IRI:
http://purl.org/cyber/stix
Version IRI:
http://purl.org/cyber/stix

Abstract

An OWL ontology for representing cybersecurity information using the STIX 2 data model.

Table of Contents

  1. Classes
  2. Object Properties
  3. Data Properties
  4. Namespace Declarations

Classes

adversaryc

IRI: http://purl.org/cyber/stix#Adversary

has super-classes
stix domain objectc
has sub-classes
campaignc, intrusion setc, threat actorc
is in domain of
aliasdp, goalsdp

artifactc

IRI: http://purl.org/cyber/stix#Artifact

The Artifact Object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. The size of the base64-encoded data captured in the payload_bin property MUST be less than or equal to 10MB. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. If a URL is provided, then the hashes property MUST contain the hash of the URL contents.
has super-classes
stix observablesc
is in domain of
payload bindp

attack patternc

IRI: http://purl.org/cyber/stix#AttackPattern

Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. Relationships from Attack Pattern can be used to relate it to what it targets (Vulnerabilities and Identities) and which tools and malware use it (Tool and Malware).
has super-classes
stix thingc

attack patternc

IRI: http://purl.org/cyber/stix#attack-pattern

has super-classes
t t pc
is in domain of
x mitre data sourcedp, x mitre defense bypasseddp, x mitre deprecateddp, x mitre effective permissiondp, x mitre network requirementsdp, x mitre permissions requireddp, x mitre platformdp, x mitre remote supportdp, x mitre system requirementdp, x mitre tactic typedp, x resources requireddp

autonomous systemc

IRI: http://purl.org/cyber/stix#AutonomousSystem

Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet. An ISP must have an officially registered autonomous system number (ASN). A unique ASN is allocated to each AS for use in BGP routing. AS numbers are important because the ASN uniquely identifies each network on the Internet.
has super-classes
stix observablesc

campaignc

IRI: http://purl.org/cyber/stix#Campaign

A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.
has super-classes
adversaryc

course of actionc

IRI: http://purl.org/cyber/stix#CourseOfAction

A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as placeholder for future inclusion of machine automatable courses of action. Relationships from the Course of Action can be used to link it to the Vulnerabilities or behaviors (Tool, Malware, Attack Pattern) that it mitigates.
has super-classes
stix domain objectc
is in domain of
mitigatesop
is in range of
mitigated byop

crime syndicatec

IRI: http://purl.org/cyber/stix#CrimeSyndicate

is equivalent to
threat actorc and (labeldp some { "crime-syndicate" })
has super-classes
threat actorc

criminalc

IRI: http://purl.org/cyber/stix#Criminal

is equivalent to
threat actorc and (labeldp some { "criminal" })
has super-classes
threat actorc

definition objectc

IRI: http://purl.org/cyber/stix#DefinitionObject

has super-classes
stix thingc

domain namec

IRI: http://purl.org/cyber/stix#DomainName

The Domain Name represents the properties of a network domain name.
has super-classes
stix observablesc

email addrc

IRI: http://purl.org/cyber/stix#EmailAddr

The Email Address Object represents a single email address.
has super-classes
stix observablesc

email messagec

IRI: http://purl.org/cyber/stix#EmailMessage

The Email Message Object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message Object properties. For example, "this is some text" MUST be used instead of "=?iso-8859-1?q?this=20is=20some=20text?=". Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact Object through the raw_email_ref property.
has super-classes
stix observablesc
is in domain of
bodydp, email propertydp, is multipartdp, subjectdp

external referencec

IRI: http://purl.org/cyber/stix#ExternalReference

has super-classes
stix thingc
is in domain of
external reference ofop
is also defined as
object property

filec

IRI: http://purl.org/cyber/stix#File

The File Object represents the properties of a file. A File Object MUST contain at least one of hashes or name.
has super-classes
stix observablesc
is in domain of
hashdp, pathdp, sizedp

file namec

IRI: http://purl.org/cyber/stix#FileName

has super-classes
stix observablesc

file pathc

IRI: http://purl.org/cyber/stix#FilePath

has super-classes
stix observablesc

granular markingc

IRI: http://purl.org/cyber/stix#GranularMarking

has super-classes
stix thingc
is in range of
has granular markingop

identityc

IRI: http://purl.org/cyber/stix#Identity

Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities.
has super-classes
stix domain objectc
has sub-classes
individualc, organizationc
is in domain of
creator ofop, identity classdp, sectordp
is in range of
created byop, impersonatesop

indicatorc

IRI: http://purl.org/cyber/stix#Indicator

Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (STIX™ Version 2.0. Part 5: STIX Patterning) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in STIX™ Version 2.0. Part 5: STIX Patterning. While each structured pattern language has different syntax and potentially different semantics, in general an Indicator is considered to have "matched" (or been "sighted") when the conditions specified in the structured pattern are satisfied in whatever context they are evaluated in. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern) as well as the Campaigns, Intrusion Sets, and Threat Actors that it might indicate the presence of.
has super-classes
stix domain objectc
is in domain of
indicatesop

individualc

IRI: http://purl.org/cyber/stix#Individual

is equivalent to
identityc and (identity classdp some { "individual" })
has super-classes
identityc

intrusion setc

IRI: http://purl.org/cyber/stix#IntrusionSet

An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying levels of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.
has super-classes
adversaryc

ip addrc

IRI: http://purl.org/cyber/stix#IpAddr

has super-classes
stix observablesc
has sub-classes
ipv4 addrc, ipv6 addrc
is in domain of
resolves toop

ipv4 addrc

IRI: http://purl.org/cyber/stix#Ipv4Addr

The IPv4 Address Object represents one or more IPv4 addresses expressed using CIDR notation.
has super-classes
ip addrc

ipv6 addrc

IRI: http://purl.org/cyber/stix#Ipv6Addr

The IPv6 Address Object represents one or more IPv6 addresses expressed using CIDR notation.
has super-classes
ip addrc

kill chainc

IRI: http://purl.org/cyber/stix#KillChain

has super-classes
stix thingc
is in domain of
has phaseop
is in range of
phase ofop

kill chain phasec

IRI: http://purl.org/cyber/stix#KillChainPhase

has super-classes
stix thingc
is in domain of
kill chain namedp, phase namedp, phase ofop
is in range of
has phaseop

local filec

IRI: http://purl.org/cyber/stix#LocalFile

has super-classes
stix thingc

mac addrc

IRI: http://purl.org/cyber/stix#macAddr

The MAC Address Object represents a single Media Access Control (MAC) address.
has super-classes
stix observablesc
is in range of
resolves toop

malwarec

IRI: http://purl.org/cyber/stix#Malware

Note: The Malware object in STIX 2.0 is a stub. It is included to support basic use cases but is likely not useful for actual malware analysis or for including even simple malware instance data. Future versions of STIX 2 will expand it to include these capabilities. Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.[1] The Malware SDO characterizes, identifies, and categorizes malware samples and families via a text description property. This provides detailed information about how the malware works and what it does. Relationships from Malware can capture what the malware targets (Vulnerability and Identity) and link it to another Malware SDO that it is a variant of.
has super-classes
stix domain objectc
t t pc
is in domain of
kill chain phaseop, variantop
is in range of
kill chain phase ofop, variantop

marking definitionc

IRI: http://purl.org/cyber/stix#MarkingDefinition

has super-classes
stix thingc
is in domain of
definitionop, definition typedp
is in range of
object markingop

mutexc

IRI: http://purl.org/cyber/stix#Mutex

The Mutex Object represents the properties of a mutual exclusion (mutex) object.
has super-classes
stix observablesc

nation statec

IRI: http://purl.org/cyber/stix#NationState

is equivalent to
threat actorc and (labeldp some { "nation-state" })
has super-classes
threat actorc

network trafficc

IRI: http://purl.org/cyber/stix#NetworkTraffic

The Network Traffic Object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood. To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic Object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties.
has super-classes
stix observablesc

notec

IRI: http://purl.org/cyber/stix#Note

has super-classes
stix domain objectc

observed datac

IRI: http://purl.org/cyber/stix#ObservedData

Observed Data conveys information that was observed on systems and networks using the Cyber Observable specification defined in parts 3 and 4 of this specification. For example, Observed Data can capture the observation of an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply information: this file was seen, without any context for what it means. Observed Data captures both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data is of a single entity. When the number_observed property is greater than 1, the observed data consists of several instances of an entity collected over the time window specified by the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some fields in the Cyber Observable Object (e.g., timestamp fields) will be omitted because they would differ for each of the individual observations. Observed Data may be used by itself (without relationships) to convey raw data collected from network and host-based detection tools. A firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. The Sighting object, which captures the sighting of an Indicator, Malware, or other SDO, uses Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).
has super-classes
stix thingc

opinionc

IRI: http://purl.org/cyber/stix#Opinion

has super-classes
stix thingc

opinionc

IRI: http://purl.org/cyber/stix#opinion

has super-classes
stix domain objectc
is in domain of
confidencedp
is in range of
opinion aboutop
is also defined as
data property

organizationc

IRI: http://purl.org/cyber/stix#Organization

is equivalent to
identityc and (identity classdp some { "organisation" , "organization" })
has super-classes
identityc

ownerc

IRI: http://purl.org/cyber/stix#Owner

has super-classes
stix thingc
is in domain of
owner ofop
is in range of
ownerop

portc

IRI: http://purl.org/cyber/stix#Port

has super-classes
stix observablesc

processc

IRI: http://purl.org/cyber/stix#Process

The Process Object represents common properties of an instance of a computer program as executed on an operating system. A Process Object MUST contain at least one property (other than type) from this object (or one of its extensions).
has super-classes
stix observablesc

protocolc

IRI: http://purl.org/cyber/stix#Protocol

has super-classes
stix observablesc

relationshipc

IRI: http://purl.org/cyber/stix#Relationship

The Relationship object is used to link together two SDOs in order to describe how they are related to each other. If SDOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". STIX defines many relationship types to link together SDOs. These relationships are contained in the "Relationships" table under each SDO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. STIX also allows relationships from any SDO to any SDO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a custom relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a custom name they determined) to indicate more detail. Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX.
has super-classes
stix thingc
is in domain of
relationship typedp, sourceop, targetop

reportc

IRI: http://purl.org/cyber/stix#Report

Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. The Report SDO contains a list of references to SDOs and SROs (the CTI objects included in the report) along with a textual description and the name of the report. For example, a threat report produced by ACME Defense Corp. discussing the Glass Gazelle campaign should be represented using Report. The Report itself would contain the narrative of the report while the Campaign SDO and any related SDOs (e.g., Indicators for the Campaign, Malware it uses, and the associated Relationships) would be referenced in the report contents.
has super-classes
stix domain objectc

sightingc

IRI: http://purl.org/cyber/stix#Sighting

has super-classes
stix thingc
is in domain of
sighting ofop
is in range of
sighted byop

softwarec

IRI: http://purl.org/cyber/stix#Software

The Software Object represents high-level properties associated with software, including software products.
has super-classes
stix observablesc
is in domain of
cpedp, vendordp

spyc

IRI: http://purl.org/cyber/stix#Spy

is equivalent to
threat actorc and (labeldp some { "spy" })
has super-classes
threat actorc

stix domain objectc

IRI: http://purl.org/cyber/stix#StixDomainObject

This specification defines the set of STIX Domain Objects (SDOs), each of which corresponds to a unique concept commonly represented in CTI. Using SDOs and STIX relationships as building blocks, individuals can create and share broad and comprehensive cyber threat intelligence. Property information, relationship information, and examples are provided for each SDO defined below. Property information includes common properties as well as properties that are specific to each SDO. Relationship information includes embedded relationships (e.g., created_by_ref), common relationships (e.g., related-to), and SDO-specific relationships. Forward relationships (i.e., relationships from the SDO to other SDOs) are fully defined, while reverse relationships (i.e., relationships to the SDO from other SDOs) are duplicated for convenience. Some SDOs are similar and can be grouped together into categories. Attack Pattern, Malware, and Tool can all be considered types of tactics, techniques, and procedures (TTPs): they describe behaviors and resources that attackers use to carry out their attacks. Similarly, Campaign, Intrusion Set, and Threat Actor all describe information about why adversaries carry out attacks and how they organize themselves.
has super-classes
stix thingc
has sub-classes
adversaryc, course of actionc, identityc, indicatorc, malwarec, notec, opinionc, reportc, t t pc, toolc, vulnerabilityc
is in range of
sourceop, targetop

stix observablesc

IRI: http://purl.org/cyber/stix#StixObservables

The ObservableType is a complex type representing a description of a single cyber observable.
has super-classes
stix thingc
has sub-classes
artifactc, autonomous systemc, domain namec, email addrc, email messagec, filec, file namec, file pathc, ip addrc, mac addrc, mutexc, network trafficc, portc, processc, protocolc, softwarec, u r lc, u r l pathc, user accountc, user agentc, windows registry keyc, x509 certificatec
is in domain of
belongs toop

t t pc

IRI: http://purl.org/cyber/stix#TTP

TTP is a Tactic, Technique, or Procedure, i.e., behaviors and resources that attackers use to carry out their attacks.
has super-classes
stix domain objectc
has sub-classes
attack patternc, malwarec, toolc
is in domain of
platformdp, used byop
is in range of
usesop

terroristc

IRI: http://purl.org/cyber/stix#Terrorist

is equivalent to
threat actorc and (labeldp some { "terrorist" })
has super-classes
threat actorc

threat actorc

IRI: http://purl.org/cyber/stix#ThreatActor

Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. Threat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. Threat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization.
has super-classes
adversaryc
has sub-classes
crime syndicatec, criminalc, nation statec, spyc, terroristc
is in domain of
impersonatesop
is in range of
authored byop

toolc

IRI: http://purl.org/cyber/stix#Tool

Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. This SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterise tools used as part of a course of action in response to an attack. Tools used during response activities can be included directly as part of a Course of Action SDO.
has super-classes
stix domain objectc
t t pc

u r lc

IRI: http://purl.org/cyber/stix#URL

has super-classes
stix observablesc
is also defined as
data property

u r l pathc

IRI: http://purl.org/cyber/stix#URLPath

has super-classes
stix observablesc

user accountc

IRI: http://purl.org/cyber/stix#UserAccount

The User Account Object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
has super-classes
stix observablesc

user agentc

IRI: http://purl.org/cyber/stix#UserAgent

has super-classes
stix observablesc
is in domain of
user iddp

vulnerabilityc

IRI: http://purl.org/cyber/stix#Vulnerability

A Vulnerability is "a mistake in software that can be directly used by a hacker to gain access to a system or network" [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. The Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process.
has super-classes
stix domain objectc
is in range of
exploitsop

windows registry keyc

IRI: http://purl.org/cyber/stix#WindowsRegistryKey

The Registry Key Object represents the properties of a Windows registry key.
has super-classes
stix observablesc

x509 certificatec

IRI: http://purl.org/cyber/stix#X509Certificate

The X.509 Certificate Object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509]. An X.509 Certificate Object MUST contain at least one property (other than type) from this object.
has super-classes
stix observablesc

Object Properties

attributed toop

IRI: http://purl.org/cyber/stix#attributedTo

has domain
campaignc or intrusion setc or threat actorc
has range
identityc or intrusion setc or threat actorc
is inverse of
attribution ofop

attribution ofop

IRI: http://purl.org/cyber/stix#attributionOf

has domain
identityc or intrusion setc or threat actorc
has range
campaignc or intrusion setc or threat actorc
is inverse of
attributed toop

author ofop

IRI: http://purl.org/cyber/stix#authorOf

is inverse of
authored byop

authored byop

IRI: http://purl.org/cyber/stix#authoredBy

has domain
malwarec or toolc
has range
threat actorc
is inverse of
author ofop

belongs toop

IRI: http://purl.org/cyber/stix#belongsTo

has domain
stix observablesc

created byop

IRI: http://purl.org/cyber/stix#createdBy

has domain
campaignc or intrusion setc or threat actorc
has range
identityc
is inverse of
creator ofop

creator ofop

IRI: http://purl.org/cyber/stix#creatorOf

has domain
identityc
has range
campaignc or intrusion setc or threat actorc
is inverse of
created byop

definitionop

IRI: http://purl.org/cyber/stix#definition

derived fromop

IRI: http://purl.org/cyber/stix#derivedFrom

has domain
stix thingc
has range
stix thingc

duplicate ofop

IRI: http://purl.org/cyber/stix#duplicateOf

has characteristics: transitive

has domain
stix thingc
has range
stix thingc

exploited byop

IRI: http://purl.org/cyber/stix#exploitedBy

is inverse of
exploitsop

exploitsop

IRI: http://purl.org/cyber/stix#exploits

has domain
campaignc or malwarec or threat actorc or attack patternc
has range
vulnerabilityc
is inverse of
exploited byop

external referenceop

IRI: http://purl.org/cyber/stix#ExternalReference

has domain
stix thingc
is inverse of
external reference ofop
is also defined as
class

external reference ofop

IRI: http://purl.org/cyber/stix#externalReferenceOf

has domain
external referencec
has range
stix thingc
is inverse of
external referenceop

granular marking ofop

IRI: http://purl.org/cyber/stix#granularMarkingOf

is inverse of
has granular markingop

has granular markingop

IRI: http://purl.org/cyber/stix#hasGranularMarking

A GranularMarking that applies to this object.
has domain
stix thingc
has range
granular markingc
is inverse of
granular marking ofop

has phaseop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#hasPhase

has domain
kill chainc
has range
kill chain phasec
is inverse of
phase ofop

impersonatesop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#impersonates

This Relationship describes that the Threat Actor impersonates the related Identity. For example, an impersonates Relationship from the gh0st Threat Actor to the ACME Corp. Identity means that the actor known as gh0st impersonates ACME Corp.
has domain
threat actorc
has range
identityc

indicated byop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#indicatedBy

is inverse of
indicatesop

indicatesop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#indicates

has domain
indicatorc
has range
adversaryc or t t pc
is inverse of
indicated byop

kill chain phaseop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#killChainPhase

has domain
malwarec
is inverse of
kill chain phase ofop

kill chain phase ofop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#killChainPhaseOf

has range
malwarec
is inverse of
kill chain phaseop

mitigated byop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#mitigatedBy

has domain
t t pc or vulnerabilityc
has range
course of actionc
is inverse of
mitigatesop

mitigatesop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#mitigates

has domain
course of actionc
has range
t t pc or vulnerabilityc
is inverse of
mitigated byop

objectop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#object

has domain
stix thingc
has range
stix thingc

object markingop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#objectMarking

A marking-definition object to be applied to this object.
has domain
stix thingc
has range
marking definitionc
is inverse of
object marking ofop

opinion aboutop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#opinionAbout

has domain
stix thingc
has range
opinionc

ownerop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#owner

has domain
stix thingc
has range
ownerc

owner ofop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#ownerOf

has domain
ownerc
has range
stix thingc

phase ofop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#phaseOf

has domain
kill chain phasec
has range
kill chainc
is inverse of
has phaseop

provenanceop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#provenance

has domain
stix thingc

related toop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#relatedTo

has characteristics : transitive

has domain
stix thingc
has range
stix thingc

resolves toop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#resolvesTo

has domain
ip addrc
has range
mac addrc

sighted byop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#sightedBy

has domain
adversaryc or indicatorc or stix observablesc or t t pc
has range
sightingc
is inverse of
sighting ofop

sighting ofop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#sightingOf

has domain
sightingc
has range
adversaryc or indicatorc or stix observablesc or t t pc
is inverse of
sighted byop

sourceop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#source

has domain
relationshipc
has range
stix domain objectc
is inverse of
source ofop

targetop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#target

has domain
relationshipc
has range
stix domain objectc
is inverse of
target ofop

targeted byop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#targetedBy

has domain
identityc or vulnerabilityc
has range
adversaryc or t t pc
is inverse of
targetsop

targetsop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#targets

has domain
adversaryc or t t pc
has range
identityc or vulnerabilityc
is inverse of
targeted byop

used byop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#usedBy

has domain
t t pc
has range
adversaryc or t t pc
is inverse of
usesop

usesop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#uses

has domain
adversaryc or t t pc
has range
t t pc
is inverse of
used byop

variantop back to ToC or Object Property ToC

IRI: http://purl.org/cyber/stix#variant

This variantOf relation is used to document that one piece of Malware is a variant of another piece of Malware. For example, TorrentLocker is a variant of CryptoLocker.

has characteristics : symmetric, transitive

has domain
malwarec
has range
malwarec

Data Properties

aliasdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#alias

has super-properties
stix data propertydp
has domain
adversaryc
has range
string

bodydp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#body

has super-properties
email propertydp
has domain
email messagec

common data propertydp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#commonDataProperty

A collection of data properties that can be used with any STIX object.
has super-properties
stix data propertydp
has sub-properties
createddp, iddp, labeldp, modifieddp, revokeddp, typedp
has domain
stix thingc

confidencedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#confidence

has super-properties
stix data propertydp
has domain
opinionc

countrydp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#country

has super-properties
stix data propertydp
has range
string

cpedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#cpe

has super-properties
stix data propertydp
has domain
softwarec

createddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#created

The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond.
has super-properties
common data propertydp
has domain
stix thingc

definition typedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#definitionType

has super-properties
stix data propertydp
has domain
marking definitionc

descriptiondp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#description

has super-properties
stix data propertydp

email propertydp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#emailProperty

has super-properties
stix data propertydp
has sub-properties
bodydp, is multipartdp, subjectdp
has domain
email messagec

goalsdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#goals

has super-properties
stix data propertydp
has domain
adversaryc
has range
string

hashdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#hash

has super-properties
stix data propertydp
has sub-properties
md5dp, sha 1dp, sha 224dp, sha 256dp, sha 384dp, sha 512dp
has domain
filec
has range
string

iddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#id

The id property universally and uniquely identifies this object.
has super-properties
common data propertydp
has domain
stix thingc
has range
string

identity classdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#identityClass

This property describes the type of entity that the Identity represents: whether it describes an organization, group, individual, class or unknown.
has super-properties
stix data propertydp
has domain
identityc

is multipartdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#isMultipart

has super-properties
email propertydp
has domain
email messagec

kill chain namedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#killChainName

has super-properties
stix data propertydp
has domain
kill chain phasec

labeldp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#label

has super-properties
common data propertydp

languagedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#language

has super-properties
stix data propertydp

md5dp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#md5

has characteristics : functional

has super-properties
hashdp

mime typedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#mimeType

The value of this property MUST be a valid MIME type as specified in the IANA Media Types registry [Media Types].
has super-properties
stix data propertydp

modifieddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#modified

The modified property represents the time that this particular version of the object was created. The timestamp value MUST be precise to the nearest millisecond.
has super-properties
common data propertydp
has domain
stix thingc

namedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#name

has super-properties
stix data propertydp
has domain
stix thingc

opiniondp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#opinion

has super-properties
stix data propertydp
is also defined as
class

pathdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#path

has super-properties
stix data propertydp
has domain
filec

payload bindp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#payloadBin

has super-properties
stix data propertydp
has domain
artifactc

phase namedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#phaseName

has super-properties
stix data propertydp
has domain
kill chain phasec

platformdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#platform

has super-properties
stix data propertydp
has domain
t t pc
has range
{ "Android" , "Linux" , "Windows" , "iOS" , "macOS" }

publisheddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#published

has super-properties
stix data propertydp

relationship typedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#relationshipType

has super-properties
stix data propertydp
has domain
relationshipc
has range
string

revokeddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#revoked

The revoked property indicates whether the object has been revoked.
has super-properties
common data propertydp
has domain
stix thingc
has range
boolean

sectordp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#sector

has super-properties
stix data propertydp
has domain
identityc

sha 1dp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#sha-1

has characteristics : functional

has super-properties
hashdp

sha 224dp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#sha-224

has characteristics : functional

has super-properties
hashdp

sha 256dp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#sha-256

has characteristics : functional

has super-properties
hashdp

sha 384dp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#sha-384

has characteristics : functional

has super-properties
hashdp

sha 512dp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#sha-512

has characteristics : functional

has super-properties
hashdp

sizedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#size

has super-properties
stix data propertydp
has domain
filec
has range
int

skill descriptiondp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#skillDescription

has super-properties
stix data propertydp

skill leveldp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#skillLevel

has super-properties
stix data propertydp

spec versiondp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#specVersion

has super-properties
stix data propertydp
has range
string

statementdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#statement

has super-properties
stix data propertydp

stix data propertydp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#stixDataProperty

stix namedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#stixName

has super-properties
stix data propertydp

subjectdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#subject

has super-properties
email propertydp
has domain
email messagec

tlpdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#tlp

has super-properties
stix data propertydp

typedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#type

The type property identifies the type of STIX Object (SDO, Relationship Object, etc.). The value of the type field MUST be one of the types defined by a STIX Object (e.g., indicator).
has super-properties
common data propertydp
has domain
stix thingc
has range
string

u r ldp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#URL

has super-properties
stix data propertydp
is also defined as
class

user iddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#user_id

has super-properties
stix data propertydp
has domain
user agentc
has range
string

valuedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#value

has super-properties
stix data propertydp
has domain
stix thingc
has range
literal

vendordp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#vendor

Specifies the name of the vendor of the software.
has super-properties
stix data propertydp
has domain
softwarec

versiondp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#version

Specifies the version of the software.
has super-properties
stix data propertydp
has domain
filec or softwarec or x509 certificatec

x mitre aliasdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_alias

has super-properties
x mitre propertydp
has domain
malwarec or toolc

x mitre contributordp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x-mitre-contributor

has super-properties
x mitre propertydp
has domain
intrusion setc or malwarec or toolc or attack patternc

x mitre data sourcedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_data_source

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre defense bypasseddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_defense_bypassed

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre deprecateddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_deprecated

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre effective permissiondp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_effective_permission

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre network requirementsdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_network_requirements

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre permissions requireddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_permissions_required

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre platformdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_platform

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre propertydp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x-mitre-property

x mitre remote supportdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_remote_support

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre system requirementdp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_system_requirement

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x mitre tactic typedp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_mitre_tactic_type

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

x resources requireddp back to ToC or Data Property ToC

IRI: http://purl.org/cyber/stix#x_resources_required

has super-properties
x mitre propertydp
has domain
attack patternc
has range
string

Namespace Declarations back to ToC

default namespace
http://purl.org/cyber/stix#
cyber
http://purl.org/cyber/
owl
http://www.w3.org/2002/07/owl#
rdf
http://www.w3.org/1999/02/22-rdf-syntax-ns#
rdfs
http://www.w3.org/2000/01/rdf-schema#
xsd
http://www.w3.org/2001/XMLSchema#

This HTML document was obtained by processing the OWL ontology source code through LODE, Live OWL Documentation Environment, developed by Silvio Peroni.