STIX 2.1 Parser Job App Data Mappings
  • 12 Dec 2022
  • 2 Minutes to read
  • Dark
    Light

STIX 2.1 Parser Job App Data Mappings

  • Dark
    Light

Article summary

Overview

The data mappings outlined in this article apply to data created in ThreatConnect® from a Structured Threat Information eXpression (STIX™) file using the STIX 2.1 Parser Job App.

The STIX 2.1 Parser Job App creates the following object types based on STIX patterns:

  • Indicators: Address, ASN, CIDR, Email Address, Email Subject, File, Host, and URL.
  • Groups: Adversary, Campaign, Intrusion Set, Report, and Threat.
Important
Depending on how much data are available in the parsed STIX file for each object, some properties listed in the tables in this article may not be added to the corresponding object created in ThreatConnect.
Note
The STIX 2.1 Parser Job App does not support complex STIX patterns.

STIX Domain Objects

STIX Domain Object TypeThreatConnect Object Mapping

campaign

Campaign

indicator

Indicator

intrusion-set

Intrusion Set

report

Report

threat-actor

Adversary

tool

Threat

STIX Vocabularies

NameThreatConnect Mapping

attack-motivation-ov

Attribute: "Adversary Motivation"
Attribute: "Secondary Motivation"

malware-av-result-ov

Attribute: "AV Scanner Results"

windows-pebinary-type-ov

Attribute: "File Type"

windows-registry-datatype-enum

Registry Key Indicator: Value Type

Campaign Properties

PropertyThreatConnect Mapping

aliases

Campaign: Attribute: "Aliases"

created

Campaign: Creation Date

description

Campaign: Attribute: "Description"

labels

Campaign: Tags

last_seen

Campaign: Attribute: "Last Seen"

modified

Campaign: Last Modified Date

name

Campaign: Name

object_marking_refs

Campaign: Security Labels

objective

Campaign: Attribute: "Campaign Objective"

source

Campaign: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path)

valid_from

Campaign: Attribute: "External Date Created"

valid_until

Campaign: Attribute: "External Date Expires"

Indicator Properties

PropertyThreatConnect Mapping

created

Indicator: Creation Date

description

Indicator: Attribute: "Description"

indicator_types

Indicator: Attribute: "STIX Indicator Type"

labels

Indicator: Tags

modified

Indicator: Last Modified Date

name

Indicator: Attribute: "STIX Title"

object_marking_refs

Indicator: Security Labels

source

Indicator: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path)

valid_from

Indicator: Attribute: "External Date Created"

valid_until

Indicator: Attribute: "External Date Expires"

Indicator Pattern Mappings

PatternThreatConnect Indicator Type

url:value

URL

email-addr:value

Email Address

domain-name:value

Host

autonomous-system:name

ASN

email-message:subject

Email Subject

ipv4-addr:value

Address/CIDR (depending on the value)

ipv6-addr:value

Address/CIDR (depending on the value)

file:hashes

File

Intrusion Set Properties

PropertyThreatConnect Mapping

aliases

Intrusion Set: Attribute: "Aliases"

created

Intrusion Set: Creation Date

description

Intrusion Set: Attribute: "Description"

goals

Intrusion Set: Attribute: "Goals"

labels

Intrusion Set: Tags

last_seen

Intrusion Set: Attribute: "Last Seen"

modified

Intrusion Set: Last Modified Date

name

Intrusion Set: Name

object_marking_refs

Intrusion Set: Security Labels

primary_motivation

Intrusion Set: Attribute: "Adversary Motivation Type"

resource_level

Intrusion Set: Attribute: "Resource Level"

secondary_motivations

Intrusion Set: Attribute: "Secondary Motivation"

source

Intrusion Set: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path)

valid_from

Intrusion Set: Attribute: "External Date Created"

valid_until

Intrusion Set: Attribute: "External Date Expires"

Report Properties

PropertyThreatConnect Mapping

created

Report: Creation Date

description

Report: Attribute: "Description"

labels

Report: Tags

modified

Report: Last Modified Date

name

Report: Name

object_marking_refs

Report: Security Labels

published

Report: Publish Date

report_types

Report: Attribute: "Report Type"

source

Report: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path)

valid_from

Report: Attribute: "External Date Created"

valid_until

Report: Attribute: "External Date Expires"

Threat Actor Properties

PropertyThreatConnect Mapping

aliases

Adversary: Attribute: "Aliases"

created

Adversary: Creation Date

description

Adversary: Attribute: "Description"

goals

Adversary: Attribute: "Secondary Motivation"

labels

Adversary: Tags

last_seen

Adversary: Attribute: "Last Seen"

modified

Adversary: Last Modified Date

name

Adversary: Name

object_marking_refs

Adversary: Security Labels

personal_motivations

Adversary: Attribute: "Secondary Motivation"

primary_motivation

Adversary: Attribute: "Adversary Motivation Type"

resource_level

Adversary: Attribute: "Resource Level"

secondary_motivations

Adversary: Attribute: "Secondary Motivation"

source

Adversary: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path)

threat_actor_types

Adversary: Attribute: "Adversary Type"

valid_from

Adversary: Attribute: "External Date Created"

valid_until

Adversary: Attribute: "External Date Expires"

Tool Properties

Note
For Tools, the STIX 2.1 Parser Job App creates a corresponding Threat Group in ThreatConnect that contains a Threat Type Attribute with a value of Tool.
PropertyThreatConnect Mapping

aliases

Threat: Attribute: "Aliases"

created

Threat: Creation Date

description

Threat: Attribute: "Description"

labels

Threat: Tags

modified

Threat: Last Modified Date

name

Threat: Name

object_marking_refs

Threat: Security Labels

source

Threat: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path)

tool_types

Threat: Attribute: "Malicious Tool Variety"

tool_version

Threat: Attribute: "Malicious Tool Version"

valid_from

Threat: Attribute: "External Date Created"

valid_until

Threat: Attribute: "External Date Expires"

Attack Motivation

STIX ValueThreatConnect ValueThreatConnect AttributeApplicable ThreatConnect Data Model Objects

accidental

Accidental

  • Attribute: "Adversary Motivation"
  • Attribute: "Secondary Motivation"
  • Adversary
  • Intrusion Set

coercion

Coercion

dominance

Dominance

ideology

Ideological

notoriety

Notoriety

organizational-gain

Organizational Gain

personal-gain

Personal Gain

personal-satisfaction

Personal Satisfaction

revenge

Revenge

unpredictable

Unpredictable

Attack Resource Level

STIX ValueThreatConnect ValueThreatConnect AttributeApplicable ThreatConnect Data Model Objects

individual

individual

Attribute: "Resource Level"

  • Adversary
  • Campaign
  • Intrusion Set

club

club

contest

contest

team

team

organization

organization

government

government


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
STIX™ is a trademark of The MITRE Corporation.

20142-01 v.01.A


Was this article helpful?