Draft

8 July 2024

Editors:

  • IMG - Incident Mini Group

Additional artifacts:

This prose specification is one component of a Work Product that also includes:
  • STIX™ Version 2.1 - OS

Related work:

This specification replaces or supersedes:
  • Incident Core Extension Version 1.0 for STIX™ Version 2.1

Abstract:

The current STIX 2.1 Incident object was defined as a stub with the expectation that it would be fleshed out using extensions, and that in time either a set of core features would be integrated into a future version of STIX or the community would reach consensus to continue using these extensions.

In the 1.0 version of the core incident extension, information on impact, events, and tasks was embedded within the Incident object itself; however, this was found to have limitations. Therefore, the 2.0 version of this extension separates these components into independent SDOs so that more complex incidents can be accurately modeled.

These extensions allow incidents to be tracked across their life cycle: events are first flagged for investigation, resulting in incidents with tasks that are worked to resolve them. Incidents have impacts that change over time. Events can cause or influence these impacts, which are in turn mitigated and potentially resolved by tasks performed as part of the incident response process. Both events and tasks can exist independently of incidents and in most workflows will occur prior to an incident being declared.

1. Incidents in STIX

Incident objects represent cases composed of events and tasks as well as actual or potential impacts. An Incident SDO can be created prior to a formal determination that the incident has an impact as a way to logically track case work in an attempt to investigate events or lower level alerts.

The Incident object should have sufficient properties to represent the current state of the incident or investigation while serving as an anchor point to record both related activities and the impact to an organization.

2. Extensions

2.1. Incident Core

The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, common properties such as id are not present here, but are present in the incident object stub. This extension MUST use extension-definition--ef765651-680c-498d-9894-99799f2fa126 as its extension ID.

Property Name Type Description

determination (required)

incident-determination-enum

A high-level determination on the status of this incident. The value of this property SHOULD be suspected until enough information is available to provide a well researched result.

Some automated tools may flag results as blocked or low-value automatically depending on the tool type or activity. For example, a tool that blocks a series of phishing emails may create an incident with a blocked determination automatically.

The values of this property MUST come from the incident-determination-enum enumeration.

extension_type (required)

string

The value of this property MUST be property-extension.

investigation_status (required)

open-vocab

The current status of the incident investigation.

The values of this property SHOULD come from the incident-investigation-ov open vocabulary.

criticality (optional)

integer

The criticality of the incident. If present, this value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix B.

detection_methods (optional)

list of type open-vocab

A list of strings corresponding to the methods used to detect the activity, e.g., commercial tool names, techniques associated with proprietary solutions, human review, external sources, or other methods.

These values SHOULD be selected from the detection-methods-ov open vocabulary.

event_refs (optional)

list of type identifier

A list of events tied to this incident. It MUST contain references to one or more event objects.

Events can be grouped into sequences based on the next_events_refs property of the relevant event objects. Events that are the first in a sequence are not referenced by the next_events_refs property of any other event object.

impact_refs (optional)

list of type identifier

A list of the impacts of this incident. All objects referenced in this list MUST be an impact object.

incident_types (optional)

list of type open-vocab

A list of the types of incident that occurred, if applicable.

The values of this property SHOULD come from the event-type-ov open vocabulary.

recoverability (optional)

recoverability-enum

The recoverability of this particular Incident with respect to feasibility and required time and resources.

The value of this property MUST come from the recoverability-enum enumeration.

scores (optional)

list of type incident-score

A list of scores from various automated or manual mechanisms along with optional descriptions.

task_refs (optional)

list of type identifier

A list of tasks tied to this incident. It MUST contain references to one or more task objects.

Tasks can be grouped into sequences based on the next_tasks_refs property of the relevant task objects. Tasks that are the first in a sequence are not referenced by the next_tasks_refs property of any other task object.

2.1.1. Relationships

These are the relationships explicitly defined between the Incident object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.

The reverse relationships section illustrates the relationships targeting this object type from another object type.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.

Because of this, these relationships can be used with the Incident object as defined in the STIX 2.1 specification.

Common Relationships

derived-from, duplicate-of, related-to

Source | Type | Target | Description
incident | led-to | incident | One incident led to another.
incident | impacts | identity, infrastructure | The incident has an impact on the victim or specific infrastructure.
incident | attributed-to | intrusion-set, threat-actor | The incident has been attributed to the intrusion set or threat actor.
incident | targets | identity, infrastructure | The incident targets the identity or infrastructure.
incident | located-at | location | The incident occurred at a specific location.

Reverse Relationships

Source | Type | Target | Description
campaign | associated-with | incident | The incident is associated with the campaign.
identity | contact-for | incident | The identity should be considered a point of contact for an incident. This relationship is different from the created_by_ref property, which is the creator of the STIX Incident object. Additionally, this can be used to supplement the created_by_ref property in cases where external authorship would prevent using it for this purpose.
indicator | detected | incident | The indicator detected the incident.

2.1.2. Example

{
  "type": "incident",
  "id": "incident--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
  "created": "2023-11-22T15:30:00.000Z",
  "modified": "2023-11-22T15:30:00.000Z",
  "spec_version": "2.1",
  "name": "incident-2173",
  "extensions": {
    "extension-definition--ef765651-680c-498d-9894-99799f2fa126": {
      "extension_type": "property-extension",
      "determination": "confirmed",
      "investigation_status": "open",
      "criticality": 70,
      "detection_methods": [
        "automated-tools",
        "human-review"
      ],
      "event_refs": [
        "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
        "event--193a3ea2-32ae-4bfd-b353-16836ab70788",
        "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a",
        "event--9ca38544-c247-45d9-9e33-957ba7c9e119"
      ],
      "impact_refs": [
        "impact--7a5806e4-0f37-4c48-9a50-7301bff4b195"
      ],
      "impacted_entity_counts": {
        "individual": 100,
        "employee": 70,
        "customer-individual": 30
      },
      "incident_types": [
        "hosting-phishing-sites"
      ],
      "recoverability": "regular",
      "scores": [
        {
          "name": "ExampleSystem Automated Exposure Score",
          "value": 75.5,
          "description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
        }
      ],
      "task_refs": [
        "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
        "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7"
      ]
    }
  }
}
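The reference rules above (each *_refs list is non-empty and points only at objects of the named type, criticality is 0..100) and the sequencing rule for event_refs (an event that no other event's next_events_refs points at starts a sequence) are mechanical enough to check in code. The following is an added example, not part of the specification: the incident and event objects are constructed here (reusing the ids from the specification's own examples, with only the sequencing properties filled in), and the function names are mine.

```python
"""Reference checks and event-sequence traversal for the Incident Core
Extension (section 2.1). Added example, not part of the specification: the
objects below are constructed (reusing the ids from the specification's own
examples) and the function names are mine."""
from collections import deque

INCIDENT_EXT = "extension-definition--ef765651-680c-498d-9894-99799f2fa126"
E1 = "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6"
E2 = "event--193a3ea2-32ae-4bfd-b353-16836ab70788"
E3 = "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a"
E4 = "event--9ca38544-c247-45d9-9e33-957ba7c9e119"

# Constructed incident, reduced to the properties these checks look at.
INCIDENT = {
    "type": "incident",
    "id": "incident--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
    "spec_version": "2.1",
    "extensions": {
        INCIDENT_EXT: {
            "extension_type": "property-extension",
            "determination": "confirmed",
            "investigation_status": "open",
            "criticality": 70,
            "event_refs": [E1, E2, E3, E4],
            "impact_refs": ["impact--7a5806e4-0f37-4c48-9a50-7301bff4b195"],
            "task_refs": ["task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c"],
        }
    },
}

# Constructed events: E1 fans out to E2 and E3 through next_events_refs, E4
# starts a separate sequence. Only the sequencing properties are filled in.
EVENTS = {
    E1: {"type": "event", "status": "ongoing", "next_events_refs": [E2, E3]},
    E2: {"type": "event", "status": "ongoing"},
    E3: {"type": "event", "status": "ongoing"},
    E4: {"type": "event", "status": "ongoing"},
}

REF_TYPES = (("event_refs", "event"), ("impact_refs", "impact"), ("task_refs", "task"))


def check_refs(incident):
    """Return the section 2.1 rule violations found on an incident: the extension
    must be present with extension_type property-extension, determination and
    investigation_status are required, criticality is 0..100, and each *_refs
    list is non-empty and references only objects of the matching type."""
    ext = incident.get("extensions", {}).get(INCIDENT_EXT)
    if ext is None:
        return [f"missing {INCIDENT_EXT}"]
    problems = []
    if ext.get("extension_type") != "property-extension":
        problems.append("extension_type MUST be property-extension")
    for required in ("determination", "investigation_status"):
        if required not in ext:
            problems.append(f"{required} is required")
    crit = ext.get("criticality")
    if crit is not None and not (isinstance(crit, int) and 0 <= crit <= 100):
        problems.append("criticality MUST be an integer between 0 and 100")
    for prop, obj_type in REF_TYPES:
        refs = ext.get(prop)
        if refs is None:
            continue
        if not refs:
            problems.append(f"{prop} MUST reference one or more objects")
        problems.extend(f"{prop}: {ref} is not of type {obj_type}"
                        for ref in refs if not ref.startswith(obj_type + "--"))
    return problems


def sequence_roots(event_ids, events):
    """Events that start a sequence: those that no other listed event's
    next_events_refs points at (section 2.1, event_refs)."""
    followers = {nxt for eid in event_ids
                 for nxt in events.get(eid, {}).get("next_events_refs", [])}
    return [eid for eid in event_ids if eid not in followers]


def walk_sequence(root, events):
    """Breadth-first traversal from a root event; the visited set keeps a
    malformed cyclic chain from looping forever."""
    order, seen, queue = [], {root}, deque([root])
    while queue:
        eid = queue.popleft()
        order.append(eid)
        for nxt in events.get(eid, {}).get("next_events_refs", []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    print("violations:", check_refs(INCIDENT))
    for root in sequence_roots(INCIDENT["extensions"][INCIDENT_EXT]["event_refs"], EVENTS):
        print("sequence:", walk_sequence(root, EVENTS))
```

Running the block prints an empty violation list and two sequences, one starting at E1 (E1, E2, E3) and one consisting of E4 alone. The visited set in walk_sequence matters in practice: nothing in the specification forbids a producer from emitting a next_events_refs cycle by mistake, and a consumer that follows references naively would spin.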

2.2. Event

An Event is an activity that has a harmful effect, or which will be investigated or already has been investigated as potentially having a harmful effect. The activity is not necessarily performed by an attacker. For example, an event could result from a user or system administrator's mistake. Events can be used to further enrich and explain Sightings by allowing analysts to indicate whether these sightings are part of a potential threat and, if so, how they connect to a larger incident. Some activity described in an Event will be found to be not harmful when investigated.

This new SDO extension MUST use extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e as its extension ID.

As a new SDO extension it must follow the requirements as described in section 7.3.2.2 of the STIX 2.1 specification.

Required Common Properties

created, id, modified, spec_version, type

Optional Common Properties

created_by_ref, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable Common Properties

defanged

Event Object Specific Properties

changed_objects, description, end_time, end_time_fidelity, event_types, goal, name, next_events_refs, status, sighting_refs, start_time, start_time_fidelity

Property Name Type Description

status (required)

event-status-enum

The current status of the event.

The values of this property MUST come from the event-status-enum enumeration.

type (required)

string

The value of this property MUST be set to event.

changed_objects (optional)

list of type state-change

A list of changes that this event has caused. This is typically used to indicate how an event has affected impacts.

description (optional)

string

A description of the event that occurred.

end_time (optional)

timestamp

The date and time the event was last recorded. If this is not present it is assumed to be unknown.

If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.

end_time_fidelity (optional)

timestamp-fidelity-enum

The level of fidelity that the end_time property is recorded in.

This value MUST come from the timestamp-fidelity-enum enumeration.

If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.

event_types (optional)

list of type open-vocab

High level types for the event to enable aggregation and summarization.

The values of this property SHOULD come from the event-type-ov open vocabulary.

goal (optional)

string

The assumed goal, objective, desired outcome, or intended effect of this event. Not all events have goals.

name (optional)

string

A name for the event.

next_events_refs (optional)

list of type identifier

The event objects to follow. They MUST be of type event.

sighting_refs (optional)

list of type identifier

A list of sighting objects that were related to this event. Sightings referenced in this SHOULD be based on attack-pattern, indicator, or malware SDOs.

The sighting_refs property SHOULD be used to relate an event to an SDO, instead of using an SRO.

In some cases observed data may be present, but no indicator can be created. In these cases it is recommended to use an attack-pattern using the name or description of the behavior or rule that triggered the sighting.

start_time (optional)

timestamp

The date and time the event was first recorded. If this is not present it is assumed to be unknown.

This property SHOULD be populated.

If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.

start_time_fidelity (optional)

timestamp-fidelity-enum

The level of fidelity that the start_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration.

If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.

2.2.1. Relationships

These are the relationships explicitly defined between the Event object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.

The reverse relationships section illustrates the relationships targeting this object type from another object type.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.

To relate events to an incident the event_refs property SHOULD be used. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data).

Common Relationships

derived-from, duplicate-of, related-to

Source | Type | Target | Description
event | causes | impact | The event caused the impact.
event | led-to | task | The event led to performing the task.
event | impacts | infrastructure, <All STIX Cyber-observable Objects> | An event has an impact on specific infrastructure. While not all SCO types will make sense in this relationship, allowing any type of SCO prevents artificially restricting what could be used.
event | located-at | location | The event occurred at a specific location.

Reverse Relationships

Source | Type | Target | Description
identity | performed | event | An identity performed a specific event.
indicator | based-on | event | An indicator is based on an event.
malware | performed | event | Malware performed a specific event.
tool | performed | event | A tool performed a specific event.
task | uses | course-of-action | A task uses a particular course of action.
task | blocks | event | A task was performed to block a potential event.
task | causes | event | A task was performed that caused an event, usually due to an error.

2.2.2. Example

{
    "type": "event",
    "id": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
    "created": "2023-11-22T15:30:00.000Z",
    "modified": "2023-11-22T15:30:00.000Z",
    "spec_version": "2.1",
    "status": "ongoing",
    "changed_objects": [
        {
            "state_change_type": "escalation",
            "initial_ref": "impact--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
            "result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f6d"
        }
    ],
    "description": "Phishing attack on company email accounts.",
    "end_time": "2023-11-22T15:30:00Z",
    "end_time_fidelity": "minute",
    "event_types": [
        "phishing"
    ],
    "goal": "Gain unauthorized access to sensitive information.",
    "name": "Phishing Attack",
    "next_events_refs": [
        "event--193a3ea2-32ae-4bfd-b353-16836ab70788",
        "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a"
    ],
    "start_time": "2023-11-22T14:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e": {
            "extension_type": "new-sdo"
        }
    }
}
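Two rules in the property table above are easy to get wrong in a consumer: end_time MUST NOT precede start_time, and when a *_fidelity property is absent the timestamp is assumed accurate to the number of decimal digits it carries (so "15:30:00Z" and "15:30:00.000Z" denote the same instant but claim different precision). The following is an added example, not part of the specification; the sample event is constructed from the example above, and the helper names are mine. Because the page does not reproduce the values of timestamp-fidelity-enum, the inferred fidelity is returned as a digit count rather than as an enum string.

```python
"""Time-ordering and fidelity rules for the Event object (section 2.2).
Added example, not part of the specification; helper names are mine."""
from datetime import datetime, timezone
import re

# STIX 2.1 timestamps: RFC 3339 in UTC with an optional fractional second.
STIX_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

# Constructed sample, reduced from the specification's event example.
EVENT = {
    "type": "event",
    "id": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
    "status": "ongoing",
    "start_time": "2023-11-22T14:30:00Z",
    "start_time_fidelity": "minute",
    "end_time": "2023-11-22T15:30:00Z",
    "end_time_fidelity": "minute",
}


def parse_timestamp(value):
    """Parse a STIX timestamp into (aware datetime, number of decimal digits)."""
    match = STIX_TS.match(value)
    if match is None:
        raise ValueError(f"not a STIX timestamp: {value!r}")
    base, frac = match.groups()
    micro = int((frac or "0").ljust(6, "0")[:6])  # truncate beyond microseconds
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc, microsecond=micro), len(frac or "")


def assumed_fidelity(event, prop):
    """The explicit <prop>_fidelity value if present; otherwise the number of
    decimal digits the timestamp carries, which section 2.2 says is the
    accuracy to assume. Returns None when the timestamp itself is absent."""
    explicit = event.get(prop + "_fidelity")
    if explicit is not None:
        return explicit
    if prop not in event:
        return None
    return parse_timestamp(event[prop])[1]


def check_event_times(event):
    """Return a list of findings for the type, status and time rules of section 2.2."""
    problems = []
    if event.get("type") != "event":
        problems.append("type MUST be event")
    if "status" not in event:
        problems.append("status is required")
    if "start_time" not in event:
        problems.append("start_time SHOULD be populated")  # a SHOULD, reported as a finding
    parsed = {}
    for prop in ("start_time", "end_time"):
        if prop in event:
            try:
                parsed[prop] = parse_timestamp(event[prop])[0]
            except ValueError as exc:
                problems.append(str(exc))
    if "start_time" in parsed and "end_time" in parsed and parsed["end_time"] < parsed["start_time"]:
        problems.append("end_time MUST be the same as or later than start_time")
    return problems


if __name__ == "__main__":
    print(check_event_times(EVENT), assumed_fidelity(EVENT, "start_time"))
```

The comparison is done on parsed datetimes rather than on the raw strings: lexicographic comparison of "…00Z" and "…00.000Z" would order the two differently even though they are the same instant.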

2.3. Impact

An Impact is the result of the Incident on the victim, captured in the impact_refs property of the Incident object. Impacts can have many categories: availability of resources, confidentiality of data, integrity of data or resources, monetary, physical damage, damage to others, and traceability (auditing).

This new SDO extension MUST use extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9 as its extension ID.

As a new SDO extension it must follow the requirements as described in section 7.3.2.2 of the STIX 2.1 specification.

Required Common Properties

created, id, modified, spec_version, type

Optional Common Properties

created_by_ref, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable Common Properties

defanged

Impact Object Specific Properties

impact_category, criticality, description, end_time, end_time_fidelity, impacted_entity_counts, impacted_refs, recoverability, start_time, start_time_fidelity, superseded_by_ref

Property Name Type Description

impact_category (required)

string

The category to which the impact belongs. This MUST be either undetermined or match an extension that provides greater details of a specific type of impact, and SHOULD come from the extensions listed in section 2.3.2 of this document.

The value can be specified with or without the "-ext" suffix. If this property is set to undetermined then there MUST not be an "-ext" extension providing further details for this impact.

type (required)

string

The value of this property MUST be set to impact.

criticality (optional)

integer

The criticality of this impact. If present, this value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix B.

description (optional)

string

Additional details about this impact.

end_time (optional)

timestamp

The date and time the impact was last recorded.

This property SHOULD be populated if this impact is resolved or mitigated.

If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.

If the superseded_by_ref property is included, this property MUST also be included.

end_time_fidelity (optional)

timestamp-fidelity-enum

The level of fidelity that the end_time property is recorded in.

This value MUST come from the timestamp-fidelity-enum enumeration.

If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.

impacted_entity_counts (optional)

entity-count

A listing of the entity types that were impacted and how many of each were affected.

If this property is not present it should be assumed that this information is not being shared, not that there were no impacted entities.

To affirmatively state no entities of a given class were impacted they should be included with the number of entities affected by it set to 0.

impacted_refs (optional)

list of type identifier

A list of all impacted entities or infrastructure. The values of this property MUST be the identifier for an SDO or SCO.

recoverability (optional)

recoverability-enum

The recoverability of this particular impact with respect to feasibility and required time and resources.

The value of this property MUST come from the recoverability-enum enumeration.

start_time (optional)

timestamp

The date and time this impact was first recorded.

This property SHOULD be populated.

If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.

start_time_fidelity (optional)

timestamp-fidelity-enum

The level of fidelity that the start_time property is recorded in.

This value MUST come from the timestamp-fidelity-enum enumeration.

If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.

superseded_by_ref (optional)

identifier

The referenced impact supersedes the end_time for the current impact. This allows capturing how the severity of this impact changes over time.

When this property is populated, this impact MUST have an end_time, and the superseded_by_ref value MUST reference an impact of the same category as specified in the impact_category property.

2.3.1. Relationships

There are no relationships explicitly defined between the Impact object and other STIX Objects, other than those defined as common relationships (duplicate-of, derived-from, related-to, and the embedded relationships defined by the common SDO properties).

The reverse relationships section illustrates the relationships targeting this object type from another object type.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.

Reverse Relationships

Source | Type | Target | Description
event | causes | impact | An event causes an impact.

2.3.2. Extensions

There are many types of impacts, each with its own unique properties, therefore the Impact SDO emulates the File SCO through the use of STIX (sub-type) Extensions to provide the granular details of specific categories of impacts. Seven extensions to impact, which further define the impact on a related Incident, are given below. As such, every Impact MUST have the one extension which matches the value of the impact_category property (see this property description above). This allows consumers to quickly validate their ability to process this category of impact and then load all of its specific details.

Because these extensions are used to specify very different types of impacts, producers SHOULD use one and only one of these extensions per Impact object. However, additional extensions might be proposed in the future and might be used in conjunction with one of these.

2.3.2.1. Availability Impact Extension

Type Name: availability-ext

Property Name Type Description

availability_impact (required)

integer

The availability / functional impact of the related incident on the objects referenced in impacted_refs. If no objects are referenced, the impact should be treated as the overall availability impact for the related incident.

This value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix A.

2.3.2.1.1. Availability Impact Example

{
    "type": "impact",
    "id": "impact--de425325-5ac8-4f4b-ace7-054301b80863",
    "created": "2023-11-22T15:30:00.000Z",
    "modified": "2023-11-22T15:30:00.000Z",
    "spec_version": "2.1",
    "impact_category": "availability",
    "criticality": 70,
    "description": "Loss of availability for a critical service.",
    "end_time": "2023-11-22T16:00:00Z",
    "end_time_fidelity": "minute",
    "impacted_entity_counts": {
        "system": 1
    },
    "impacted_refs": [
        "infrastructure--11c25d0e-48f5-4491-960a-0da71c4e0d16"
    ],
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "availability-ext": {
            "availability_impact": 90
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}

2.3.2.2. Confidentiality Impact Extension

Type Name: confidentiality-ext

Property Name Type Description

loss_type (required)

incident-confidentiality-loss-enum

The type of loss that occurred with respect to the relevant information.

The values of this property MUST come from the incident-confidentiality-loss-enum enumeration.

information_type (optional)

open-vocab

The type of information that had its confidentiality compromised. This can include information about control systems and other processes that can result in other impacts.

The value of this property SHOULD come from the information-type-ov open vocabulary.

This value MUST be included if the loss_type is not none. Otherwise, including an entry with loss_type of none and no information_type indicates that no information had its confidentiality impacted by the related incident.

record_count (optional)

integer

The number of records of this information type that were compromised.

The value of this property MUST NOT be negative.

record_size (optional)

integer

The amount of data that was compromised in bytes.

The value of this property MUST NOT be negative.

2.3.2.2.1. Confidentiality Impact Example

{
    "type": "impact",
    "id": "impact--c08d9e5a-ba7e-465c-96d5-659683aa9395",
    "created": "2023-11-22T15:30:00.000Z",
    "modified": "2023-11-22T15:30:00.000Z",
    "spec_version": "2.1",
    "impact_category": "confidentiality-ext",
    "criticality": 80,
    "description": "Confidential customer data was leaked.",
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "confidentiality-ext": {
            "information_type": "customer-data",
            "loss_type": "confirmed-loss",
            "record_count": 1000
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}

2.3.2.3. External Impact Extension

Type Name: external-ext

Property Name Type Description

impact_type (required)

open-vocab

The type of impact outside of the targeted organization.

The value of this property SHOULD come from the external-impact-ov open vocabulary.

2.3.2.3.1. External Impact Example

{
    "type": "impact",
    "id": "impact--765719be-0e65-4c40-8024-a7295c90da35",
    "created": "2023-11-22T15:30:00.000Z",
    "modified": "2023-11-22T15:30:00.000Z",
    "spec_version": "2.1",
    "impact_category": "external-ext",
    "criticality": 60,
    "description": "Negative impact on the company's reputation.",
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "external-ext": {
            "impact_type": "reputation"
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}

2.3.2.4. Integrity Impact Extension

Type Name: integrity-ext

Property Name Type Description

alteration (required)

integrity-alteration-enum

The type of alteration affecting integrity of the information.

The value of this property MUST come from the integrity-alteration-enum enumeration.

information_type (optional)

open-vocab

The type of information that had its integrity compromised. This can include information about control systems and other processes that can result in other impacts.

The value of this property SHOULD come from the information-type-ov open vocabulary.

This value MUST be included if the alteration is not none. Otherwise, including an entry with an alteration of none and no information_type indicates that no information had its integrity impacted by the related incident.

record_count (optional)

integer

The number of records of this type that were compromised.

The value of this property MUST NOT be negative.

record_size (optional)

integer

The amount of data that was compromised in bytes.

The value of this property MUST NOT be negative.

2.3.2.4.1. Integrity Impact Example

{
    "type": "impact",
    "id": "impact--72047fc7-1b34-4cc2-aea7-61b90cdb832d",
    "created": "2023-11-22T15:30:00.000Z",
    "modified": "2023-11-22T15:30:00.000Z",
    "spec_version": "2.1",
    "impact_category": "integrity-ext",
    "criticality": 75,
    "description": "Unauthorized modification of financial records.",
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "integrity-ext": {
            "alteration": "full-modification",
            "information_type": "financial-records",
            "record_count": 500
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}

2.3.2.5. Monetary Impact Extension

Type Name: monetary-ext

Property Name Type Description

variety (required)

open-vocab

The variety of this monetary impact.

The value of this property SHOULD come from the monetary-impact-type-ov open vocabulary.

conversion_rate (optional)

number

The conversion rate between the currency and currency_actual properties.

This MUST NOT be included if the currency_actual property is not included. This MUST be included if the currency_actual property is included. This value MUST be greater than zero.

If this property is provided, the conversion_time property must also be provided.

conversion_time (optional)

timestamp

The timestamp corresponding to the conversion rate from the currency property to the currency_actual property.

This MUST be included if a conversion_rate property is included.

currency (optional)

string

The currency used for reporting the max_amount and min_amount properties values. This SHOULD be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency. This SHOULD match the currency of the organization or the government producing the report.

This value MUST be included if the min_amount property is included.

currency_actual (optional)

string

The currency that the impact actually used. For ransom demands this should be the currency of the demand. If this is not included it should be assumed to be the same value as the currency property.

If this is included then the currency property MUST be included.

This SHOULD be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency.

max_amount (optional)

number

The maximum monetary amount of the impact using the currency specified in the currency property. This value MUST be greater than zero.

This value MUST be included if the min_amount property is included.

If min_amount and max_amount properties are both defined, then max_amount value MUST be greater than or equal to the min_amount value.

min_amount (optional)

number

The minimum monetary amount of the impact using the currency specified in the currency property. This value MUST be greater than zero.

This value MUST be included if the max_amount property is included.

If min_amount and max_amount properties are both defined, then max_amount value MUST be greater than or equal to the min_amount value.

2.3.2.5.1. Monetary Impact Example

{
    "type": "impact",
    "id": "impact--562c7b03-3c27-4adf-8580-57ecce6687c8",
    "created": "2023-11-22T15:30:00.000Z",
    "modified": "2023-11-22T15:30:00.000Z",
    "spec_version": "2.1",
    "impact_category": "monetary",
    "criticality": 85,
    "description": "Financial loss due to a ransomware attack.",
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "monetary-ext": {
            "variety": "ransom",
            "currency": "USD",
            "min_amount": 10000,
            "max_amount": 15000
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}

2.3.2.6. Physical Impact Extension

Type Name: physical-ext

Property Name Type Description

impact_type (required)

physical-impact-enum

The type of physical impact that has occurred.

The value of this property MUST come from the physical-impact-enum enumeration.

asset_type (optional)

open-vocab

The type of property or system that was affected by this impact.

The value of this property SHOULD come from the asset-type-ov open vocabulary.

This value MUST be included if the impact_type is not none. Otherwise, including an entry with an impact_type of none and no asset_type indicates that no physical damage was caused by the related incident.

2.3.2.6.1. Physical Impact Example

{
    "type": "impact",
    "id": "impact--738492bd-288b-48c9-ad2a-83230d2dee86",
    "created": "2023-11-22T15:30:00.123Z",
    "modified": "2023-11-22T15:30:00.446Z",
    "spec_version": "2.1",
    "impact_category": "physical",
    "criticality": 95,
    "description": "Physical damage to a power plant.",
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "physical-ext": {
            "impact_type": "destruction",
            "asset_type": "power-plant"
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}
2.3.2.7. Traceability Impact Extension

Type Name: traceability-ext

Property Name Type Description

traceability_impact (required)

traceability-enum

The impact on a system or organization’s ability to perform audits or provide non-repudiation.

The value of this property MUST come from the traceability-enum enumeration.

2.3.2.7.1. Traceability Impact Example
{
    "type": "impact",
    "id": "impact--ef58b184-e4b8-4f1f-9ac3-f22aff3f9459",
    "created": "2023-11-22T15:30:00.628Z",
    "modified": "2023-11-22T15:30:00.845Z",
    "spec_version": "2.1",
    "impact_category": "traceability",
    "criticality": 65,
    "description": "Loss of audit logs due to a cyber attack.",
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "traceability-ext": {
            "traceability_impact": "partial-accountability"
        },
        "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
            "extension_type": "new-sdo"
        }
    }
}
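The constraints stated for the three Impact extensions above (monetary: max_amount at least min_amount; physical: asset_type required unless impact_type is none; traceability: an enumeration value) are the kind of thing an ingest pipeline should reject early rather than discover in a report. The following validator is an added example and is not code from the specification or from any STIX tooling. It assumes the extension key is named "<impact_category>-ext", which is inferred from the three examples, and because the full contents of physical-impact-enum and traceability-enum are not on this page the two enumeration sets in the code are stand-ins (assumptions). The sample objects mirror the page's examples plus deliberately invalid variants.

```python
"""Constraint checks for the Impact extensions in 2.3.2.5 - 2.3.2.7.

Added example; this is not code from the specification. It implements only
the rules stated on the page: max_amount >= min_amount for monetary-ext,
asset_type required for physical-ext unless impact_type is "none", the
enum-valued properties must hold an enumeration value, and the SDO carries
the new-sdo extension definition shown in the examples.
ASSUMPTIONS: the full contents of physical-impact-enum and traceability-enum
are not on this page, so the two sets below are stand-ins; the rule that the
extension key is "<impact_category>-ext" is inferred from the three examples.
"""

IMPACT_EXT_DEF = "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9"
PHYSICAL_IMPACT_ENUM = {"none", "destruction", "damaged-functional",
                        "damaged-nonfunctional", "unknown"}           # assumed
TRACEABILITY_ENUM = {"accountability-lost", "partial-accountability",
                     "provable-accountability"}                       # assumed
NUMERIC = (int, float)


def validate_impact(obj: dict) -> list:
    """Return the constraint violations for one impact SDO ([] means it passes)."""
    if obj.get("type") != "impact":
        return [f"type must be 'impact', got {obj.get('type')!r}"]
    errors = []
    exts = obj.get("extensions", {})
    if exts.get(IMPACT_EXT_DEF, {}).get("extension_type") != "new-sdo":
        errors.append(f"missing {IMPACT_EXT_DEF} with extension_type 'new-sdo'")

    category = obj.get("impact_category")
    ext = exts.get(f"{category}-ext")
    if ext is None:
        errors.append(f"impact_category {category!r} requires a '{category}-ext' extension")
        return errors

    if category == "monetary":
        lo, hi = ext.get("min_amount"), ext.get("max_amount")
        for name, val in (("min_amount", lo), ("max_amount", hi)):
            if val is not None and not isinstance(val, NUMERIC):
                errors.append(f"{name} must be numeric, got {val!r}")
        if isinstance(lo, NUMERIC) and isinstance(hi, NUMERIC) and hi < lo:
            errors.append(f"max_amount ({hi}) must be >= min_amount ({lo})")
    elif category == "physical":
        impact_type = ext.get("impact_type")
        if impact_type not in PHYSICAL_IMPACT_ENUM:
            errors.append(f"impact_type {impact_type!r} is not in physical-impact-enum")
        # "none" with no asset_type is the affirmative "no physical damage" statement
        if impact_type != "none" and "asset_type" not in ext:
            errors.append("asset_type is required when impact_type is not 'none'")
    elif category == "traceability":
        if ext.get("traceability_impact") not in TRACEABILITY_ENUM:
            errors.append("traceability_impact is required and must come from traceability-enum")
    return errors


def _impact(category: str, ext: dict, impact_id: str) -> dict:
    """Build a minimal impact SDO for the samples below (constructed test data)."""
    return {"type": "impact", "id": impact_id, "spec_version": "2.1",
            "created": "2023-11-22T15:30:00.000Z", "modified": "2023-11-22T15:30:00.000Z",
            "impact_category": category,
            "extensions": {f"{category}-ext": ext, IMPACT_EXT_DEF: {"extension_type": "new-sdo"}}}


# Samples: the first three mirror the page's examples; the last three are constructed.
MONETARY_OK = _impact("monetary", {"variety": "ransom", "currency": "USD",
                                   "min_amount": 10000, "max_amount": 15000},
                      "impact--562c7b03-3c27-4adf-8580-57ecce6687c8")
PHYSICAL_OK = _impact("physical", {"impact_type": "destruction", "asset_type": "power-plant"},
                      "impact--738492bd-288b-48c9-ad2a-83230d2dee86")
TRACEABILITY_OK = _impact("traceability", {"traceability_impact": "partial-accountability"},
                          "impact--ef58b184-e4b8-4f1f-9ac3-f22aff3f9459")
PHYSICAL_NONE = _impact("physical", {"impact_type": "none"},        # valid: "no damage" statement
                        "impact--1b0a2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d")
MONETARY_BAD = _impact("monetary", {"currency": "USD", "min_amount": 15000, "max_amount": 10000},
                       "impact--2c1b3d4e-5f6a-4b7c-9d8e-0f1a2b3c4d5e")
PHYSICAL_BAD = _impact("physical", {"impact_type": "destruction"},  # asset_type missing
                       "impact--3d2c4e5f-6a7b-4c8d-8e9f-1a2b3c4d5e6f")

if __name__ == "__main__":
    for sample in (MONETARY_OK, PHYSICAL_OK, TRACEABILITY_OK, PHYSICAL_NONE, MONETARY_BAD, PHYSICAL_BAD):
        print(sample["id"], validate_impact(sample) or "ok")
```

The physical check deliberately accepts impact_type none with no asset_type, since the text gives that combination a meaning (an affirmative statement of no physical damage); a producer that wants to record that fact should emit exactly that shape rather than omitting the impact object.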

2.4. Task

A Task is an activity that is performed by or for the victim/defender to respond to the related incident.

This new SDO extension MUST use extension-definition--2074a052-8be4-4932-849e-f5e7798e0030 as its extension ID.

As a new SDO extension it must follow the requirements as described in section 7.3.2.2 of the STIX 2.1 specification.

Required Common Properties

created, id, modified, spec_version, type

Optional Common Properties

created_by_ref, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable Common Properties

defanged

Task Object Specific Properties

task_types, affected_entity_counts, changed_objects, description, end_time, end_time_fidelity, error, name, next_tasks_refs, outcome, priority, start_time, start_time_fidelity

Property Name Type Description

outcome (required)

task-outcome-enum

The outcome of the task.

The value of this property MUST come from the task-outcome-enum enumeration.

type (required)

string

The value of this property MUST be set to task.

changed_objects (optional)

list of type state-change

A list of changes that this task has caused. This is typically used to indicate how a task has affected impacts.

task_types (optional)

list of type open-vocabulary

A list of high level types for the task in order to enable aggregation and summaries.

The values of this property SHOULD come from the task-type-ov open vocabulary.

description (optional)

string

A description of the task.

end_time (optional)

timestamp

The date and time the task was last recorded. If this is not present it is assumed to be unknown.

If start_time and end_time properties are both defined, then end_time value MUST be the same or later than the start_time value.

end_time_fidelity (optional)

timestamp-fidelity-enum

The level of fidelity that the end_time property is recorded in.

This value MUST come from timestamp-fidelity-enum enumeration.

If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.

error (optional)

string

Details about any failures or deviations that occurred in the task.

affected_entity_counts (optional)

entity-count

A listing of the entity types and how many of each that were affected.

This is primarily used when recording victim notifications.

name (optional)

string

A name used to identify the task.

next_tasks_refs (optional)

list of type identifier

The task objects to follow. They MUST be of type task.

priority (optional)

integer

The priority or importance of the task. This value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix B.

start_time (optional)

timestamp

The date and time the task was first recorded. If this is not present it is assumed to be unknown.

This property SHOULD be populated.

If start_time and end_time properties are both defined, then end_time value MUST be the same or later than the start_time value.

start_time_fidelity (optional)

timestamp-fidelity-enum

The level of fidelity that the start_time property is recorded in.

This value MUST come from timestamp-fidelity-enum enumeration.

If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.

2.4.1. Relationships

These are the relationships explicitly defined between the Task object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.

The reverse relationships section illustrates the relationships targeting this object type from another object type.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.

To relate tasks to an incident the task_refs property SHOULD be used. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally, avoiding potential confusion or misunderstandings when processing STIX data.

Common Relationships

derived-from, duplicate-of, related-to

Source

Type

Target

Description

task

uses

course-of-action

A task uses a particular course of action.

task

blocks

event

A task was performed to block a potential event.

task

causes

event

A task was performed that caused an event, usually due to an error.

task

detects

event

A task was used to detect an event.

task

creates

indicator

A task was performed that created an indicator.

task

impacts

infrastructure,
<All STIX Cyber-observable Objects>

A task has an impact on specific infrastructure or cyber-observable objects.

task

located-at

location

The task occurred at a specific location.

Reverse Relationships

Source

Type

Target

Description

event

led-to

task

The event led to performing the task.

identity

assigned

task

An identity has been assigned the task.

identity

contact-for

task

An identity is a point of contact for this task.

identity

participated-in

task

An identity participated in a specific task, but not as the primary performer.

identity

performed

task

An identity performed a specific task.

tool

performed

task

A tool performed a specific task.

2.4.2. Example

{
    "type": "task",
    "id": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
    "created": "2023-11-22T15:30:00.529Z",
    "modified": "2023-11-22T15:30:00.811Z",
    "spec_version": "2.1",
    "outcome": "successful",
    "changed_objects": [
        {
            "state_change_type": "mitigated",
            "initial_ref": "impact--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
            "result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f62"
        }
    ],
    "description": "Mitigated the impact of the phishing attack.",
    "end_time": "2023-11-22T16:30:00Z",
    "end_time_fidelity": "minute",
    "task_types": [
        "containment"
    ],
    "name": "Mitigation Task",
    "next_tasks_refs": [
        "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7"
    ],
    "priority": 80,
    "start_time": "2023-11-22T15:30:00Z",
    "start_time_fidelity": "minute",
    "extensions": {
        "extension-definition--2074a052-8be4-4932-849e-f5e7798e0030": {
            "extension_type": "new-sdo"
        }
    }
}
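Section 2.4.1 recommends the incident's task_refs embedded relationship precisely so that an incomplete task sequence cannot be shared by accident. The following helper is an added example (not code from the specification or from any STIX library) that checks a bundle for that failure mode: task_refs or next_tasks_refs entries that do not resolve to an object in the bundle, references to objects that are not of type task, and cycles in the next_tasks_refs chain. It also returns each incident's tasks in predecessor-first order. The sample bundle is constructed and abbreviated: the incident carries only the properties the check reads, the task objects omit most common properties, and the incident, bundle and third task ids are invented.

```python
"""Integrity check for an incident's task sequence (2.4 and 2.4.1).

Added example; not code from the specification. It reads the incident's task_refs
(2.4.1) and each task's next_tasks_refs (2.4) and reports references that do not
resolve in the bundle, references to non-task objects, and cycles. The sample
bundle is constructed; ids marked "constructed" are invented for the example.
"""
from copy import deepcopy

INCIDENT_ID = "incident--0d7f4c5a-1b2e-4f3a-9c8d-6e5f4a3b2c1d"   # constructed
T1 = "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c"               # from the 2.4.2 example
T2 = "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7"               # its next task, per the example
T3 = "task--9a2d6f10-3e55-4c1b-8d77-2b6f0c5e4a11"               # constructed


def check_task_sequence(bundle: dict) -> dict:
    """Return {"errors": [...], "warnings": [...], "chains": {incident_id: [task ids]}}."""
    objs = {o["id"]: o for o in bundle.get("objects", [])}
    errors, warnings, chains = [], [], {}

    def resolves_to_task(owner: str, ref: str) -> bool:
        if ref not in objs:
            errors.append(f"{owner}: reference {ref} is not in the bundle")
            return False
        if objs[ref].get("type") != "task":
            errors.append(f"{owner}: reference {ref} is a {objs[ref]['type']}, not a task")
            return False
        return True

    for inc in [o for o in objs.values() if o.get("type") == "incident"]:
        listed = [r for r in inc.get("task_refs", []) if resolves_to_task(inc["id"], r)]
        order, on_path, done = [], [], set()

        def walk(tid: str) -> None:
            # depth-first over next_tasks_refs; a task already on the current path is a cycle
            if tid in on_path:
                cycle = " -> ".join(on_path[on_path.index(tid):] + [tid])
                errors.append(f"{inc['id']}: next_tasks_refs cycle {cycle}")
                return
            if tid in done:
                return
            on_path.append(tid)
            for nxt in objs[tid].get("next_tasks_refs", []):
                if resolves_to_task(tid, nxt):
                    msg = f"{inc['id']}: {nxt} is reachable via next_tasks_refs but not listed in task_refs"
                    if nxt not in listed and msg not in warnings:
                        warnings.append(msg)
                    walk(nxt)
            on_path.pop()
            done.add(tid)
            order.append(tid)             # post-order: successors first

        for tid in listed:
            walk(tid)
        chains[inc["id"]] = order[::-1]   # reverse post-order: predecessors first
    return {"errors": errors, "warnings": warnings, "chains": chains}


def _task(tid: str, name: str, next_refs=()) -> dict:
    """Minimal task SDO for the sample bundle (constructed; common properties abbreviated)."""
    task = {"type": "task", "id": tid, "spec_version": "2.1", "name": name, "outcome": "successful"}
    if next_refs:
        task["next_tasks_refs"] = list(next_refs)
    return task


SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--5f1e2d3c-4b5a-4697-8e9f-0a1b2c3d4e5f",   # constructed
    "objects": [
        {"type": "incident", "id": INCIDENT_ID, "spec_version": "2.1",
         "name": "Phishing incident", "task_refs": [T3, T1, T2]},   # deliberately unordered
        _task(T1, "Mitigation Task", [T2]),
        _task(T2, "Eradication", [T3]),
        _task(T3, "Recovery"),
    ],
}

# The incomplete sequence 2.4.1 warns about: the last task was never shared.
INCOMPLETE_BUNDLE = deepcopy(SAMPLE_BUNDLE)
INCOMPLETE_BUNDLE["objects"] = [o for o in INCOMPLETE_BUNDLE["objects"] if o["id"] != T3]

# A malformed chain: the last task points back at the first.
CYCLIC_BUNDLE = deepcopy(SAMPLE_BUNDLE)
CYCLIC_BUNDLE["objects"][3]["next_tasks_refs"] = [T1]

# task_refs names only the first task; the others are reachable but unlisted.
PARTIAL_BUNDLE = deepcopy(SAMPLE_BUNDLE)
PARTIAL_BUNDLE["objects"][0]["task_refs"] = [T1]

if __name__ == "__main__":
    for name, bundle in (("complete", SAMPLE_BUNDLE), ("incomplete", INCOMPLETE_BUNDLE),
                         ("cyclic", CYCLIC_BUNDLE), ("partial", PARTIAL_BUNDLE)):
        print(name, check_task_sequence(bundle))
```

Unresolvable and mistyped references are reported as errors because the text makes them MUST violations; a task that is reachable through next_tasks_refs but absent from task_refs is only a warning, since task_refs is a SHOULD.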

3. Additional Sub-Object Types

3.1. Entity Count Type

Type Name: entity-count

The Entity Count type is a dictionary that records a count for one or more entity types. Each key MUST be the name of an entity type and its value MUST be the count of entities of that type. Each key SHOULD come from the entity-type-ov open vocabulary. Each value MUST be an integer that is equal to or greater than zero.

Examples:

100 individuals, 70 employees, 30 customers

{
    "individual": 100,
    "employee": 70,
    "customer-individual": 30
}

1000 systems, 10 organizations

{
    "organization": 10,
    "system": 1000
}

0 individuals

{
    "individual": 0
}

3.2. Incident Score Object Type

Type Name: incident-score

Property Name Type Description

name (required)

string

The name of the score.

This is normally a system or process name or some combination of these such as "<Tool Name> Automated Exposure Score".

value (required)

number

The numeric score.

description (optional)

string

A description of how this score was calculated by the system, if that information is provided.

3.2.1. Example

{
    "name": "ExampleSystem Automated Exposure Score",
    "value": 75.5,
    "description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
}

3.3. State Change Object Type

Type Name: state-change

At least one of the initial_ref and result_ref properties MUST be populated.

Property Name Type Description

state_change_type (required)

open-vocabulary

How this activity influenced the change in state between the initial_ref and result_ref.

The value of this property SHOULD come from the state-change-type-ov open vocabulary.

initial_ref (optional)

identifier

The initial object state that this event or task affected. It MUST be an SDO. To capture a change to an SCO, the Observed Data SDO MUST be used.

If the result_ref property is not populated then this MUST be populated.

If there is no result state this typically means that this event/task removed or resolved the initial object. For example, a task resolved a network outage.

If both are present this indicates a transition between these states. For example, a confidentiality impact was made worse as the information was shared further.

If the result_ref property is populated this MUST reference the same type of SDO.

result_ref (optional)

identifier

The final state that this event or task influenced.

If the initial_ref property is not populated then this MUST be populated.

If there is no initial state it typically means that this event/task caused or created the result. For example, an event causing a network outage.

If the initial_ref property is populated this MUST reference the same type of SDO.

3.3.1. Example

{
    "state_change_type": "escalation",
    "initial_ref": "incident--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
    "result_ref": "incident--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f62"
}
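The state-change rules above (at least one reference, SDOs only, matching SDO types on both sides) and the entity-count rules in 3.1 are easy to get wrong in hand-built objects, and the state-change-type-ov values input and output in 4.9 add two more conditional requirements. The following checker is an added example, not code from the specification or any STIX library, and applies all of them to a Task's changed_objects and affected_entity_counts. Assumptions: the "same type of SDO" rule is evaluated on the type prefix before "--" of each identifier; the SDO test rejects the STIX 2.1 Cyber-observable object types and the relationship, sighting, bundle, marking-definition and language-content types, listed in the code from the core specification; deviations from the two open vocabularies are reported with a "warning:" prefix because they are SHOULDs, while MUST violations are plain errors. The invalid task sample is constructed.

```python
"""Checks for the state-change (3.3) and entity-count (3.1) sub-objects as used in a
Task's changed_objects and affected_entity_counts, including the state-change-type-ov
rules of 4.9 (input requires initial_ref, output requires result_ref).

Added example; not code from the specification. ASSUMPTIONS: the "same type of SDO"
rule is checked on the identifier's type prefix; SCO and relationship object types
are taken from STIX 2.1 core; open-vocabulary deviations are "warning:"-prefixed.
"""

SCO_TYPES = {"artifact", "autonomous-system", "directory", "domain-name", "email-addr",
             "email-message", "file", "ipv4-addr", "ipv6-addr", "mac-addr", "mutex",
             "network-traffic", "process", "software", "url", "user-account",
             "windows-registry-key", "x509-certificate"}
NON_SDO_TYPES = SCO_TYPES | {"relationship", "sighting", "bundle", "marking-definition",
                             "language-content"}
STATE_CHANGE_TYPE_OV = {"caused", "contributed-to", "input", "mitigated", "output", "resolved"}
ENTITY_TYPE_OV = {"computers-mobile", "computers-personal", "computers-server", "customer",
                  "customer-individual", "customer-organization", "domain-controller",
                  "employee", "group", "ics-actuator", "ics-engineering-workstation",
                  "ics-historian", "ics-hmi", "ics-other", "ics-plc", "ics-safety-system",
                  "ics-sensor", "individual", "network-device", "organization", "system",
                  "vehicles"}


def stix_type(identifier: str) -> str:
    """'impact--<uuid>' -> 'impact'."""
    return identifier.split("--", 1)[0]


def validate_state_change(change: dict) -> list:
    errors = []
    kind = change.get("state_change_type")
    if kind is None:
        errors.append("state_change_type is required")
    elif kind not in STATE_CHANGE_TYPE_OV:
        errors.append(f"warning: state_change_type {kind!r} is not in state-change-type-ov")

    initial, result = change.get("initial_ref"), change.get("result_ref")
    if initial is None and result is None:
        errors.append("at least one of initial_ref or result_ref must be populated")
    for name, ref in (("initial_ref", initial), ("result_ref", result)):
        if ref is None:
            continue
        if stix_type(ref) in SCO_TYPES:
            errors.append(f"{name} {ref} is an SCO; reference an Observed Data SDO instead")
        elif stix_type(ref) in NON_SDO_TYPES:
            errors.append(f"{name} {ref} must reference an SDO")
    if initial and result and stix_type(initial) != stix_type(result):
        errors.append("initial_ref and result_ref must reference the same type of SDO")
    if kind == "input" and initial is None:
        errors.append("state_change_type 'input' requires initial_ref")
    if kind == "output" and result is None:
        errors.append("state_change_type 'output' requires result_ref")
    return errors


def validate_entity_count(counts: dict) -> list:
    errors = []
    for key, value in counts.items():
        if key not in ENTITY_TYPE_OV:
            errors.append(f"warning: entity type {key!r} is not in entity-type-ov")
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f"count for {key!r} must be an integer >= 0, got {value!r}")
    return errors


def validate_task_subobjects(task: dict) -> list:
    """Apply both checks to a Task SDO and prefix each finding with its location."""
    findings = []
    for i, change in enumerate(task.get("changed_objects", [])):
        findings += [f"changed_objects[{i}]: {e}" for e in validate_state_change(change)]
    for e in validate_entity_count(task.get("affected_entity_counts", {})):
        findings.append(f"affected_entity_counts: {e}")
    return findings


# TASK_OK reuses the changed_objects entry from the 2.4.2 example; TASK_BAD is constructed.
TASK_OK = {"type": "task", "id": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
           "outcome": "successful",
           "changed_objects": [{"state_change_type": "mitigated",
                                "initial_ref": "impact--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
                                "result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f62"}],
           "affected_entity_counts": {"individual": 100, "employee": 70, "customer-individual": 30}}
TASK_BAD = {"type": "task", "id": "task--7c6d5e4f-3a2b-4c1d-9e8f-0a1b2c3d4e5f",
            "outcome": "successful",
            "changed_objects": [
                {"state_change_type": "input",                       # input without initial_ref
                 "result_ref": "grouping--8e7f6a5b-4c3d-4e2f-8a1b-9c0d1e2f3a4b"},
                {"state_change_type": "resolved",                    # SDO types differ
                 "initial_ref": "impact--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
                 "result_ref": "incident--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c"},
                {"state_change_type": "caused",                      # SCO instead of SDO
                 "result_ref": "ipv4-addr--9f8e7d6c-5b4a-4392-8170-6a5b4c3d2e1f"}],
            "affected_entity_counts": {"individual": -1, "laptop": 2}}

if __name__ == "__main__":
    print(validate_task_subobjects(TASK_OK) or "TASK_OK passes")
    print(*validate_task_subobjects(TASK_BAD), sep="\n")
```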

4. Vocabularies

4.1. Asset Type Vocabulary

Type Name: asset-type-ov

Vocabulary Value Description

building-doors

Doors within buildings or structures.

building-windows

The exterior or interior windows of buildings or structures.

buildings

Entire buildings or structures.

computers-mobile

Mobile devices such as smartphones.

computers-personal

Workstations or laptops owned by an organization.

computers-server

Servers owned by an organization.

environment

Land, environment or the ability of either to support humans or wildlife.

ics-actuator

Actuator for industrial control systems.

ics-engineering-workstation

Engineering workstation for industrial control systems.

ics-historian

Historian for industrial control systems.

ics-hmi

Human machine interfaces for industrial control systems.

ics-other

Other Industrial control systems.

ics-plc

Programmable logic controller for industrial control systems.

ics-safety-system

Safety system for industrial control systems.

ics-sensor

Sensor for industrial control systems.

inventory

Stocks of goods to be sold or consumed.

network-device

Switches, routers, and wireless communication towers.

private-infrastructure

Privately owned infrastructure such as roads, plumbing, railways, pipelines and electrical infrastructure.

public-infrastructure

Publicly owned infrastructure such as roads, plumbing, railways, pipelines and electrical infrastructure.

security-containers

Safes or other security containers.

vehicles

Vehicles of various types including cars, trains, and planes.

4.2. Detection Methods Vocabulary

Type Name: detection-methods-ov

Vocabulary Value Description

automated-tool

An incident is detected by an automated tool. If this option is used it is generally useful to also include a separate entry for the tool itself.

commercial-solution

A commercial tool or provider detected this incident. This can be combined with other methods including automated-tool to allow greater fidelity.

external-notification

An external entity detected this incident and notified the impacted organization.

human-review

An incident is detected by human threat hunting.

message-from-attacker

Notification comes from a message provided by the attacker, including an email, a note left on a system, or a popup message.

propriety-solution

An internally developed tool or process detected this incident. This can be combined with other methods including automated-tool to allow greater fidelity.

system-outage

An incident is detected because a system is no longer available.

user-reporting

One or more users report an incident.

4.3. Entity Type Vocabulary

Type Name: entity-type-ov

Vocabulary Value Description

computers-mobile

Mobile devices such as smartphones.

computers-personal

Workstations or laptops owned by an organization.

computers-server

Servers owned by an organization.

customer

A customer or client. This can be an individual or organization.

customer-individual

A customer or client that represents an individual.

customer-organization

A customer or client that represents a business or other organization.

domain-controller

A Windows domain controller.

employee

An employee of an organization.

group

An informal collection of people, without formal governance, such as a distributed hacker group.

ics-actuator

Actuator for industrial control systems.

ics-engineering-workstation

Engineering workstation for industrial control systems.

ics-historian

Historian for industrial control systems.

ics-hmi

Human machine interfaces for industrial control systems.

ics-other

Other Industrial control systems.

ics-plc

Programmable logic controller for industrial control systems.

ics-safety-system

Safety system for industrial control systems.

ics-sensor

Sensor for industrial control systems.

individual

A single person.

network-device

Switches, routers, and wireless communication towers.

organization

A formal organization of people, with governance, such as a company or country.

system

A computer system, such as a SIEM.

vehicles

Vehicles of various types including cars, trains, and planes.

4.4. Event Type Vocabulary

This vocabulary draws from numerous sources, including heavily from MISP taxonomies.

These include:

Type Name: event-type-ov

Vocabulary Value Description

aggregation-information-phishing-schemes

Collecting data obtained through phishing attacks on web pages, email accounts, etc.

benign

The event was neither dangerous nor malicious and was not suspected to be malicious or dangerous.

blocked

The event was suspected to be malicious and was blocked.

brute-force-attempt

Unsuccessful login attempt by using sequential credentials for gaining access to the system.

c&c-server-hosting

Hosting a command and control (C&C) server used to control compromised systems or a botnet.

compromised-system

Attackers obtained control of a compromised system.

confirmed

The event was confirmed to be tied to an incident and response is underway.

connection-malware-port

System attempting to gain access to a port normally linked to a specific type of malware.

connection-malware-system

System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet.

content-forbidden-by-law

Distribution or sharing of illegal content such as child pornography, racism, xenophobia, etc.

control-system-bypass

Unauthorized access to a system or component by bypassing an access control system in place.

copyrighted-content

Distribution or sharing of content protected by copyright and related rights.

data-exfiltration

Unauthorized access to and sharing of a specific set of information.

deferred

The event is deferred due to resource constraints, information types or external reasons.

deletion-information

Unauthorized deleting of a specific set of information.

denial-of-service

The event or incident resulted in a loss of availability for a service or system.

Incidents of this type SHOULD have an availability impact, but organizations may choose to not share the details of these impacts.

destruction

The event or incident destroyed data or systems.

Incidents of this type SHOULD have an integrity impact, but organizations may choose to not share the details of these impacts.

dictionary-attack-attempt

Unsuccessful login attempt by using system access credentials previously loaded into a dictionary.

discarded

The event was discarded due to resource constraints, information types or external reasons.

disruption-data-transmission

Logical and physical activities aimed at causing damage to information or at preventing its transmission among systems.

dissemination-malware-email

Malware attached to a message or email message containing link to malicious URL.

dissemination-phishing-emails

Mass emailing aimed at collecting data for phishing purposes with regard to the victims.

dns-cache-poisoning

DNS cache poisoning, also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver’s cache by injecting false DNS records, causing the resolver to return records controlled by the attacker.

dns-local-resolver-hijacking

Customer Premises Equipment (CPE), such as home routers, often provides DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.

dns-spoofing-registered

In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.

dns-rebinding

DNS rebinding - a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim’s local resources.

dns-server-compromise

Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server.

dns-spoofing-unregistered

In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.

dns-stub-resolver-hijacking

The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.

dns-zone-transfer

Transfer of a specific DNS zone.

domain-name-compromise

Wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity such as sending spam or phishing, distributing malware, or serving as botnet command and control.

duplicate

This event is a duplicate of another event. A relationship should be created between this event and the event it duplicates.

email-flooding

Sending an unusually large quantity of email messages.

equipment-loss

A loss of control of physical equipment that is not known to be theft.

equipment-theft

Theft of equipment. In general this should be paired with equipment-loss.

exploit

Successful use of a tool exploiting a specific vulnerability of the system.

exploit-attempt

Unsuccessful use of a tool exploiting a specific vulnerability of the system.

exploit-framework-exhausting-resources

Various sources using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability.

exploit-tool-exhausting-resources

One single source using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability.

failed

The event failed its suspected goal.

file-inclusion

Inclusion of files into a system under attack with the use of file inclusion techniques.

file-inclusion-attempt

Unsuccessful attempt to include files in the system under attack by using file inclusion techniques.

hosting-malware-webpage

Web page disseminating one or various types of malware.

hosting-phishing-sites

Hosting web sites for phishing purposes.

illegitimate-use-name

Using the name of an institution without permission to do so.

illegitimate-use-resources

Use of institutional resources for purposes other than those intended.

infected-by-known-malware

The presence of any of the types of malware was detected in a system.

insufficient-data

Not enough data is available to assess this event.

known-malware

This incident involves a known type of malware. Events and incidents SHOULD be related to a Malware object, but organizations may choose not to share the details on this malware.

lame-delegations

Lame delegations occur as a result of expired name server domains allowing attackers to take control of the domain resolution by re-registering this expired name server domain.

major

The incident is classified as major based on the internal criteria within the organization or due to external reporting requirements.

modification-information

Unauthorized changes to a specific set of information.

misconfiguration

A false positive where this event was triggered by a misconfiguration.

natural

The event was due to natural causes such as an earthquake or hurricane.

negotiation

Negotiation of a deal or payment amount.

network-scanning

Scanning a network aimed at identifying systems which are active in the same network.

no-apt

It is not believed that this incident involved an advanced persistent threat.

packet-flood

Mass sending of requests (network packets, emails, etc.) from various sources to a specific service, aimed at affecting its normal functioning.

password-cracking-attempt

Attempt to acquire access credentials by breaking the cryptographic protection applied to them, such as cracking password hashes.

policy-violation

The event or incident was a violation of organizational or regulatory policy.

ransomware

This incident involved malware that encrypted data with a demand that a ransom is paid to regain access to it.

ransomware-payment

The event or incident associated with actually paying a ransom.

refuted

The event was previously suspected to have achieved a goal, but this has since been refuted.

scan-probe

Event was triggered based on scanning activity

silently-discarded

The event was silently discarded due to resource constraints, information types or external reasons.

supply-chain-customer

This incident reached the target through a vendor further up the supply chain; the target was that vendor's customer.

supply-chain-vendor

This incident targeted a system or product that is supplied to others to enable further attacks.

spam

Sending an email message that was unsolicited or unwanted by the recipient.

sql-injection

Manipulation or reading of information contained in a database by using the SQL injection technique.

sql-injection-attempt

Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique.

successful

The event is believed to have succeeded in its goal.

system-probe

Single system scan searching for open ports or services using these ports for responding.

theft-access-credentials

Unauthorized access to a system or component by using stolen access credentials.

unattributed

This event or incident has not been attributed. It is unclear if it is tied to a specific advanced persistent threat group.

unauthorized-access-information

Unauthorized access to a set of information.

Incidents of this type SHOULD have a confidentiality impact, but organizations may choose to not share the details of these impacts.

unauthorized-access-system

Unauthorized access to a system or component.

unauthorized-equipment

Usage of unauthorized devices as part of the incident.

unauthorized-release

The unauthorized release of information.

Incidents of this type SHOULD have a confidentiality impact, but organizations may choose to not share the details of these impacts.

unauthorized-use

The usage of information that falls outside of official purposes.

undetermined

Used to classify unprocessed events whose nature has remained undetermined from the beginning.

unintentional

The event was due to unintentional activity.

unknown-apt

This incident is believed to involve an advanced persistent threat, but the specific APT is unknown.

unspecified

Other unlisted events.

vandalism

Logical and physical activities which - although they are not aimed at causing damage to information or at preventing its transmission among systems - have this effect.

wiretapping

Logical or physical interception of communications.

worm-spreading

System infected by a worm trying to infect other systems.

xss

Attacks performed with the use of cross-site scripting techniques.

xss-attempt

Unsuccessful attempts to perform attacks by using cross-site scripting techniques.

4.5. External Impact Vocabulary

Type Name: external-impact-ov

Vocabulary Value Description

economic

This incident is expected to have national or international economic impacts.

emergency-services

This incident impacts emergency services.

foreign-relations

This incident impacts international politics.

national-security

This incident impacts the national security of one or more nations.

public-confidence

This incident impacts the confidence in public or private institutions.

public-health

This incident impacts the public health of one or more nations.

public-safety

This incident impacts the public safety of individuals in one or more nations.

4.6. Incident Investigation Open Vocabulary

Type Name: incident-investigation-ov

Vocabulary Value Description

closed

All victim/defender work on this incident has been concluded.

Blue teams may use a closed incident as a starting point for their work, by creating child Incidents of the closed Incident. In these cases, it is appropriate to mark the initial Incident as closed even if the related child incidents that track this work are still open.

new

A new incident which the victim/defender has not begun formal work on.

open

Victim/defender work is underway for this Incident.

4.7. Information Type Vocabulary

Type Name: information-type-ov

Vocabulary Value Description

classified-material

Data classified based on relevant government authorities.

communication

Communication records including emails, chats and instant messages.

credentials-admin

Administrative credential data.

credentials-user

User credential data.

financial

Financial records including purchasing activity and planned activities.

legal

Legal records that are not yet public including contracts under negotiation and documents protected under legal privilege.

payment

Payment information.

phi

Protected Health Information.

pii

Personally Identifiable Information.

proprietary

Proprietary information e.g., intellectual property.

system

Information necessary to keep a system operational. The destruction or encryption of this data can cause availability impacts.

4.8. Monetary Impact Type Vocabulary

Type Name: monetary-impact-type-ov

Vocabulary Value Description

asset-and-fraud

Losses incurred due to loss of assets or fraud.

brand-damage

Losses incurred due to reputational or brand damage.

business-disruption

Losses incurred due to business disruptions.

competitive-advantage

Losses incurred due to theft of intellectual property, techniques or other capabilities that grant an advantage in the field.

legal-and-regulatory

Losses incurred due to legal or regulatory actions in response to the incident.

operating-costs

Losses incurred due to additional operating costs that have been incurred due to the incident.

ransom-demand

The demanded amount of ransom to be paid. When this is selected the demand amount should be listed as the max_amount and the min_amount should be 0.

ransom-payment

An actual payment of a ransom.

response-and-recovery

Losses incurred due to response and recovery efforts for the incident.

uncategorized

Losses incurred that have not been categorized yet.

4.9. State Change Type Vocabulary

Type Name: state-change-type-ov

Vocabulary Value Description

caused

This task or event is the primary cause of the resulting object.

contributed-to

This task or event is a contributing factor to the result occurring.

input

This task or event took in a Grouping object as an input for automated or playbook activities.

If this is selected the initial_ref property MUST be populated.

mitigated

This task or event lessened the severity of the initial object.

output

This task or event produced a Grouping object as an output as part of automated or playbook activities.

If this is selected the result_ref property MUST be populated.

resolved

This task or event resolved the initial object.

4.10. Task Type Vocabulary

Type Name: task-type-ov

Vocabulary Value Description

administrative

Perform an administrative action such as the introduction or change of a policy.

attribution

Perform attribution of the incident to a threat actor or intrusion set.

containment

The containment phase of incident response.

declared

When this was officially declared an incident.

detected

When the incident was detected.

eradication

The eradication phase of incident response.

escalated

When the incident was escalated to a major incident.

exercised-control

Attempted to use a security control that was already in place within the environment.

external-intelligence

Used external intelligence information.

external-outreach

Reaching out to an external organization to gain support or information.

external-support

Acquire support from an external organization.

implemented-control

Implemented a security control within the environment.

investigation

Performed an investigation into an event or incident.

negotiation

Negotiation of a deal or payment amount.

playbook-execution

Executing an automated playbook. If the playbook is stored outside of STIX it should be included as an external-reference.

playbook-step-execution

Executing a step in an automated playbook. If the playbook is stored outside of STIX, both the playbook and the step should be stored as separate external-reference objects.

If playbook steps feed each other information that is designed to be passed as STIX it SHOULD be referenced as a grouping as either the initial_ref or result_ref of a state-change.

ransom-payment

An actual payment of a ransom.

recovery

The recovery phase of incident response.

reported

When the incident was reported externally.

routine-updates

Performed a routine update in the environment including patching.

victim-notification

Notified victims, potentially impacted individuals or organizations about the incident.

5. Enumerations

5.1. Event Status Enumeration

Type Name: event-status-enum

Vocabulary Value Description

ongoing

The event is still occurring.

occurred

The event took place and is no longer ongoing.

not-occurred

The event did not take place, but it was previously expected to.

pending

The event has not yet been started or observed, but it is projected or otherwise planned.

Pending activity may never occur as various factors can cause it to be blocked or not attempted. As such any time or sequence values for pending activities should be treated as an estimation or projection that is subject to change.

undetermined

The status of the event has not been determined or is not shareable.

5.2. Incident Confidentiality Loss Enumeration

Type Name: incident-confidentiality-loss-enum

Vocabulary Value Description

confirmed-loss

Information has been exfiltrated and is now available to the attacker, but it is unknown if it has been misused.

contained

Information’s confidentiality was compromised, but the spill was within an environment that allowed it to be effectively contained.

For example: a sensitive data spill occurred within a controlled network allowing it to be resolved before information exited the organization.

exploited-loss

Information has been exfiltrated and has been actively misused by the attacker.

none

This information type was not compromised based on the investigation that was performed. This option should be used to affirmatively supply this information when necessary.

suspected-loss

It is suspected but not confirmed that the attacker may have gained access to this information.

unknown

It is unknown if the attacker may have gained access to this information.

5.3. Incident Determination Enumeration

Type Name: incident-determination-enum

Vocabulary Value Description

blocked

The incident had no or minimal impact due to pre-emptive measures including rate limiting or spam filters.

confirmed

An incident has been determined to have caused at least some harm or violated a policy.

failed-attempt

The incident had no or minimal impact, but not due to any affirmative defense; for example, a password-guessing attempt failed but was also not rate limited.

false-positive

An incident was determined to have been triggered by a false alert, and no action, including automatically performed actions, was needed to remediate the issue.

This should not be used when an incident was flagged correctly but is of no importance. For findings of that nature, low-value should be used.

suspected

An incident is suspected, but not yet confirmed.

5.4. Integrity Alteration Enumeration

Type Name: integrity-alteration-enum

Vocabulary Value Description

potential-destruction

Information may have been destroyed within the system.

potential-modification

Information may have been modified within the system.

partial-destruction

Some data of this type has been destroyed, but sufficient data remains to allow partial functionality.

partial-modification

Some data in the system has been modified, but the remaining data is of an acceptable level of integrity for operations to continue.

full-destruction

Sufficient data of this type was destroyed to render the system inoperable until recovery can be completed.

full-modification

Sufficient data of this type was modified to render the system inoperable until recovery can be completed.

none

There is no evidence of destruction or modification of this data type in the system.

unknown

It is unknown if destruction or modification of this data type in the system has occurred.

5.5. Physical Impact Enumeration

Type Name: physical-impact-enum

Vocabulary Value Description

damaged-functional

The property, asset or system was damaged but remains functional, and repair may be possible.

damaged-nonfunctional

The property, asset or system was damaged and does not remain functional, but repair may be possible.

destruction

The property, asset or system was destroyed, cannot be repaired and no longer functions.

In some cases destroyed assets can be rebuilt, but doing so involves a similar amount of effort as the original construction.

none

No damage or destruction has occurred.

unknown

The degree of damage has not been determined yet.

5.6. Recoverability Enumeration

Type Name: recoverability-enum

Vocabulary Value Description

extended

Time to recovery is unpredictable; additional resources and outside help are necessary.

not-applicable

No recovery is necessary.

not-recoverable

Recovery from the incident is not possible.

regular

Time to recovery is predictable with existing resources.

supplemented

Time to recovery is predictable with additional resources.

5.7. Task Outcome Enumeration

Type Name: task-outcome-enum

Vocabulary Value Description

cancelled

The task was planned or started, but later cancelled or discarded.

failed

The task has been completed, but failed.

ongoing

The task is still taking place.

pending

The task has not yet been started, but is currently planned.

successful

The task was completed successfully.

unknown

The status of this task is currently unknown.

5.8. Timestamp Fidelity Enumeration

Type Name: timestamp-fidelity-enum

Vocabulary Value Description

day

The associated timestamp should be considered to represent a time within the one day period starting with the provided timestamp.

Hours and minutes should be understood to establish the timezone for this activity.

hour

The associated timestamp should be considered to represent a time within the one hour period starting with the provided timestamp.

minute

The associated timestamp should be considered to represent a time within the one minute period starting with the provided timestamp.

month

The associated timestamp should be considered to represent a time within the one month period starting with the provided timestamp.

Hours and minutes should be understood to establish the timezone for the activity. The day should always be listed as the first day of the month, or as the last day of the previous month if in a timezone that is offset before UTC.

second

The associated timestamp should be considered to represent a time within the one second period starting with the provided timestamp.

year

The associated timestamp should be considered to represent a time within the one year period starting with the provided timestamp.

Hours and minutes should be understood to establish the timezone for the activity.
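The following Python is an added example, not part of the specification, showing how a consumer turns a (timestamp, fidelity) pair into the UTC window it denotes and how a producer encodes a whole local month under the convention above; the function names are the example's own, and the "Z"-terminated UTC form of STIX timestamps is assumed.

```python
from datetime import datetime, timedelta, timezone, date
import calendar

# Window length in UTC for the fidelity values whose period does not depend on the calendar.
FIXED_PERIODS = {
    "second": timedelta(seconds=1),
    "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1),
    "day": timedelta(days=1),
}

def parse_stix_timestamp(ts: str) -> datetime:
    """STIX timestamps are UTC and end in 'Z'; return an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def period_start_date(t: datetime, fidelity: str) -> date:
    """Recover the local calendar date on which a 'month' or 'year' period starts.
    Per the enumeration, the UTC date is the first day of the period, or the last day
    of the previous period when the producer's zone is offset before UTC; the hours
    and minutes carry the zone offset and are not needed to find the date."""
    d = t.date()
    first = d if d.day == 1 else d + timedelta(days=1)
    if first.day != 1 or (fidelity == "year" and first.month != 1):
        raise ValueError(f"{t.isoformat()} does not mark the start of a {fidelity}")
    return first

def fidelity_window(ts: str, fidelity: str):
    """Return (start, end) in UTC: the half-open interval the timestamp denotes."""
    t = parse_stix_timestamp(ts)
    if fidelity in FIXED_PERIODS:
        return t, t + FIXED_PERIODS[fidelity]
    if fidelity not in ("month", "year"):
        raise ValueError(f"unknown timestamp-fidelity-enum value: {fidelity}")
    start = period_start_date(t, fidelity)
    if fidelity == "month":
        days = calendar.monthrange(start.year, start.month)[1]
    else:
        days = 366 if calendar.isleap(start.year) else 365
    # A whole local month or year spans that many days regardless of the zone offset.
    return t, t + timedelta(days=days)

def month_timestamp(year: int, month: int, utc_offset_hours: float) -> str:
    """Producer side (constructed helper): encode 'the month year-month' as observed from
    a zone at utc_offset_hours. Local midnight on the 1st, converted to UTC, lands on the
    1st (zones at or behind UTC) or on the last day of the previous month (zones ahead
    of UTC), with the hours and minutes establishing the zone as the enumeration requires."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    local_midnight = datetime(year, month, 1, tzinfo=zone)
    return local_midnight.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
```

A timestamp that falls on neither the first day of the period nor the last day of the previous one is rejected rather than silently widened, since it cannot have been produced under the convention.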

5.9. Traceability Enumeration

Type Name: traceability-enum

Vocabulary Value Description

accountability-lost

Traces used to retrieve accountability are lost or do not exist.

partial-accountability

Traces are present, but insufficient to have provable accountability.

provable-accountability

Accountability can be ensured from the traces that are present.

unknown-accountability

Accountability is unknown.

6. Relationship Summary Table

Source     Type             Target
---------  ---------------  ----------------------
event      causes           impact
event      impacts          infrastructure
event      led-to           task
event      located-at       location
task       blocks           event
task       causes           event
task       creates          indicator
task       detects          event
task       impacts          infrastructure
task       located-at       location
task       uses             course-of-action
campaign   associated-with  incident
identity   assigned         task
identity   contact-for      task, incident
identity   participated-in  task
identity   performed        task, event,
incident   attributed-to    intrusion-set
incident   impacts          identity
incident   led-to           incident
incident   located-at       location
incident   targets          identity
indicator  based-on         event
indicator  detected         incident
malware    performed        event
tool       performed        event, task

Appendix A. Incident Availability Impact Mapping

This appendix defines mappings for availability and functional scales to be used by the availability impact property. A value of "Not Specified" in the tables below means that the criticality property is not present.

US-CERT                                        STIX Criticality Value  Range of Values
---------------------------------------------  ----------------------  ---------------
Not Specified                                  Not Specified           N/A
No Impact                                      0                       0
No Impact to Services                          5                       1-9
Minimal Impact to Non-Critical Services        15                      10-19
Minimal Impact to Critical Services            30                      20-39
Significant Impact to Non-Critical Services    50                      40-59
Denial of Non-Critical Services                65                      60-69
Significant Impact to Critical Services        75                      70-79
Denial of Critical Services / Loss of Control  90                      80-100

Simple Qualitative  STIX Criticality Value  Range of Values
------------------  ----------------------  ---------------
Not Specified       Not Specified           N/A
None                0                       0
Minimal             20                      1-39
Significant         50                      40-59
Denial              75                      60-89
Loss of Control     95                      90-100

0 to 10        STIX Criticality Value  Range of Values
-------------  ----------------------  ---------------
Not Specified  Not Specified           N/A
0              0                       0-4
1              10                      5-14
2              20                      15-24
3              30                      25-34
4              40                      35-44
5              50                      45-54
6              60                      55-64
7              70                      65-74
8              80                      75-84
9              90                      85-94
10             100                     95-100

Appendix B. Incident Criticality Mapping

This appendix defines mappings for criticality scales to be used by the criticality property. A value of "Not Specified" in the tables below means that the criticality property is not present.

5 Qualitative   STIX Criticality Value  Range of Values
--------------  ----------------------  ---------------
Not Specified   Not Specified           N/A
False Positive  0                       0
Low             15                      1-29
Moderate        40                      30-49
High            70                      50-89
Extreme         95                      90-100

Major / Minor  STIX Criticality Value  Range of Values
-------------  ----------------------  ---------------
Not Specified  Not Specified           N/A
None           0                       0
Minor          25                      1-49
Major          75                      50-100

Major / Minor / Critical  STIX Criticality Value  Range of Values
------------------------  ----------------------  ---------------
Not Specified             Not Specified           N/A
None                      0                       0
Minor                     25                      1-49
Major                     70                      50-89
Critical                  95                      90-100

None, Low, High, Extreme  STIX Criticality Value  Range of Values
------------------------  ----------------------  ---------------
Not Specified             Not Specified           N/A
None                      0                       0
Low                       20                      1-39
High                      65                      40-89
Extreme                   95                      90-100

VERIS          STIX Criticality Value  Range of Values
-------------  ----------------------  ---------------
Unknown        Not Specified           N/A
Insignificant  10                      0-19
Distracting    35                      20-49
Painful        60                      50-69
Damaging       80                      70-90
Catastrophic   95                      90-100

0 to 10        STIX Criticality Value  Range of Values
-------------  ----------------------  ---------------
Not Specified  Not Specified           N/A
0              0                       0-4
1              10                      5-14
2              20                      15-24
3              30                      25-34
4              40                      35-44
5              50                      45-54
6              60                      55-64
7              70                      65-74
8              80                      75-84
9              90                      85-94
10             100                     95-100
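As an added example serving both Appendix A and Appendix B (it is not part of the specification), the following Python encodes the Simple Qualitative, 5 Qualitative and VERIS tables plus the regular 0 to 10 table, converts labels to STIX criticality values and back, and checks each table for gaps and overlaps; the scale keys and function names are the example's own. On the VERIS table as printed above, the check reports that 90 falls in both the Damaging and Catastrophic ranges.

```python
# Each scale maps a label to (STIX criticality value, lowest, highest) of its Range of Values,
# copied from Appendix A (simple-qualitative) and Appendix B (5-qualitative, veris).
# "Not Specified" is represented by None (the property is absent), not by a row.
SCALES = {
    "simple-qualitative": {
        "None": (0, 0, 0), "Minimal": (20, 1, 39), "Significant": (50, 40, 59),
        "Denial": (75, 60, 89), "Loss of Control": (95, 90, 100),
    },
    "5-qualitative": {
        "False Positive": (0, 0, 0), "Low": (15, 1, 29), "Moderate": (40, 30, 49),
        "High": (70, 50, 89), "Extreme": (95, 90, 100),
    },
    "veris": {
        "Insignificant": (10, 0, 19), "Distracting": (35, 20, 49), "Painful": (60, 50, 69),
        "Damaging": (80, 70, 90), "Catastrophic": (95, 90, 100),
    },
    # The 0 to 10 table (same in both appendices) is regular: value 10n, range [10n-5, 10n+4]
    # clipped to 0..100, so it is generated rather than typed in.
    "0-10": {str(n): (10 * n, max(0, 10 * n - 5), min(100, 10 * n + 4)) for n in range(11)},
}

def to_stix(scale: str, label):
    """Producer: a label on the chosen scale -> criticality value (None = leave the property out)."""
    return None if label is None else SCALES[scale][label][0]

def from_stix(scale: str, value):
    """Consumer: criticality value -> label, using Range of Values.
    Where two ranges overlap, the first row in table order wins."""
    if value is None:
        return None
    if not 0 <= value <= 100:
        raise ValueError(f"criticality must be 0-100, got {value}")
    for label, (_, lo, hi) in SCALES[scale].items():
        if lo <= value <= hi:
            return label
    raise ValueError(f"{value} is not covered by scale {scale!r}")

def convert(label, src: str, dst: str):
    """Re-express a label from one scale on another by going through the STIX value."""
    return from_stix(dst, to_stix(src, label))

def check_scale(scale: str) -> dict:
    """Sanity-check a table: values 0..100 covered by no row or by several rows, and rows
    whose own STIX value lies outside their range (which would break the label round trip)."""
    rows = SCALES[scale]
    cover = {v: [lbl for lbl, (_, lo, hi) in rows.items() if lo <= v <= hi] for v in range(101)}
    return {
        "uncovered": [v for v, ls in cover.items() if not ls],
        "overlapping": [v for v, ls in cover.items() if len(ls) > 1],
        "bad_rows": [lbl for lbl, (val, lo, hi) in rows.items() if not lo <= val <= hi],
    }
```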

Appendix C. Acknowledgements

Primary Editor

Jeffrey Mates, US Department of Defense (DoD)

Contributors

The following individuals were members of the OASIS CTI Technical Committee and contributed time and effort to ensure that this extension would be possible. Their contributions are gratefully acknowledged:

  • Alexandre Cabrol Perales, Sopra Steria Group

  • Alexandre Dulaunoy, CIRCL

  • Ben Ottoman, Cyber Threat Intelligence Network, Inc. (CTIN)

  • Christian Hunt, Copado

  • Christopher Robinson, Cyber Threat Intelligence Network, Inc. (CTIN)

  • Christian Studer, CIRCL

  • David Kemp, National Security Agency (NSA)

  • Desiree Beck, MITRE Corporation

  • Duncan Sparrell, sFractal Consulting LLC

  • Emily Ratliff, IBM

  • Jane Ginn, Cyber Threat Intelligence Network, Inc. (CTIN)

  • Jason Keirstead, IBM

  • Jean-Philippe Salles, Filigran

  • Jeremy Berthelet, Sopra Steria Group

  • Jonathan Matkowsky, Microsoft

  • Keven Ates, US Federal Bureau of Investigation

  • Kirk Dunkelberger, Peraton

  • Leszek Adamiak, IBM

  • Margaux Quittelier, Sopra Steria Group

  • Marlon Taylor, DHS Cybersecurity and Infrastructure Security Agency (CISA)

  • Mateusz Zych, University of Oslo

  • Michael Rosa, National Security Agency (NSA)

  • Patrick Maroney, AT&T

  • Qem Lumi, Northrop Grumman

  • Richard Piazza, MITRE Corporation

  • Rob Coderre, Accenture

  • Robert Keith, Accenture

  • Ryan Hohimer, DarkLight, Inc.

  • Scott Robertson, Kaiser Permanente

  • Sean Carroll, National Security Agency

  • Stephen Campbell, Cyber Threat Intelligence Network, Inc. (CTIN)

  • Trey Darley, CCB/CERT.be

  • Vasileios Mavroeidis, University of Oslo

Appendix D. Revision History

Revision  Date        Editor                                    Changes Made
--------  ----------  ----------------------------------------  ------------------------------------------------------------
01        2022-05-23  Incident Mini Group                       Initial Version
02        2022-10-27  Jeffrey Mates                             Added ongoing to activity-outcome-enum. Removed normative text for attacker_activity.pattern_ref that indicated a field that does not exist can be excluded if it is present.
03        2023-02-15  Jeffrey Mates                             Added labels and criticality to all impact types. Made impacted_refs optional for availability impact. Replaced availability_impact with availability_impacts; new guidance is to use scores for this in more granular availability_impacts. Added ransom-demand and ransom-payment to monetary-impact-type-ov.
04        2023-07-10  Incident Mini Group                       Version 2.0
05        2023-10-10  Richard Piazza and Jeffrey Mates          Multiple editorial fixes, removing copy-paste errors and obsolete relationships.
06        2024-02-15  Richard Piazza, Jeffrey Mates and Dez Beck  Additional editorial fixes and minor changes to normative statements.
07        2024-07-02  Richard Piazza, Jeffrey Mates and Dez Beck  Removed event_sequence, event_entry, task_sequence, task_entry