Subject: Re: STIX 2.1 WD04 -> WD05 Changes


For those interested, the complete set of changes is below (we had missed a few things earlier):

 

Part 1: Master

  • Common property "spec_version": implicit value is now 2.1 for all SCOs, still 2.0 for all other objects
  • SCO Common property renamed: is_defanged -> defanged
  • In 3.5 Object Creator, a MAY was changed to a MUST, which could be read to mean that created_by_ref SHOULD be present on all objects that can have this property
  • Language Content
    • Object_modified now optional

Part 2: SDOs and SROs

  • Attack Pattern
    • New property: aliases
  • Grouping
    • object_refs are now required
  • Indicator
    • New property: pattern_type
    • New property: pattern_version
    • New relationship: indicator based-on observed-data
    • name, description SHOULD be present
  • Infrastructure
    • New property: aliases
  • Location
    • New property: name
    • Property renamed: code -> street_address
  • Malware
    • New relationship: malware originates-from location
  • Malware Analysis
    • One of av_result or analysis_sco_refs MUST be present
    • Property renamed: module -> modules
      • Property type changed: string -> list of type string
    • Property renamed: av_engine_version -> analysis_engine_version
    • Property renamed: av_definition_version -> analysis_definition_version
    • Property renamed: host_vm -> host_vm_ref
    • Property renamed: operating_system -> operating_system_ref
    • Property renamed: installed_software -> installed_software_refs
  • Observed Data
    • Property deprecated: objects
    • Removed a MUST requirement (that we couldn't validate), so now observed data can contain SCOs not related to each other
  • Threat Actor
    • New property: first_seen
    • New property: last_seen
  • Tool
    • New relationship: tool has vulnerability
  • Vulnerability
    • Relationship removed: vulnerability impacts infrastructure, tool
  • Sighting
    • New property: description

Part 3: SCOs

  • Directory Object
    • Property renamed: created -> ctime
    • Property renamed: modified -> mtime
    • Property renamed: accessed -> atime
  • Domain Name Object
    • Property deprecated: resolves_to_refs (was already optional in WD 04)
    • New relationship: domain-name resolves-to domain-name
    • New relationship: domain-name resolves-to ipv4-addr
    • New relationship: domain-name resolves-to ipv6-addr
  • File Object
    • Property renamed: created -> ctime
    • Property renamed: modified -> mtime
    • Property renamed: accessed -> atime
  • IPv4 Address Object (ipv4-addr)
    • Property deprecated: resolves_to_refs (was already optional in WD 04)
    • Property deprecated: belongs_to_refs (was already optional in WD 04)
    • New relationship: ipv4-addr resolves-to mac-addr
    • New relationship: ipv4-addr belongs-to autonomous-system
  • IPv6 Address Object (ipv6-addr)
    • Property deprecated: resolves_to_refs (was already optional in WD 04)
    • Property deprecated: belongs_to_refs (was already optional in WD 04)
    • New relationship: ipv6-addr resolves-to mac-addr
    • New relationship: ipv6-addr belongs-to autonomous-system
  • Windows Registry Key Object
    • Property renamed: modified -> modified_time
    • ID contributing properties: all items in values MUST be included

 

Part 4: Vocabs

  • Implementation Language (implementation-language-ov)
    • New value: perl
    • New value: ruby

Part 5: Patterns

  • An Observation Expression MUST NOT have more than one Qualifier of a particular type
  • For "a REPEATS x TIMES" a MUST match at least x times (changed from "exactly x times")
  • Comparison expressions MUST evaluate to false if evaluated against one or more Object Paths that are not present or cannot be obtained
  • New set operator for Comparison Expressions: EXISTS

 

Regards,

Ivan

 

From: Ivan Kirillov <ikirillov@mitre.org>
Date: Monday, July 15, 2019 at 10:03 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: STIX 2.1 WD04 -> WD05 Changes

 

All,

 

One of our team members put together a list of changes between WD04 and WD05 for those interested:

 

Part 2: SDOs and SROs

  • Attack Pattern
    • New property: aliases
  • Grouping
    • object_refs are now required
  • Indicator
    • New property: pattern_type
    • New property: pattern_version
    • New relationship: indicator based-on observed-data
  • Infrastructure
    • New property: aliases
  • Location
    • New property: name
    • Property renamed: code -> street_address
  • Malware
    • New relationship: malware originates-from location
  • Malware Analysis
    • Property renamed: module -> modules
      • Property type changed: string -> list of type string
    • Property renamed: av_engine_version -> analysis_engine_version
    • Property renamed: av_definition_version -> analysis_definition_version
    • Property renamed: host_vm -> host_vm_ref
    • Property renamed: operating_system -> operating_system_ref
    • Property renamed: installed_software -> installed_software_refs
  • Threat Actor
    • New property: first_seen
    • New property: last_seen
  • Tool
    • New relationship: tool has vulnerability
  • Vulnerability
    • Relationship removed: vulnerability impacts infrastructure, tool
  • Sighting
    • New property: description

Part 4: Vocabs

  • Implementation Language (implementation-language-ov)
    • New value: perl
    • New value: ruby

 

Regards,

Ivan
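As an added example (not part of the thread and not code from the STIX project), the following Python helper applies the WD04 -> WD05 property renames listed above to a STIX JSON object: the per-type renames from Parts 2 and 3, the is_defanged -> defanged SCO rename from Part 1, the module -> modules type change, and the deprecated resolves_to_refs / belongs_to_refs lists, which it rewrites as explicit relationship SROs using the relationship types the change list introduces. The function names, the sample objects, the placeholder ids and the decision to rewrite deprecated ref lists (the change list only deprecates them) are assumptions of this example.

```python
"""Apply the STIX 2.1 WD04 -> WD05 renames from the change list to JSON objects.

Constructed example: the rename tables come from Parts 1-3 of the thread; function
names, sample objects and the rewrite of deprecated *_refs lists as relationship
SROs are assumptions of this example, not specification text.
"""
import copy
import uuid
from datetime import datetime, timezone

# Parts 2 and 3: per-object-type property renames (old name -> new name).
RENAMES = {
    "location": {"code": "street_address"},
    "malware-analysis": {
        "module": "modules",
        "av_engine_version": "analysis_engine_version",
        "av_definition_version": "analysis_definition_version",
        "host_vm": "host_vm_ref",
        "operating_system": "operating_system_ref",
        "installed_software": "installed_software_refs",
    },
    "directory": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "file": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "windows-registry-key": {"modified": "modified_time"},
}

# Part 1: SCO common property is_defanged -> defanged. Only the SCO types that
# appear in the change list are included here (assumption of the example).
SCO_TYPES = {"directory", "domain-name", "file", "ipv4-addr", "ipv6-addr",
             "mac-addr", "windows-registry-key", "autonomous-system"}

# Part 3: deprecated embedded reference lists -> relationship_type of the SRO
# that WD05 introduces to express the same link.
DEPRECATED_REF_LISTS = {
    ("domain-name", "resolves_to_refs"): "resolves-to",
    ("ipv4-addr", "resolves_to_refs"): "resolves-to",
    ("ipv4-addr", "belongs_to_refs"): "belongs-to",
    ("ipv6-addr", "resolves_to_refs"): "resolves-to",
    ("ipv6-addr", "belongs_to_refs"): "belongs-to",
}


def make_relationship(source_ref, relationship_type, target_ref, timestamp):
    """Build a minimal STIX 2.1 relationship SRO pointing source -> target."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--" + str(uuid.uuid4()),
        "created": timestamp,
        "modified": timestamp,
        "relationship_type": relationship_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }


def migrate(obj, timestamp=None):
    """Return (WD05-shaped copy of obj, list of new relationship SROs).

    The input dict is left untouched; object types not in the tables pass through.
    """
    obj = copy.deepcopy(obj)
    otype = obj.get("type", "")
    # STIX timestamps are UTC with a 'Z' suffix; callers may pin one for tests.
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    new_sros = []

    for old, new in RENAMES.get(otype, {}).items():
        if old in obj:
            obj[new] = obj.pop(old)

    # Part 2: Malware Analysis 'module' (string) became 'modules' (list of string).
    if otype == "malware-analysis" and isinstance(obj.get("modules"), str):
        obj["modules"] = [obj["modules"]]

    if otype in SCO_TYPES and "is_defanged" in obj:
        obj["defanged"] = obj.pop("is_defanged")

    # Part 3: replace each entry of a deprecated ref list with an explicit SRO.
    for (rtype, prop), rel_type in DEPRECATED_REF_LISTS.items():
        if otype == rtype and prop in obj:
            for target in obj.pop(prop):
                new_sros.append(make_relationship(obj["id"], rel_type, target, timestamp))

    return obj, new_sros


# Constructed WD04-style sample objects; the ids are placeholders, not real UUIDs.
WD04_FILE = {"type": "file", "id": "file--00000000-0000-4000-8000-000000000001",
             "name": "report.pdf", "created": "2019-07-01T00:00:00.000Z", "is_defanged": False}
WD04_DOMAIN = {"type": "domain-name", "id": "domain-name--00000000-0000-4000-8000-000000000002",
               "value": "example.com",
               "resolves_to_refs": ["ipv4-addr--00000000-0000-4000-8000-000000000003"]}
WD04_ANALYSIS = {"type": "malware-analysis", "id": "malware-analysis--00000000-0000-4000-8000-000000000004",
                 "product": "example-av", "module": "heuristics", "av_engine_version": "1.0"}

if __name__ == "__main__":
    for sample in (WD04_FILE, WD04_DOMAIN, WD04_ANALYSIS):
        print(migrate(sample, timestamp="2019-07-15T10:03:00.000Z"))
```

Because the input is deep-copied, the helper can be run over an existing WD04 bundle's `objects` list and the returned SROs appended to it without touching the originals; objects whose type is not in the tables come back unchanged.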

 


