STIX and CybOX Parser Data Mappings
  • 21 Oct 2022
  • 1 Minute to read
  • Dark
    Light

STIX and CybOX Parser Data Mappings

  • Dark
    Light

Article summary

Overview

The Structured Threat Information eXpression (STIX™) and CybOX™ parser data mappings apply to the STIX 1.1.1 parser when configuring an inbound TAXII feed, as well as to the STIX Parser Playbook App in ThreatConnect®.

STIX 1.1.1 Data Mapping

IndicatorType

KeyThreatConnect Mapping

@id

Indicator: Attribute: "STIX ID"
Indicator: Attribute: "Description" (append to bottom)

Title

Indicator: Attribute: "Title"

Type

Indicator: Attribute: "STIX Indicator Type"

Description

Indicator: Attribute: "Description"

Short_Description

Indicator: Attribute: "Description" (append)

Kill_Chain_Phases

Indicator: Attribute: "Phase of Intrusion"

Confidence

Indicator: Confidence

Producer

Indicator: Attribute: "Producer"

Observable:id

Indicator: Attribute: "STIX Observable ID"

Handling

Indicator: Security Label

IncidentType

KeyThreatConnect Mapping

Title

Incident: Name

External_ID

Incident: Attribute: "External ID"

Description

Incident: Attribute: "Description"

Related_Indicators

Incident: Association: Indicators

Related_Observables

Incident: Association: Indicators

Handling

Incident: Security Label

ThreatActorType

KeyThreatConnect Mapping

Title

Threat: Name

Description

Threat: Attribute: "Description"

CybOX 2.1 Data Mapping

DomainNameObjectType

KeyThreatConnect Mapping

Value

Host

DNSRecordObjectType

KeyThreatConnect Mapping

Domain_Name

Host

IP_Address

Address

Description

Incident: Attribute: "Description"

AddressObjectType

KeyThreatConnect Mapping

Address_Value (@category == cidr)

CIDR

Address_Value (@category == e-mail)

E-mail Address

Address_Value (@category == ipv4-addr)

Address

EmailMessageObjectType

KeyThreatConnect Mapping

Raw_Body

Email: Body

Raw_Header

Email: Header

Links

URL
Email: Association

EmailHeaderType:To

Email: To

EmailHeaderType:From

Email: From
Indicator: E-mail Address

EmailHeaderType:Subject

Email: Subject
Indicator: Email Subject

AttachmentsType:File

File
Email: Association

LinkObjectType

KeyThreatConnect Mapping

Link

URL

MutexObjectType

KeyThreatConnect Mapping

Mutex

Mutex

HostnameObjectType

KeyThreatConnect Mapping

@is_domain_name

if false, drop object.

Hostname_Value

Host

URLObjectType

KeyThreatConnect Mapping

@type

If URL, save URL Indicator. If domain name, save Host Indicator.

Value

URL or Host


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
 CybOX™ and STIX™ are trademarks of the MITRE Corporation.

20082-01 v.01.C


Was this article helpful?