STIX 2.1 Parser Job App Data Mappings
- 12 Dec 2022
- 2 Minutes to read
-
Print
-
DarkLight
STIX 2.1 Parser Job App Data Mappings
- Updated on 12 Dec 2022
- 2 Minutes to read
-
Print
-
DarkLight
Article Summary
Overview
The data mappings outlined in this article apply to data created in ThreatConnect® from a Structured Threat Information eXpression (STIX™) file using the STIX 2.1 Parser Job App.
The STIX 2.1 Parser Job App creates the following object types based on STIX patterns:
- Indicators: Address, ASN, CIDR, Email Address, Email Subject, File, Host, and URL.
- Groups: Adversary, Campaign, Intrusion Set, Report, and Threat.
Important
Depending on how much data are available in the parsed STIX file for each object, some properties listed in the tables in this article may not be added to the corresponding object created in ThreatConnect.
Note
The STIX 2.1 Parser Job App does not support complex STIX patterns.
STIX Domain Objects
| STIX Domain Object Type | ThreatConnect Object Mapping |
|---|---|
campaign | Campaign |
indicator | Indicator |
intrusion-set | Intrusion Set |
report | Report |
threat-actor | Adversary |
tool | Threat |
STIX Vocabularies
| Name | ThreatConnect Mapping |
|---|---|
attack-motivation-ov | Attribute: "Adversary Motivation" |
malware-av-result-ov | Attribute: "AV Scanner Results" |
windows-pebinary-type-ov | Attribute: "File Type" |
windows-registry-datatype-enum | Registry Key Indicator: Value Type |
Campaign Properties
| Property | ThreatConnect Mapping |
|---|---|
aliases | Campaign: Attribute: "Aliases" |
created | Campaign: Creation Date |
description | Campaign: Attribute: "Description" |
labels | Campaign: Tags |
last_seen | Campaign: Attribute: "Last Seen" |
modified | Campaign: Last Modified Date |
name | Campaign: Name |
object_marking_refs | Campaign: Security Labels |
objective | Campaign: Attribute: "Campaign Objective" |
source | Campaign: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Campaign: Attribute: "External Date Created" |
valid_until | Campaign: Attribute: "External Date Expires" |
Indicator Properties
| Property | ThreatConnect Mapping |
|---|---|
created | Indicator: Creation Date |
description | Indicator: Attribute: "Description" |
indicator_types | Indicator: Attribute: "STIX Indicator Type" |
labels | Indicator: Tags |
modified | Indicator: Last Modified Date |
name | Indicator: Attribute: "STIX Title" |
object_marking_refs | Indicator: Security Labels |
source | Indicator: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Indicator: Attribute: "External Date Created" |
valid_until | Indicator: Attribute: "External Date Expires" |
Indicator Pattern Mappings
| Pattern | ThreatConnect Indicator Type |
|---|---|
url:value | URL |
email-addr:value | Email Address |
domain-name:value | Host |
autonomous-system:name | ASN |
email-message:subject | Email Subject |
ipv4-addr:value | Address/CIDR (depending on the value) |
ipv6-addr:value | Address/CIDR (depending on the value) |
file:hashes | File |
Intrusion Set Properties
| Property | ThreatConnect Mapping |
|---|---|
aliases | Intrusion Set: Attribute: "Aliases" |
created | Intrusion Set: Creation Date |
description | Intrusion Set: Attribute: "Description" |
goals | Intrusion Set: Attribute: "Goals" |
labels | Intrusion Set: Tags |
last_seen | Intrusion Set: Attribute: "Last Seen" |
modified | Intrusion Set: Last Modified Date |
name | Intrusion Set: Name |
object_marking_refs | Intrusion Set: Security Labels |
primary_motivation | Intrusion Set: Attribute: "Adversary Motivation Type" |
resource_level | Intrusion Set: Attribute: "Resource Level" |
secondary_motivations | Intrusion Set: Attribute: "Secondary Motivation" |
source | Intrusion Set: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Intrusion Set: Attribute: "External Date Created" |
valid_until | Intrusion Set: Attribute: "External Date Expires" |
Report Properties
| Property | ThreatConnect Mapping |
|---|---|
created | Report: Creation Date |
description | Report: Attribute: "Description" |
labels | Report: Tags |
modified | Report: Last Modified Date |
name | Report: Name |
object_marking_refs | Report: Security Labels |
published | Report: Publish Date |
report_types | Report: Attribute: "Report Type" |
source | Report: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Report: Attribute: "External Date Created" |
valid_until | Report: Attribute: "External Date Expires" |
Threat Actor Properties
| Property | ThreatConnect Mapping |
|---|---|
aliases | Adversary: Attribute: "Aliases" |
created | Adversary: Creation Date |
description | Adversary: Attribute: "Description" |
goals | Adversary: Attribute: "Secondary Motivation" |
labels | Adversary: Tags |
last_seen | Adversary: Attribute: "Last Seen" |
modified | Adversary: Last Modified Date |
name | Adversary: Name |
object_marking_refs | Adversary: Security Labels |
personal_motivations | Adversary: Attribute: "Secondary Motivation" |
primary_motivation | Adversary: Attribute: "Adversary Motivation Type" |
resource_level | Adversary: Attribute: "Resource Level" |
secondary_motivations | Adversary: Attribute: "Secondary Motivation" |
source | Adversary: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
threat_actor_types | Adversary: Attribute: "Adversary Type" |
valid_from | Adversary: Attribute: "External Date Created" |
valid_until | Adversary: Attribute: "External Date Expires" |
Tool Properties
Note
For Tools, the STIX 2.1 Parser Job App creates a corresponding Threat Group in ThreatConnect that contains a Threat Type Attribute with a value of Tool.
| Property | ThreatConnect Mapping |
|---|---|
aliases | Threat: Attribute: "Aliases" |
created | Threat: Creation Date |
description | Threat: Attribute: "Description" |
labels | Threat: Tags |
modified | Threat: Last Modified Date |
name | Threat: Name |
object_marking_refs | Threat: Security Labels |
source | Threat: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
tool_types | Threat: Attribute: "Malicious Tool Variety" |
tool_version | Threat: Attribute: "Malicious Tool Version" |
valid_from | Threat: Attribute: "External Date Created" |
valid_until | Threat: Attribute: "External Date Expires" |
Attack Motivation
| STIX Value | ThreatConnect Value | ThreatConnect Attribute | Applicable ThreatConnect Data Model Objects |
|---|---|---|---|
accidental | Accidental |
|
|
coercion | Coercion | ||
dominance | Dominance | ||
ideology | Ideological | ||
notoriety | Notoriety | ||
organizational-gain | Organizational Gain | ||
personal-gain | Personal Gain | ||
personal-satisfaction | Personal Satisfaction | ||
revenge | Revenge | ||
unpredictable | Unpredictable |
Attack Resource Level
| STIX Value | ThreatConnect Value | ThreatConnect Attribute | Applicable ThreatConnect Data Model Objects |
|---|---|---|---|
individual | individual | Attribute: "Resource Level" |
|
club | club | ||
contest | contest | ||
team | team | ||
organization | organization | ||
government | government |
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
STIX™ is a trademark of The MITRE Corporation.
20142-01 v.01.A
Was this article helpful?
