Cheatography

STIX2 Cheat Sheet (DRAFT) by

Structured Threat Information Expression (STIX)

This is a draft cheat sheet. It is a work in progress and is not finished yet.

About

Structured Threat Information Expression (STIX™) is a JSON schema and vocabulary for communicating cyber threat intelligence (CTI), such as attacks, malware, threat actors, and mitigations. The STIX specification is managed by OASIS.

Example Attack Pattern

    {
      "type": "attack-pattern",
      "id": "attack-pattern--183dcab1-9bd1-4973-aede-0e2ab0183d11",
      "name": "Example Attack",
      "description": "An example 'technique' or attack.",
      "x_mitre_detection": "A short description of how the attack can be detected.",
      "created_by_ref": "identity--b9e8b9fd-6d27-472b-bfee-3f6501edf3e9",
      "created": "2017-12-14T16:46:06.044Z",
      "modified": "2019-06-13T14:49:56.024Z",
      "kill_chain_phases": [
        {
          "kill_chain_name": "example-kill-chain",
          "phase_name": "initial-access"
        }
      ],
      "x_mitre_version": "1.0",
      "external_references": [
        {
          "external_id": "ID123",
          "source_name": "example-attack",
          "url": "https://example.org/attack/ID123"
        }
      ]
    }

Object Types

Attack Pattern
A type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets.
Campaign
A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
Course of Action
An action taken to either prevent an attack or respond to an attack.
Identity
Individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
Indicator
Contains a pattern that can be used to detect suspicious or malicious cyber activity.
Intrusion Set
A grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor.
Malware
A type of TTP, also known as malicious code and malicious software, used to compromise the confidentiality, integrity, or availability of a victim’s data or system.
Observed Data
Conveys information observed on a system or network (e.g., an IP address).
Report
Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including contextual details.
Threat Actor
Individuals, groups, or organizations believed to be operating with malicious intent.
Tool
Legitimate software that can be used by threat actors to perform attacks.
Vulnerability
A mistake in software that can be directly used by a hacker to gain access to a system or network.
Relationship
Used to link two STIX Domain Objects (SDOs) and to describe how they are related to each other.
Sighting
Denotes the belief that an element of CTI was seen (e.g., indicator, malware).
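Added example (not part of the cheat sheet): a small checker that parses a STIX 2 bundle, validates the common properties every object above shares (the "type--UUID" id, and the created/modified timestamps), flags references to objects missing from the bundle, and resolves Relationship objects to the SDOs they link. The bundle and its UUIDs are constructed for the example; the created_by_ref value is reused from the Attack Pattern example above and is deliberately not included in the bundle.

```python
import json
import re

# Constructed sample bundle (not from the cheat sheet): an Indicator that "indicates" an Attack
# Pattern via a Relationship, a deliberately malformed Malware object, and one dangling ref.
SAMPLE_BUNDLE = """{"type": "bundle", "id": "bundle--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
 "objects": [
  {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4dbc-93fd-9e23b1f5d2a1",
   "created": "2024-01-02T03:04:05.000Z", "modified": "2024-01-02T03:04:05.000Z",
   "name": "Suspicious domain", "pattern_type": "stix",
   "pattern": "[domain-name:value = 'phish.example']", "valid_from": "2024-01-02T03:04:05Z"},
  {"type": "attack-pattern", "id": "attack-pattern--0c7b5b88-5f59-4c5e-8f56-1e3a6ae0d4c9",
   "created": "2024-01-02T03:04:05.000Z", "modified": "2024-01-02T03:04:05.000Z", "name": "Phishing"},
  {"type": "relationship", "id": "relationship--3f1a6b2e-1c2d-4e5f-8a9b-0c1d2e3f4a5b",
   "created": "2024-01-02T03:04:05.000Z",
   "modified": "2024-01-02T03:04:05.000Z", "relationship_type": "indicates",
   "source_ref": "indicator--8e2e2d2b-17d4-4dbc-93fd-9e23b1f5d2a1",
   "target_ref": "attack-pattern--0c7b5b88-5f59-4c5e-8f56-1e3a6ae0d4c9"},
  {"type": "malware", "id": "malware--not-a-uuid", "created": "2024-01-02",
   "modified": "2024-01-02T03:04:05.000Z", "name": "Broken sample",
   "created_by_ref": "identity--b9e8b9fd-6d27-472b-bfee-3f6501edf3e9"}]}"""

# STIX ids are "<type>--<UUID>"; timestamps are RFC 3339 in UTC with a trailing "Z".
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def check_object(obj):
    """Problems in one object's common properties (empty list means OK)."""
    match = ID_RE.match(obj.get("id", ""))
    problems = [] if match and match.group(1) == obj.get("type") else ["bad id or type/id mismatch"]
    problems += [f"bad {k}" for k in ("created", "modified") if not TS_RE.match(obj.get(k, ""))]
    return problems

def validate_bundle(text):
    """Map each faulty object id to its problems; refs to ids absent from the bundle count too."""
    objects = json.loads(text)["objects"]
    known = {o["id"] for o in objects if "id" in o}
    report = {}
    for obj in objects:
        problems = check_object(obj) + [f"dangling {k}" for k in ("source_ref", "target_ref", "created_by_ref")
                                        if k in obj and obj[k] not in known]
        if problems:
            report[obj.get("id", "<missing id>")] = problems
    return report

def resolve_relationships(text):
    """Return (source name, relationship_type, target name) for each resolvable Relationship."""
    objects = json.loads(text)["objects"]
    by_id = {o["id"]: o for o in objects if "id" in o}
    return [(by_id[o["source_ref"]].get("name"), o["relationship_type"], by_id[o["target_ref"]].get("name"))
            for o in objects if o.get("type") == "relationship"
            and o.get("source_ref") in by_id and o.get("target_ref") in by_id]
```

Running validate_bundle on a feed before ingesting it catches the most common interoperability failures (mismatched type/id prefixes, non-UTC timestamps, relationships pointing at objects that were never shared) without needing the full STIX validator.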