Attack mechanism [sn_ti_attack_mechanism] |
Organizes attack patterns hierarchically based on mechanisms that are
frequently employed when exploiting a vulnerability. The categories that are members
of this view represent the different techniques used to attack a system. |
Attack mode/method [sn_ti_attack_mode] |
Attack modes and methods are representations of the behavior of cyber
adversaries. They characterize what an adversary does and how they do it in
increasing levels of detail. |
Discovery method [sn_ti_discovery_method] |
An expression of how an incident was discovered. |
Feed [sn_ti_feed] |
Used for configuring the Threat Feed (RSS) in the Threat Overview. |
Indicator Attack mode/method [sn_ti_m2m_indicator_attack_mode] |
Used to map attack modes/methods to indicators. |
Indicator of Compromise [sn_ti_indicator] |
Used to convey specific observable patterns combined with contextual
information intended to represent artifacts and/or behaviors of interest within a
cyber security context. |
Indicator of Compromise Metadata [sn_ti_indicator_metadata] |
Used to populate TAXII records. |
Indicator Source [sn_ti_m2m_indicator_source] |
Used to collect all the sources reporting the specific indicator. |
Indicator Type [sn_ti_indicator_type] |
Characterizes a cyber threat indicator made up of a pattern identifying certain
observable conditions, as well as contextual information about the pattern's meaning,
how and when it is acted on, and so on. |
Associated Indicator Type [sn_ti_m2m_indicator_indicator_type] |
Links indicators with their applicable types. |
Incident count [sn_ti_observable] |
Number of security incidents associated with an observable. |
Intended effect [sn_ti_intended_effect] |
Used for expressing the intended effect of a threat actor. |
IP Scan Result [sn_ti_ip_result] |
Used to show the results of an IP lookup. |
Malware Rate limit [sn_ti_rate_limit] |
Defines a rate limit to be used on a lookup source. |
Malware Scan [sn_ti_scan] |
A lookup. Contains what to look up, with what lookup source, and a summary of
the lookup results. |
Malware Scan Queue Entry [sn_ti_scan_q_entry] |
A lookup record queued for lookup or processing. Facilitates the requests
within stated rate limits. |
Malware Scan Result [sn_ti_scan_result] |
Displays the result of a lookup. |
Malware Scanner [sn_ti_scanner] |
Defines third-party lookup sources to use in performing lookups. |
Malware Scanner Rate Limit [sn_ti_scanner_rate_limit] |
Associates a lookup source with a rate limit. |
Malware Type [sn_ti_malware_type] |
Used for expressing the types of malware instances. |
Observable [sn_ti_observable] |
Observables in STIX represent stateful properties or measurable events
pertinent to the operation of computers and networks. |
Observable Context Type [sn_ti_observable_context_type] |
Stores the context (source, destination of an IP address, and so forth) for an
observable. |
Observable Indicator [sn_ti_m2m_observable_indicator] |
Used to relate observables to indicators. |
Observable Source [sn_ti_observable_source] |
Used to relate observables to threat sources. |
Observable Type [sn_ti_observable_type] |
Lists the various types of observables, such as IP addresses. |
Observable Type Category [sn_ti_observable_type_category] |
Stores the first categorization of observables (for example, IP addresses and
URLs). It is used for more accurately determining observable types. |
Related attack mode/method [sn_ti_m2m_attack_mode_attack_mode] |
Used to relate attack modes to each other. |
Related Observables [sn_ti_m2m_observables] |
Used to relate observables to each other. |
Scan type [sn_ti_scan_type] |
The definition of a lookup type, with initial records for File, URL, and IP. |
Security Case [sn_ti_case] |
Stores security case records created using Case Management. |
Security Case IoC [sn_ti_case_ioc] |
Used to manage the relationship between observables and cases. |
Security Case Related Task [sn_ti_m2m_case_task] |
Used to manage the relationship between tasks (security incidents, change
requests, and so forth) with security cases. |
Security Case Relationship Exclusion [sn_ti_case_relationship_exclusion] |
Provides the definition of inclusion and exclusion of related records in
security cases. |
Sighting [sn_ti_sighting] |
The m2m link between the observable and the Sightings Search detail result used
in the execution of a Sighting Search request. |
Sighting Configuration Items [sn_ti_m2m_sighting_ci] |
Maps configuration items to a Sightings Search. |
Sighting Search Detail [sn_ti_sighting_search_detail] |
Details of a Sightings Search, for example the number of internal and external items
found. |
Sighting Search Result [sn_ti_sighting_search] |
The header for a Sightings Search execution. |
Supported Observable Types [sn_ti_m2m_ind_type_obs_type] |
Relates indicator types to valid observable types. |
Supported Scan Type [sn_ti_supported_scan_type] |
Maps the lookup type to a lookup source/vendor-specific implementation.
Indicates that a specific lookup source supports the type. |
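The lookup pipeline described by the Malware Scan, Malware Scan Queue Entry, Malware Scanner, Malware Rate Limit, Malware Scanner Rate Limit, Scan Type and Supported Scan Type entries above, modelled in plain JavaScript as an added example (not ServiceNow's own code; the record field names, the "N requests per window" shape of a rate limit, and the `lookup` callback standing in for a third-party call are assumptions). It shows why queue entries exist at all: a request fans out to one entry per supporting scanner, and entries whose scanner is over its limit simply stay queued until a later pass.

```javascript
// Added example, not ServiceNow code: the lookup pipeline modelled with plain
// objects. Table names follow the page; record shapes are assumptions.

// sn_ti_scan_type: the lookup types (initial records File, URL, IP)
const SCAN_TYPES = ['File', 'URL', 'IP'];

// sn_ti_rate_limit (assumed shape): at most max_requests per window_ms
const rateLimits = {
  rl_free_tier: { max_requests: 2, window_ms: 60000 },
};

// sn_ti_scanner: third-party lookup sources
const scanners = {
  scanner_a: { name: 'Scanner A (rate limited)' },
  scanner_b: { name: 'Scanner B (no limit configured)' },
};

// sn_ti_scanner_rate_limit: scanner -> rate limit
const scannerRateLimits = { scanner_a: 'rl_free_tier' };

// sn_ti_supported_scan_type: which scanner supports which lookup type
const supportedScanTypes = [
  { scanner: 'scanner_a', scan_type: 'File' },
  { scanner: 'scanner_a', scan_type: 'IP' },
  { scanner: 'scanner_b', scan_type: 'URL' },
];

function scannersFor(scanType) {
  return supportedScanTypes.filter(s => s.scan_type === scanType).map(s => s.scanner);
}

// One sn_ti_scan per request and one sn_ti_scan_q_entry per
// (request, supporting scanner) pair. Unknown types are rejected up front.
function createScanQueue(requests) {
  const scans = [];
  const queue = [];
  requests.forEach((r, i) => {
    if (!SCAN_TYPES.includes(r.scan_type)) throw new Error('unknown scan type: ' + r.scan_type);
    const scan = { id: 'scan' + i, target: r.target, scan_type: r.scan_type, results: [] };
    scans.push(scan);
    for (const scanner of scannersFor(r.scan_type)) {
      queue.push({ scan, scanner, state: 'queued' });
    }
  });
  return { scans, queue };
}

// One pass over the queue at time `now` (ms). Entries whose scanner is under
// its rate limit are passed to `lookup` and the returned sn_ti_scan_result is
// attached to the scan; the rest stay queued for a later pass. `history`
// keeps the dispatch timestamps per scanner between passes.
function dispatch(queue, history, now, lookup) {
  const dispatched = [];
  for (const entry of queue) {
    if (entry.state !== 'queued') continue;
    const rlId = scannerRateLimits[entry.scanner];
    if (rlId) {
      const rl = rateLimits[rlId];
      const recent = (history[entry.scanner] || []).filter(t => now - t < rl.window_ms);
      history[entry.scanner] = recent;
      if (recent.length >= rl.max_requests) continue; // over limit: stay queued
      recent.push(now);
    }
    entry.state = 'processing';
    const result = lookup(entry.scanner, entry.scan.scan_type, entry.scan.target);
    entry.scan.results.push({ scanner: scanners[entry.scanner].name, ...result });
    entry.state = 'complete';
    dispatched.push(entry);
  }
  return dispatched;
}

// Demo with a constructed lookup function (no network calls are made).
const demo = createScanQueue([
  { target: 'invoice.exe', scan_type: 'File' },
  { target: '198.51.100.7', scan_type: 'IP' },
  { target: 'setup.msi', scan_type: 'File' },
  { target: 'http://example.test/x', scan_type: 'URL' },
]);
const demoHistory = {};
const fakeLookup = (scanner, type, target) => ({ verdict: 'clean', detail: scanner + ' checked ' + type + ' ' + target });
console.log(dispatch(demo.queue, demoHistory, 0, fakeLookup).length + ' dispatched at t=0s');
console.log(dispatch(demo.queue, demoHistory, 1000, fakeLookup).length + ' dispatched at t=1s');
console.log(dispatch(demo.queue, demoHistory, 60000, fakeLookup).length + ' dispatched at t=60s');
```

With the limit of two requests per minute on scanner_a, the demo dispatches three entries in the first pass (two on scanner_a, one on the unlimited scanner_b), none one second later, and the remaining scanner_a entry once the window has expired. A real scheduler would run `dispatch` periodically; the point is that the rate limit is applied per lookup source, not per request.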
Task Attack mode/method [sn_ti_m2m_task_attack_mode] |
Relates attack modes to tasks. |
Task Indicator [sn_ti_m2m_task_indicator] |
Relates indicators to tasks. |
Task Observable [sn_ti_m2m_task_observable] |
Relates observables to tasks. |
Task Sighting [sn_ti_m2m_task_sighting] |
Stores task records (security incidents and cases) related to a sighting
record. |
TAXII Collection [sn_ti_taxii_collection] |
Defines a cyber threat intelligence collection on a TAXII server that can be imported
from that server. |
TAXII Profile [sn_ti_taxii_profile] |
Defines a repository for sharing cyber-risk intelligence. Contains TAXII
collections. |
Threat Actor type [sn_ti_threat_actor_type] |
Provides characterizations of malicious actors (or adversaries) representing a
cyber attack threat, including presumed intent and historically observed behavior. |
Threat Intelligence Source [sn_ti_source] |
Defines a source for importing threat data. |
Associated Attack Motivation [sn_ti_stix2_m2m_object_attack_motivation] |
Collects all attack motivations associated with a STIX Object. |
Associated Infrastructure Type [sn_ti_stix2_m2m_infra_type] |
Links infrastructure with their types. |
Associated Kill Chain Phase [sn_ti_stix2_m2m_indicator_kill_chain_phase] |
Links kill chain phases to indicators. |
Associated Kill Chain Phase [sn_ti_stix2_m2m_object_kill_chain_phase] |
Links kill chain phases to STIX objects. |
Associated Malware Capability [sn_ti_stix2_m2m_malware_capability] |
Links malware with their capabilities. |
Associated Malware Type [sn_ti_stix2_m2m_malware_malware_type] |
Links malware with their types. |
Associated Observable [sn_ti_stix2_m2m_malware_observable] |
Collects all observables associated with a malware. |
Associated Observable [sn_ti_stix2_m2m_observed_data_observable] |
Collects all observables associated with an observed data. |
Associated Report Type [sn_ti_stix2_m2m_report_report_type] |
Links threat reports with their types. |
Associated Threat Actor Role [sn_ti_stix2_m2m_threat_actor_threat_actor_role] |
Links threat actors with their roles. |
Associated Threat Actor Type [sn_ti_stix2_m2m_threat_actor_threat_actor_type] |
Links threat actors with their types. |
Associated Tool Type [sn_ti_stix2_m2m_tool_tool_type] |
Links tools with their types. |
Attack Motivation [sn_ti_stix2_attack_motivation] |
Attack Motivation shapes the intensity and the persistence of an attack. Threat
Actors and Intrusion Sets usually act in a manner that reflects their underlying
emotion or situation, and this informs defenders of the manner of attack. |
Attack Pattern [sn_ti_stix2_attack_pattern] |
A TTP type that describes methods that adversaries use to attempt to compromise
targets. |
Campaign [sn_ti_stix2_campaign] |
A grouping of adversarial behaviors that describes a set of malicious activities
or attacks (sometimes called waves) that occur over a period of time against a
specific set of targets. |
Course of Action [sn_ti_stix2_course_of_action] |
A recommendation from a producer of intelligence to a consumer on the actions
that they might take in response to intelligence. |
External Reference [sn_ti_stix2_external_reference] |
Pointers to information represented outside of STIX. |
Identity Sighting [sn_ti_stix2_m2m_sighting_identity] |
Collects all Identities associated with a Sighting. |
Identity [sn_ti_stix2_identity] |
Actual individuals, organizations, or groups (for example, ACME, Inc.) as well as
classes of individuals, organizations, systems, or groups (for example, the finance
sector). |
Indicator External Reference [sn_ti_stix2_indicator_external_reference] |
Represents external references associated with indicators. |
Indicator Sighting [sn_ti_stix2_indicator_sighting] |
Represents sightings of indicators. |
Infrastructure Type [sn_ti_stix2_infrastructure_type] |
Represents the various infrastructure types. |
Infrastructure [sn_ti_stix2_infrastructure] |
A TTP type that describes any systems, software services, and associated physical
or virtual resources intended to support some purpose (for example, C2 servers used
as part of an attack, devices or servers that are part of a defense, database
servers targeted by an attack, and the like). |
Installed software [sn_ti_stix2_m2m_malware_analysis_sw] |
Collects all software (SCO software types) associated with a malware
analysis. |
Intrusion Set [sn_ti_stix2_intrusion_set] |
A grouped set of adversarial behaviors and resources with common properties
that is believed to be orchestrated by a single organization. |
Kill Chain Phase [sn_ti_stix2_kill_chain_phase] |
Represents kill chain phases associated with a kill chain. |
Kill Chain [sn_ti_stix2_kill_chain] |
Represents various kill chains. |
Location [sn_ti_stix2_location] |
Represents a geographic location provided through STIX. |
Malware Analysis [sn_ti_stix2_malware_analysis] |
The metadata and results of a particular static or dynamic analysis performed
on a malware instance or family. |
Malware Capability [sn_ti_stix2_malware_capability] |
Represents common capabilities that a malware family or instance
exhibits. |
Malware Operating System [sn_ti_stix2_m2m_malware_operating_system] |
Collects all Operating Systems (SCO software types) associated with
malware. |
Malware [sn_ti_stix2_malware] |
A TTP type that represents malicious code. |
Marking Definition [sn_ti_stix2_marking_definition] |
Represents handling or sharing requirements for STIX Objects. |
Object Sighting [sn_ti_stix2_object_sighting] |
Represents sightings of STIX Objects. |
Object-Indicator Relationship [sn_ti_stix2_m2m_object_indicator] |
Collects all relationships between STIX objects and STIX indicators. |
Object-Object Relationship [sn_ti_stix2_m2m_object] |
Collects all relationships between STIX Objects and other STIX objects
excluding the indicators. |
Object-Observable Relationship [sn_ti_stix2_m2m_object_observable] |
Collects all relationships between STIX observables and STIX objects. |
Observed Data Sighting [sn_ti_stix2_m2m_sighting_observed_data] |
Collects all the observed data objects associated with a sighting. |
Observed Data [sn_ti_stix2_observed_data] |
Conveys information about cyber security-related entities such as files,
systems, and networks using the STIX Cyber-Observable Objects (SCOs). |
Report Type [sn_ti_stix2_report_type] |
Represents primary purpose or subject of Threat Reports. |
Reported Observable [sn_ti_stix2_m2m_malware_analysis_observable] |
Collects all observables associated with a Malware Analysis. |
STIX V2 Object [sn_ti_stix2_object] |
Common parent table for the STIX Object tables. |
STIX V2 Sighting [sn_ti_stix2_sighting] |
Common parent table for STIX sighting tables. |
Threat Actor Role [sn_ti_stix2_threat_actor_role] |
Represents roles that can be played by threat actors. |
Threat Actor [sn_ti_stix2_threat_actor] |
Threat Actors are actual individuals, groups, or organizations believed to be
operating with malicious intent. |
Threat Grouping [sn_ti_stix2_threat_grouping] |
Groups all the STIX Objects that share some common context. |
Threat Note [sn_ti_stix2_threat_note] |
Provides context and additional analysis not contained in the corresponding
STIX Object. |
Threat Opinion [sn_ti_stix2_threat_opinion] |
Provides assessment of accuracy of information in a STIX object produced by a
different entity. |
Threat Report [sn_ti_stix2_threat_report] |
Reports are collections of threat intelligence focused on one or more topics,
such as a description of a threat actor, malware, or attack technique, including
context and related details. They are used to group related threat intelligence
together and publish it as a comprehensive cyber threat story. |
Tool Type [sn_ti_stix2_tool_type] |
The categories of tools that can be used to perform attacks. |
Tool [sn_ti_stix2_tool] |
Tools are legitimate software that is used by threat actors to perform
attacks. |
Vulnerability [sn_ti_stix2_vulnerability] |
Represents a weakness or defect in the requirements, designs, or implementations
of the computational logic (for example, code) found in software and some hardware
components (for example, firmware). It can be directly exploited to negatively
impact the confidentiality, integrity, or availability of that system. |
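How the STIX V2 tables above fit together, as an added JavaScript example that is not ServiceNow's own import code: it walks a STIX 2.1 bundle and routes each object to the table family the page lists. The routing rule for relationships and sightings follows the Object-Indicator Relationship, Object-Object Relationship, Indicator Sighting and Object Sighting entries (anything touching an indicator is kept apart from object-to-object links); kill chain phases go to the indicator or object m2m table and are deduplicated into Kill Chain and Kill Chain Phase records. Assumptions: indicators land in the Indicator of Compromise table (the page lists no separate STIX 2 indicator table), the record field names, the default sighting count of 1, and the constructed bundle with placeholder identifiers.

```javascript
// Added example, not ServiceNow code. Table names follow the page; record
// field names, the indicator target table and the constructed bundle are
// assumptions made for illustration.

// STIX object type -> table listed on this page
const OBJECT_TABLES = {
  'attack-pattern': 'sn_ti_stix2_attack_pattern', campaign: 'sn_ti_stix2_campaign',
  'course-of-action': 'sn_ti_stix2_course_of_action', grouping: 'sn_ti_stix2_threat_grouping',
  identity: 'sn_ti_stix2_identity', infrastructure: 'sn_ti_stix2_infrastructure',
  'intrusion-set': 'sn_ti_stix2_intrusion_set', location: 'sn_ti_stix2_location',
  malware: 'sn_ti_stix2_malware', 'malware-analysis': 'sn_ti_stix2_malware_analysis',
  'marking-definition': 'sn_ti_stix2_marking_definition', note: 'sn_ti_stix2_threat_note',
  'observed-data': 'sn_ti_stix2_observed_data', opinion: 'sn_ti_stix2_threat_opinion',
  report: 'sn_ti_stix2_threat_report', 'threat-actor': 'sn_ti_stix2_threat_actor',
  tool: 'sn_ti_stix2_tool', vulnerability: 'sn_ti_stix2_vulnerability',
};

// STIX identifiers are "<type>--<uuid>", so a reference's target type can be
// read from the prefix without resolving the referenced object.
const typeOf = (id) => String(id).split('--')[0];

function routeBundle(bundle) {
  if (bundle.type !== 'bundle' || !Array.isArray(bundle.objects)) throw new Error('not a STIX bundle');
  const rows = {};
  const put = (table, rec) => { (rows[table] = rows[table] || []).push(rec); };
  const killChains = new Set();   // -> sn_ti_stix2_kill_chain
  const phases = new Map();       // -> sn_ti_stix2_kill_chain_phase (deduplicated)
  const linkPhases = (table, key, obj) => {
    for (const kc of obj.kill_chain_phases || []) {
      killChains.add(kc.kill_chain_name);
      phases.set(kc.kill_chain_name + '\u0000' + kc.phase_name, { kill_chain: kc.kill_chain_name, phase: kc.phase_name });
      put(table, { [key]: obj.id, kill_chain: kc.kill_chain_name, phase: kc.phase_name });
    }
  };
  for (const o of bundle.objects) {
    if (!o.id || typeOf(o.id) !== o.type) throw new Error('malformed object id: ' + o.id);
    if (o.type === 'indicator') {
      put('sn_ti_indicator', { stix_id: o.id, name: o.name, pattern: o.pattern, pattern_type: o.pattern_type });
      linkPhases('sn_ti_stix2_m2m_indicator_kill_chain_phase', 'indicator', o);
    } else if (o.type === 'relationship') {
      const touchesIndicator = typeOf(o.source_ref) === 'indicator' || typeOf(o.target_ref) === 'indicator';
      put(touchesIndicator ? 'sn_ti_stix2_m2m_object_indicator' : 'sn_ti_stix2_m2m_object',
          { source: o.source_ref, target: o.target_ref, relationship_type: o.relationship_type });
    } else if (o.type === 'sighting') {
      const table = typeOf(o.sighting_of_ref) === 'indicator' ? 'sn_ti_stix2_indicator_sighting' : 'sn_ti_stix2_object_sighting';
      put(table, { stix_id: o.id, sighting_of: o.sighting_of_ref, count: o.count || 1 }); // count default assumed
      for (const od of o.observed_data_refs || []) put('sn_ti_stix2_m2m_sighting_observed_data', { sighting: o.id, observed_data: od });
      for (const w of o.where_sighted_refs || []) put('sn_ti_stix2_m2m_sighting_identity', { sighting: o.id, identity: w });
    } else if (OBJECT_TABLES[o.type]) {
      put(OBJECT_TABLES[o.type], { stix_id: o.id, name: o.name || '' });
      linkPhases('sn_ti_stix2_m2m_object_kill_chain_phase', 'object', o);
      for (const t of o.malware_types || []) put('sn_ti_stix2_m2m_malware_malware_type', { malware: o.id, malware_type: t });
    } else {
      put('_unrouted', { stix_id: o.id, type: o.type }); // custom/extension types: review by hand
    }
  }
  rows.sn_ti_stix2_kill_chain = [...killChains].map(name => ({ name }));
  rows.sn_ti_stix2_kill_chain_phase = [...phases.values()];
  return rows;
}

// Constructed bundle for the demo; identifiers are placeholders, not real intel.
const SAMPLE_BUNDLE = {
  type: 'bundle', id: 'bundle--00000000-0000-4000-8000-0000000000b0',
  objects: [
    { type: 'identity', id: 'identity--00000000-0000-4000-8000-000000000001', name: 'ACME, Inc.' },
    { type: 'malware', id: 'malware--00000000-0000-4000-8000-000000000002', name: 'Sample RAT',
      malware_types: ['remote-access-trojan', 'backdoor'],
      kill_chain_phases: [{ kill_chain_name: 'lockheed-martin-cyber-kill-chain', phase_name: 'installation' }] },
    { type: 'indicator', id: 'indicator--00000000-0000-4000-8000-000000000003', name: 'RAT C2 domain',
      pattern: "[domain-name:value = 'c2.example.test']", pattern_type: 'stix',
      kill_chain_phases: [{ kill_chain_name: 'lockheed-martin-cyber-kill-chain', phase_name: 'command-and-control' }] },
    { type: 'relationship', id: 'relationship--00000000-0000-4000-8000-000000000004', relationship_type: 'indicates',
      source_ref: 'indicator--00000000-0000-4000-8000-000000000003', target_ref: 'malware--00000000-0000-4000-8000-000000000002' },
    { type: 'relationship', id: 'relationship--00000000-0000-4000-8000-000000000005', relationship_type: 'targets',
      source_ref: 'malware--00000000-0000-4000-8000-000000000002', target_ref: 'identity--00000000-0000-4000-8000-000000000001' },
    { type: 'observed-data', id: 'observed-data--00000000-0000-4000-8000-000000000006', number_observed: 1 },
    { type: 'sighting', id: 'sighting--00000000-0000-4000-8000-000000000007', count: 3,
      sighting_of_ref: 'indicator--00000000-0000-4000-8000-000000000003',
      observed_data_refs: ['observed-data--00000000-0000-4000-8000-000000000006'],
      where_sighted_refs: ['identity--00000000-0000-4000-8000-000000000001'] },
    { type: 'sighting', id: 'sighting--00000000-0000-4000-8000-000000000008',
      sighting_of_ref: 'malware--00000000-0000-4000-8000-000000000002' },
    { type: 'x-custom-thing', id: 'x-custom-thing--00000000-0000-4000-8000-000000000009' },
  ],
};
console.log(Object.keys(routeBundle(SAMPLE_BUNDLE)).sort().join('\n'));
```

The id-versus-type check matters in practice: a feed that labels an object `malware` but gives it a `tool--` identifier would otherwise be written to one table while every relationship referencing it is routed by the prefix to another, leaving dangling links. Objects of types the page does not list are parked under `_unrouted` rather than silently dropped.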