OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: STIX 2.1 WD06 to WD07 changes



See below for a list of the changes I found between WD06 and WD07 of the STIX 2.1 specification. I generated this list to help with updating the schemas, tools, and libraries, but maybe you’ll find it helpful as well. Note that the list doesn’t include typo fixes or non-normative wording changes.


Thank you,


Chris Lenk




  • external-reference.hashes - keys MUST be one of the entries in hash-algorithm-ov (treat it like an enum)
  • property names - all MUST begin with a letter character
  • created/modified timestamps - millisecond is the minimum precision not the exact precision (they can be more precise than millisecond)
  • course-of-action - action_type, os_execution_envs, action_bin, action_reference all removed
  • course-of-action - action is a reserved property again
  • course-of-action - course-of-action-type-ov removed


  • identity.identity_class - now optional instead of required
  • indicator.indicator_types - now optional instead of required
  • infrastructure.infrastructure_types - now optional instead of required
  • malware.malware_types - now optional instead of required
  • report.report_types - now optional instead of required
  • threat-actor.threat_actor_types - now optional instead of required
  • tool-actor.tool_types - now optional instead of required


  • malware.os_execution_envs - renamed to operating_system_refs, now list of Software SCO identifiers instead of strings, no longer should be a CPE entry
  • malware-analysis.av_result - split into result_name and result
  • malware-analysis.sample_ref - new property, identifier (of type file, network-traffic, and artifact)
  • malware analysis common relationships - av-analysis-of renamed to analysis-of


  • domain-name.resolves_to_refs - no longer deprecated
  • ipv4-addr.resolves_to_refs - no longer deprecated
  • ipv4-addr.belongs_to_refs - no longer deprecated
  • ipv6-addr.resolves_to_refs - no longer deprecated
  • ipv6-addr.belongs_to_refs - no longer deprecated


  • file - parent_directory_ref is now an ID-contributing property
  • software - new optional string property: swid
  • patterns - a WITHIN x SECONDS - x must be positive floating point OR INTEGER
  • identity-class-ov - changed unspecified to unknown
  • industry-sector-ov - changed defence to defense, added chemical, commercial, government (emergency-services, government-local, government-national, government-public-services,  government-regional), infrastructure (dams, nuclear, water)
  • infrastructure-type-ov - changed unspecified to unknown


  • custom properties on SCO extensions specifically called out as allowed
  • custom SCO extension names MUST end with "-ext"
  • properties on custom SCO extensions MUST be [a-z0-9_]


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]