STIX and CybOX Parser Data Mappings
- 21 Oct 2022
- 1 Minute to read
-
Print
-
DarkLight
STIX and CybOX Parser Data Mappings
- Updated on 21 Oct 2022
- 1 Minute to read
-
Print
-
DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Overview
The Structured Threat Information eXpression (STIX™) and CybOX™ parser data mappings apply to the STIX 1.1.1 parser when configuring an inbound TAXII feed, as well as to the STIX Parser Playbook App in ThreatConnect®.
STIX 1.1.1 Data Mapping
IndicatorType
| Key | ThreatConnect Mapping |
|---|---|
@id | Indicator: Attribute: "STIX ID" |
Title | Indicator: Attribute: "Title" |
Type | Indicator: Attribute: "STIX Indicator Type" |
Description | Indicator: Attribute: "Description" |
Short_Description | Indicator: Attribute: "Description" (append) |
Kill_Chain_Phases | Indicator: Attribute: "Phase of Intrusion" |
Confidence | Indicator: Confidence |
Producer | Indicator: Attribute: "Producer" |
Observable:id | Indicator: Attribute: "STIX Observable ID" |
Handling | Indicator: Security Label |
IncidentType
| Key | ThreatConnect Mapping |
|---|---|
Title | Incident: Name |
External_ID | Incident: Attribute: "External ID" |
Description | Incident: Attribute: "Description" |
Related_Indicators | Incident: Association: Indicators |
Related_Observables | Incident: Association: Indicators |
Handling | Incident: Security Label |
ThreatActorType
| Key | ThreatConnect Mapping |
|---|---|
Title | Threat: Name |
Description | Threat: Attribute: "Description" |
CybOX 2.1 Data Mapping
DomainNameObjectType
| Key | ThreatConnect Mapping |
|---|---|
Value | Host |
DNSRecordObjectType
| Key | ThreatConnect Mapping |
|---|---|
Domain_Name | Host |
IP_Address | Address |
Description | Incident: Attribute: "Description" |
AddressObjectType
| Key | ThreatConnect Mapping |
|---|---|
Address_Value (@category == cidr) | CIDR |
Address_Value (@category == e-mail) | E-mail Address |
Address_Value (@category == ipv4-addr) | Address |
EmailMessageObjectType
| Key | ThreatConnect Mapping |
|---|---|
Raw_Body | Email: Body |
Raw_Header | Email: Header |
Links | URL |
EmailHeaderType:To | Email: To |
EmailHeaderType:From | Email: From |
EmailHeaderType:Subject | Email: Subject |
AttachmentsType:File | File |
LinkObjectType
| Key | ThreatConnect Mapping |
|---|---|
Link | URL |
MutexObjectType
| Key | ThreatConnect Mapping |
|---|---|
Mutex | Mutex |
HostnameObjectType
| Key | ThreatConnect Mapping |
|---|---|
@is_domain_name | if false, drop object. |
Hostname_Value | Host |
URLObjectType
| Key | ThreatConnect Mapping |
|---|---|
@type | If URL, save URL Indicator. If domain name, save Host Indicator. |
Value | URL or Host |
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CybOX™ and STIX™ are trademarks of the MITRE Corporation.
20082-01 v.01.C
Was this article helpful?
