OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Proposed normative text available for defining a common set of properties for all TLOs - (Goal: Reach official consensus by Monday)

Defining a common set of properties for all TLOs is one of the issues that we seem to have general consensus on but have not yet agreed to normative text.

Proposed normative text is now available for your review in the CTI Common 1.0 Specification Pre-draft document.
It is fairly straightforward and should not take long to consider.
Please review the normative text and add comments to the document for any concerns, questions or ideas you may have.
If we do not see any significant concerns/objections to the normative text by Monday we will consider this issues to have officially achieved consensus and move on to others.

For the quick convenience of anyone having difficulty accessing the live specification pre-draft document the relevant text is included below.

CTI Core Properties

CTI Core is a base set of properties that are inherited by most top-level objects across the CTI family of specifications (primarily STIX and CybOX).

Property Name



type (required)


The type of construct being represented. This is a fixed value for each top-level object, formatted as all lowercase with ‘-’ as a separator (e.g. attack-pattern). This is a serialization-based field and derives from the type of the construct in the model.

id (required)


A globally unique identifier for this object

spec_version (required)


The release version of the language specification used to represent this construct

created_at (required)


The time that the object with this ID was created

created_by_ref (optional)


The ID of the Identity Object that describes who created this object.

marking_refs (optional)


The set of “Level 1” markings applied to this object

structured_markings (optional)


The set of “Level 2” markings applied to this object



array of type string

A list of JSONPath statements, rooted at the top-level object that structured_markings is contained in, that the marking_refs apply to.

   marking_refs (required)


The list of markings that apply to the fields selected by controlled_structures.


This example shows the simultaneous use of a Level 1 marking and a Level 2 marking on the Indicator top-level object.  The Level 2 marking on the description takes precedence over the Level 1 marking for the rest of the object.  


 "type": "indicator",

 "id": "indicator--089a6ecb-cc15-43cc-9494-767639779235",

 "spec_version": "stix-2.0",

 "created_at": "2016-01-10T13:15:18Z",

 "created_by_ref": "source--089a6ecb-cc15-43cc-9494-767639779231",

 "marking_refs": ["data-marking--089a6ecb-cc15-43cc-9494-767639779123"],

 "structured_markings": [


     "controlled_structures": ["$.description"],

     "marking_refs": ["data-marking--089a6ecb-cc15-43cc-9494-767639779124"]


 "description": ["Some description"]


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]