STIX 2.1 Parser Job App Data Mappings
Updated on 12 Dec 2022
The STIX 2.1 Parser Job App has been replaced by the ThreatConnect TAXII Ingest App. Please see the ThreatConnect TAXII Ingest User Guide for more information.
Overview
The data mappings outlined in this article apply to data created in ThreatConnect® from a Structured Threat Information eXpression (STIX™) file using the STIX 2.1 Parser Job App.
The STIX 2.1 Parser Job App creates the following object types based on STIX patterns:
- Indicators: Address, ASN, CIDR, Email Address, Email Subject, File, Host, and URL.
- Groups: Adversary, Campaign, Intrusion Set, Report, and Threat.
STIX Domain Objects
STIX Domain Object Type | ThreatConnect Object Mapping |
---|---|
campaign | Campaign |
indicator | Indicator |
intrusion-set | Intrusion Set |
report | Report |
threat-actor | Adversary |
tool | Threat |
STIX Vocabularies
Name | ThreatConnect Mapping |
---|---|
attack-motivation-ov | Attribute: "Adversary Motivation" |
malware-av-result-ov | Attribute: "AV Scanner Results" |
windows-pebinary-type-ov | Attribute: "File Type" |
windows-registry-datatype-enum | Registry Key Indicator: Value Type |
Campaign Properties
Property | ThreatConnect Mapping |
---|---|
aliases | Campaign: Attribute: "Aliases" |
created | Campaign: Creation Date |
description | Campaign: Attribute: "Description" |
labels | Campaign: Tags |
last_seen | Campaign: Attribute: "Last Seen" |
modified | Campaign: Last Modified Date |
name | Campaign: Name |
object_marking_refs | Campaign: Security Labels |
objective | Campaign: Attribute: "Campaign Objective" |
source | Campaign: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Campaign: Attribute: "External Date Created" |
valid_until | Campaign: Attribute: "External Date Expires" |
Indicator Properties
Property | ThreatConnect Mapping |
---|---|
created | Indicator: Creation Date |
description | Indicator: Attribute: "Description" |
indicator_types | Indicator: Attribute: "STIX Indicator Type" |
labels | Indicator: Tags |
modified | Indicator: Last Modified Date |
name | Indicator: Attribute: "STIX Title" |
object_marking_refs | Indicator: Security Labels |
source | Indicator: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Indicator: Attribute: "External Date Created" |
valid_until | Indicator: Attribute: "External Date Expires" |
Indicator Pattern Mappings
Pattern | ThreatConnect Indicator Type |
---|---|
url:value | URL |
email-addr:value | Email Address |
domain-name:value | Host |
autonomous-system:name | ASN |
email-message:subject | Email Subject |
ipv4-addr:value | Address/CIDR (depending on the value) |
ipv6-addr:value | Address/CIDR (depending on the value) |
file:hashes | File |
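The table above can be applied to a raw STIX pattern string as in the following added example, which is not ThreatConnect's code. It handles only `=` comparisons, and the rule that a value containing a prefix length (`/`) is a CIDR is an assumption standing in for "depending on the value"; `map_pattern`, `classify_ip` and `SAMPLE` are hypothetical names.

```python
import ipaddress
import re

# STIX object path -> ThreatConnect Indicator type, copied from the table above.
PATTERN_TO_TC = {
    "url:value": "URL",
    "email-addr:value": "Email Address",
    "domain-name:value": "Host",
    "autonomous-system:name": "ASN",
    "email-message:subject": "Email Subject",
    "ipv4-addr:value": "Address/CIDR",
    "ipv6-addr:value": "Address/CIDR",
    "file:hashes": "File",
}
# One comparison: <type>:<path> = '<string>'; STIX escapes ' and \ with a backslash.
COMPARISON = re.compile(
    r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'"
)
# Constructed sample pattern (documentation address ranges, placeholder hash).
SAMPLE = ("[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.0/24'] "
          "AND [file:hashes.'SHA-256' = '" + "0" * 64 + "']")


def classify_ip(value):
    """Assumption: a value with a prefix length ('/') is a CIDR, otherwise an Address."""
    if "/" in value:
        ipaddress.ip_network(value, strict=False)  # ValueError if malformed
        return "CIDR"
    ipaddress.ip_address(value)  # ValueError if malformed
    return "Address"


def map_pattern(pattern):
    """Return (tc_type, value) for each '=' comparison whose path the table lists."""
    results = []
    for m in COMPARISON.finditer(pattern):
        value = re.sub(r"\\(.)", r"\1", m.group("value"))  # undo \' and \\ escapes
        path = m.group("path")
        # file:hashes.'SHA-256' and file:hashes.MD5 both fall under file:hashes.
        key = "file:hashes" if path.startswith("file:hashes.") else path
        tc_type = PATTERN_TO_TC.get(key)
        if tc_type == "Address/CIDR":
            try:
                tc_type = classify_ip(value)
            except ValueError:
                tc_type = None  # not a valid IP or network: skip rather than guess
        if tc_type is not None:
            results.append((tc_type, value))
    return results
```

Calling `map_pattern(SAMPLE)` yields one Address, one CIDR and one File entry; comparisons on object paths the table does not list are skipped.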
Intrusion Set Properties
Property | ThreatConnect Mapping |
---|---|
aliases | Intrusion Set: Attribute: "Aliases" |
created | Intrusion Set: Creation Date |
description | Intrusion Set: Attribute: "Description" |
goals | Intrusion Set: Attribute: "Goals" |
labels | Intrusion Set: Tags |
last_seen | Intrusion Set: Attribute: "Last Seen" |
modified | Intrusion Set: Last Modified Date |
name | Intrusion Set: Name |
object_marking_refs | Intrusion Set: Security Labels |
primary_motivation | Intrusion Set: Attribute: "Adversary Motivation Type" |
resource_level | Intrusion Set: Attribute: "Resource Level" |
secondary_motivations | Intrusion Set: Attribute: "Secondary Motivation" |
source | Intrusion Set: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Intrusion Set: Attribute: "External Date Created" |
valid_until | Intrusion Set: Attribute: "External Date Expires" |
Report Properties
Property | ThreatConnect Mapping |
---|---|
created | Report: Creation Date |
description | Report: Attribute: "Description" |
labels | Report: Tags |
modified | Report: Last Modified Date |
name | Report: Name |
object_marking_refs | Report: Security Labels |
published | Report: Publish Date |
report_types | Report: Attribute: "Report Type" |
source | Report: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
valid_from | Report: Attribute: "External Date Created" |
valid_until | Report: Attribute: "External Date Expires" |
Threat Actor Properties
Property | ThreatConnect Mapping |
---|---|
aliases | Adversary: Attribute: "Aliases" |
created | Adversary: Creation Date |
description | Adversary: Attribute: "Description" |
goals | Adversary: Attribute: "Secondary Motivation" |
labels | Adversary: Tags |
last_seen | Adversary: Attribute: "Last Seen" |
modified | Adversary: Last Modified Date |
name | Adversary: Name |
object_marking_refs | Adversary: Security Labels |
personal_motivations | Adversary: Attribute: "Secondary Motivation" |
primary_motivation | Adversary: Attribute: "Adversary Motivation Type" |
resource_level | Adversary: Attribute: "Resource Level" |
secondary_motivations | Adversary: Attribute: "Secondary Motivation" |
source | Adversary: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
threat_actor_types | Adversary: Attribute: "Adversary Type" |
valid_from | Adversary: Attribute: "External Date Created" |
valid_until | Adversary: Attribute: "External Date Expires" |
Tool Properties
Property | ThreatConnect Mapping |
---|---|
aliases | Threat: Attribute: "Aliases" |
created | Threat: Creation Date |
description | Threat: Attribute: "Description" |
labels | Threat: Tags |
modified | Threat: Last Modified Date |
name | Threat: Name |
object_marking_refs | Threat: Security Labels |
source | Threat: Attribute: "Source" (value contains the Object ID, Collection ID, Collection Name, Collection Path, and Object Path) |
tool_types | Threat: Attribute: "Malicious Tool Variety" |
tool_version | Threat: Attribute: "Malicious Tool Version" |
valid_from | Threat: Attribute: "External Date Created" |
valid_until | Threat: Attribute: "External Date Expires" |
Attack Motivation
STIX Value | ThreatConnect Value | ThreatConnect Attribute | Applicable ThreatConnect Data Model Objects |
---|---|---|---|
accidental | Accidental | | |
coercion | Coercion | | |
dominance | Dominance | | |
ideology | Ideological | | |
notoriety | Notoriety | | |
organizational-gain | Organizational Gain | | |
personal-gain | Personal Gain | | |
personal-satisfaction | Personal Satisfaction | | |
revenge | Revenge | | |
unpredictable | Unpredictable | | |
Attack Resource Level
STIX Value | ThreatConnect Value | ThreatConnect Attribute | Applicable ThreatConnect Data Model Objects |
---|---|---|---|
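individual | individual | Attribute: "Resource Level" | |
club | club | Attribute: "Resource Level" | |
contest | contest | Attribute: "Resource Level" | |
team | team | Attribute: "Resource Level" | |
organization | organization | Attribute: "Resource Level" | |
government | government | Attribute: "Resource Level" | |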
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
STIX™ is a trademark of The MITRE Corporation.
20142-01 v.01.A