STIX2.0 to STIX2.1 changes
There is no way to specify if the attack pattern only describes ways that adversaries attempt to compromise targets or if they actually executed it.
As for the attack pattern objects, we have no way to differentiate recommendations from actual courses of action taken.
The description of what a Course of Action is ("A Course of Action is an action taken either to prevent an attack or to respond to an attack in progress.") is not clear enough to make that difference.
(Rather a note for us than actual comments on the implementation of the object)
We need to decide if we stick to reports, or use groupings in some cases for MISP events...
- Campaign
- Malware Analysis
- Opinion
There is still no way to have display names without the email address
Filenames and paths cannot be multiple.
It would be helpful to have a filename property
There is in this object a CPE property, which is absent from the Vulnerability object...
- Attack Pattern new field: aliases (optional list of strings)
- Identity new field: roles (optional list of strings)
- Indicator new fields:
  - indicator_types: optional list of type open-vocab
  - pattern_type: required open-vocab
  - pattern_version: optional string
- Malware new fields:
  - malware_types: optional list of open-vocab
  - is_family: required boolean
  - aliases: list of strings
  - first_seen / last_seen: optional timestamp
  - operating_system_refs: optional list of identifiers (references to observable software objects)
  - sample_refs: optional list of identifiers (references to observable file or artifact objects)
  - architecture_execution_envs, implementation_languages, capabilities: lists of type open-vocab
- Observed Data: new field objects_refs (list of identifiers referencing Observable objects)
- Threat Actor new fields:
  - threat_actor_types: optional list of type open-vocab
  - first_seen / last_seen: optional timestamp
- Tool new fields:
  - tool_types: optional list of type open-vocab
  - aliases: optional list of strings
- Grouping object: explicitly asserts that the referenced STIX objects have a shared context.
- Infrastructure: describes any systems, software services and any associated physical or virtual resources intended to support some purpose
- Location: basic geographic location
- Malware Analysis: captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family
- Note: intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects
- Opinion: assessment of the correctness of the information in a STIX Object produced by a different entity
- Artifact new fields:
  - encryption_algorithm: optional enumeration
  - decryption_key: optional string
- Directory field name changes:
  - 'created' becomes 'ctime'
  - 'modified' becomes 'mtime'
  - 'accessed' becomes 'atime'
- Email message new field: message_id (optional string)
- File changes:
  - field name changes:
    - 'created' becomes 'ctime'
    - 'modified' becomes 'mtime'
    - 'accessed' becomes 'atime'
  - fields removed:
    - is_encrypted
    - encryption_algorithm
  - Archive extension field removed: version
  - Raster image extension field removed (extension not mapped): image_compression_algorithm
- Network Traffic - Socket extension change: protocol_family field removed
- Process field changes:
  - Fields removed:
    - name
    - arguments
  - Field name change: 'created' becomes 'created_time'
- Software new field: swid (Software Identification - optional string)
- User Account changes:
  - new field: credential (optional string)
  - name change: 'password_last_changed' becomes 'credential_last_changed'
- Windows Registry Key field change: 'modified' becomes 'modified_time'
- Marking definition changes:
  - Field removed: created
  - Field added: name (optional string)
  - New TLP marking definitions (the predefined marking definitions that should be used as is)
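The observable field renames and removals listed above, applied by a small migration helper added here as an example (not code from misp-stix or the STIX libraries). It assumes observables are plain dicts in STIX 2.0 shape; the sample file object is constructed, and removed fields are handed back to the caller instead of being dropped silently.

```python
# Added example, not part of the project: rename/remove STIX 2.0 observable
# fields according to the STIX 2.1 change list on this page.
import copy

# Field renames per observable type (from the change list above).
RENAMES = {
    "directory": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "file": {"created": "ctime", "modified": "mtime", "accessed": "atime"},
    "process": {"created": "created_time"},
    "user-account": {"password_last_changed": "credential_last_changed"},
    "windows-registry-key": {"modified": "modified_time"},
}

# Fields that no longer exist in STIX 2.1 per observable type.
REMOVED = {
    "file": {"is_encrypted", "encryption_algorithm"},
    "process": {"name", "arguments"},
}


def migrate_observable(obj):
    """Return (migrated copy, dropped fields) for one STIX 2.0 observable dict.

    Unknown types and untouched fields pass through unchanged. Dropped
    fields are returned so the caller can keep them (e.g. in a Note)
    rather than losing the data during conversion.
    """
    new = copy.deepcopy(obj)
    obj_type = new.get("type")
    dropped = {}
    for old, renamed in RENAMES.get(obj_type, {}).items():
        if old in new:
            new[renamed] = new.pop(old)
    for field in REMOVED.get(obj_type, set()):
        if field in new:
            dropped[field] = new.pop(field)
    return new, dropped


# Constructed sample: a STIX 2.0 file observable (values are made up).
SAMPLE_FILE = {
    "type": "file",
    "name": "dropper.exe",
    "created": "2019-03-01T10:00:00Z",
    "modified": "2019-03-02T11:30:00Z",
    "is_encrypted": True,
    "encryption_algorithm": "AES256",
}

if __name__ == "__main__":
    migrated, dropped = migrate_observable(SAMPLE_FILE)
    print(migrated, dropped)
```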