STIX 2.0 Examples

The examples below demonstrate how to use STIX 2.0 concepts for common use cases. They are useful for linking multiple concepts together and provide more detail regarding STIX objects and properties.

| Example | STIX Types | Description |
| --- | --- | --- |
| Identifying a Threat Actor Profile | Identity, Threat Actor | Threat Actors often have several discernible characteristics such as aliases, goals and motivations which can be captured within a STIX Threat Actor object. In this example, the threat actor can also be attributed to an Identity object which models more basic identifiable information. |
| Indicator for Malicious URL | Indicator, Malware | This example models a STIX Indicator object that represents a malicious URL using STIX patterning language. The Indicator indicates that it's a delivery mechanism for a piece of malware. |
| Malware Indicator for File Hash | Indicator, Malware | File hashes for malware variants can be captured within an Indicator STIX Domain Object and then associated with a Malware object which provides more detail about the malware. |
| Sighting of an Indicator | Identity, Indicator, Sighting | Indicators on one organization's network are often spotted on other organizations' networks. When this is the case, a Sighting STIX Relationship Object (SRO) can be issued to relay that this specific indicator was seen. This example discusses how a company can use a Sighting for a STIX Indicator object. |
| Sighting of Observed-data | Identity, Observed-data, Sighting, Malware | Observed data represent machine-generated raw information and are different from Indicators which dictate more of an intelligence assertion. These Observed-data SDOs can still be shared and referenced within a Sighting SRO. This example demonstrates the usage of Observed-data and their relation to other STIX objects. |
| Threat Actor Leveraging Attack Patterns and Malware | Attack Pattern, Identity, Malware, Threat Actor | Threat actors can often be characterized by the attack patterns they leverage and the malware varieties they use. This example describes how to represent a threat actor who uses a phishing attack pattern to deliver a form of malware. |
| Using Marking Definitions | Identity, Indicator, Amber Marking, Statement Marking | Sometimes when creating STIX objects it may be useful to provide guidance or permissions on how those objects may be used. In this example, Marking Definition objects are created and applied to an Indicator object to specify restrictions and copyright information. |
| Using Granular Markings | Identity, Indicator, Green Marking, Amber Marking, Red Marking | Whereas object markings in STIX can limit or restrict how entire objects are used, granular markings delve deeper into the objects and focus on restricting specific individual properties. This example demonstrates how to enforce different TLP markings on multiple properties of an Indicator SDO. |

STIX 2.0 Tutorials

The following tutorials help to clarify common STIX 2.0 concepts.

STIX Versioning

The first video focuses on STIX 2.0 versioning. It discusses what STIX object versioning is, why objects are versioned, and who can version objects.

Objects Overview

The next video provides an overview of STIX 2.0 objects. It highlights the four types of objects in STIX 2: STIX Domain Objects (SDOs), STIX Relationship Objects (SROs), Marking Definition objects, and Bundle objects.

Common Properties

This video discusses the common properties that are universal to all STIX Domain Objects (SDOs) and STIX Relationship Objects (SROs).