For those interested, the complete set of changes is below (we had missed a few things earlier):
Part 1: Master
- Common property "spec_version": implicit value is now 2.1 for all SCOs, still 2.0 for all other objects
- SCO Common property renamed: is_defanged -> defanged
- In 3.5 Object Creator, a MAY was changed to a MUST, which could be read to mean that created_by_ref SHOULD be present on all objects that can have this property
- Language Content
  - object_modified now optional
Part 2: SDOs and SROs
- Attack Pattern
- Grouping
  - object_refs are now required
- Indicator
  - New property: pattern_type
  - New property: pattern_version
  - New relationship: indicator based-on observed-data
  - name, description SHOULD be present
- Infrastructure
- Location
  - New property: name
  - Property renamed: code -> street_address
- Malware
  - New relationship: malware originates-from location
- Malware Analysis
  - One of av_result or analysis_sco_refs MUST be present
  - Property renamed: module -> modules
  - Property type changed: string -> list of type string
  - Property renamed: av_engine_version -> analysis_engine_version
  - Property renamed: av_definition_version -> analysis_definition_version
  - Property renamed: host_vm -> host_vm_ref
  - Property renamed: operating_system -> operating_system_ref
  - Property renamed: installed_software -> installed_software_refs
- Observed Data
  - Property deprecated: objects
  - Removed a MUST requirement (that we couldn't validate), so now observed data can contain SCOs not related to each other
- Threat Actor
  - New property: first_seen
  - New property: last_seen
- Tool
  - New relationship: tool has vulnerability
- Vulnerability
  - Relationship removed: vulnerability impacts infrastructure, tool
- Sighting
  - New property: description
Part 3: SCOs
- Directory Object
  - Property renamed: created -> ctime
  - Property renamed: modified -> mtime
  - Property renamed: accessed -> atime
- Domain Name Object
  - Property deprecated: resolves_to_refs (was already optional in WD 04)
  - New relationship: domain-name resolves-to domain-name
  - New relationship: domain-name resolves-to ipv4-addr
  - New relationship: domain-name resolves-to ipv6-addr
- File Object
  - Property renamed: created -> ctime
  - Property renamed: modified -> mtime
  - Property renamed: accessed -> atime
- IPv4 Address Object (ipv4-addr)
  - Property deprecated: resolves_to_refs (was already optional in WD 04)
  - Property deprecated: belongs_to_refs (was already optional in WD 04)
  - New relationship: ipv4-addr resolves-to mac-addr
  - New relationship: ipv4-addr belongs-to autonomous-system
- IPv6 Address Object (ipv6-addr)
  - Property deprecated: resolves_to_refs (was already optional in WD 04)
  - Property deprecated: belongs_to_refs (was already optional in WD 04)
  - New relationship: ipv6-addr resolves-to mac-addr
  - New relationship: ipv6-addr belongs-to autonomous-system
- Windows Registry Key Object
  - Property renamed: modified -> modified_time
  - ID contributing properties: all items in values MUST be included
Part 4: Vocabs
- Implementation Language (implementation-language-ov)
  - New value: perl
  - New value: ruby
Part 5: Patterns
- An Observation expression MUST NOT have more than one Qualifier of a particular type
- For "a REPEATS x TIMES", a MUST match at least x times (changed from "exactly x times")
- Comparison expressions MUST evaluate to false if evaluated against one or more Object Paths that are not present or cannot be obtained
- New set operator for Comparison Expressions: EXISTS
Regards,
Ivan
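Added example, not part of Ivan's messages and not code from the OASIS CTI TC: a small Python script that migrates a WD04-style Observed Data object into the WD05 shape the list above describes. The embedded objects dictionary becomes stand-alone SCOs listed in object_refs, is_defanged becomes defanged, the file/directory/registry-key timestamp properties get their new names, and the deprecated resolves_to_refs / belongs_to_refs lists on domain-name and IP address objects become resolves-to / belongs-to relationship objects, with any remaining embedded *_ref values rewritten to the new SCO ids. Assumptions not taken from the message: SCO ids are generated as random UUIDv4 (the ID-contributing-property rules are not modelled), the sample input is constructed for this example, and the relationship object layout follows the published STIX 2.1 JSON conventions.

```python
"""Migrate a WD04-style Observed Data object to the WD05 shape.

Added illustration, not code from the OASIS CTI TC. Assumptions: SCO ids
are random UUIDv4 (deterministic ids are not modelled) and SAMPLE_WD04
below is a constructed input.
"""
import copy
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"

# Part 3: timestamp properties renamed on file, directory and registry-key SCOs
TIME_RENAMES = {
    "file": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "directory": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "windows-registry-key": {"modified": "modified_time"},
}
# Part 3: deprecated embedded reference lists that are now expressed as SROs
REF_LIST_TO_RELATIONSHIP = {
    "resolves_to_refs": "resolves-to",
    "belongs_to_refs": "belongs-to",
}


def _new_id(obj_type):
    # Assumption: random ids; WD05's ID-contributing-property rules are not applied here.
    return f"{obj_type}--{uuid.uuid4()}"


def _timestamp():
    # STIX timestamp with millisecond precision, e.g. 2019-07-15T10:03:00.000Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _relationship(source_id, relationship_type, target_id):
    ts = _timestamp()
    return {
        "type": "relationship",
        "spec_version": SPEC_VERSION,
        "id": _new_id("relationship"),
        "created": ts,
        "modified": ts,
        "relationship_type": relationship_type,
        "source_ref": source_id,
        "target_ref": target_id,
    }


def _remap_embedded_refs(sco, ids):
    """Rewrite remaining *_ref / *_refs values from WD04 local keys to SCO ids."""
    for prop, value in list(sco.items()):
        if prop.endswith("_ref") and isinstance(value, str) and value in ids:
            sco[prop] = ids[value]
        elif prop.endswith("_refs") and isinstance(value, list):
            sco[prop] = [ids.get(v, v) for v in value]


def migrate_observed_data(observed_data):
    """Return (observed_data_wd05, scos, relationships) for a WD04 observed-data dict."""
    od = copy.deepcopy(observed_data)
    embedded = od.pop("objects", {})               # WD04: SCOs keyed by a local index
    ids = {key: sco_id for key, sco_id in            # assign ids first so forward refs resolve
           ((k, _new_id(s["type"])) for k, s in embedded.items())}
    scos, relationships = [], []
    for key, original in embedded.items():
        sco = dict(original)
        sco["id"] = ids[key]
        if "is_defanged" in sco:                     # Part 1: is_defanged -> defanged
            sco["defanged"] = sco.pop("is_defanged")
        for old, new in TIME_RENAMES.get(sco["type"], {}).items():
            if old in sco:
                sco[new] = sco.pop(old)
        for ref_prop, rel_type in REF_LIST_TO_RELATIONSHIP.items():
            for target_key in sco.pop(ref_prop, []):  # deprecated ref list -> SRO per target
                relationships.append(_relationship(ids[key], rel_type, ids[target_key]))
        _remap_embedded_refs(sco, ids)
        scos.append(sco)
    od["spec_version"] = SPEC_VERSION
    od["object_refs"] = [ids[key] for key in embedded]  # WD05: reference SCOs by id
    return od, scos, relationships


# Constructed sample input in WD04 shape (documentation address range and AS number).
SAMPLE_WD04 = {
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
    "created": "2019-07-15T10:03:00.000Z",
    "modified": "2019-07-15T10:03:00.000Z",
    "first_observed": "2019-07-15T09:00:00Z",
    "last_observed": "2019-07-15T09:00:00Z",
    "number_observed": 1,
    "objects": {
        "0": {"type": "domain-name", "value": "example.com", "resolves_to_refs": ["1"]},
        "1": {"type": "ipv4-addr", "value": "198.51.100.7", "belongs_to_refs": ["2"]},
        "2": {"type": "autonomous-system", "number": 64496},
        "3": {"type": "directory", "path": "C:\\Users\\Public", "modified": "2019-07-02T00:00:00Z"},
        "4": {"type": "file", "name": "dropper.exe", "is_defanged": False,
              "created": "2019-07-01T00:00:00Z", "parent_directory_ref": "3"},
    },
}

if __name__ == "__main__":
    od, scos, rels = migrate_observed_data(SAMPLE_WD04)
    print(json.dumps({"type": "bundle", "id": _new_id("bundle"),
                      "objects": [od, *scos, *rels]}, indent=2))
```

Because WD05 only deprecates the objects property, a consumer may still receive both shapes; running the migration on ingest keeps downstream graph queries on resolves-to / belongs-to relationships uniform.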
From: Ivan Kirillov <ikirillov@mitre.org>
Date: Monday, July 15, 2019 at 10:03 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: STIX 2.1 WD04 -> WD05 Changes
All,
One of our team members put together a list of changes between WD04 and WD05 for those interested:
Part 2: SDOs and SROs
- Attack Pattern
- Grouping
  - object_refs are now required
- Indicator
  - New property: pattern_type
  - New property: pattern_version
  - New relationship: indicator based-on observed-data
- Infrastructure
- Location
  - New property: name
  - Property renamed: code -> street_address
- Malware
  - New relationship: malware originates-from location
- Malware Analysis
  - Property renamed: module -> modules
  - Property type changed: string -> list of type string
  - Property renamed: av_engine_version -> analysis_engine_version
  - Property renamed: av_definition_version -> analysis_definition_version
  - Property renamed: host_vm -> host_vm_ref
  - Property renamed: operating_system -> operating_system_ref
  - Property renamed: installed_software -> installed_software_refs
- Threat Actor
  - New property: first_seen
  - New property: last_seen
- Tool
  - New relationship: tool has vulnerability
- Vulnerability
  - Relationship removed: vulnerability impacts infrastructure, tool
- Sighting
  - New property: description
Part 4: Vocabs
- Implementation Language (implementation-language-ov)
  - New value: perl
  - New value: ruby
Regards,
Ivan
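Added example, not part of either message in the thread and not the stix2-patterns library: a toy evaluator for the four pattern-semantics changes listed under Part 5 of the follow-up message above (one Qualifier per type, REPEATS x TIMES meaning at least x matches, comparisons against an absent Object Path evaluating to false, and the new EXISTS operator). Patterns are written as a small tuple AST rather than the textual grammar, an observation is a list of SCO dicts, and the sample observations are constructed. Simplifying assumptions not drawn from the message: a comparison holds if any SCO of the path's type in the observation satisfies it, object-path keys are unquoted, and list indexing and NOT are not modelled.

```python
"""Toy evaluator for the WD05 pattern-semantics changes (Part 5 above).

Added illustration, not from the thread and not the stix2-patterns library.
Patterns are a tuple AST; an observation is a list of SCO dicts. Assumption:
a comparison holds if any SCO of the path's type satisfies it.
"""
import operator

COMPARISON_OPS = {
    "=": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
    "IN": lambda value, rhs: value in rhs,
}


def resolve_object_path(observation, path):
    """Yield every value an Object Path such as 'file:hashes.SHA-256' resolves to.

    Yields nothing when no SCO of that type exists or a key along the path is
    missing (unquoted keys, no list indexing in this toy)."""
    sco_type, _, property_path = path.partition(":")
    keys = property_path.split(".")
    for sco in observation:
        if sco.get("type") != sco_type:
            continue
        current = sco
        for key in keys:
            if not isinstance(current, dict) or key not in current:
                break
            current = current[key]
        else:  # every key resolved
            yield current


def eval_comparison(observation, path, op, rhs):
    """WD05: false whenever the Object Path is absent or cannot be obtained,
    so even 'file:name != x' is false in an observation with no file object."""
    values = list(resolve_object_path(observation, path))
    if not values:
        return False
    return any(COMPARISON_OPS[op](value, rhs) for value in values)


def eval_exists(observation, path):
    """WD05's new EXISTS operator: true if the Object Path can be obtained at all."""
    return any(True for _ in resolve_object_path(observation, path))


def eval_expression(observation, expr):
    """Evaluate a comparison-expression AST against one observation."""
    kind = expr[0]
    if kind == "cmp":
        return eval_comparison(observation, expr[1], expr[2], expr[3])
    if kind == "exists":
        return eval_exists(observation, expr[1])
    if kind == "and":
        return eval_expression(observation, expr[1]) and eval_expression(observation, expr[2])
    if kind == "or":
        return eval_expression(observation, expr[1]) or eval_expression(observation, expr[2])
    raise ValueError(f"unknown expression kind: {kind}")


def check_qualifiers(qualifiers):
    """WD05: an Observation Expression MUST NOT carry two Qualifiers of one type."""
    seen = set()
    for name, _arg in qualifiers:
        if name in seen:
            raise ValueError(f"duplicate qualifier: {name}")
        seen.add(name)
    return True


def match_repeats(observations, expr, times):
    """[expr] REPEATS x TIMES under WD05: at least x observations match
    (WD04 wording read as exactly x)."""
    matched = sum(1 for observation in observations if eval_expression(observation, expr))
    return matched >= times


# Constructed sample observations (lists of SCO dicts, as object_refs would resolve to).
HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
OBS_WITH_HASH = [{"type": "file", "name": "dropper.exe", "hashes": {"SHA-256": HASH}}]
OBS_NO_HASH = [{"type": "file", "name": "dropper.exe"}]
OBS_NO_FILE = [{"type": "ipv4-addr", "value": "198.51.100.7"}]

if __name__ == "__main__":
    expr = ("and", ("cmp", "file:name", "=", "dropper.exe"), ("exists", "file:hashes.SHA-256"))
    for label, obs in [("with hash", OBS_WITH_HASH), ("no hash", OBS_NO_HASH), ("no file", OBS_NO_FILE)]:
        print(label, eval_expression(obs, expr))
    print("REPEATS 2 TIMES over three matching observations:",
          match_repeats([OBS_WITH_HASH] * 3, ("cmp", "file:name", "=", "dropper.exe"), 2))
```

The "missing path is false" rule is the one to keep in mind when writing detections: a pattern such as [file:name != 'benign.exe'] does not fire on an observation that has no file object at all, so negative matches need an EXISTS guard or a different object path to express what was actually meant.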