| Capability | 2.0 | 2.x | Never |
|---|---|---|---|
| Relationships | | | |
| Standardized Relationships: relationships pre-defined in STIX | X | | |
| User-Defined Relationships: ability to use relationships that were not pre-defined in STIX | X | | |
| Indicator Use Cases | | | |
| Indicators: basic indicator object | X | | |
| CybOX Indicator Patterns: use of "native" CybOX patterning for indicator patterns | X | | |
| Third-Party Indicator Patterns: use of Snort, Yara, OpenIOC, and other signature formats as patterns | X | | |
| Sightings: ability to create and share sightings of indicators, however it's done | X | | |
| Incident Use Cases | | | |
| Incident Basics: just the basics needed to track incidents | X | | |
| Asset Stub: a stub of an asset model, abstracted out of Incident, likely a pointer | X if basic definition | | X if this means only an ext ref |
| Complete Asset Model: a more complete asset model that defines many fields | | X | |
| Advanced Incident: impacts, detailed analytics, etc. | X if this means incident as in 1.2 | X if above and beyond | |
| "Investigation" (pre-incident): something to track "events", "investigations", and other activity that may not be an incident yet | | X | |
| Analysis Objects | | | |
| Attack Patterns: see STIX 1.2 AttackPatternType | X | | |
| Exploits: see STIX 1.2 ExploitType (note: NOT ExploitTargetType) | X | | |
| Kill Chains: see STIX 1.2 KillChainType and KillChainPhaseType | X | | |
| Malicious Infrastructure: see STIX 1.2 InfrastructureType | X | | |
| Malicious Tool: see STIX 1.2 ToolType | X | | |
| Malware: see STIX 1.2 MalwareType | X | | |
| Persona: see STIX 1.2 PersonasType (was just an identity) | X | | |
| Victim Targeting: see STIX 1.2 VictimTargetingType | X (needs more than basic identity) | | |
| Configuration/Misconfiguration: see STIX 1.2 ConfigurationType | X | | |
| Vulnerability: see STIX 1.2 VulnerabilityType | X | | |
| Weakness: see STIX 1.2 WeaknessType | X | | |
| Attribution & Tracking | | | |
| Threat Actor: see STIX 1.2 ThreatActorType | X | | |
| Campaign: see STIX 1.2 CampaignType | X | | |
| Intrusion Set: representation of intrusion sets, separate from actors and campaigns | | ? | |
| Response Actions | | | |
| Course of Action: see STIX 1.2 CourseOfActionType | X | | |
| Automated Course of Action: structured representation for automating courses of action | | X | |
| Data Markings | | | |
| Object-Level Markings: markings applied to a complete top-level object (Level 1 Markings) | X | | |
| Field-Level Markings: markings applied to individual fields within objects (Level 2 Markings) | | X | |
| TLP Marking Definition: representation of a TLP marking | X | | |
| Copyright/TOU Marking Definition: representation of Copyright/TOU markings | X | | |
| Consensus "STIX Default" Marking Definition: representation of a more complete, consensus, "better than TLP" marking | | X | |
| Cross-Cutting Capabilities | | | |
| Packaging around TLOs (Package object): STIX "package" object, whatever that turns into | X | | |
| Reports: Report object | X | | |
| Internationalization: support for STIX content in multiple languages/localizations | X | | |
| Basic Identity: small set of critical properties | X | | |
| Full Identity: extensive identity representation, similar to CIQ | X (don't need all of CIQ, but the relevant portions) | | |
| References/Sources: references to non-STIX content and information sources | X | | |
| Defensive Tools: representation of information about tools used for defense or to create content | X (at least use Tool) | | |
| Rich Text: HTML, Markdown, or some other rich text format for descriptions | | X | |
| Versioning: ability to version and revoke content | X | | |
| Vendor-Defined Fields: definition and conformance for how vendors can extend STIX | X | | |
| Representing Confidence: representation of confidence in the accuracy of information | X | | |
| Representing Impact / Potential Impact: representations of actual or potential impact of threats (e.g. for malware) | X | | |
| Custom Vocabularies: ability to use custom (non-standard) vocabularies in places where we have standard vocabularies defined | X | | |
| Opinion/Assert Object: ability to represent opinions/assertions about STIX content created by others | X | | |
| STIX Request/Response: ability to create asynchronous STIX requests and responses for information beyond a single TAXII server | | | X |
| Generic Tagging: ability to tag STIX top-level objects with generic text | | X | |
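As an added example, not part of this planning table and not code from the OASIS CTI TC: the JSON shape that the published STIX 2.0 specification ended up using for several rows marked 2.0 above (standardized and user-defined relationships, indicator patterns, sightings, object-level markings, TLP and statement/TOU marking definitions, versioning with revocation, vendor-defined `x_` properties), together with the consistency checks a consumer should run on a received bundle. Two points worth noting against the table: the published 2.0 spec did include field-level markings (`granular_markings` with selectors), which the table still defers to 2.x, and indicator patterns use STIX Patterning with CybOX-derived object paths rather than a third-party signature format. Everything below is constructed: the objects, the all-zero hash, the `x_example_ticket` property, and the marking-definition ids (the spec fixes well-known ids for the TLP markings; this script generates its own).

```python
"""Constructed STIX 2.0 sample bundle plus consumer-side consistency checks.
Added example, not OASIS code; all ids, objects and x_example_ticket are made up."""
import json
import uuid
from datetime import datetime, timezone

def stix_id(obj_type):
    """STIX 2.0 identifiers are '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"

def stamp(year, month, day):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX 2.0 requires."""
    return datetime(year, month, day, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(obj_type, created, created_by=None, **props):
    """Common properties shared by STIX Domain and Relationship Objects."""
    obj = {"type": obj_type, "id": stix_id(obj_type), "created": created, "modified": created}
    if created_by:
        obj["created_by_ref"] = created_by
    obj.update(props)
    return obj

def new_version(obj, modified, **changes):
    """Versioning: same id, later 'modified'; pass revoked=True to retract the object."""
    version = dict(obj)
    version["modified"] = modified
    version.update(changes)
    return version

def build_bundle():
    """Constructed sample bundle; marking ids are generated locally (assumption) rather
    than the well-known TLP ids the published spec fixes."""
    t0, t1, t2 = stamp(2016, 4, 1), stamp(2016, 4, 2), stamp(2016, 4, 3)
    tlp_amber = {"type": "marking-definition", "id": stix_id("marking-definition"),
                 "created": t0, "definition_type": "tlp", "definition": {"tlp": "amber"}}
    tou = {"type": "marking-definition", "id": stix_id("marking-definition"), "created": t0,
           "definition_type": "statement",
           "definition": {"statement": "Copyright 2016 Example CTI Team (constructed)."}}
    team = sdo("identity", t0, name="Example CTI Team", identity_class="organization")
    dropper = sdo("malware", t0, team["id"], name="ExampleDropper", labels=["dropper"])
    ind_v1 = sdo("indicator", t0, team["id"], labels=["malicious-activity"], valid_from=t0,
                 # STIX patterning: CybOX-derived object paths; hash is a constructed placeholder
                 pattern="[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
                 object_marking_refs=[tou["id"]],                      # object-level marking
                 granular_markings=[{"marking_ref": tlp_amber["id"],  # field-level marking
                                     "selectors": ["pattern"]}],
                 x_example_ticket="CT-0001")                           # vendor-defined field
    ind_v2 = new_version(ind_v1, t1, description="Hash of the constructed dropper sample.")
    indicates = sdo("relationship", t0, team["id"], relationship_type="indicates",  # standardized
                    source_ref=ind_v1["id"], target_ref=dropper["id"])
    derived = sdo("relationship", t0, team["id"], relationship_type="derived-from-sample",  # user-defined
                  source_ref=ind_v1["id"], target_ref=dropper["id"])
    derived_revoked = new_version(derived, t2, revoked=True)
    sighting = sdo("sighting", t1, team["id"], sighting_of_ref=ind_v1["id"], count=3,
                   first_seen=t0, last_seen=t1, where_sighted_refs=[team["id"]])
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": [tlp_amber, tou, team, dropper, ind_v1, ind_v2, indicates,
                        derived, derived_revoked, sighting]}

def current_objects(bundle):
    """Resolve versions: per id keep the latest 'modified', then drop revoked objects.
    Marking definitions carry no 'modified' and are never versioned."""
    latest = {}
    for obj in bundle["objects"]:
        prev = latest.get(obj["id"])
        if prev is None or obj.get("modified", "") > prev.get("modified", ""):
            latest[obj["id"]] = obj
    return [obj for obj in latest.values() if not obj.get("revoked", False)]

def lint(objects):
    """Consumer checks: every *_ref/*_refs resolves inside the set, and every
    granular-marking selector names a property the object actually carries."""
    ids = {obj["id"] for obj in objects}
    issues = []
    for obj in objects:
        for key, val in obj.items():
            if key.endswith("_ref") and val not in ids:
                issues.append(f"{obj['id']}: dangling {key} -> {val}")
            elif key.endswith("_refs"):
                issues += [f"{obj['id']}: dangling {key} -> {r}" for r in val if r not in ids]
        for gm in obj.get("granular_markings", []):
            if gm["marking_ref"] not in ids:
                issues.append(f"{obj['id']}: dangling marking_ref -> {gm['marking_ref']}")
            issues += [f"{obj['id']}: selector {s!r} names no property"
                       for s in gm["selectors"] if s not in obj]
    return issues

def markings_for(obj, prop=None):
    """Effective markings on `prop`: object-level refs plus granular refs that select it."""
    refs = list(obj.get("object_marking_refs", []))
    for gm in obj.get("granular_markings", []):
        if prop is not None and prop in gm["selectors"]:
            refs.append(gm["marking_ref"])
    return refs

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    live = current_objects(bundle)
    print("raw issues:", lint(bundle["objects"]), "| live objects:", len(live), "| live issues:", lint(live))
```

The check worth internalising is the order of operations: run `lint` after `current_objects`, not before. A bundle can be fully self-consistent on the wire and still leave a relationship or sighting pointing at nothing once version resolution drops a revoked target, which is exactly what happens if the malware object above is revoked while the `indicates` relationship is not.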