STIX 2.1 Examples

The examples below demonstrate how to use STIX 2.1 concepts for common use cases. They are useful for linking multiple concepts together and provide more detail regarding STIX objects and properties.

Done with examples? Check out the spec!

| Example | STIX Types | Description |
| --- | --- | --- |
| Identifying a Threat Actor Profile | Identity, Threat Actor | Threat Actors often have several discernible characteristics such as aliases, goals and motivations which can be captured within a STIX Threat Actor object. In this example, the threat actor can also be attributed to an Identity object which models more basic identifiable information. |
| Defining Campaigns vs. Intrusion Sets vs. Threat Actors | Attack Pattern, Campaign, Identity, Intrusion Set, Threat Actor | Intrusion Sets in STIX are represented as an attack package consisting of potentially several campaigns, threat actors and attack patterns. This example helps explain the differences between the Campaign, Intrusion Set, and Threat Actor objects and demonstrates a scenario where all three are used together. |
| Indicator for Malicious URL | Indicator, Malware | This example models a STIX Indicator object that represents a malicious URL using STIX patterning language. The Indicator indicates that it's a delivery mechanism for a piece of malware. |
| Malware Indicator for File Hash | Indicator, Malware | File hashes for malware variants can be captured within an Indicator STIX Domain Object and then associated with a Malware object which provides more detail about the malware. |
| Sighting of an Indicator | Identity, Indicator, Sighting | Indicators on one organization's network are often spotted on other organizations' networks. When this is the case, a Sighting STIX Relationship Object (SRO) can be issued to relay that this specific indicator was seen. This example discusses how a company can use a Sighting for a STIX Indicator object. |
| Sighting of Observed-data | Identity, Observed-data, Sighting, Malware | Observed data represent machine-generated raw information and are different from Indicators, which dictate more of an intelligence assertion. These Observed-data SDOs can still be shared and referenced within a Sighting SRO. This example demonstrates the usage of Observed-data and their relation to other STIX objects. |
| Threat Actor Leveraging Attack Patterns and Malware | Attack Pattern, Identity, Malware, Threat Actor | Threat actors can often be characterized by the attack patterns they leverage and the malware varieties they use. This example describes how to represent a threat actor who uses a phishing attack pattern to deliver a form of malware. |
| Using Marking Definitions | Identity, Indicator, Amber Marking, Statement Marking | Sometimes when creating STIX objects it may be useful to provide guidance or permissions on how those objects may be used. In this example, Marking Definition objects are created and applied to an Indicator object to specify restrictions and copyright information. |
| Using Granular Markings | Identity, Indicator, Green Marking, Amber Marking, Red Marking | Whereas object markings in STIX can limit or restrict how entire objects are used, granular markings delve deeper into the objects and focus on restricting specific individual properties. This example demonstrates how to enforce different TLP markings on multiple properties of an Indicator SDO. |
| Visualized SDO Relationships | Relationship | This example iterates over all SDOs and visually represents possible relationships of each SDO to another. Visual representations can simplify understanding and are often easier to interpret than text alone. |

STIX 2.1 Threat Reports

The following threat reports have been converted into STIX 2.1.

| Threat Report | JSON Representation | Description |
| --- | --- | --- |
| Mandiant's APT1 Report | APT1 JSON | This in-depth threat report by Mandiant focuses on a sophisticated advanced persistent threat simply called “APT1”. Mandiant concluded that this extensive APT conducted cyber espionage campaigns potentially with sponsorship by the Chinese government. Within the STIX 2 JSON for this report, there are several Campaign, Threat Actor, Indicator, Attack Pattern and Malware objects, as well as an Intrusion Set SDO used to model APT1. Along with these SDOs, there are multiple relationships linking these objects together. Feel free to download this converted report to see all of the SDOs and SROs used. |
| FireEye's Poison Ivy Report | Poison Ivy JSON | FireEye's threat report on Poison Ivy covers how this remote access tool (RAT) was used by different campaigns and threat actors. In this converted report, there are several variants of PIVY malware represented by the Malware SDO, as well as Campaign, Threat Actor, Attack Pattern, and Vulnerability objects. Relationship SROs help link the malware variants to the campaigns and threat actors and demonstrate the vulnerabilities PIVY exploits. The JSON representation is available for download. |
| IMDDOS Botnet Report | IMDDOS Threat Modeling Exercise, Visualized | This report by Damballa discusses the Chinese IMDDOS botnet. For this report, several OASIS CTI-TC team members came up with solutions. This conversion to STIX 2.1 models Indicator, Malware, and Threat Actor SDOs, along with the corresponding Relationship objects linking them together. |