As mentioned in a previous article, efficient automation of cyber security requires a standard to describe information and a means to exchange it. The Cyber Threat Intelligence Technical Committee (CTI TC) of the Organization for the Advancement of Structured Information Standards (OASIS) proposes the STIX and TAXII standards to meet both needs. Before moving to OASIS in 2015, these two standards (as well as CybOX) were developed at MITRE under the supervision, once again, of the US Department of Homeland Security (DHS), specifically the Office of Cybersecurity and Communications, the National Cybersecurity and Communications Integration Center, and US-CERT.
STIX
STIX stands for Structured Threat Information eXpression. The name is explicit: it is a standard for expressing information about cyber threats in a structured and unambiguous way. Based on JSON, it has the potential to allow automatic exchange of information between the many tools used to secure an organization.
STIX 2.0, standardized in July 2017, defines two categories of STIX objects: STIX Domain Objects (SDOs) and STIX Relationship Objects (SROs).
For simplicity, SDOs can be seen as the nodes of a graph interconnected by SROs. For example, the following collection, taken from the standard, represents an indicator SDO and a malware SDO linked together by a relationship SRO whose relationship_type property is indicates:
[
  {
    "type": "indicator",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "labels": [
      "malicious-activity"
    ],
    "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "valid_from": "2016-01-01T00:00:00Z"
  },
  {
    "type": "relationship",
    "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:06:37.000Z",
    "modified": "2016-04-06T20:06:37.000Z",
    "relationship_type": "indicates",
    "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
  },
  {
    "type": "malware",
    "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "created": "2016-04-06T20:07:09.000Z",
    "modified": "2016-04-06T20:07:09.000Z",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "name": "Poison Ivy"
  }
]
Or as a graph generated by OASIS’ STIX Visualizer:
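The same graph view, in code. This is an added example, not code from the page, from OASIS or from the STIX Visualizer: a standard-library Python script that wraps the collection above in a STIX 2.0 bundle object (the bundle id is constructed), runs the checks a consumer should run before trusting a feed (identifier shape and type prefix, UTC timestamps, every *_ref / *_refs resolving inside the bundle, relationships pointing at SDOs rather than SROs), and then reduces SDOs to nodes and SROs to labelled edges. An unresolved created_by_ref or object_marking_refs is reported as a warning rather than an error, since producer identities and marking definitions are routinely shared out of band, as the standard's own example (which references an identity it does not include) shows.

```python
"""Graph view and referential-integrity checks for a STIX 2.0 bundle.
Added example (not code from the page, OASIS or MITRE); standard library only.
SAMPLE_BUNDLE wraps the page's indicator / relationship / malware trio in a bundle
object whose id is constructed for this example."""
import re
from datetime import datetime, timezone

# <object type>--<RFC 4122 version 4 UUID>, as STIX 2.0 requires.
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
# RFC 3339 in UTC with a literal 'Z'; STIX allows no other offset.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")
SRO_TYPES = {"relationship", "sighting"}
# Commonly resolved out of band (producer identities, TLP markings): warn, don't fail.
EXTERNAL_OK = {"created_by_ref", "object_marking_refs"}


def parse_ts(value):
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def iter_refs(obj):
    """Yield (property, id) for every *_ref / *_refs property of an object."""
    for key, value in obj.items():
        if key.endswith("_ref") and isinstance(value, str):
            yield key, value
        elif key.endswith("_refs") and isinstance(value, list):
            for ref in value:
                yield key, ref


def check_bundle(bundle):
    """Return (errors, warnings) for a bundle loaded as a dict."""
    errors, external = [], set()
    objects = bundle.get("objects", [])
    by_id = {o["id"]: o for o in objects if "id" in o}
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        errors.append("not a STIX 2.0 bundle (type / spec_version)")
    for obj in objects:
        oid = obj.get("id", "<missing id>")
        m = ID_RE.match(oid)
        if not m:
            errors.append(f"{oid}: malformed identifier")
        elif m.group(1) != obj.get("type"):
            errors.append(f"{oid}: id prefix does not match type {obj.get('type')!r}")
        stamps = {p: obj[p] for p in ("created", "modified") if p in obj}
        bad = [p for p, v in stamps.items() if not TS_RE.match(v)]
        errors += [f"{oid}: {p} is not a STIX timestamp" for p in bad]
        if len(stamps) == 2 and not bad and parse_ts(stamps["modified"]) < parse_ts(stamps["created"]):
            errors.append(f"{oid}: modified precedes created")
        for prop, ref in iter_refs(obj):
            if not ID_RE.match(ref):
                errors.append(f"{oid}: {prop} holds malformed id {ref!r}")
            elif ref not in by_id:
                if prop in EXTERNAL_OK:
                    external.add((prop, ref))
                else:
                    errors.append(f"{oid}: {prop} -> {ref} is not in the bundle")
            elif (obj.get("type") == "relationship" and prop in ("source_ref", "target_ref")
                  and by_id[ref].get("type") in SRO_TYPES):
                errors.append(f"{oid}: {prop} must point at an SDO, not an SRO")
    warnings = [f"{ref} ({prop}) is not in the bundle" for prop, ref in sorted(external)]
    return errors, warnings


def build_graph(bundle):
    """SDOs become nodes (id -> name); relationships and sightings become labelled edges."""
    nodes, edges = {}, []
    for obj in bundle.get("objects", []):
        if obj["type"] == "relationship":
            edges.append((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
        elif obj["type"] == "sighting":
            edges += [(obj["sighting_of_ref"], "sighting", r) for r in obj.get("observed_data_refs", [])]
        else:
            nodes[obj["id"]] = obj.get("name", obj["type"])
    return nodes, edges


AUTHOR = "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"   # referenced, not included
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
                 "spec_version": "2.0", "objects": [
    {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "created_by_ref": AUTHOR, "created": "2016-04-06T20:03:48.000Z",
     "modified": "2016-04-06T20:03:48.000Z", "labels": ["malicious-activity"],
     "name": "Poison Ivy Malware", "description": "This file is part of Poison Ivy",
     "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
     "valid_from": "2016-01-01T00:00:00Z"},
    {"type": "relationship", "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
     "created_by_ref": AUTHOR, "created": "2016-04-06T20:06:37.000Z",
     "modified": "2016-04-06T20:06:37.000Z", "relationship_type": "indicates",
     "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"},
    {"type": "malware", "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
     "created_by_ref": AUTHOR, "created": "2016-04-06T20:07:09.000Z",
     "modified": "2016-04-06T20:07:09.000Z", "name": "Poison Ivy"},
]}

if __name__ == "__main__":
    errs, warns = check_bundle(SAMPLE_BUNDLE)
    print("errors:", errs, "\nwarnings:", warns)
    nodes, edges = build_graph(SAMPLE_BUNDLE)
    for src, label, dst in edges:
        print(f"{nodes.get(src, src)} --{label}--> {nodes.get(dst, dst)}")
```

Run as a script it prints no errors, one warning (the producer identity the standard's example references but does not include) and the single edge "Poison Ivy Malware --indicates--> Poison Ivy".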
SDOs: STIX Domain Objects
The STIX 2.0 standard defines twelve SDOs:
attack-pattern: An approach taken by one (or more) malicious actors to compromise a target;
campaign: A collection of hostile behaviours describing a set of malicious activities or attacks targeting a given set of victims over a determined period of time;
course-of-action: An action taken to prevent or respond to an attack;
identity: Individuals, organizations, or groups, as well as classes of individuals, organizations, or groups;
indicator: Encapsulates a pattern used to detect malicious or suspicious activity;
intrusion-set: A set of resources and hostile behaviours suspected to be characteristic of a particular threat-actor. Unlike a campaign, it is not specific to a set of targets or a period of time;
malware: Malicious software, also known as malicious code, whose purpose is to compromise the confidentiality, integrity and/or availability of the victim's data or systems;
observed-data: Represents information observed on a system or network (e.g., IP address, file, …) as a set of STIX Cyber Observables. Initially the object of a separate standard (CybOX), the core concepts and objects of Cyber Observables are now part of STIX. The following sighting SRO and observed-data SDO, also taken from the standard, show how an observation is tied back to the indicator it matched and to the identity that saw it:
[
  {
    "type": "sighting",
    "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:08:31.000Z",
    "modified": "2016-04-06T20:08:31.000Z",
    "first_seen": "2015-12-21T19:00:00Z",
    "last_seen": "2015-12-21T19:00:00Z",
    "count": 50,
    "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
    "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
  },
  {
    "type": "observed-data",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T19:58:16.000Z",
    "modified": "2016-04-06T19:58:16.000Z",
    "start": "2015-12-21T19:00:00Z",
    "stop": "2016-04-06T19:58:16Z",
    "count": 50,
    "objects": {
      "0": {
        "type": "file",
        ...
      }
    }
  }
]
report: A threat intelligence collection in the form of STIX SDOs and SROs that revolves around one or more topics, such as the description of a malicious actor, a piece of malware or an intrusion technique, including contextual information. It can reference a report in the classic sense of the term through the external_references property, but this is not an obligation;
threat-actor: Individuals, groups, or organizations suspected of acting maliciously. Unlike identity, which designates clearly identified actors, threat-actor usually refers to malicious actors under a pseudonym. If identified, the threat-actor SDO is attached to an identity SDO by a relationship SRO whose relationship_type is attributed-to. Above all, it allows certain elements to be specified, such as the level of resources (resource_level), competence (sophistication) or motivations (primary_motivation, secondary_motivations and personal_motivations);
tool: Legitimate software that may be put to malicious use (e.g., RDP, Nmap, …);
vulnerability: An error in software whose exploitation may allow illegitimate access to a system or network.
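How an indicator, an observed-data object and a sighting fit together, as an added example that is not part of the page or of OASIS' tooling: a small Python evaluator for the subset of the STIX patterning language the Poison Ivy indicator uses (one observation expression of '=' / '!=' comparisons joined by AND and OR, AND binding tighter), applied to observed-data objects to produce a sighting SRO shaped like the one in the standard. The indicator is the page's; the two observed-data objects, their file names and the second hash are constructed. A production consumer would use a full pattern engine (OASIS maintains stix2-patterns and stix2-matcher on PyPI); this one exists to make the SDO/SRO relationships concrete.

```python
"""Match a STIX indicator pattern against observed-data and emit a sighting.
Added example; not code from the page or from OASIS. Supports only the pattern
subset the page's indicator uses: one observation expression [...] holding
'=' / '!=' comparisons joined by AND / OR. INDICATOR is the page's; OBSERVED is
constructed (one matching observation, one that does not match)."""
import json
import re
import uuid
from datetime import datetime, timezone

COMPARISON_RE = re.compile(
    r"\s*(?P<type>[a-z0-9-]+):"                                                 # observable type
    r"(?P<path>(?:[A-Za-z0-9_-]+|'[^']*')(?:\.(?:[A-Za-z0-9_-]+|'[^']*'))*)"   # property path
    r"\s*(?P<op>!=|=)\s*'(?P<value>(?:[^'\\]|\\.)*)'"                           # operator, value
)
BOOL_RE = re.compile(r"\s*(AND|OR)\b")


def parse_pattern(pattern):
    """Parse '[ c1 AND c2 OR c3 ]' into OR-groups of AND-ed (type, path, op, value)."""
    text = pattern.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("only a single observation expression [...] is supported")
    text, pos, groups, current = text[1:-1], 0, [], []
    while True:
        m = COMPARISON_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse comparison at offset {pos}: {text[pos:]!r}")
        path = [p.strip("'") for p in re.findall(r"'[^']*'|[A-Za-z0-9_-]+", m.group("path"))]
        current.append((m.group("type"), path, m.group("op"), m.group("value").replace("\\'", "'")))
        pos = m.end()
        b = BOOL_RE.match(text, pos)
        if not b:
            break
        if b.group(1) == "OR":          # OR closes the current AND-group
            groups.append(current)
            current = []
        pos = b.end()
    if text[pos:].strip():
        raise ValueError(f"trailing input: {text[pos:]!r}")
    groups.append(current)
    return groups


def resolve(observable, path):
    """Walk a property path such as ['hashes', 'SHA-256'] through an observable."""
    for key in path:
        if not isinstance(observable, dict) or key not in observable:
            return None
        observable = observable[key]
    return observable


def comparison_holds(observable, obs_type, path, op, value):
    if observable.get("type") != obs_type:
        return False
    actual = resolve(observable, path)
    if actual is None:
        return False
    return (str(actual) == value) == (op == "=")


def pattern_matches(groups, observed_data):
    """Some OR-group holds, each of its comparisons satisfied by an observable of
    this observed-data object (the standard binds comparisons to the observation)."""
    observables = list(observed_data.get("objects", {}).values())
    return any(all(any(comparison_holds(o, *c) for o in observables) for c in group)
               for group in groups)


def stix_timestamp(dt=None):
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def sight(indicator, observed_data_list, where_sighted_ref, created_by_ref):
    """Evaluate the indicator over each observation; on a hit return a sighting SRO
    shaped like the standard's (first/last_seen from the hits' start/stop, count
    summed, a simplification of what a real sensor would report), else None."""
    groups = parse_pattern(indicator["pattern"])
    hits = [od for od in observed_data_list if pattern_matches(groups, od)]
    if not hits:
        return None
    now = stix_timestamp()
    return {"type": "sighting", "id": f"sighting--{uuid.uuid4()}",
            "created_by_ref": created_by_ref, "created": now, "modified": now,
            "first_seen": min(od["start"] for od in hits),
            "last_seen": max(od["stop"] for od in hits),
            "count": sum(od.get("count", 1) for od in hits),
            "sighting_of_ref": indicator["id"],
            "observed_data_refs": [od["id"] for od in hits],
            "where_sighted_refs": [where_sighted_ref]}


INDICATOR = {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
             "labels": ["malicious-activity"], "name": "Poison Ivy Malware",
             "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
             "valid_from": "2016-01-01T00:00:00Z"}
OBSERVED = [  # constructed observations
    {"type": "observed-data", "id": "observed-data--0f3c6a27-2c4e-4f5a-9a0b-6d2e1c7b8a91",
     "start": "2015-12-21T19:00:00Z", "stop": "2016-04-06T19:58:16Z", "count": 50,
     "objects": {"0": {"type": "file", "name": "update.exe", "hashes": {
         "SHA-256": "4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877"}}}},
    {"type": "observed-data", "id": "observed-data--7be2d1c4-19a3-4c8e-8f12-3a5b9c0d4e67",
     "start": "2016-02-01T08:00:00Z", "stop": "2016-02-01T08:00:00Z", "count": 1,
     "objects": {"0": {"type": "file", "name": "notes.txt", "hashes": {
         "SHA-256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}}},
]

if __name__ == "__main__":
    print(json.dumps(sight(INDICATOR, OBSERVED, "identity--b67d30ff-02ac-498a-92f9-32f845f448ff",
                           "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"), indent=2))
```

The resulting sighting references the matching observed-data object only, carries its count of 50, and points back at the indicator through sighting_of_ref, the same shape as the standard's example above.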
Some SDO properties take the form of unstructured text. Others take their value from one of the open vocabularies defined by the standard, to facilitate interoperability and automated use of the intelligence. "Open" means a producer may use a value outside the list, so a consumer should treat an unknown value as a warning rather than reject the object.
For example, the skill level of a threat-actor (its sophistication property) can take the values none, minimal, intermediate, advanced, expert, innovator or strategic. The meaning of these values is defined in the threat-actor-sophistication-ov vocabulary.
Another example: a malware SDO must be characterized via its labels property, which must contain at least one value from the malware-label-ov vocabulary. Note that MITRE's ATT&CK objects label malware simply as "malware", a value outside that vocabulary, which an open vocabulary permits.
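A conformance check for the two examples above, written as an added example rather than taken from the page: it keeps the STIX 2.0 open vocabularies as Python sets, maps each vocabulary-backed property to its vocabulary, and reports a missing required property as an error but an out-of-vocabulary value only as a warning, which is the behaviour an open vocabulary calls for. The sample run uses the page's Poison Ivy indicator and malware (the standard's examples, the latter notably without labels), the page's ATT&CK CoinTicker malware, and a constructed threat-actor with a misspelt motivation.

```python
"""Check STIX 2.0 objects against required properties and open vocabularies.
Added example; not code from the page or from OASIS. Vocabulary contents are
those of the STIX 2.0 specification. Out-of-vocabulary values are legal, so they
are warnings; a missing required property is an error."""

VOCABS = {
    "threat-actor-sophistication-ov": {"none", "minimal", "intermediate", "advanced",
                                       "expert", "innovator", "strategic"},
    "attack-resource-level-ov": {"individual", "club", "contest", "team", "organization",
                                 "government"},
    "attack-motivation-ov": {"accidental", "coercion", "dominance", "ideology", "notoriety",
                             "organizational-gain", "personal-gain", "personal-satisfaction",
                             "revenge", "unpredictable"},
    "malware-label-ov": {"adware", "backdoor", "bot", "ddos", "dropper", "exploit-kit",
                         "keylogger", "ransomware", "remote-access-trojan",
                         "resource-exploitation", "rogue-security-software", "rootkit",
                         "screen-capture", "spyware", "trojan", "virus", "worm"},
    "indicator-label-ov": {"anomalous-activity", "anonymization", "benign", "compromised",
                           "malicious-activity", "attribution", "unknown"},
    "threat-actor-label-ov": {"activist", "competitor", "crime-syndicate", "criminal", "hacker",
                              "insider-accidental", "insider-disgruntled", "nation-state",
                              "sensationalist", "spy", "terrorist"},
    "tool-label-ov": {"denial-of-service", "exploitation", "information-gathering",
                      "network-capture", "credential-exploitation", "remote-access",
                      "vulnerability-scanning"},
    "identity-class-ov": {"individual", "group", "organization", "class", "unknown"},
}
# (object type, property) -> vocabulary the property draws its values from.
PROPERTY_VOCAB = {
    ("threat-actor", "labels"): "threat-actor-label-ov",
    ("threat-actor", "sophistication"): "threat-actor-sophistication-ov",
    ("threat-actor", "resource_level"): "attack-resource-level-ov",
    ("threat-actor", "primary_motivation"): "attack-motivation-ov",
    ("threat-actor", "secondary_motivations"): "attack-motivation-ov",
    ("threat-actor", "personal_motivations"): "attack-motivation-ov",
    ("intrusion-set", "resource_level"): "attack-resource-level-ov",
    ("intrusion-set", "primary_motivation"): "attack-motivation-ov",
    ("intrusion-set", "secondary_motivations"): "attack-motivation-ov",
    ("malware", "labels"): "malware-label-ov",
    ("indicator", "labels"): "indicator-label-ov",
    ("tool", "labels"): "tool-label-ov",
    ("identity", "identity_class"): "identity-class-ov",
}
# Type-specific required properties (besides the common type/id/created/modified).
REQUIRED = {
    "indicator": ("labels", "pattern", "valid_from"),
    "malware": ("labels", "name"),
    "tool": ("labels", "name"),
    "threat-actor": ("labels", "name"),
    "report": ("labels", "name", "published", "object_refs"),
    "identity": ("name", "identity_class"),
}


def check_vocabularies(objects):
    """Return (errors, warnings) for a list of STIX 2.0 objects loaded as dicts."""
    errors, warnings = [], []
    for obj in objects:
        otype, oid = obj.get("type"), obj.get("id", "<no id>")
        for prop in REQUIRED.get(otype, ()):
            if not obj.get(prop):                       # absent or empty list/string
                errors.append(f"{oid}: required property {prop!r} is missing or empty")
        for (vtype, prop), vocab in PROPERTY_VOCAB.items():
            if vtype != otype or prop not in obj:
                continue
            values = obj[prop] if isinstance(obj[prop], list) else [obj[prop]]
            for value in values:
                if value not in VOCABS[vocab]:
                    warnings.append(f"{oid}: {prop} value {value!r} is not in {vocab}")
    return errors, warnings


SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "labels": ["malicious-activity"], "name": "Poison Ivy Malware",
     "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
     "valid_from": "2016-01-01T00:00:00Z"},
    # The standard's own malware example carries no labels.
    {"type": "malware", "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b", "name": "Poison Ivy"},
    # ATT&CK labels its malware objects simply "malware".
    {"type": "malware", "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
     "name": "CoinTicker", "labels": ["malware"]},
    # Constructed threat-actor with a misspelt secondary motivation.
    {"type": "threat-actor", "id": "threat-actor--9e4d2b7a-3c1f-4a6e-8b5d-7f0e1c2a3b4c",
     "name": "Evil Org", "labels": ["crime-syndicate"], "sophistication": "expert",
     "resource_level": "team", "primary_motivation": "organizational-gain",
     "secondary_motivations": ["notoreity"]},
]

if __name__ == "__main__":
    errs, warns = check_vocabularies(SAMPLE_OBJECTS)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

The run yields one error (the standard's Poison Ivy malware object has no labels) and two warnings (ATT&CK's "malware" label and the misspelt "notoreity"); a consumer that rejected objects on the warnings would drop the whole ATT&CK malware catalogue.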
TAXII
TAXII (Trusted Automated eXchange of Intelligence Information) is the transport companion of STIX: an HTTPS API through which a client discovers a server's api roots, lists the collections under a root and pulls STIX bundles from them, the STIX version being negotiated through the Accept header. The exchanges below, run with curl against MITRE's public ATT&CK server (TAXII 2.0 at cti-taxii.mitre.org, since retired by MITRE in favour of a TAXII 2.1 server at attack-taxii.mitre.org, whose media types and paths differ), show the three steps.
Discovery, which returns the api roots and a default one:
curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/
{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK domain collections expressed as STIX, including PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK Mobile.",
  "contact": "attack@mitre.org",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}
The collections of the api root, each with its identifier, access rights and the STIX media types it serves:
curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/
{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}
Finally the objects of the Enterprise ATT&CK collection, filtered on type with match[type]=malware and limited to the first item with Range: items=0-0 (TAXII 2.0 item ranges are inclusive; a partial answer comes back as 206 with a Content-Range header). Note the Accept header now carries the STIX media type and version rather than the TAXII one; a server answers 406 Not Acceptable when it does not match:
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware
{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{3,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{4,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{5,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{6,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{7,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{8,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
curl -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" //cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware{9,
"type": "bundle",
"id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
"spec_version": "2.0",
"objects": [
{
"external_references": [
{
"external_id": "S0369",
"source_name": "mitre-attack",
"url": "//attack.mitre.org/software/S0369"
},
{
"url": "//blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
"source_name": "CoinTicker 2019",
"description": "Thomas Reed. [2018, October 29]. Mac
cryptocurrency ticker app installs
backdoors. Retrieved April 23, 2019."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-04-29T21:19:34.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
"name": "CoinTicker",
"created": "2019-04-23T18:41:36.914Z",
"labels": [
"malware"
],
"type": "malware",
"description": "[CoinTicker][//attack.mitre.org/software/S0369] is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[Citation: CoinTicker 2019]",
"x_mitre_contributors": [
"Richie Cyrus, SpecterOps"
],
"x_mitre_aliases": [
"CoinTicker"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
}
]
}
Of course, one can choose another value, but there is no guarantee that it will be understood by third-party tools.
SROs: STIX Relationship Objects
The standard also defines two SROs: relationship and sighting. The relationship SRO is used to link two SDOs and to describe their relationship via the relationship_type property, as already discussed with the indicator and malware types for example. Let us pause for a second and note that STIX defines a STIX Relationship Objects (SRO) class that contains an object named relationship having one property named relationship_type.
The other SRO, sighting, expresses the suspicion that a CTI (Cyber Threat Intelligence) element has been seen (e.g., an indicator or a malware). Unlike the relationship SRO, it can be linked to one or more SDOs. In its minimal form it only identifies the sighted SDO, but it can also specify the concretely observed data on which the suspicion is based (observed-data) as well as the victims (identity) that have seen the SDO. In graph form, this SRO is generally represented by a node, just like an SDO. However, the value of a sighting does not lie in the sighting itself but in the relationship between the sighted SDO, the observed data and the victims; its classification as an SRO is therefore well justified.
The following collection, also from the standard, completes the previous example with a sighting and an observed-data object.
{
"type": "sighting",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:08:31.000Z",
"modified": "2016-04-06T20:08:31.000Z",
"first_seen": "2015-12-21T19:00:00Z",
"last_seen": "2015-12-21T19:00:00Z",
"count": 50,
"sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
"where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
},
{
"type": "observed-data",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-collectionaa1c-6a4751cae5ff",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"start": "2015-12-21T19:00:00Z",
"stop": "2016-04-06T19:58:16Z",
"count": 50,
"objects": {
"0": {
"type": "file",
...
}
}
}
]
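To make the SDO/SRO graph concrete, here is an added example (not code from the article or from OASIS; it uses only the Python standard library and a constructed collection whose ids, timestamps and hash are made up) that checks a STIX 2.0 collection the way a consumer should before trusting it: ids have the <type>--<UUIDv4> form and agree with the type property, the common properties are present, property names are legal, and every reference of a relationship or sighting resolves to an object of a permitted kind (an SDO for source_ref, target_ref and sighting_of_ref, observed-data for observed_data_refs, identity for where_sighted_refs). It then lists, per SRO, the SDOs it links, which shows the point made above: a relationship joins exactly two SDOs while a sighting fans out to several. The function names validate_collection, check_object, check_references and linked_sdos are this example's own.

```python
"""Reference-integrity check and graph view for a STIX 2.0 collection.

Added example (standard library only); the objects below are constructed for
this example and come neither from the article nor from the OASIS specification.
"""
import re
from collections import defaultdict

SRO_TYPES = {"relationship", "sighting"}
# A STIX 2.0 identifier is "<type>--<UUIDv4>".
ID_RE = re.compile(
    r"^([a-z][a-z0-9-]{1,249})--"
    r"([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})$"
)
# Property names may only contain lowercase letters, digits and underscores;
# custom properties carry an x_ prefix (see x_example_platforms below).
PROP_RE = re.compile(r"^[a-z0-9_]{1,250}$")
REQUIRED = ("type", "id", "created", "modified")
# What an SRO's reference properties may point at: "sdo" = any SDO (never an SRO).
SRO_ENDPOINTS = {
    ("relationship", "source_ref"): "sdo",
    ("relationship", "target_ref"): "sdo",
    ("sighting", "sighting_of_ref"): "sdo",
    ("sighting", "observed_data_refs"): {"observed-data"},
    ("sighting", "where_sighted_refs"): {"identity"},
}

# Constructed sample collection: ids, timestamps and the hash are made up.
T = "2019-05-01T12:00:00.000Z"
U = "a1b2c3d4-1111-4aaa-8bbb-00000000000"
IND, MAL, REL, IDN, OBS, SIG = (f"{t}--{U}{n}" for t, n in [
    ("indicator", 1), ("malware", 2), ("relationship", 3),
    ("identity", 4), ("observed-data", 5), ("sighting", 6)])
FAKE_SHA256 = "00" * 32
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": IND, "created": T, "modified": T,
     "labels": ["malicious-activity"], "valid_from": T,
     "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
    {"type": "malware", "id": MAL, "created": T, "modified": T,
     "name": "Example RAT", "labels": ["remote-access-trojan"],
     "x_example_platforms": ["macOS"]},
    {"type": "relationship", "id": REL, "created": T, "modified": T,
     "relationship_type": "indicates", "source_ref": IND, "target_ref": MAL},
    {"type": "identity", "id": IDN, "created": T, "modified": T,
     "name": "Example Corp", "identity_class": "organization"},
    {"type": "observed-data", "id": OBS, "created": T, "modified": T,
     "first_observed": T, "last_observed": T, "number_observed": 1,
     "objects": {"0": {"type": "file", "hashes": {"SHA-256": FAKE_SHA256}}}},
    {"type": "sighting", "id": SIG, "created": T, "modified": T,
     "sighting_of_ref": IND, "observed_data_refs": [OBS],
     "where_sighted_refs": [IDN]},
]


def check_object(obj):
    """Checks that need no other object: required properties, id form, property names."""
    oid = obj.get("id", "")
    errors = [f"{oid}: missing required property {p}" for p in REQUIRED if p not in obj]
    match = ID_RE.match(oid)
    if not match:
        errors.append(f"{oid}: id is not of the form <type>--<UUIDv4>")
    elif match.group(1) != obj.get("type"):
        errors.append(f"{oid}: id prefix does not match type {obj.get('type')!r}")
    errors += [f"{oid}: illegal property name {p!r}" for p in obj if not PROP_RE.match(p)]
    return errors


def check_references(obj, by_id):
    """Resolve every *_ref / *_refs. SRO endpoints must resolve inside the collection
    and obey SRO_ENDPOINTS; other references (created_by_ref, object_marking_refs)
    may legitimately point at objects published elsewhere, so a miss is a warning."""
    errors, warnings, edges = [], [], []
    oid, otype = obj.get("id"), obj.get("type")
    for prop, value in obj.items():
        if prop.endswith("_ref"):
            refs = [value]
        elif prop.endswith("_refs"):
            refs = list(value)
        else:
            continue
        rule = SRO_ENDPOINTS.get((otype, prop))
        for ref in refs:
            target = by_id.get(ref)
            if rule is None:
                if target is None:
                    warnings.append(f"{oid}: {prop} -> {ref} is not in this collection")
            elif target is None:
                errors.append(f"{oid}: {prop} -> {ref} does not resolve")
            elif rule == "sdo" and target.get("type") in SRO_TYPES:
                errors.append(f"{oid}: {prop} must point at an SDO, not the SRO {ref}")
            elif rule != "sdo" and target.get("type") not in rule:
                errors.append(f"{oid}: {prop} must point at {sorted(rule)}, got {target.get('type')}")
            else:
                edges.append((oid, prop, ref))
    return errors, warnings, edges


def validate_collection(objects):
    """Run all checks; return errors, warnings and the edges the SROs contribute."""
    by_id, errors, warnings, edges = {}, [], [], []
    for obj in objects:
        if obj.get("id") in by_id:
            errors.append(f"{obj.get('id')}: duplicate id")
        by_id[obj.get("id")] = obj
    for obj in objects:
        errors += check_object(obj)
        err, warn, found = check_references(obj, by_id)
        errors += err
        warnings += warn
        edges += found
    return {"errors": errors, "warnings": warnings, "edges": edges}


def linked_sdos(edges, sro_id):
    """SDOs an SRO connects: exactly two for a relationship, three or more for a sighting."""
    links = defaultdict(set)
    for src, _prop, dst in edges:
        links[src].add(dst)
    return links[sro_id]
```

Run validate_collection(SAMPLE_OBJECTS) and then linked_sdos(report["edges"], SIG): the sighting links the indicator, the observed-data and the identity, while the relationship links only the indicator and the malware. Unresolved created_by_ref or object_marking_refs are reported as warnings rather than errors because a collection routinely refers to identities and marking definitions published elsewhere, as the MITRE objects later in this article do.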
Comparison with version 1.x
Consider the equivalent of our first example in the STIX 1.2 documentation:
[STIX 1.2 XML sample; only its text content survived extraction. It is an Indicator titled "File hash for Poison Ivy variant", of type "File Hash Watchlist", whose observable is a SHA256 file hash, ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c, and which indicates a TTP titled "Poison Ivy" describing a malware instance of type "Remote Access Trojan" named "Poison Ivy".]
The first obvious difference is the use of XML in this version, whereas version 2 uses JSON. We then note that the relationship between the hash and the malware is not an object in itself in version 1 but is included in the indicator. This indicator is also not a top-level object, since it is encapsulated in the STIX_Package element. As for the malware, it sits even deeper in the hierarchy. Moreover, the pattern is expressed here in XML, while version 2 uses a dedicated pattern language.
All this contributes to the OASIS CTI TC simplification and rationalization effort, sometimes to the detriment of the accuracy and expressiveness of the language. However, this expressiveness was not really exploited: only a subset of STIX 1.x was actually used with a common understanding.
In addition to the lack of SRO equivalents in STIX 1, there are similarities between STIX 2.0 SDOs and STIX 1 components. Report, campaign, course of action, indicator, and threat actor are present in both standards. Exploit target in STIX 1.x is close to vulnerability in STIX 2.0, and TTP (Tactics, Techniques, and Procedures) includes, among others, attack-pattern and malware. STIX 2.0 also defines identity, observed-data, and tool, which have equivalents in STIX 1.x but not as first-level components, as well as intrusion-set, which has no direct equivalent. On the other hand, the incident component in STIX 1.x has no real equivalent in STIX 2.0.
Both standards remain sufficiently similar that it is usually possible to convert documents from one to the other:
- stix2-elevator converts STIX 1.x XML into STIX 2.0 JSON;
- stix-slider performs the reverse operation.
However, the CTI TC warns that the conversion is not perfect and that difficulties may arise, especially when converting from 1.x to 2.0.
TAXII
TAXII, or Trusted Automated Exchange of Intelligence Information, is an intelligence exchange protocol over HTTPS. The standard defines a set of requirements for clients and servers and a REST API to interact with two types of services:
- Collection: an interface to a server-provided repository of objects that allows a producer to serve consumers in a request-response model;
- Channel: allows the exchange of information according to a publish-subscribe model.
In reality, the channel service is not yet standardized and the term is only reserved for the moment.
Searching for information on a TAXII server can proceed as follows:
- a GET request on the /taxii/ resource (discovery) to obtain a list of URLs identifying API roots (api_roots);
- a GET request on the resource {api-root}/collections/ to obtain the identifiers of the collections served by an API root;
- a GET request on the resource {api-root}/collections/{id}/objects/ to obtain the objects matching a certain filter.
It is possible to restrict this last request to objects published after a certain date and to filter them by identifier, type, or version. Indeed, STIX has a rudimentary version management system via the modified property.
As an example, let us interact with a public TAXII server, the MITRE CTI TAXII server (cti-taxii.mitre.org):
curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/taxii/
{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK domain collections expressed as STIX, including PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK Mobile.",
  "contact": "attack@mitre.org",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}
In this case there is only one API root, so we can retrieve the collections it serves:
curl -H "Accept: application/vnd.oasis.taxii+json" https://cti-taxii.mitre.org/stix/collections/
{
  "collections": [
    {
      "id": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
      "title": "Enterprise ATT&CK",
      "description": "This data collection holds STIX objects from Enterprise ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "062767bd-02d2-4b72-84ba-56caef0f8658",
      "title": "PRE-ATT&CK",
      "description": "This data collection holds STIX objects from PRE-ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    },
    {
      "id": "2f669986-b40b-4423-b720-4396ca6a462b",
      "title": "Mobile ATT&CK",
      "description": "This data collection holds STIX objects from Mobile ATT&CK",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/vnd.oasis.stix+json; version=2.0"
      ]
    }
  ]
}
We can now request objects from any of those collections. As an example, the following command retrieves one malware SDO from the first collection (we changed the media type for this request, since we are no longer asking for TAXII content but for STIX; the URL is quoted and -g disables curl's URL globbing so that the brackets of match[type] reach the server):
curl -g -H "Accept: application/vnd.oasis.stix+json; version=2.0" -H "Range: items=0-0" "https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/objects/?match[type]=malware"
{
  "type": "bundle",
  "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
  "spec_version": "2.0",
  "objects": [
    {
      "external_references": [
        {
          "external_id": "S0369",
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/software/S0369"
        },
        {
          "url": "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/",
          "source_name": "CoinTicker 2019",
          "description": "Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019."
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "modified": "2019-04-29T21:19:34.739Z",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
      "name": "CoinTicker",
      "created": "2019-04-23T18:41:36.914Z",
      "labels": [
        "malware"
      ],
      "type": "malware",
      "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
      "x_mitre_contributors": [
        "Richie Cyrus, SpecterOps"
      ],
      "x_mitre_aliases": [
        "CoinTicker"
      ],
      "x_mitre_platforms": [
        "macOS"
      ],
      "x_mitre_version": "1.0"
    }
  ]
}
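The three requests above (discovery, collections, objects) can be chained into a small client. The following is an added example, not code from the article or from MITRE: it uses only the Python standard library, takes the transport as a fetch callable so the same walk can be exercised offline against canned copies of the three responses shown above (the second entry in the canned collection list is constructed, with a made-up id, to show a non-STIX collection being skipped), and requests objects only from collections that are readable and advertise the STIX 2.0 media type. The names walk, objects_url, get_objects, canned_fetch, REQUEST_LOG and the SERVER/ROOT/ENTERPRISE constants are this example's own; the Range header mirrors the one used in the curl command above.

```python
"""Minimal TAXII 2.0 walk: discovery -> API roots -> collections -> objects.

Added example, not code from the article or from MITRE. The transport is a
fetch(url, accept, headers) callable so the same walk runs offline against
canned responses (abridged from the replies shown above) or online via http_fetch.
"""
import json
import urllib.parse
import urllib.request

TAXII_MEDIA = "application/vnd.oasis.taxii+json"
STIX_MEDIA = "application/vnd.oasis.stix+json; version=2.0"


def http_fetch(url, accept, headers=None):
    """Real transport: HTTPS GET with the Accept header TAXII requires."""
    req = urllib.request.Request(url, headers={"Accept": accept, **(headers or {})})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def discover_api_roots(server, fetch=http_fetch):
    """Step 1: GET {server}/taxii/ (discovery) and return its api_roots."""
    return fetch(urllib.parse.urljoin(server, "/taxii/"), TAXII_MEDIA)["api_roots"]


def list_readable_collections(api_root, fetch=http_fetch):
    """Step 2: GET {api_root}collections/, keeping only collections we can read
    and that actually serve STIX 2.0 (a TAXII server may host other formats)."""
    data = fetch(urllib.parse.urljoin(api_root, "collections/"), TAXII_MEDIA)
    return [c for c in data.get("collections", [])
            if c.get("can_read") and STIX_MEDIA in c.get("media_types", [])]


def objects_url(api_root, collection_id, **filters):
    """Step 3 URL with the TAXII 2.0 filters: match[id|type|version], added_after."""
    base = urllib.parse.urljoin(api_root, f"collections/{collection_id}/objects/")
    params = [(f"match[{k}]", filters[k]) for k in ("id", "type", "version") if k in filters]
    if "added_after" in filters:
        params.append(("added_after", filters["added_after"]))
    return base + ("?" + urllib.parse.urlencode(params) if params else "")


def get_objects(api_root, collection_id, fetch=http_fetch, first=0, last=None, **filters):
    """Step 3: fetch one page of objects (Range header as in the curl call above)."""
    rng = f"items={first}-{'' if last is None else last}"
    bundle = fetch(objects_url(api_root, collection_id, **filters), STIX_MEDIA, {"Range": rng})
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("response is not a STIX 2.0 bundle")
    return bundle.get("objects", [])


def walk(server, fetch=http_fetch, **filters):
    """All three steps; returns {collection_id: first page of matching objects}."""
    found = {}
    for root in discover_api_roots(server, fetch):
        for coll in list_readable_collections(root, fetch):
            found[coll["id"]] = get_objects(root, coll["id"], fetch, 0, 0, **filters)
    return found


# Canned responses, abridged from the three replies shown above. The second
# collection is constructed (made-up id) to show a non-STIX collection being skipped.
SERVER = "https://cti-taxii.mitre.org"
ROOT = "https://cti-taxii.mitre.org/stix/"
ENTERPRISE = "95ecc380-afe9-11e4-9b6c-751b66dd541e"
CANNED = {
    SERVER + "/taxii/": {"title": "CTI TAXII server", "default": ROOT, "api_roots": [ROOT]},
    ROOT + "collections/": {"collections": [
        {"id": ENTERPRISE, "title": "Enterprise ATT&CK", "can_read": True,
         "can_write": False, "media_types": [STIX_MEDIA]},
        {"id": "00000000-0000-4000-8000-000000000000", "title": "Constructed non-STIX feed",
         "can_read": True, "can_write": False, "media_types": ["application/json"]},
    ]},
    ROOT + f"collections/{ENTERPRISE}/objects/?match%5Btype%5D=malware": {
        "type": "bundle", "id": "bundle--1dc92c96-cf6b-4ba0-bf92-a3208cc265de",
        "spec_version": "2.0",
        "objects": [{"type": "malware", "id": "malware--d1531eaa-9e17-473e-a680-3298469662c3",
                     "name": "CoinTicker", "labels": ["malware"], "x_mitre_platforms": ["macOS"]}],
    },
}
REQUEST_LOG = []


def canned_fetch(url, accept, headers=None):
    """Offline transport: records the request and answers from CANNED."""
    REQUEST_LOG.append((url, accept, headers or {}))
    if url not in CANNED:
        raise KeyError(f"no canned response for {url}")
    return CANNED[url]
```

walk(SERVER, canned_fetch, type="malware") returns the CoinTicker object under the Enterprise ATT&CK collection id and nothing for the constructed collection, since it does not advertise the STIX 2.0 media type; passing fetch=http_fetch instead performs the same walk against the live server. The media-type and can_read checks are what keep a client from blindly parsing whatever a server returns as STIX.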
Note that although STIX and TAXII are the result of a common effort, and although a TAXII server must be able to handle STIX, these two standards remain independent. It is possible to exchange STIX information without TAXII, and a TAXII server can also handle other intelligence formats.
Conclusion
To be more effective, information sharing on cyber threats must be done within a large community and according to a clear standard that facilitates automation. STIX/TAXII focus on the essentials and build on existing technologies to accelerate their adoption. Aware of the limitations of its standards, the OASIS CTI TC is already working on version 2.1, which introduces three new SDOs. Meanwhile, it remains possible to introduce custom objects and properties.