STIX 2 Domain Objects

Modified on: Wed, 5 May, 2021 at 1:57 AM

STIX2 Grouping

Entity Meta

InformationValue
Display NameSTIX2 Grouping
Entity Namemaltego.STIX2.grouping
Short DescriptionA Grouping object explicitly asserts that the referenced STIX Objects have a shared content.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal grouping.grouping
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringA name used to identify the Grouping. 
descriptiondescriptionstringA description which provides more details and context about the Grouping, potentially including the purpose and key chara cteristics. 
contextcontextstringA short description of the particular context shared by the content referenced by the Grouping. 
object_refsobject_refsstring[]The STIX Objects (SDOs and SROs) that are referred to by this Grouping. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

A Grouping object explicitly asserts that the referenced STIX Objects have a shared content.


STIX2 Note

Entity Meta

InformationValue
Display NameSTIX2 Note
Entity Namemaltego.STIX2.note
Short DescriptionA Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.Phrase, maltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal note.note
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
texttextstringThe content of the note. 
abstractabstractstringA brief summary of the note. 
authorsauthorsstring[]The name of the author(s) of this note (e.g., the analyst(s) that created it). 
object_refsobject_refsstring[]The STIX Objects (SDOs and SROs) that the note is being applied to. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{"text": "content"}


Entity Description

A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.


Entity Meta

InformationValue
Display NameSTIX2 Incident
Entity Namemaltego.STIX2.incident
Short DescriptionAn incident is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal incident.x-openc ti-incident
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringThe name used to identify the Incident. 
descriptiondescriptionstringA description that provides more details and context about the Incident, potentially including its purpose and its key chara cteristics. 
aliasesaliasesstring[]Alternative names used to identify this incident. 
first_seenfirst_seenstringThe time that this Incident was first seen. 
last_seenlast_seenstringThe time that this Incident was last seen. 
objectiveobjectivestringThis field defines the Incident’s primary goal, objective, desired outcome, or intended effect. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

An incident is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.


STIX2 Location

Entity Meta

InformationValue
Display NameSTIX2 Location
Entity Namemaltego.STIX2.location
Short DescriptionA Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.Location, maltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal location.location
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
lo cation.namelo cation.namestringA name used to identify the Location. 
latitudelatitudestringThe latitude of the Location in decimal degrees. 
longitudelongitudestringThe longitude of the Location in decimal degrees. 
countrycountrystringThe country that this Location describes. 
lo cation.arealo cation.areastringThe state, province, or other s ub-national adm inistrative area that this Location describes. 
citycitystringThe city that this Location describes. 
st reetaddressst reetaddressstringThe street address that this Location describes. 
locati on.areacodelocati on.areacodestringThe postal code for this Location. 
descriptiondescriptionstringA textual description of the Location. 
precisionprecisionstringDefines the precision of the coordinates specified by the latitude and longitude properties, measured in meters. 
regionregionstringThe region that this Location describes. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{"loca tion.name": "name", "latitude": "latitude", " longitude": " longitude", "country": "country", "city": "city", "stre etaddress": "stree t_address", "loca tion.area": "administra tive_area", "location .areacode": "po stal_code"}


Entity Description

A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude.


STIX2 Opinion

Entity Meta

InformationValue
Display NameSTIX2 Opinion
Entity Namemaltego.STIX2.opinion
Short DescriptionAn Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity and captures the level of agreement or disagreement using a fixed scale.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal  `opinion`.opinion
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
explanationexplanationstringAn explanation of why the producer has this Opinion. 
authorsauthorsstring[]The name of the author(s) of this opinion (e.g., the analyst(s) that created it). 
object_refsobject_refsstring[]The STIX Objects (SDOs and SROs) that the opinion is being applied to. 
opinionopinionstringThe opinion that the producer has about about all of the STIX Object(s) listed in the object_refs property. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity and captures the level of agreement or disagreement using a fixed scale.


STIX2 Vulnerability

Entity Meta

InformationValue
Display NameSTIX2 Vulnerability
Entity Namemaltego.STIX2.vulnerability
Short DescriptionA Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal vulne rability.vu lnerability
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringThe name used to identify the Vul nerability. 
descriptiondescriptionstringA description that provides more details and context about the Vul nerability. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.


STIX2 Malware

Entity Meta

InformationValue
Display NameSTIX2 Malware
Entity Namemaltego.STIX2.malware
Short DescriptionMalware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal  `malware`.malware
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
aliasesaliasesstring[]Alternative names used to identify this Malware or Malware family. 
first_seenfirst_seenstringThe time that the malware instance or family was first seen. 
last_seenlast_seenstringThe time that the malware family or malware instance was last seen. 
operating system_refsoperating system_refsstring[]The operating systems that the malware family or malware instance is executable on. 
archi tecture_exe cution_envsarchi tecture_exe cution_envsstring[]The processor ar chitectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. Open Vocab -proc essor-archi tecture-os. 
im plementatio n_languagesim plementatio n_languagesstring[]The programming language(s) used to implement the malware instance or family. Open Vocab -imple mentation-l anguage-ov. 
c apabilitiesc apabilitiesstring[]Specifies any c apabilities identified for the malware instance or family. Open Vocab -ma lware-capab ilities-ov. 
sample_refssample_refsstring[]The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. 
ma lware_typesma lware_typesstring[]The type of malware being described. Open Vocab -malw are-type-ov 
namenamestringThe name used to identify the Malware. 
descriptiondescriptionstringProvides more context and details about the Malware object. 
kill_c hain_phaseskill_c hain_phasesstring[]The list of kill chain phases for which this Malware instance can be used. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}
is_familyis_familystringWhether the object represents a malware family (if true) or a malware instance (if false).True


Entity Description

Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.


STIX2 Malware Analysis

Entity Meta

InformationValue
Display NameSTIX2 Malware Analysis
Entity Namemaltego.STIX2.malware-analysis
Short DescriptionMalware Analysis captures the metadata and results of a particular analysis performed (static or dynamic) on the malware instance or family.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal malware- analysis.malwa re-analysis
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
productproductstringThe name of the analysis engine or product that was used for this analysis. 
versionversionstringThe version of the analysis product that was used to perform this analysis. 
configurat ion_versionconfigurat ion_versionstringThe version of the analysis product co nfiguration that was used to perform this analysis. 
modulesmodulesstring[]The particular analysis product modules that were used to perform the analysis. 
a nalysis_eng ine_versiona nalysis_eng ine_versionstringThe version of the analysis engine or product that was used to perform this analysis. 
analy sis_definit ion_versionanaly sis_definit ion_versionstringThe version of the analysis definitions used by the analysis tool. 
submittedsubmittedstringThe date and time that this malware was first submitted for scanning or analysis. 
analy sis_startedanaly sis_startedstringThe date and time that the malware analysis was initiated. 
ana lysis_endedana lysis_endedstringThe date and time that the malware analysis ended. 
result_nameresult_namestringThe cla ssification result or name assigned to the malware instance by the scanner tool. 
resultresultstringThe cla ssification result as determined by the scanner or tool analysis process. 
host_vm_refhost_vm_refstringA description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. 
operating _system_refoperating _system_refstringThe operating system that was used to perform the dynamic analysis. 
i nstalled_so ftware_refsi nstalled_so ftware_refsstring[]Any n on-standard software installed on the operating system used for the dynamic analysis of the malware instance or family. 
analys is_sco_refsanalys is_sco_refsstring[]The list of STIX objects that were captured during the analysis process. 
sample_refsample_refstringRefers to the object this analysis was performed against. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

Malware Analysis captures the metadata and results of a particular analysis performed (static or dynamic) on the malware instance or family.


STIX2 Report

Entity Meta

InformationValue
Display NameSTIX2 Report
Entity Namemaltego.STIX2.report
Short DescriptionReports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal report.report
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
r eport_typesr eport_typesstring[]This field is an Open Vocabulary that specifies the primary subject of this report. The suggested values for this field are in repo rt-type-ov. 
namenamestringThe name used to identify the Report. 
descriptiondescriptionstringA description that provides more details and context about Report. 
publishedpublishedstringThe date that this report object was officially published by the creator of this report. 
object_refsobject_refsstring[]Specifies the STIX Objects that are referred to by this Report. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.


STIX2 Attack Pattern

Entity Meta

InformationValue
Display NameSTIX2 Attack Pattern
Entity Namemaltego.STIX2.attack-pattern
Short DescriptionAttack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal identity.identity
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
rolesrolesstring[]The list of roles that this Identity performs (e.g., CEO, Domain Admi nistrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. 
namenamestringThe name of this Identity. 
descriptiondescriptionstringA description that provides more details and context about the Identity. 
ide ntity_classide ntity_classstringThe type of entity that this Identity describes, e.g., an individual or or ganization. Open Vocab -identi ty-class-ov 
sectorssectorsstring[]The list of sectors that this Identity belongs to. Open Vocab -industr y-sector-ov 
contact informationcontact informationstringThe contact information (e-mail, phone number, etc.) for this Identity. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}
x_mitre_idx_mitre_idstringID of the attack pattern in MITRE frameworks 
x_mitr e_platformsx_mitr e_platformsstring[]OS concerned by this attack pattern in MITRE frameworks 
x_mitr e_permissio ns_requiredx_mitr e_permissio ns_requiredstring[]Permissions required to do this attack pattern in MITRE frameworks 
x_mitr e_detectionx_mitr e_detectionstringDetections methods for this attack pattern in MITRE frameworks 


Entity Description

Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.


STIX2 Core

Entity Meta

InformationValue
Display NameSTIX2 Core
Entity Namemaltego.STIX2.core
Short DescriptionAbstract entity from which all STIX entities inherit common properties
Entity CategorySTIX 2 domain objects
Base Entities(none)


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
ididstring  
ma rking_colorma rking_colorstringA color to be used in graphic display to show a marking sign (eg TLP) 
m arking_textm arking_textstringA text to be used in graphic display to show a marking sign (eg TLP) 


Entity Description

Abstract entity from which all STIX entities inherit common properties.


STIX2 Threat Actor

Entity Meta

InformationValue
Display NameSTIX2 Threat Actor
Entity Namemaltego.STIX2.threat-actor
Short DescriptionThreat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.Organization, maltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal thre at-actor.t hreat-actor
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
titletitlestringA name used to identify this Threat Actor or Threat Actor group. 
threat actor_typesthreat actor_typesstring[]This field specifies the type of threat actor. Open Vocab -threat-ac tor-type-ov 
descriptiondescriptionstringA description that provides more details and context about the Threat Actor. 
aliasesaliasesstring[]A list of other names that this Threat Actor is believed to use. 
rolesrolesstring[]This is a list of roles the Threat Actor plays. Open Vocab -threat-ac tor-role-ov 
goalsgoalsstring[]The high level goals of this Threat Actor, namely, what are they trying to do. 
first_seenfirst_seenstringThe time that this Threat Actor was first seen. 
last_seenlast_seenstringThe time that this Threat Actor was last seen. 
sop histicationsop histicationstringThe skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab -threat-a ctor-sophis tication-ov 
res ource_levelres ource_levelstringThis defines the org anizational level at which this Threat Actor typically works. Open Vocab -at tack-resour ce-level-ov 
primary _motivationprimary _motivationstringThe primary reason, motivation, or purpose behind this Threat Actor. Open Vocab -attack-mo tivation-ov 
secondary motivationssecondary motivationsstring[]The secondary reasons, m otivations, or purposes behind this Threat Actor. Open Vocab -attack-mo tivation-ov 
personal motivationspersonal motivationsstring[]The personal reasons, m otivations, or purposes of the Threat Actor regardless of org anizational goals. Open Vocab -attack-mo tivation-ov 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{"title": "name"}


Entity Description

Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.


STIX2 Identity

Entity Meta

InformationValue
Display NameSTIX2 Identity
Entity Namemaltego.STIX2.identity
Short DescriptionIdentities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.Company, maltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal identity.identity
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
titletitlestringThe name of this Identity. 
rolesrolesstring[]The list of roles that this Identity performs (e.g., CEO, Domain Admi nistrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. 
descriptiondescriptionstringA description that provides more details and context about the Identity. 
ide ntity_classide ntity_classstringThe type of entity that this Identity describes, e.g., an individual or or ganization. Open Vocab -identi ty-class-ov 
sectorssectorsstring[]The list of sectors that this Identity belongs to. Open Vocab -industr y-sector-ov 
contact informationcontact informationstringThe contact information (e-mail, phone number, etc.) for this Identity. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{"title": "name"}
x_open cti_aliasesx_open cti_aliasesstring[]Alternative names used to identify this identity. 


Entity Description

Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups.


STIX2 Intrusion Set

Entity Meta

InformationValue
Display NameSTIX2 Intrusion Set
Entity Namemaltego.STIX2.intrusion-set
Short DescriptionAn Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal intru sion-set.in trusion-set
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringThe name used to identify the Intrusion Set. 
descriptiondescriptionstringProvides more context and details about the Intrusion Set object. 
aliasesaliasesstring[]Alternative names used to identify this Intrusion Set. 
first_seenfirst_seenstringThe time that this Intrusion Set was first seen. 
last_seenlast_seenstringThe time that this Intrusion Set was last seen. 
goalsgoalsstring[]The high level goals of this Intrusion Set, namely, what are they trying to do. 
res ource_levelres ource_levelstringThis defines the org anizational level at which this Intrusion Set typically works. Open Vocab -at tack-resour ce-level-ov 
primary _motivationprimary _motivationstringThe primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab -attack-mo tivation-ov 
secondary motivationssecondary motivationsstring[]The secondary reasons, m otivations, or purposes behind this Intrusion Set. Open Vocab -attack-mo tivation-ov 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.


STIX2 Indicator

Entity Meta

InformationValue
Display NameSTIX2 Indicator
Entity Namemaltego.STIX2.indicator
Short DescriptionIndicators contain a pattern that can be used to detect suspicious or malicious cyber activity.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal i ndicator.indicator
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
indi cator_typesindi cator_typesstring[]This field is an Open Vocabulary that specifies the type of indicator. Open vocab -indica tor-type-ov 
namenamestringThe name used to identify the Indicator. 
descriptiondescriptionstringA description that provides the recipient with context about this Indicator potentially including its purpose and its key chara cteristics. 
patternpatternstringThe detection pattern for this indicator. 
p attern_typep attern_typestringThe type of pattern used in this indicator. 
patt ern_versionpatt ern_versionstringThe version of the pattern that is used. 
valid_fromvalid_fromstringThe time from which this indicator should be considered valuable in telligence. 
valid_untilvalid_untilstringThe time at which this indicator should no longer be considered valuable in telligence. 
kill_c hain_phaseskill_c hain_phasesstring[]The phases of the kill chain that this indicator detects. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.


STIX2 Infrastructure

Entity Meta

InformationValue
Display NameSTIX2 Infrastructure
Entity Namemaltego.STIX2.infrastructure
Short DescriptionInfrastructure objects describe systems, software services, and associated physical or virtual resources.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal infras tructure.inf rastructure
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringThe name used to identify the Infr astructure. 
descriptiondescriptionstringA description that provides more details and context about this Inf rastructure potentially including its purpose and its key chara cteristics. 
infrastru cture_typesinfrastru cture_typesstring[]This field is an Open Vocabulary that specifies the type of infr astructure. Open vocab -infrastruct ure-type-ov 
aliasesaliasesstring[]Alternative names used to identify this Infr astructure. 
kill_c hain_phaseskill_c hain_phasesstring[]The list of kill chain phases for which this inf rastructure is used. 
first_seenfirst_seenstringThe time that this inf rastructure was first seen performing malicious activities. 
last_seenlast_seenstringThe time that this inf rastructure was last seen performing malicious activities. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

Infrastructure objects describe systems, software services, and associated physical or virtual resources.


STIX2 Course Of Action

Entity Meta

InformationValue
Display NameSTIX2 Course Of Action
Entity Namemaltego.STIX2.course-of-action
Short DescriptionA Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal course-o f-action.cours e-of-action
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringThe name used to identify the Course of Action. 
descriptiondescriptionstringA description that provides more details and context about this object, potentially including its purpose and its key chara cteristics. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.


STIX2 Observed Data

Entity Meta

InformationValue
Display NameSTIX2 Observed Data
Entity Namemaltego.STIX2.observed-data
Short DescriptionObserved data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal obser ved-data.ob served-data
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
fir st_observedfir st_observedstringThe beginning of the time window that the data was observed during. 
la st_observedla st_observedstringThe end of the time window that the data was observed during. 
numb er_observednumb er_observedstringThe number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive. 
objectsobjectsstringA dictionary of Cyber Observable Objects that describes the single 'fact' that was observed. 
object_refsobject_refsstring[]A list of SCOs and SROs r epresenting the o bservation. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.


STIX2 Tool

Entity Meta

InformationValue
Display NameSTIX2 Tool
Entity Namemaltego.STIX2.tool
Short DescriptionTools are legitimate software that can be used by threat actors to perform attacks.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal tool.tool
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
aliasesaliasesstring[]Alternative names used to identify this Tool. 
tool_typestool_typesstring[]The kind(s) of tool(s) being described. Open Vocab -t ool-type-ov 
namenamestringThe name used to identify the Tool. 
descriptiondescriptionstringProvides more context and details about the Tool object. 
t ool_versiont ool_versionstringThe version identifier associated with the tool. 
kill_c hain_phaseskill_c hain_phasesstring[]The list of kill chain phases for which this Tool instance can be used. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}


Entity Description

Tools are legitimate software that can be used by threat actors to perform attacks.


STIX2 Campaign

Entity Meta

InformationValue
Display NameSTIX2 Campaign
Entity Namemaltego.STIX2.campaign
Short DescriptionA Campaign is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
Entity CategorySTIX 2 domain objects
Base Entitiesmaltego.STIX2.core


Entity Properties

Display NameProperty NameData TypeShort DescriptionSample Value
typetypestringThe type of this object, which MUST be the literal campaign.campaign
s pec_versions pec_versionstringThe version of the STIX sp ecification used to represent this object. 
ididstring  
cre ated_by_refcre ated_by_refstringThe ID of the Source object that describes who created this object. 
labelslabelsstring[]The labels property specifies a set of terms used to describe this object. 
createdcreatedstringThe created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. 
modifiedmodifiedstringThe modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. 
revokedrevokedstringThe revoked property indicates whether the object has been revoked. 
confidenceconfidencestringIdentifies the confidence that the creator has in the correctness of their data. 
langlangstringIdentifies the language of the text content in this object. 
external _referencesexternal _referencesstring[]A list of external references which refers to non-STIX i nformation. 
object_m arking_refsobject_m arking_refsstring[]The list of marking -definition objects to be applied to this object. 
granul ar_markingsgranul ar_markingsstring[]The set of granular markings that apply to this object. 
namenamestringThe name used to identify the Campaign. 
descriptiondescriptionstringA description that provides more details and context about the Campaign, potentially including its purpose and its key chara cteristics. 
aliasesaliasesstring[]Alternative names used to identify this campaign. 
first_seenfirst_seenstringThe time that this Campaign was first seen. 
last_seenlast_seenstringThe time that this Campaign was last seen. 
objectiveobjectivestringThis field defines the Campaign’s primary goal, objective, desired outcome, or intended effect. 
rec overy_prope rty_mappingrec overy_prope rty_mappingstringThe mapping of Maltego internal property names to STIX property names used for this entity.{}

Entity Description

A Campaign is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.

 

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.