Hello,
See below for a list of the changes I found between WD06 and WD07 of the STIX 2.1 specification. I generated this list to help with updating the schemas, tools, and libraries, but maybe you’ll find it helpful as well. Note that the list doesn’t include typo fixes or non-normative wording changes.
Thank you,
Chris Lenk
MITRE
- external-reference.hashes - keys MUST be one of the entries in hash-algorithm-ov (treat it like an enum)
- property names - all MUST begin with a letter character
- created/modified timestamps - millisecond is the minimum precision not the exact precision (they can be more precise than millisecond)
- course-of-action - action_type, os_execution_envs, action_bin, action_reference all removed
- course-of-action - action is a reserved property again
- course-of-action - course-of-action-type-ov removed
- identity.identity_class - now optional instead of required
- indicator.indicator_types - now optional instead of required
- infrastructure.infrastructure_types - now optional instead of required
- malware.malware_types - now optional instead of required
- report.report_types - now optional instead of required
- threat-actor.threat_actor_types - now optional instead of required
- tool-actor.tool_types - now optional instead of required
- malware.os_execution_envs - renamed to operating_system_refs, now list of Software SCO identifiers instead of strings, no longer should be a CPE entry
- malware-analysis.av_result - split into result_name and result
- malware-analysis.sample_ref - new property, identifier (of type file, network-traffic, and artifact)
- malware analysis common relationships - av-analysis-of renamed to analysis-of
- domain-name.resolves_to_refs - no longer deprecated
- ipv4-addr.resolves_to_refs - no longer deprecated
- ipv4-addr.belongs_to_refs - no longer deprecated
- ipv6-addr.resolves_to_refs - no longer deprecated
- ipv6-addr.belongs_to_refs - no longer deprecated
- file - parent_directory_ref is now an ID-contributing property
- software - new optional string property: swid
- patterns - a WITHIN x SECONDS - x must be positive floating point OR INTEGER
- identity-class-ov - changed unspecified to unknown
- industry-sector-ov - changed defence to defense, added chemical, commercial, government (emergency-services, government-local, government-national, government-public-services, government-regional), infrastructure (dams, nuclear, water)
- infrastructure-type-ov - changed unspecified to unknown
- custom properties on SCO extensions specifically called out as allowed
- custom SCO extension names MUST end with "-ext"
- properties on custom SCO extensions MUST be [a-z0-9_]
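
An added example, not part of the original message or of any MITRE tooling: a small Python check that flags a few of the WD06-to-WD07 changes listed above in a STIX object given as a dict. The function name, the wording of the findings and the sample objects are constructed for illustration.

```python
import re

# WD06 property names the list above reports as removed or renamed in WD07.
STALE = {
    "course-of-action": {
        "action_type": "removed", "os_execution_envs": "removed",
        "action_bin": "removed", "action_reference": "removed",
    },
    "malware": {"os_execution_envs": "renamed to operating_system_refs"},
    "malware-analysis": {"av_result": "split into result_name and result"},
}
# Millisecond is the minimum precision: three or more fractional digits.
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3,}Z")
EXT_PROP = re.compile(r"[a-z0-9_]+")


def check_wd07(obj):
    """Return a list of findings for one STIX object (a dict)."""
    findings = []
    stale = STALE.get(obj.get("type"), {})
    for name in obj:
        if name in stale:
            findings.append(f"{name}: {stale[name]}")
        # Assumption: "letter character" is read as an ASCII letter.
        if not re.match(r"[A-Za-z]", name):
            findings.append(f"{name}: property name must begin with a letter")
    for name in ("created", "modified"):
        value = obj.get(name)
        if value is not None and not TIMESTAMP.fullmatch(str(value)):
            findings.append(f"{name}: needs at least millisecond precision")
    # Assumption: every key under "extensions" is checked, not only custom ones.
    for ext_name, ext in obj.get("extensions", {}).items():
        if not ext_name.endswith("-ext"):
            findings.append(f"{ext_name}: extension name must end with -ext")
        for prop in ext:
            if not EXT_PROP.fullmatch(prop):
                findings.append(f"{ext_name}.{prop}: must match [a-z0-9_]")
    return findings


# Constructed sample objects, not taken from the specification.
OLD_MALWARE = {
    "type": "malware", "created": "2019-01-01T00:00:00Z",
    "modified": "2019-01-01T00:00:00.123456Z", "os_execution_envs": ["x"],
}
CUSTOM_FILE = {"type": "file", "extensions": {"x-acme": {"Scan-ID": 1}}}

if __name__ == "__main__":
    for sample in (OLD_MALWARE, CUSTOM_FILE):
        print(sample["type"], check_wd07(sample))
```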