OASIS Mailing List Archives

cti-stix message

Subject: STIX MVP





| Capability | Description | 2.0 | 2.x | Never |
|---|---|---|---|---|
| Relationships | | | | |
| Standardized Relationships | Relationships pre-defined in STIX | X | | |
| User-Defined Relationships | Ability to use relationships that were not pre-defined in STIX | X | | |
| Indicator Use Cases | | | | |
| Indicators | Basic indicator object | X | | |
| CybOX Indicator Patterns | Use of "native" CybOX patterning for indicator patterns | X | | |
| Third-Party Indicator Patterns | Use of Snort, Yara, OpenIOC, and other signature formats as patterns | X | | |
| Sightings | Ability to create and share sightings of indicators, however it's done | X | | |
| Incident Use Cases | | | | |
| Incident Basics | Just the basics needed to track incidents | X | | |
| Asset Stub | A stub of an asset model, abstracted out of Incident, likely a pointer | X if basic definition | | X if this means only an ext ref |
| Complete Asset Model | A more complete asset model that defines many fields | | X | |
| Advanced Incident | Impacts, detailed analytics, etc. | X if this means incident as in 1.2 X if above and beyond | | |
| "Investigation" (pre-incident) | Something to track "events", "investigations", and other activity that may not be an incident yet. | | X | |
| Analysis Objects | | | | |
| Attack Patterns | See STIX 1.2 AttackPatternType | X | | |
| Exploits | See STIX 1.2 ExploitType (note: NOT ExploitTargetType) | X | | |
| Kill Chains | See STIX 1.2 KillChainType and KillChainPhaseType | X | | |
| Malicious Infrastructure | See STIX 1.2 InfrastructureType | X | | |
| Malicious Tool | See STIX 1.2 ToolType | X | | |
| Malware | See STIX 1.2 MalwareType | X | | |
| Persona | See STIX 1.2 PersonasType (was just an identity) | X | | |
| Victim Targeting | See STIX 1.2 VictimTargetingType | X. Need more than basic identity | | |
| Configuration/Misconfiguration | See STIX 1.2 ConfigurationType | X | | |
| Vulnerability | See STIX 1.2 VulnerabilityType | X | | |
| Weakness | See STIX 1.2 WeaknessType | X | | |
| Attribution & Tracking | | | | |
| Threat Actor | See STIX 1.2 ThreatActorType | X | | |
| Campaign | See STIX 1.2 CampaignType | X | | |
| Intrusion Set | Representation of intrusion sets, separate from actors and campaigns | | ? | |
| Response Actions | | | | |
| Course of Action | See STIX 1.2 CourseOfActionType | X | | |
| Automated Course of Action | Structured representation for automating courses of action | | X | |
| Data Markings | | | | |
| Object-Level Markings | Markings applied to a complete top-level object (Level 1 Markings) | X | | |
| Field-Level Markings | Markings applied to individual fields within objects (Level 2 Markings) | | X | |
| TLP Marking Definition | Representation of a TLP marking | X | | |
| Copyright/TOU Marking Definition | Representation of Copyright/TOU markings | X | | |
| Consensus "STIX Default" Marking Definition | Representation of a more complete, consensus, "better than TLP" marking | | X | |
| Cross-Cutting Capabilities | | | | |
| Packaging around TLOs (Package object) | STIX "package" object, whatever that turns into | X | | |
| Reports | Report object | X | | |
| Internationalization | Support for STIX content in multiple languages/localizations | X | | |
| Basic Identity | Small set of critical properties | X | | |
| Full Identity | Extensive identity representation, similar to CIQ | X. Don’t need all of CIQ but relevant portions | | |
| References/Sources | References to non-STIX content and information sources | X | | |
| Defensive Tools | Representation of information about tools used for defense or to create content. | X. At least use Tool | | |
| Rich Text | HTML, Markdown, or some other rich text format for descriptions | | X | |
| Versioning | Ability to version and revoke content | X | | |
| Vendor-Defined Fields | Definition and conformance for how vendors can extend STIX | X | | |
| Representing Confidence | Representation of confidence in the accuracy of information | X | | |
| Representing Impact / Potential Impact | Representations of actual or potential impact of threats (e.g. for malware) | X | | |
| Custom Vocabularies | Ability to use custom (non-standard) vocabularies in places we have standard vocabularies defined | X | | |
| Opinion/Assert Object | Ability to represent opinions / assertions about STIX content created by others | X | | |
| STIX Request/Response | Ability to create asynchronous STIX requests and responses for information beyond a single TAXII server | | | X |
| Generic Tagging | Ability to tag STIX top-level objects with generic text | | X | |


