionTypeIdentifierString		✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.
valid_time	ValidTime Object

Property assertions ∷ Assertion Object List

Any known context about the identity attributes

This entry is required
This entry's type is sequential (allows zero or more values)

Assertion Object Value
- Details: Assertion Object

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity ∷ IdentityCoordinates Object

attributes for which the assertion is being made

This entry is required

IdentityCoordinates Object Value
- Details: IdentityCoordinates Object

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ IdentityAssertionTypeIdentifierString

This entry is required
- Must equal: "identity-assertion"

Property valid_time ∷ ValidTime Object

This entry is optional

ValidTime Object Value
- Details: ValidTime Object

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Assertion Object

Property	Type	Description	Required?
name	AssertionTypeString		✓
value	String		✓

Property name ∷ AssertionTypeString

This entry is required
- AssertionType an open vocabulary containing well known assertion types
- Allowed Values:
  - cisco:ctr:ad:host_domain_name
  - cisco:ctr:ad:host_resolved_dns
  - cisco:ctr:ad:host_resolved_identities
  - cisco:ctr:ad:normalized_user
  - cisco:ctr:ad:user_domain_name
  - cisco:ctr:ad:user_net_bios_name
  - cisco:ctr:ad:user_resolved_dns
  - cisco:ctr:ad:user_resolved_identities
  - cisco:ctr:common:business_value
  - cisco:ctr:common:ir_attributes
  - cisco:ctr:common:node_label
  - cisco:ctr:device:administrators
  - cisco:ctr:device:connector_version
  - cisco:ctr:device:endpoint_profile
  - cisco:ctr:device:hardware_version
  - cisco:ctr:device:has_ip_blocking
  - cisco:ctr:device:id
  - cisco:ctr:device:last_sync_status
  - cisco:ctr:device:last_sync_time
  - cisco:ctr:device:location
  - cisco:ctr:device:manufacturer
  - cisco:ctr:device:mdm_compliant
  - cisco:ctr:device:mdm_imei
  - cisco:ctr:device:mdm_jail_broken
  - cisco:ctr:device:mdm_registered
  - cisco:ctr:device:model
  - cisco:ctr:device:name
  - cisco:ctr:device:os_version
  - cisco:ctr:device:os_version_name
  - cisco:ctr:device:owner
  - cisco:ctr:device:posture
  - cisco:ctr:device:security_group
  - cisco:ctr:device:serial_number
  - cisco:ctr:device:software_version
  - cisco:ctr:device:status
  - cisco:ctr:device:type
  - cisco:ctr:device:vendor
  - cisco:ctr:user:building
  - cisco:ctr:user:department
  - cisco:ctr:user:emails
  - cisco:ctr:user:entitlements
  - cisco:ctr:user:first_name
  - cisco:ctr:user:groups
  - cisco:ctr:user:last_name
  - cisco:ctr:user:manager
  - cisco:ctr:user:phone_numbers
  - cisco:ctr:user:roles
  - cisco:ctr:user:status
  - cisco:ctr:user:timezone
  - cisco:ctr:user:title
  - cisco:ctr:user:two_factor_enable

Property value ∷ String

This entry is required

IdentityCoordinates Object

Property	Type	Description	Required?
observables	Observable Object List		✓

Property observables ∷ Observable Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Sighting Object

Sighting A single sighting of an indicator

Property	Type	Description	Required?
confidence	HighMedLowString		✓
count	Integer	The number of times the sighting was seen	✓
id	String	Globally unique URI identifying this object.	✓
observed_time	ObservedTime Object		✓
schema_version	String	CTIM schema version for this entity	✓
type	SightingTypeIdentifierString		✓
context	Context Object	Context including the event type that best fits the type of the sighting
data	SightingDataTable Object	An embedded data table for the Sighting.
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
internal	Boolean	Is it internal to our network
language	ShortStringString	The human language this object is specified in.
observables	Observable Object List	The object(s) of interest
relations	ObservedRelation Object List	Provide any context we can about where the observable came from
resolution	ResolutionString
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
sensor	SensorString	The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
sensor_coordinates	SensorCoordinates Object
severity	SeverityString
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
targets	IdentitySpecification Object List	The target device. Where the sighting came from.
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: SightingType

Property confidence ∷ HighMedLowString

This entry is required
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property context ∷ Context Object

Context including the event type that best fits the type of the sighting

This entry is optional

Context Object Value
- Details: Context Object

Property count ∷ Integer

The number of times the sighting was seen

This entry is required
- Zero, or a positive integer

Property data ∷ SightingDataTable Object

An embedded data table for the Sighting.

This entry is optional

SightingDataTable Object Value
- Details: SightingDataTable Object

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property internal ∷ Boolean

Is it internal to our network

This entry is optional

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property observables ∷ Observable Object List

The object(s) of interest

This entry is optional
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property observed_time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property relations ∷ ObservedRelation Object List

Provide any context we can about where the observable came from

This entry is optional
This entry's type is sequential (allows zero or more values)

ObservedRelation Object Value
- Details: ObservedRelation Object

Property resolution ∷ ResolutionString

This entry is optional
- Resolution indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP
- Default: detected
- Allowed Values:
  - allowed
  - blocked
  - contained
  - detected

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property sensor ∷ SensorString

The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)

This entry is optional
- Sensor The sensor/actuator name that best fits a device
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

Property sensor_coordinates ∷ SensorCoordinates Object

This entry is optional

SensorCoordinates Object Value
- Details: SensorCoordinates Object

Property severity ∷ SeverityString

This entry is optional
- Allowed Values:
  - Critical
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property targets ∷ IdentitySpecification Object List

The target device. Where the sighting came from.

This entry is optional
This entry's type is sequential (allows zero or more values)

IdentitySpecification Object Value
- Details: IdentitySpecification Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ SightingTypeIdentifierString

This entry is required
- Must equal: "sighting"

Context Object

Property	Type	Description
file_create_events	FileCreateType Object List	a list of `FileCreateType`
file_delete_events	FileDeleteType Object List	a list of `FileDeleteType`
file_modify_events	FileModifyType Object List	a list of `FileModifyType`
file_move_events	FileMoveType Object List	a list of `FileMoveType`
http_events	HTTPType Object List	a list of `HTTPType`
library_load_events	LibraryLoadType Object List	a list of `LibraryLoadType`
netflow_events	NetflowType Object List	a list of `NetflowType`
process_create_events	ProcessCreateType Object List	a list of `ProcessCreate`
registry_create_events	RegistryCreateType Object List	a list of `RegistryCreateType`
registry_delete_events	RegistryDeleteType Object List	a list of `RegistryDeleteType`
registry_rename_events	RegistryRenameType Object List	a list of `RegistryRenameType`
registry_set_events	RegistrySetType Object List	a list of `RegistrySetType`

Property file_create_events ∷ FileCreateType Object List

a list of FileCreateType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileCreateType Object Value
- Details: FileCreateType Object

Property file_delete_events ∷ FileDeleteType Object List

a list of FileDeleteType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileDeleteType Object Value
- Details: FileDeleteType Object

Property file_modify_events ∷ FileModifyType Object List

a list of FileModifyType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileModifyType Object Value
- Details: FileModifyType Object

Property file_move_events ∷ FileMoveType Object List

a list of FileMoveType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileMoveType Object Value
- Details: FileMoveType Object

Property http_events ∷ HTTPType Object List

a list of HTTPType

This entry is optional
This entry's type is sequential (allows zero or more values)

HTTPType Object Value
- Details: HTTPType Object

Property library_load_events ∷ LibraryLoadType Object List

a list of LibraryLoadType

This entry is optional
This entry's type is sequential (allows zero or more values)

LibraryLoadType Object Value
- Details: LibraryLoadType Object

Property netflow_events ∷ NetflowType Object List

a list of NetflowType

This entry is optional
This entry's type is sequential (allows zero or more values)

NetflowType Object Value
- Details: NetflowType Object

Property process_create_events ∷ ProcessCreateType Object List

a list of ProcessCreate

This entry is optional
This entry's type is sequential (allows zero or more values)

ProcessCreateType Object Value
- Details: ProcessCreateType Object

Property registry_create_events ∷ RegistryCreateType Object List

a list of RegistryCreateType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistryCreateType Object Value
- Details: RegistryCreateType Object

Property registry_delete_events ∷ RegistryDeleteType Object List

a list of RegistryDeleteType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistryDeleteType Object Value
- Details: RegistryDeleteType Object

Property registry_rename_events ∷ RegistryRenameType Object List

a list of RegistryRenameType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistryRenameType Object Value
- Details: RegistryRenameType Object

Property registry_set_events ∷ RegistrySetType Object List

a list of RegistrySetType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistrySetType Object Value
- Details: RegistrySetType Object

RegistryRenameType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
registry_old_key	ShortStringString	✓
time	ObservedTime Object	✓
type	RegistryRenameTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property registry_old_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistryRenameTypeIdentifierString

This entry is required
- Must equal: "RegistryRenameEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryDeleteType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
registry_value	MedStringString	✓
time	ObservedTime Object	✓
type	RegistryDeleteTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property registry_value ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistryDeleteTypeIdentifierString

This entry is required
- Must equal: "RegistryDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistrySetType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_data	LongStringString	✓
registry_key	ShortStringString	✓
registry_value	MedStringString	✓
time	ObservedTime Object	✓
type	RegistrySetTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString
registry_data_length	Integer

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property registry_data ∷ LongStringString

This entry is required
- LongString String with at most 5000 characters

Property registry_data_length ∷ Integer

This entry is optional

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property registry_value ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistrySetTypeIdentifierString

This entry is required
- Must equal: "RegistrySetEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryCreateType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
time	ObservedTime Object	✓
type	RegistryCreateTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistryCreateTypeIdentifierString

This entry is required
- Must equal: "RegistryCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

HTTPType Object

Property	Type	Required?
host	ShortStringString	✓
method	HTTPMethodString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
traffic	Traffic Object	✓
type	HTTPTypeIdentifierString	✓
url_port	Integer	✓
encrypted	Boolean
process_guid	Integer
process_username	ShortStringString
query	LongStringString

Property encrypted ∷ Boolean

This entry is optional

Property host ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property method ∷ HTTPMethodString

This entry is required
- Allowed Values:
  - CONNECT
  - GET
  - HEAD
  - OPTIONS
  - PATCH
  - POST
  - PUT
  - TRACE

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property query ∷ LongStringString

This entry is optional
- LongString String with at most 5000 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property traffic ∷ Traffic Object

This entry is required

Traffic Object Value
- Details: Traffic Object

Property type ∷ HTTPTypeIdentifierString

This entry is required
- Must equal: "HTTPEvent"

Property url_port ∷ Integer

This entry is required

Traffic Object

Property	Type	Required?
destination_ip	String	✓
destination_port	Integer	✓
direction	TrafficDirectionString	✓
protocol	String	✓
source_ip	String	✓
source_port	Integer	✓
destination_host_name	String
destination_subnet	String
source_subnet	String

Property destination_host_name ∷ String

This entry is optional

Property destination_ip ∷ String

This entry is required

Property destination_port ∷ Integer

This entry is required

Property destination_subnet ∷ String

This entry is optional

Property direction ∷ TrafficDirectionString

This entry is required
- Allowed Values:
  - incoming
  - outgoing

Property protocol ∷ String

This entry is required

Property source_ip ∷ String

This entry is required

Property source_port ∷ Integer

This entry is required

Property source_subnet ∷ String

This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

NetflowType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
traffic	Traffic Object	✓
type	NetflowTypeIdentifierString	✓
byte_count_in	Integer
byte_count_out	Integer
flow_time	Inst (Date)
parent_process_account	ShortStringString
parent_process_account_type	ShortStringString
parent_process_args	ShortStringString
parent_process_hash	ShortStringString
parent_process_id	Integer
parent_process_name	ShortStringString
parent_process_path	ShortStringString
process_account	ShortStringString
process_account_type	ShortStringString
process_args	ShortStringString
process_guid	Integer
process_hash	ShortStringString
process_path	ShortStringString
process_username	ShortStringString

Property byte_count_in ∷ Integer

This entry is optional

Property byte_count_out ∷ Integer

This entry is optional

Property flow_time ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_account ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_account_type ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_args ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_hash ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_id ∷ Integer

This entry is optional

Property parent_process_name ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_path ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_account ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_account_type ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_args ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_guid ∷ Integer

This entry is optional

Property process_hash ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_path ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property traffic ∷ Traffic Object

This entry is required

Traffic Object Value
- Details: Traffic Object

Property type ∷ NetflowTypeIdentifierString

This entry is required
- Must equal: "NetflowEvent"

Traffic Object

Property	Type	Required?
destination_ip	String	✓
destination_port	Integer	✓
direction	TrafficDirectionString	✓
protocol	String	✓
source_ip	String	✓
source_port	Integer	✓
destination_host_name	String
destination_subnet	String
source_subnet	String

Property destination_host_name ∷ String

This entry is optional

Property destination_ip ∷ String

This entry is required

Property destination_port ∷ Integer

This entry is required

Property destination_subnet ∷ String

This entry is optional

Property direction ∷ TrafficDirectionString

This entry is required
- Allowed Values:
  - incoming
  - outgoing

Property protocol ∷ String

This entry is required

Property source_ip ∷ String

This entry is required

Property source_port ∷ Integer

This entry is required

Property source_subnet ∷ String

This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileMoveType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
new_name	ShortStringString	✓
old_name	ShortStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileMoveTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property new_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property old_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileMoveTypeIdentifierString

This entry is required
- Must equal: "FileMoveEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileModifyType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileModifyTypeIdentifierString	✓
failed	Boolean
process_guid	Integer
process_username	ShortStringString

Property failed ∷ Boolean

This entry is optional

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileModifyTypeIdentifierString

This entry is required
- Must equal: "FileModifyEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileDeleteType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileDeleteTypeIdentifierString	✓
failed	Boolean
process_guid	Integer
process_username	ShortStringString

Property failed ∷ Boolean

This entry is optional

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileDeleteTypeIdentifierString

This entry is required
- Must equal: "FileDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileCreateType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileCreateTypeIdentifierString	✓
failed	Boolean
process_guid	Integer
process_username	ShortStringString

Property failed ∷ Boolean

This entry is optional

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileCreateTypeIdentifierString

This entry is required
- Must equal: "FileCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

LibraryLoadType Object

Property	Type	Required?
dll_library_name	ShortStringString	✓
dll_library_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	LibraryLoadTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property dll_library_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property dll_library_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ LibraryLoadTypeIdentifierString

This entry is required
- Must equal: "LibraryLoadEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ProcessCreateType Object

Property	Type	Required?
creation_time	Inst (Date)	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	ProcessCreateTypeIdentifierString	✓
parent_creation_time	Inst (Date)
parent_process_args	MedStringString
parent_process_disposition	ShortStringString
parent_process_guid	Integer
parent_process_hash	MedStringString
parent_process_id	Integer
parent_process_name	ShortStringString
parent_process_size	Integer
parent_process_username	ShortStringString
process_args	MedStringString
process_disposition	ShortStringString
process_guid	Integer
process_hash	MedStringString
process_size	Integer
process_username	ShortStringString

Property creation_time ∷ Inst (Date)

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_creation_time ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_args ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property parent_process_disposition ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_guid ∷ Integer

This entry is optional

Property parent_process_hash ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property parent_process_id ∷ Integer

This entry is optional

Property parent_process_name ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property parent_process_size ∷ Integer

This entry is optional

Property parent_process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_args ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property process_disposition ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property process_guid ∷ Integer

This entry is optional

Property process_hash ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

Property process_size ∷ Integer

This entry is optional

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ ProcessCreateTypeIdentifierString

This entry is required
- Must equal: "ProcessCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ObservedRelation Object

ObservedRelation A relation inside a Sighting.

Property	Type	Required?
origin	String	✓
related	Observable Object	✓
relation	ObservableRelationTypeString	✓
source	Observable Object	✓
origin_uri	String
relation_info	Object

Property origin ∷ String

This entry is required

Property origin_uri ∷ String

This entry is optional
- A URI

Property related ∷ Observable Object

This entry is required

Observable Object Value
- Details: Observable Object

Property relation ∷ ObservableRelationTypeString

This entry is required
- Allowed Values:
  - Allocated
  - Allocated_By
  - Attached_To
  - Bound
  - Bound_By
  - Characterized_By
  - Characterizes
  - Child_Of
  - Closed
  - Closed_By
  - Compressed
  - Compressed_By
  - Compressed_From
  - Compressed_Into
  - Connected_From
  - Connected_To
  - Contained_Within
  - Contains
  - Copied
  - Copied_By
  - Copied_From
  - Copied_To
  - Created
  - Created_By
  - Decoded
  - Decoded_By
  - Decompressed
  - Decompressed_By
  - Decrypted
  - Decrypted_By
  - Deleted
  - Deleted_By
  - Deleted_From
  - Downloaded
  - Downloaded_By
  - Downloaded_From
  - Downloaded_To
  - Dropped
  - Dropped_By
  - Encoded
  - Encoded_By
  - Encrypted
  - Encrypted_By
  - Encrypted_From
  - Encrypted_To
  - Extracted_From
  - FQDN_Of
  - Freed
  - Freed_By
  - Hooked
  - Hooked_By
  - Initialized_By
  - Initialized_To
  - Injected
  - Injected_As
  - Injected_By
  - Injected_Into
  - Installed
  - Installed_By
  - Joined
  - Joined_By
  - Killed
  - Killed_By
  - Listened_On
  - Listened_On_By
  - Loaded_From
  - Loaded_Into
  - Locked
  - Locked_By
  - Mapped_By
  - Mapped_Into
  - Merged
  - Merged_By
  - Modified_Properties_Of
  - Monitored
  - Monitored_By
  - Moved
  - Moved_By
  - Moved_From
  - Moved_To
  - Opened
  - Opened_By
  - Packed
  - Packed_By
  - Packed_From
  - Packed_Into
  - Parent_Of
  - Paused
  - Paused_By
  - Previously_Contained
  - Properties_Modified_By
  - Properties_Queried
  - Properties_Queried_By
  - Read_From
  - Read_From_By
  - Received
  - Received_By
  - Received_From
  - Received_Via_Upload
  - Redirects_To
  - Refers_To
  - Related_To
  - Renamed
  - Renamed_By
  - Renamed_From
  - Renamed_To
  - Resolved_To
  - Resumed
  - Resumed_By
  - Root_Domain_Of
  - Searched_For
  - Searched_For_By
  - Sent
  - Sent_By
  - Sent_To
  - Sent_Via_Upload
  - Set_From
  - Set_To
  - Sub-domain_Of
  - Supra-domain_Of
  - Suspended
  - Suspended_By
  - Unhooked
  - Unhooked_By
  - Unlocked
  - Unlocked_By
  - Unpacked
  - Unpacked_By
  - Uploaded
  - Uploaded_By
  - Uploaded_From
  - Uploaded_To
  - Used
  - Used_By
  - Values_Enumerated
  - Values_Enumerated_By
  - Written_To_By
  - Wrote_To

Property relation_info ∷ Object

This entry is optional

Object Value
- Details: Object

Property source ∷ Observable Object

This entry is required

Observable Object Value
- Details: Observable Object

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

Object

Property	Type	Description	Required?
Keyword	Anything		✓

Property Keyword ∷ Anything

This entry is required

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

IdentitySpecification Object

IdentitySpecification Describes the target of the sighting and contains identifying observables for the target.

Property	Type	Required?
observables	Observable Object List	✓
observed_time	ObservedTime Object	✓
type	SensorString	✓
os	String

Property observables ∷ Observable Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property observed_time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property os ∷ String

This entry is optional

Property type ∷ SensorString

This entry is required
- Sensor The sensor/actuator name that best fits a device
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

SensorCoordinates Object

SensorCoordinates Describes the device that made the sighting (sensor) and contains identifying observables for the sensor.

Property	Type	Required?
observables	Observable Object List	✓
type	SensorString	✓
os	String

Property observables ∷ Observable Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property os ∷ String

This entry is optional

Property type ∷ SensorString

This entry is required
- Sensor The sensor/actuator name that best fits a device
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

SightingDataTable Object

SightingDataTable An embedded data table for sightings data.

Property	Type	Description	Required?
columns	ColumnDefinition Object List	an ordered list of column definitions	✓
rows	Anything List	an ordered list of rows	✓
row_count	Integer	The number of rows in the data table.

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

This entry is required
This entry's type is sequential (allows zero or more values)

ColumnDefinition Object Value
- Details: ColumnDefinition Object

Property row_count ∷ Integer

The number of rows in the data table.

This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

This entry is required
This entry's type is sequential (allows zero or more values)

ColumnDefinition Object

Property	Type	Description	Required?
name	String		✓
type	ColumnTypeString		✓
description	MarkdownString
required	Boolean	If true, the row entries for this column cannot contain nulls. Defaults to true
short_description	String

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property name ∷ String

This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true

This entry is optional

Property short_description ∷ String

This entry is optional

Property type ∷ ColumnTypeString

This entry is required
- Allowed Values:
  - integer
  - markdown
  - number
  - observable
  - string
  - url

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Relationship Object

Relationship Represents a relationship between two entities

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
relationship_type	RelationshipTypeString		✓
schema_version	String	CTIM schema version for this entity	✓
source_ref	String		✓
target_ref	String		✓
type	RelationshipTypeIdentifierString		✓
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property relationship_type ∷ RelationshipTypeString

This entry is required
- Allowed Values:
  - attributed-to
  - based-on
  - derived-from
  - detects
  - duplicate-of
  - element-of
  - exploits
  - indicates
  - member-of
  - mitigates
  - related-to
  - sighting-of
  - subtechnique-of
  - targets
  - technique-of
  - uses
  - variant-of

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_ref ∷ String

This entry is required
- A URI leading to an entity

Property source_uri ∷ String

This entry is optional
- A URI

Property target_ref ∷ String

This entry is required
- A URI leading to an entity

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ RelationshipTypeIdentifierString

This entry is required
- Must equal: "relationship"

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Note Object

Note A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the Objects, assigning Text/content to the Object the Note relates to Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum.

Property	Type	Description	Required?
content	MarkdownString		✓
id	String	Globally unique URI identifying this object.	✓
note_class	Keyword		✓
related_entities	NoteRelatedEntity Object List		✓
schema_version	String	CTIM schema version for this entity	✓
type	NoteTypeIdentifierString		✓
author	String
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Property author ∷ String

This entry is optional

Property content ∷ MarkdownString

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property note_class ∷ Keyword

This entry is required

Property related_entities ∷ NoteRelatedEntity Object List

This entry is required
This entry's type is sequential (allows zero or more values)

NoteRelatedEntity Object Value
- Details: NoteRelatedEntity Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ NoteTypeIdentifierString

This entry is required
- Must equal: "note"

NoteRelatedEntity Object

Property	Type	Description	Required?
entity_id	String		✓
entity_type	String		✓

Property entity_id ∷ String

This entry is required
- A URI leading to an entity

Property entity_type ∷ String

This entry is required

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Malware Object

Malware Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.

Property	Type	Description	Required?
description	MarkdownString	A description of object, which may be detailed.	✓
id	String	Globally unique URI identifying this object.	✓
labels	MalwareLabelString List	The type of malware being described.	✓
schema_version	String	CTIM schema version for this entity	✓
short_description	MedStringString	A single line, short summary of the object.	✓
title	ShortStringString	A short title for this object, used as primary display and reference value	✓
type	MalwareTypeIdentifierString		✓
abstraction_level	MalwareAbstractionsString	Malware abstraction level
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
kill_chain_phases	KillChainPhase Object List	The list of Kill Chain Phases for which this Malware can be used.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.
x_mitre_aliases	ShortStringString List	ATT&CK Software.aliases

Reference: Malware

Property abstraction_level ∷ MalwareAbstractionsString

Malware abstraction level

This entry is optional
- MalwareAbstractions Malware Abstraction level
- Allowed Values:
  - family
  - variant
  - version

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Malware can be used.

This entry is optional
This entry's type is sequential (allows zero or more values)

KillChainPhase Object Value
- Details: KillChainPhase Object

Property labels ∷ MalwareLabelString List

The type of malware being described.

This entry is required
This entry's type is sequential (allows zero or more values)
- MalwareLabel Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool.
- Allowed Values:
  - adware
  - backdoor
  - bot
  - ddos
  - dropper
  - exploit-kit
  - keylogger
  - ransomware
  - remote-access-trojan
  - resource-exploitation
  - rogue-security-software
  - rootkit
  - screen-capture
  - spyware
  - trojan
  - virus
  - worm
- Reference: Malware Label

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is required
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is required
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ MalwareTypeIdentifierString

This entry is required
- Must equal: "malware"

Property x_mitre_aliases ∷ ShortStringString List

ATT&CK Software.aliases

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Must equal: "lockheed-martin-cyber-kill-chain"
- Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Allowed Values:
  - actions-on-objective
  - command-and-control
  - delivery
  - exploitation
  - installation
  - reconnaissance
  - weaponization
- Reference: Open Vocabulary

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Judgement Object

Judgement A judgement about the intent or nature of an observable. For example, is it malicious, meaning is is malware and subverts system operations? It could also be clean and be from a known benign, or trusted source. It could also be common, something so widespread that it's not likely to be malicious.

Since a core goal of the CTIA is to provide a simple verdict service, these judgements are the basis for the returned verdicts. These are also the primary means by which users of the CTIA go from observables on their system, to the indicators and threat intelligence data in CTIA.

Property	Type	Description	Required?
confidence	HighMedLowString		✓
disposition	DispositionNumberInteger	Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}	✓
disposition_name	DispositionNameString		✓
id	String	Globally unique URI identifying this object.	✓
observable	Observable Object		✓
priority	Integer		✓
schema_version	String	CTIM schema version for this entity	✓
severity	SeverityString		✓
source	MedStringString		✓
type	JudgementTypeIdentifierString		✓
valid_time	ValidTime Object		✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
reason	ShortStringString
reason_uri	String
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Property confidence ∷ HighMedLowString

This entry is required
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property disposition ∷ DispositionNumberInteger

Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Common", 5 "Unknown"}

This entry is required
- DispositionNumber Numeric verdict identifiers
- Allowed Values:
  - 1
  - 2
  - 3
  - 4
  - 5

Property disposition_name ∷ DispositionNameString

This entry is required
- DispositionName String verdict identifiers
- Allowed Values:
  - Clean
  - Common
  - Malicious
  - Suspicious
  - Unknown

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property observable ∷ Observable Object

This entry is required

Observable Object Value
- Details: Observable Object

Property priority ∷ Integer

This entry is required
- A value 0-100 that determine the priority of a judgement. Curated feeds of black/white lists, for example known good products within your organizations, should use a 95. All automated systems should use a priority of 90, or less. Human judgements should have a priority of 100, so that humans can always override machines.

Property reason ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property reason_uri ∷ String

This entry is optional
- A URI

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ SeverityString

This entry is required
- Allowed Values:
  - Critical
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ JudgementTypeIdentifierString

This entry is required
- Must equal: "judgement"

Property valid_time ∷ ValidTime Object

This entry is required

ValidTime Object Value
- Details: ValidTime Object

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Indicator Object

Indicator An indicator is a test, or a collection of judgements that define criteria for identifying the activity, or presence of malware, or other unwanted software.

We follow the STiX IndicatorType closely, with the exception of not including observables within the indicator, and preferring a specification object encoded in JSON as opposed to an opaque implementation block.

Additional, you will want to either define judgements against Observables that are linked to this indicator, with the ID in the indicators field of those Judgements, or you can provide a specification value.

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
producer	ShortStringString		✓
schema_version	String	CTIM schema version for this entity	✓
type	IndicatorTypeIdentifierString	The fixed value indicator	✓
valid_time	ValidTime Object	The time range during which this Indicator is considered valid.	✓
composite_indicator_expression	CompositeIndicatorExpression Object
confidence	HighMedLowString	level of confidence held in the accuracy of this Indicator
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
indicator_type	IndicatorTypeString List	Specifies the type or types for this Indicator
kill_chain_phases	KillChainPhase Object List	relevant kill chain phases indicated by this Indicator
language	ShortStringString	The human language this object is specified in.
likely_impact	LongStringString	likely potential impact within the relevant context if this Indicator were to occur
negate	Boolean	specifies the absence of the pattern
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
severity	SeverityString
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
specification	JudgementSpecification Object
tags	ShortStringString List	Descriptors for this indicator
test_mechanisms	MedStringString List	Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: IndicatorType

Property composite_indicator_expression ∷ CompositeIndicatorExpression Object

This entry is optional

CompositeIndicatorExpression Object Value
- Details: CompositeIndicatorExpression Object

Property confidence ∷ HighMedLowString

level of confidence held in the accuracy of this Indicator

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property indicator_type ∷ IndicatorTypeString List

Specifies the type or types for this Indicator

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Anonymization
  - C2
  - Compromised PKI Certificate
  - Domain Watchlist
  - Exfiltration
  - File Hash Watchlist
  - Host Characteristics
  - IMEI Watchlist
  - IMSI Watchlist
  - IP Watchlist
  - Login Name
  - Malicious E-mail
  - Malware Artifacts
  - Private Threat Feed
  - URL Watchlist
- Reference: IndicatorTypeVocab

Property kill_chain_phases ∷ KillChainPhase Object List

relevant kill chain phases indicated by this Indicator

This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: simplified

KillChainPhase Object Value
- Details: KillChainPhase Object

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property likely_impact ∷ LongStringString

likely potential impact within the relevant context if this Indicator were to occur

This entry is optional
- LongString String with at most 5000 characters

Property negate ∷ Boolean

specifies the absence of the pattern

This entry is optional

Property producer ∷ ShortStringString

This entry is required
Dev Notes: TODO - Document what is supposed to be in this field!
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property severity ∷ SeverityString

This entry is optional
- Allowed Values:
  - Critical
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property specification ∷ Either

This entry is optional
- Only one of the following schemas will match

JudgementSpecification Object Value
- Details: JudgementSpecification Object

ThreatBrainSpecification Object Value
- Details: ThreatBrainSpecification Object

SnortSpecification Object Value
- Details: SnortSpecification Object

SIOCSpecification Object Value
- Details: SIOCSpecification Object

OpenIOCSpecification Object Value
- Details: OpenIOCSpecification Object

Property tags ∷ ShortStringString List

Descriptors for this indicator

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property test_mechanisms ∷ MedStringString List

Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator

This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: simplified
- MedString String with at most 2048 characters

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ IndicatorTypeIdentifierString

The fixed value indicator

This entry is required
- IndicatorTypeIdentifier The fixed value "indicator"
- Must equal: "indicator"

Property valid_time ∷ ValidTime Object

The time range during which this Indicator is considered valid.

This entry is required

ValidTime Object Value
- Details: ValidTime Object

OpenIOCSpecification Object

OpenIOCSpecification An indicator which contains an XML blob of an openIOC indicator..

Property	Type	Description	Required?
open_IOC	String		✓
type	OpenIOCSpecificationTypeString		✓

Property open_IOC ∷ String

This entry is required

Property type ∷ OpenIOCSpecificationTypeString

This entry is required
- Must equal: "OpenIOC"

SIOCSpecification Object

SIOCSpecification An indicator which runs in snort...

Property	Type	Description	Required?
SIOC	String		✓
type	SIOCSpecificationTypeString		✓

Property SIOC ∷ String

This entry is required

Property type ∷ SIOCSpecificationTypeString

This entry is required
- Must equal: "SIOC"

SnortSpecification Object

SnortSpecification An indicator which runs in snort...

Property	Type	Description	Required?
snort_sig	String		✓
type	SnortSpecificationTypeString		✓

Property snort_sig ∷ String

This entry is required

Property type ∷ SnortSpecificationTypeString

This entry is required
- Must equal: "Snort"

ThreatBrainSpecification Object

ThreatBrainSpecification An indicator which runs in threatbrain...

Property	Type	Required?
type	ThreatBrainSpecificationTypeString	✓
variables	String List	✓
query	String

Property query ∷ String

This entry is optional

Property type ∷ ThreatBrainSpecificationTypeString

This entry is required
- Must equal: "ThreatBrain"

Property variables ∷ String List

This entry is required
This entry's type is sequential (allows zero or more values)

JudgementSpecification Object

JudgementSpecification An indicator based on a list of judgements. If any of the Observables in it's judgements are encountered, than it may be matches against. If there are any required judgements, they all must be matched in order for the indicator to be considered a match.

Property	Type	Required?
judgements	String List	✓
required_judgements	RelatedJudgement Object List	✓
type	JudgementSpecificationTypeString	✓

Property judgements ∷ String List

This entry is required
This entry's type is sequential (allows zero or more values)
- A URI leading to a judgement

Property required_judgements ∷ RelatedJudgement Object List

This entry is required
This entry's type is sequential (allows zero or more values)

RelatedJudgement Object Value
- Details: RelatedJudgement Object

Property type ∷ JudgementSpecificationTypeString

This entry is required
- Must equal: "Judgement"

RelatedJudgement Object

Property	Type	Required?
judgement_id	String	✓
confidence	HighMedLowString
relationship	String
source	String

Property confidence ∷ HighMedLowString

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property judgement_id ∷ String

This entry is required
- A URI leading to a judgement

Property relationship ∷ String

This entry is optional

Property source ∷ String

This entry is optional

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Must equal: "lockheed-martin-cyber-kill-chain"
- Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Allowed Values:
  - actions-on-objective
  - command-and-control
  - delivery
  - exploitation
  - installation
  - reconnaissance
  - weaponization
- Reference: Open Vocabulary

CompositeIndicatorExpression Object

Property	Type	Description	Required?
indicator_ids	String List		✓
operator	BooleanOperatorString		✓

Reference: CompositeIndicatorExpressionType

Property indicator_ids ∷ String List

This entry is required
This entry's type is sequential (allows zero or more values)
- A URI leading to an indicator

Property operator ∷ BooleanOperatorString

This entry is required
- Allowed Values:
  - and
  - not
  - or

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Incident Object

Incident Information about computer security incident response. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents pertain to one or more adverse events, each of which is modeled as a sighting.

Property	Type	Description	Required?
confidence	HighMedLowString	level of confidence held in the characterization of this Incident	✓
id	String	Globally unique URI identifying this object.	✓
incident_time	IncidentTime Object	relevant time values associated with this Incident	✓
schema_version	String	CTIM schema version for this entity	✓
status	StatusString	current status of the incident	✓
type	IncidentTypeIdentifierString		✓
assignees	ShortStringString List	a set of owners assigned to this incident
categories	IncidentCategoryString List	a set of categories for this incident
description	MarkdownString	A description of object, which may be detailed.
discovery_method	DiscoveryMethodString	identifies how the incident was discovered
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
intended_effect	IntendedEffectString	specifies the suspected intended effect of this incident
language	ShortStringString	The human language this object is specified in.
promotion_method	PromotionMethodString	identifies how the incident was promoted
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
scores	IncidentScores Object	the scores associated to the incident
severity	SeverityString	specifies the severity level of an Incident
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
tactics	ShortStringString List	specifies the list of tactic ids (ex: mitre tactic id) of an Incident
techniques	ShortStringString List	specifies the list of technique ids (ex: mitre technique id) of an Incident
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Property assignees ∷ ShortStringString List

a set of owners assigned to this incident

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property categories ∷ IncidentCategoryString List

a set of categories for this incident

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Denial of Service
  - Exercise/Network Defense Testing
  - Improper Usage
  - Investigation
  - Malicious Code
  - Scans/Probes/Attempted Access
  - Unauthorized Access

Property confidence ∷ HighMedLowString

level of confidence held in the characterization of this Incident

This entry is required
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property discovery_method ∷ DiscoveryMethodString

identifies how the incident was discovered

This entry is optional
- Allowed Values:
  - Agent Disclosure
  - Antivirus
  - Audit
  - Customer
  - External - Fraud Detection
  - Financial Audit
  - HIPS
  - IT Audit
  - Incident Response
  - Internal - Fraud Detection
  - Law Enforcement
  - Log Review
  - Monitoring Service
  - NIDS
  - Security Alarm
  - Unknown
  - Unrelated Party
  - User

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property incident_time ∷ IncidentTime Object

relevant time values associated with this Incident

This entry is required
Dev Notes: Was 'time'; renamed for clarity

IncidentTime Object Value
- Details: IncidentTime Object

Property intended_effect ∷ IntendedEffectString

specifies the suspected intended effect of this incident

This entry is optional
- Allowed Values:
  - Account Takeover
  - Advantage
  - Advantage - Economic
  - Advantage - Military
  - Advantage - Political
  - Brand Damage
  - Competitive Advantage
  - Degradation of Service
  - Denial and Deception
  - Destruction
  - Disruption
  - Embarrassment
  - Exposure
  - Extortion
  - Fraud
  - Harassment
  - ICS Control
  - Theft
  - Theft - Credential Theft
  - Theft - Identity Theft
  - Theft - Intellectual Property
  - Theft - Theft of Proprietary Information
  - Traffic Diversion
  - Unauthorized Access

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property promotion_method ∷ PromotionMethodString

identifies how the incident was promoted

This entry is optional
- Allowed Values:
  - Automated
  - Manual

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property scores ∷ IncidentScores Object

the scores associated to the incident

This entry is optional

IncidentScores Object Value
- Details: IncidentScores Object

Property severity ∷ SeverityString

specifies the severity level of an Incident

This entry is optional
- Allowed Values:
  - Critical
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property status ∷ StatusString

current status of the incident

This entry is required
- Allowed Values:
  - Closed
  - Containment Achieved
  - Incident Reported
  - New
  - Open
  - Rejected
  - Restoration Achieved
  - Stalled

Property tactics ∷ ShortStringString List

specifies the list of tactic ids (ex: mitre tactic id) of an Incident

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property techniques ∷ ShortStringString List

specifies the list of technique ids (ex: mitre technique id) of an Incident

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ IncidentTypeIdentifierString

This entry is required
- Must equal: "incident"

IncidentScores Object

Property	Type	Description	Required?
Keyword	Number	A map of scores.

Property Keyword ∷ Number

A map of scores.

This entry is optional
- Allowed Values:
  - :asset
  - :global
  - :ttp
- a non-negative score number

IncidentTime Object

Property	Type	Description	Required?
opened	Inst (Date)	Time the incident was first opened.	✓
closed	Inst (Date)	Time that the incident was last closed.
discovered	Inst (Date)	Time the incident was first discovered.
rejected	Inst (Date)	Time that the incident was first rejected.
remediated	Inst (Date)	Time that the remediation of the damage from the incident was completed.
reported	Inst (Date)	Time the incident was first reported.

Property closed ∷ Inst (Date)

Time that the incident was last closed.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property discovered ∷ Inst (Date)

Time the incident was first discovered.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property opened ∷ Inst (Date)

Time the incident was first opened.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property rejected ∷ Inst (Date)

Time that the incident was first rejected.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property remediated ∷ Inst (Date)

Time that the remediation of the damage from the incident was completed.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property reported ∷ Inst (Date)

Time the incident was first reported.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Feedback Object

Feedback Feedback on any entity. Is it wrong? If so why? Was it right-on, and worthy of confirmation?

Property	Type	Description	Required?
entity_id	String		✓
feedback	Integer		✓
id	String	Globally unique URI identifying this object.	✓
reason	String		✓
schema_version	String	CTIM schema version for this entity	✓
type	FeedbackTypeIdentifierString		✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Property entity_id ∷ String

This entry is required
- A URI leading to an entity

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property feedback ∷ Integer

This entry is required
- Allowed Values:
  - -1
  - 0
  - 1

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property reason ∷ String

This entry is required

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ FeedbackTypeIdentifierString

This entry is required
- Must equal: "feedback"

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

COA Object

COA Course of Action. A corrective or preventative action to be taken in response to a threat

Property	Type	Description	Required?
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
type	COATypeIdentifierString		✓
valid_time	ValidTime Object		✓
coa_type	COATypeString	The type of this COA
cost	HighMedLowString	Characterizes the estimated cost for applying this course of action
description	MarkdownString	A description of object, which may be detailed.
efficacy	HighMedLowString	Effectiveness of this course of action in achieving its targeted objective
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
impact	ShortStringString	Characterizes the estimated impact of applying this course of action
language	ShortStringString	The human language this object is specified in.
objective	ShortStringString List	Characterizes the objective of this course of action
open_c2_coa	OpenC2COA Object
related_COAs	RelatedCOA Object List	Identifies or characterizes relationships to one or more related courses of action
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString
source_uri	String
stage	COAStageString	Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to
structured_coa_type	OpenC2StructuredCOATypeString
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: CourseOfActionType

Property coa_type ∷ COATypeString

The type of this COA

This entry is optional
- Allowed Values:
  - Diplomatic Actions
  - Eradication
  - Hardening
  - Internal Blocking
  - Logical Access Restrictions
  - Monitoring
  - Other
  - Patching
  - Perimeter Blocking
  - Physical Access Restrictions
  - Policy Actions
  - Public Disclosure
  - Rebuilding
  - Redirection
  - Redirection (Honey Pot)
  - Training
- Reference: CourseOfActionTypeVocab

Property cost ∷ HighMedLowString

Characterizes the estimated cost for applying this course of action

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property efficacy ∷ HighMedLowString

Effectiveness of this course of action in achieving its targeted objective

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property impact ∷ ShortStringString

Characterizes the estimated impact of applying this course of action

This entry is optional
- ShortString String with at most 1024 characters

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property objective ∷ ShortStringString List

Characterizes the objective of this course of action

This entry is optional
This entry's type is sequential (allows zero or more values)
Dev Notes: Squashed / simplified
- ShortString String with at most 1024 characters

Property open_c2_coa ∷ OpenC2COA Object

This entry is optional

OpenC2COA Object Value
- Details: OpenC2COA Object

Property related_COAs ∷ RelatedCOA Object List

Identifies or characterizes relationships to one or more related courses of action

This entry is optional
This entry's type is sequential (allows zero or more values)

RelatedCOA Object Value
- Details: RelatedCOA Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property stage ∷ COAStageString

Specifies what stage in the cyber threat management lifecycle this Course Of Action is relevant to

This entry is optional
- Allowed Values:
  - Remedy
  - Response
- Reference: COAStageVocab

Property structured_coa_type ∷ OpenC2StructuredCOATypeString

This entry is optional
- Must equal: "openc2"

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ COATypeIdentifierString

This entry is required
- Must equal: "coa"

Property valid_time ∷ ValidTime Object

This entry is required

ValidTime Object Value
- Details: ValidTime Object

OpenC2COA Object

Property	Type	Required?
action	ActionType Object	✓
type	StructuredCOATypeString	✓
actuator	ActuatorType Object
id	ShortStringString
modifiers	ModifierType Object
target	TargetType Object

Property action ∷ ActionType Object

This entry is required

ActionType Object Value
- Details: ActionType Object

Property actuator ∷ ActuatorType Object

This entry is optional

ActuatorType Object Value
- Details: ActuatorType Object

Property id ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property modifiers ∷ ModifierType Object

This entry is optional

ModifierType Object Value
- Details: ModifierType Object

Property target ∷ TargetType Object

This entry is optional

TargetType Object Value
- Details: TargetType Object

Property type ∷ StructuredCOATypeString

This entry is required
- Must equal: "structured_coa"

ModifierType Object

Property	Type	Description	Required?
additional_properties	AdditionalProperties Object
delay	Inst (Date)
destination	String
duration	Inst (Date)
frequency	ShortStringString
id	ShortStringString
location	String
method	String List
option	ShortStringString
response	String
search	String
source	ShortStringString
time	ValidTime Object

Property additional_properties ∷ AdditionalProperties Object

This entry is optional

AdditionalProperties Object Value
- Details: AdditionalProperties Object

Property delay ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property destination ∷ String

This entry is optional
- Allowed Values:
  - copy-to
  - modify-to
  - move-to
  - report-to
  - restore-point
  - save-to
  - set-to

Property duration ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property frequency ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property id ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property location ∷ String

This entry is optional
- Allowed Values:
  - internal
  - perimeter

Property method ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - acl
  - authenticated
  - blackhole
  - blacklist
  - graceful
  - hibernate
  - honeypot
  - immediate
  - segmentation
  - spawn
  - suspend
  - unauthenticated
  - whitelist

Property option ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property response ∷ String

This entry is optional
- Allowed Values:
  - acknowledge
  - command-ref
  - query
  - status

Property search ∷ String

This entry is optional
- Allowed Values:
  - cve
  - patch
  - signature
  - vendor_bulletin

Property source ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters

Property time ∷ ValidTime Object

This entry is optional

ValidTime Object Value
- Details: ValidTime Object

AdditionalProperties Object

Property	Type	Description	Required?
context	ShortStringString		✓

Property context ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ActuatorType Object

Property	Type	Description	Required?
type	ActuatorTypeString		✓
specifiers	ShortStringString List	list of additional properties describing the actuator

Property specifiers ∷ ShortStringString List

list of additional properties describing the actuator

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property type ∷ ActuatorTypeString

This entry is required
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - other
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

TargetType Object

Property	Type	Description	Required?
type	ShortStringString		✓
specifiers	ShortStringString	Cybox object representing the target

Property specifiers ∷ ShortStringString

Cybox object representing the target

This entry is optional
- ShortString String with at most 1024 characters

Property type ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters

ActionType Object

Property	Type	Description	Required?
type	COATypeString		✓

Property type ∷ COATypeString

This entry is required
- Allowed Values:
  - alert
  - allow
  - augment
  - contain
  - delete
  - deny
  - detonate
  - distill
  - get
  - investigate
  - locate
  - mitigate
  - modify
  - move
  - notify
  - other
  - pause
  - query
  - redirect
  - remediate
  - report
  - response
  - restart
  - restore
  - resume
  - save
  - scan
  - set
  - snapshot
  - start
  - stop
  - substitute
  - sync
  - throttle
  - update
- Reference: OpenC2/STIX COA XML schema

RelatedCOA Object

Property	Type	Required?
COA_id	String	✓
confidence	HighMedLowString
relationship	String
source	String

Property COA_id ∷ String

This entry is required
- A URI leading to a COA

Property confidence ∷ HighMedLowString

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property relationship ∷ String

This entry is optional

Property source ∷ String

This entry is optional

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Campaign Object

Campaign Represents a campaign by an actor pursing an intent

Property	Type	Description	Required?
campaign_type	ShortStringString		✓
description	MarkdownString	A description of object, which may be detailed.	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
short_description	MedStringString	A single line, short summary of the object.	✓
title	ShortStringString	A short title for this object, used as primary display and reference value	✓
type	CampaignTypeIdentifierString		✓
valid_time	ValidTime Object	Timestamp for the definition of a specific version of a campaign	✓
activity	Activity Object List	Actions taken in regards to this Campaign
confidence	HighMedLowString	Level of confidence held in the characterization of this Campaign
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
intended_effect	IntendedEffectString List	Characterizes the intended effect of this cyber threat campaign
language	ShortStringString	The human language this object is specified in.
names	ShortStringString List	Names used to identify this campaign
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
status	CampaignStatusString	Status of this Campaign
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: CampaignType

Property activity ∷ Activity Object List

Actions taken in regards to this Campaign

This entry is optional
This entry's type is sequential (allows zero or more values)

Activity Object Value
- Details: Activity Object

Property campaign_type ∷ ShortStringString

This entry is required
Dev Notes: Should we define a vocabulary for this?
- ShortString String with at most 1024 characters

Property confidence ∷ HighMedLowString

Level of confidence held in the characterization of this Campaign

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property intended_effect ∷ IntendedEffectString List

Characterizes the intended effect of this cyber threat campaign

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Account Takeover
  - Advantage
  - Advantage - Economic
  - Advantage - Military
  - Advantage - Political
  - Brand Damage
  - Competitive Advantage
  - Degradation of Service
  - Denial and Deception
  - Destruction
  - Disruption
  - Embarrassment
  - Exposure
  - Extortion
  - Fraud
  - Harassment
  - ICS Control
  - Theft
  - Theft - Credential Theft
  - Theft - Identity Theft
  - Theft - Intellectual Property
  - Theft - Theft of Proprietary Information
  - Traffic Diversion
  - Unauthorized Access

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property names ∷ ShortStringString List

Names used to identify this campaign

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is required
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property status ∷ CampaignStatusString

Status of this Campaign

This entry is optional
- Allowed Values:
  - Future
  - Historic
  - Ongoing

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is required
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ CampaignTypeIdentifierString

This entry is required
- Must equal: "campaign"

Property valid_time ∷ ValidTime Object

Timestamp for the definition of a specific version of a campaign

This entry is required

ValidTime Object Value
- Details: ValidTime Object

Activity Object

Activity What happend, when?

Property	Type	Description	Required?
date_time	Inst (Date)	Specifies the date and time at which the activity occured	✓
description	MarkdownString	A description of the activity	✓

Reference: ActivityType

Property date_time ∷ Inst (Date)

Specifies the date and time at which the activity occured

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property description ∷ MarkdownString

A description of the activity

This entry is required
- Markdown Markdown string with at most 5000 characters

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

AttackPattern Object

AttackPattern Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.

Property	Type	Description	Required?
description	MarkdownString	A description of object, which may be detailed.	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
short_description	MedStringString	A single line, short summary of the object.	✓
title	ShortStringString	A short title for this object, used as primary display and reference value	✓
type	AttackPatternTypeIdentifierString		✓
abstraction_level	AttackPatternAbstractionsString	The CAPEC abstraction level for patterns describing techniques to attack a system.
external_ids	String List
external_references	ExternalReference Object List	A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
kill_chain_phases	KillChainPhase Object List	The list of Kill Chain Phases for which this Attack Pattern is used.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source	MedStringString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.
x_mitre_contributors	ShortStringString List	ATT&CK Technique.Contributors
x_mitre_data_sources	ShortStringString List	ATT&CK Technique.Data Sources
x_mitre_platforms	ShortStringString List	ATT&CK Technique.Platforms

Reference: Attack Pattern

Property abstraction_level ∷ AttackPatternAbstractionsString

The CAPEC abstraction level for patterns describing techniques to attack a system.

This entry is optional
- AttackPatternAbstractions Abstraction levels corresponding to CAPEC data describing attack-pattern objects.
- Allowed Values:
  - aggregate
  - category
  - detailed
  - meta
  - standard
- Reference: Common Attack Pattern Enumeration and Classification

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property kill_chain_phases ∷ KillChainPhase Object List

The list of Kill Chain Phases for which this Attack Pattern is used.

This entry is optional
This entry's type is sequential (allows zero or more values)

KillChainPhase Object Value
- Details: KillChainPhase Object

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is required
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is required
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ AttackPatternTypeIdentifierString

This entry is required
- Must equal: "attack-pattern"

Property x_mitre_contributors ∷ ShortStringString List

ATT&CK Technique.Contributors

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property x_mitre_data_sources ∷ ShortStringString List

ATT&CK Technique.Data Sources

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property x_mitre_platforms ∷ ShortStringString List

ATT&CK Technique.Platforms

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

KillChainPhase Object

KillChainPhase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Property	Type	Description	Required?
kill_chain_name	String	The name of the kill chain.	✓
phase_name	String	The name of the phase in the kill chain.	✓

Reference: Kill Chain Phase

Property kill_chain_name ∷ String

The name of the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Must equal: "lockheed-martin-cyber-kill-chain"
- Reference: Open Vocabulary

Property phase_name ∷ String

The name of the phase in the kill chain.

This entry is required
- SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- Allowed Values:
  - actions-on-objective
  - command-and-control
  - delivery
  - exploitation
  - installation
  - reconnaissance
  - weaponization
- Reference: Open Vocabulary

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

AssetProperties Object

AssetProperties Assets do not have any product specific properties, those are represented in AssetProperties - which is a record that asserts one or more properties of an Asset for a specific time.

Property	Type	Description	Required?
asset_ref	String	URI that points to the associated Asset.	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedStringString		✓
type	AssetPropertiesTypeIdentifierString		✓
valid_time	ValidTime Object	The time range during which the AssetProperties is considered valid.	✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
properties	AssetProperty Object List
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: AssetProperties

Property asset_ref ∷ String

URI that points to the associated Asset.

This entry is required
- A URI leading to an entity

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property properties ∷ AssetProperty Object List

This entry is optional
This entry's type is sequential (allows zero or more values)

AssetProperty Object Value
- Details: AssetProperty Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ AssetPropertiesTypeIdentifierString

This entry is required
- Must equal: "asset-properties"

Property valid_time ∷ ValidTime Object

The time range during which the AssetProperties is considered valid.

This entry is required

ValidTime Object Value
- Details: ValidTime Object

AssetProperty Object

Property	Type	Description	Required?
name	String	The properties are an open vocabulary.	✓
value	String		✓

Property name ∷ String

The properties are an open vocabulary.

This entry is required
Dev Notes: The properties are an open vocabulary, meaning that there is a defined set of values, but users may add their own values.See: https://github.com/threatgrid/ctim/blob/master/src/ctim/schemas/identity_assertion.cljc#L11

Property value ∷ String

This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

AssetMapping Object

AssetMapping a record that a specific Observable maps to an Asset for a specific time period.

Property	Type	Description	Required?
asset_ref	String	URI that points to the mapped Asset.	✓
asset_type	AssetTypeString	Type of the mapped Asset: Device, Person, Application, etc.	✓
confidence	HighMedLowString	Level of confidence held in the characterization of this AssetMapping e.g.: is it susceptible to manipulation or translation?	✓
id	String	Globally unique URI identifying this object.	✓
observable	Observable Object	An AssetMapping is a record that a specific Observable maps to an Asset for an indicated period of time.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedStringString		✓
specificity	SpecificityString	Denotes the level of how many assets potentially could have this same identifier.	✓
stability	StabilityString	Do we manage when it changes, or is it always a time bound assignment?	✓
type	AssetMappingTypeIdentifierString		✓
valid_time	ValidTime Object	For each asset, we allow for the assertion of time bound properties.This gives us both a record of the current state of the asset,as well as history.	✓
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: AssetMapping

Property asset_ref ∷ String

URI that points to the mapped Asset.

This entry is required
- A URI leading to an entity

Property asset_type ∷ AssetTypeString

Type of the mapped Asset: Device, Person, Application, etc.

This entry is required
- Allowed Values:
  - application
  - data
  - device
  - network
  - person

Property confidence ∷ HighMedLowString

Level of confidence held in the characterization of this AssetMapping e.g.: is it susceptible to manipulation or translation?

This entry is required
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property observable ∷ Observable Object

An AssetMapping is a record that a specific Observable maps to an Asset for an indicated period of time.

This entry is required

Observable Object Value
- Details: Observable Object

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property specificity ∷ SpecificityString

Denotes the level of how many assets potentially could have this same identifier.

This entry is required
- Allowed Values:
  - Low
  - Medium
  - Unique

Property stability ∷ StabilityString

Do we manage when it changes, or is it always a time bound assignment?

This entry is required
- Allowed Values:
  - Managed
  - Physical
  - Temporary

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ AssetMappingTypeIdentifierString

This entry is required
- Must equal: "asset-mapping"

Property valid_time ∷ ValidTime Object

For each asset, we allow for the assertion of time bound properties.This gives us both a record of the current state of the asset,as well as history.

This entry is required

ValidTime Object Value
- Details: ValidTime Object

Observable Object

Property	Type	Description	Required?
type	ObservableTypeIdentifierString		✓
value	String		✓

Property type ∷ ObservableTypeIdentifierString

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - crowdstrike_id
  - cybereason_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_username
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

This entry is required

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Asset Object

Asset Describes a protected resource. It could be a device, user, network, application or data

Property	Type	Description	Required?
asset_type	AssetTypeString	Type of the Asset: Device, Person, Application, etc.	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
source	MedStringString		✓
type	AssetTypeIdentifierString		✓
valid_time	ValidTime Object	The time range during which the Asset is considered valid.	✓
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
language	ShortStringString	The human language this object is specified in.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
short_description	MedStringString	A single line, short summary of the object.
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: Assets

Property asset_type ∷ AssetTypeString

Type of the Asset: Device, Person, Application, etc.

This entry is required
- Allowed Values:
  - application
  - data
  - device
  - network
  - person

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is optional
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ AssetTypeIdentifierString

This entry is required
- Must equal: "asset"

Property valid_time ∷ ValidTime Object

The time range during which the Asset is considered valid.

This entry is required

ValidTime Object Value
- Details: ValidTime Object

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Actor Object

Actor Describes malicious actors (or adversaries) related to a cyber attack

Property	Type	Description	Required?
description	MarkdownString	A description of object, which may be detailed.	✓
id	String	Globally unique URI identifying this object.	✓
schema_version	String	CTIM schema version for this entity	✓
short_description	MedStringString	A single line, short summary of the object.	✓
source	MedStringString		✓
title	ShortStringString	A short title for this object, used as primary display and reference value	✓
type	ActorTypeIdentifierString		✓
valid_time	ValidTime Object		✓
actor_types	ThreatActorTypeString List
aliases	ShortStringString List	A list of other names that this Threat Actor is believed to use.
confidence	HighMedLowString
external_ids	String List
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
identity	Identity Object
intended_effect	IntendedEffectString
language	ShortStringString	The human language this object is specified in.
motivation	MotivationString
planning_and_operational_support	LongStringString
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
sophistication	SophisticationString
source_uri	String
timestamp	Inst (Date)	The time this object was created at, or last modified.
tlp	TLPString	Specification for how, and to whom, this object can be shared.

Reference: ThreatActorType

Property actor_types ∷ ThreatActorTypeString List

This entry is optional
This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Cyber Espionage Operations
  - Disgruntled Customer / User
  - Hacker
  - Hacker - Black hat
  - Hacker - Gray hat
  - Hacker - White hat
  - Hacktivist
  - Insider Threat
  - State Actor / Agency
  - eCrime Actor - Credential Theft Botnet Operator
  - eCrime Actor - Credential Theft Botnet Service
  - eCrime Actor - Malware Developer
  - eCrime Actor - Money Laundering Network
  - eCrime Actor - Organized Crime Actor
  - eCrime Actor - Spam Service
  - eCrime Actor - Traffic Service
  - eCrime Actor - Underground Call Service

Property aliases ∷ ShortStringString List

A list of other names that this Threat Actor is believed to use.

This entry is optional
This entry's type is sequential (allows zero or more values)
- ShortString String with at most 1024 characters

Property confidence ∷ HighMedLowString

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is required
- Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity ∷ Identity Object

This entry is optional

Identity Object Value
- Details: Identity Object

Property intended_effect ∷ IntendedEffectString

This entry is optional
- Allowed Values:
  - Account Takeover
  - Advantage
  - Advantage - Economic
  - Advantage - Military
  - Advantage - Political
  - Brand Damage
  - Competitive Advantage
  - Degradation of Service
  - Denial and Deception
  - Destruction
  - Disruption
  - Embarrassment
  - Exposure
  - Extortion
  - Fraud
  - Harassment
  - ICS Control
  - Theft
  - Theft - Credential Theft
  - Theft - Identity Theft
  - Theft - Intellectual Property
  - Theft - Theft of Proprietary Information
  - Traffic Diversion
  - Unauthorized Access

Property language ∷ ShortStringString

The human language this object is specified in.

This entry is optional
- ShortString String with at most 1024 characters

Property motivation ∷ MotivationString

This entry is optional
- Allowed Values:
  - Ego
  - Financial or Economic
  - Ideological
  - Ideological - Anti-Corruption
  - Ideological - Anti-Establishment
  - Ideological - Environmental
  - Ideological - Ethnic / Nationalist
  - Ideological - Human Rights
  - Ideological - Information Freedom
  - Ideological - Religious
  - Ideological - Security Awareness
  - Military
  - Opportunistic
  - Political

Property planning_and_operational_support ∷ LongStringString

This entry is optional
- LongString String with at most 5000 characters

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is required
- MedString String with at most 2048 characters

Property sophistication ∷ SophisticationString

This entry is optional
- Allowed Values:
  - Aspirant
  - Expert
  - Innovator
  - Novice
  - Practitioner

Property source ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters

Property source_uri ∷ String

This entry is optional
- A URI

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

This entry is required
- ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

This entry is optional
- TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ ActorTypeIdentifierString

This entry is required
- Must equal: "actor"

Property valid_time ∷ ValidTime Object

This entry is required

ValidTime Object Value
- Details: ValidTime Object

Identity Object

Identity Describes a person or an organization

Property	Type	Description	Required?
description	MarkdownString		✓
related_identities	RelatedIdentity Object List	Identifies other entity Identities related to this Identity	✓

Reference: IdentityType

Property description ∷ MarkdownString

This entry is required
- Markdown Markdown string with at most 5000 characters

Property related_identities ∷ RelatedIdentity Object List

Identifies other entity Identities related to this Identity

This entry is required
This entry's type is sequential (allows zero or more values)

RelatedIdentity Object Value
- Details: RelatedIdentity Object

RelatedIdentity Object

RelatedIdentity Describes a related Identity

Property	Type	Description	Required?
identity	String	The reference (URI) of the related Identity object	✓
confidence	HighMedLowString	Specifies the level of confidence in the assertion of the relationship between the two objects
information_source	String	Specifies the source of the information about the relationship between the two components
relationship	String

Reference: RelatedIdentityType

Property confidence ∷ HighMedLowString

Specifies the level of confidence in the assertion of the relationship between the two objects

This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property identity ∷ String

The reference (URI) of the related Identity object

This entry is required
- A URI

Property information_source ∷ String

Specifies the source of the information about the relationship between the two components

This entry is optional

Property relationship ∷ String

This entry is optional

ValidTime Object

ValidTime Period of time when a cyber observation is valid.

Property	Type	Description	Required?
end_time	Inst (Date)	If end_time is not present, then the valid time position of the object does not have an upper bound.
start_time	Inst (Date)	If not present, the valid time position of the indicator does not have an upper bound

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If end_time is not present, then the valid time position of the object does not have an upper bound.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

If not present, the valid time position of the indicator does not have an upper bound

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

ExternalReference Object

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

This entry is optional
- A URI

Text Object

Property	Type	Description	Required?
text	String		✓
type	String		✓

Property text ∷ String

This entry is required

Property type ∷ String

This entry is required

❮*Campaign* Object *COA* Object❯

Can you improve this documentation? These fine people already did:
Guillaume Buisson, Guillaume Erétéo, Matthieu Sprunck, Ambrose Bonnaire-Sergeant, jyoverma, Scott McLeod, Sam Waggoner, Ag Ibragimov, Craig Brozefsky, Mario Aquino, Mason Costa, mcosta85 & Alexander R. Saint CroixEdit on GitHub

cljdoc is a website building & hosting documentation for Clojure/Script libraries

Keyboard shortcuts Report a problem cljdoc on GitHub

× close