STIX 1.1.1, 1.2 Data Mapping
- Threat Actors Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Identity | Adversary.value | |
| ID | Adversary.attribute | STIX Reference ID |
| Title | Adversary.value | |
| Type | Adversary.attribute | Type |
| Timestamp | Adversary.published_at | |
| Description | Adversary.attribute | Description |
| Motivation | Adversary.attribute | Motivation |
| Sophistication | Adversary.attribute | Sophistication |
| Intended_Effect | Adversary.attribute | Intended Effect |
| Role | Adversary.attribute | Role |
| Confidence | Adversary.attribute | Confidence |
| Handling | Adversary.tlp | |
| Observed_TTPs | TTP | |
| Associated_Actors | Adversary | |
| Associated_Campaigns | Campaign | |

- Indicators Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Title | Indicator.attribute | Indicator Title |
| ID | Indicator.attribute | STIX Reference ID |
| Timestamp | Indicator.published_at | |
| Type | Indicator.attribute | Indicator Type |
| Description | Indicator.attribute | Description |
| Short Description | Indicator.attribute | Short Description |
| Producer | Indicator.source | |
| Observable | Indicator | |
| Indicated_TTP | TTP | |
| Kill_Chain_Phases | Indicator.attribute | Kill Chain Phase |
| Likely_Impact | Indicator.attribute | Likely Impact |
| Suggested_COAs | Course of Action | |
| Handling | Indicator.tlp | |
| Confidence | Indicator.attribute | Confidence |
| | Indicator.attribute.source | |
| Related_Observables | | |
| Related_Indicators | Indicator | |
| Related_Campaigns | Campaign | |
| Signature | Signature.type = "Snort" | |
| | Signature.value | |
| | Indicator.source | |
| | Course of Action | |
| | Indicator.attribute | Start Time |
| | Indicator.attribute | End Time |
| | Indicator.published_at | |

- Exploit Target Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Title | Exploit Target.value | |
| ID | Exploit Target.attribute | STIX Reference ID |
| Description | Exploit Target.attribute | Description |
| Short Description | Exploit Target.attribute | Short Description |
| Weakness | Exploit Target.attribute | CWE ID |
| Weakness | Exploit Target.attribute | Weakness Description |
| Configuration | Exploit Target.attribute | CCE ID |
| Configuration | Exploit Target.attribute | Configuration Description |
| Configuration | Exploit Target.attribute | Configuration Short Description |
| Vulnerability | Exploit Target.attribute | CVE ID |
| Potential_COAs | Course of Action | |
| Related_Exploit_Targets | Exploit Target | |

- Observables Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| ID | Indicator.attribute | STIX Reference ID |
| | Indicator.attribute | Description |
| | Indicator.type | IP Address |
| | Indicator.value | |
| | Indicator.type | Filename |
| | Indicator.value | |
| | Indicator.type | File Path |
| | Indicator.value | |
| | Indicator.attribute | File Size |
| | Indicator.attribute | File Format |
| | Indicator.attribute | Packer |
| | Indicator.type | MD5 |
| | Indicator.type | SHA-256 |
| | Indicator.type | SHA-1 |
| | Indicator.type | SHA-512 |
| | Indicator.value | |
| | Indicator.type | SSDEEP |
| | Indicator.value | |
| | Indicator.type | FQDN |
| | Indicator.value | |
| | Indicator.type | URL |
| | Indicator.value | |
| | Indicator.type | Email Subject |
| | Indicator.value | |
| | Indicator.type | Email Address |
| | Indicator.value | |
| | Indicator.type | IP Address |
| | Indicator.value | |
| | Indicator.type | User-agent |
| | Indicator.value | |
| | Indicator.type | Filename |
| | Indicator.value | |
| | Indicator.type | Mutex |
| | Indicator.value | |
| | Indicator.attribute | Port |
| | Indicator.attribute | Protocol |
| Object.Description | Spearphish.value | |
| | Indicator.type | Registry Key |
| | Indicator.value | |
| | Indicator.attribute | Hive |

- Campaigns Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Title | Campaign.value | |
| ID | Campaign.attribute | STIX Reference ID |
| Description | Campaign.attribute | Description |
| Short Description | Campaign.attribute | Short Description |
| Timestamp | Campaign.started_at | |
| Names | Campaign.attribute | Alias |
| Status | Campaign.attribute | Status |
| Intended_Effect | Campaign.attribute | Intended Effect |
| Confidence | Campaign.attribute | Confidence |
| Activity | Campaign.attribute | Activity |
| Related TTPs | TTP | |
| Related Incidents | Incident | |
| Attribution | Adversary | |
| Associated_Campaigns | Campaign | |

- Courses of Action Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Title | Course of Action.value | |
| ID | Course of Action.attribute | STIX Reference ID |
| Description | Course of Action.attribute | Description |
| Stage | Course of Action.attribute | Stage |
| Objective | Course of Action.attribute | Objective |
| Objective Confidence | Course of Action.attribute | Objective Confidence |
| Type | Course of Action.attribute | Type |
| Short Description | Course of Action.attribute | Short Description |
| Parameter_Observables | Indicator | |
| Impact | Course of Action.attribute | Impact |
| Cost | Course of Action.attribute | Cost |
| Efficacy | Course of Action.attribute | Efficacy |
| Related_COAs | Course of Action | |

- Incidents Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Title | Incident.value | |
| ID | Incident.attribute | STIX Reference ID |
| Timestamp | Incident.published_at | |
| Description | Incident.attribute | Description |
| Categories | Incident.attribute | Category |
| First Malicious Action | Incident.attribute | First Malicious Action |
| Initial_Compromise | Incident.attribute | Initial Compromise |
| First_Data_Exfiltration | Incident.attribute | First Data Exfiltration |
| Incident_Discovery | Incident.attribute | Incident Discovery |
| Incident_Opened | Incident.attribute | Incident Opened |
| Incident_Opened | Incident.started_at | |
| Containment_Achieved | Incident.attribute | Containment Achieved |
| Restoration_Achieved | Incident.attribute | Restoration Achieved |
| Incident_Reported | Incident.attribute | Incident Reported |
| Incident_Closed | Incident.attribute | Incident Closed |
| Incident_Closed | | |
| Coordinator | Incident.attribute | Coordinator |
| | Incident.attribute | Coordinator |
| Reporter | Incident.attribute | Reporter |
| | Incident.attribute | Reporter |
| Responder | Incident.attribute | Responder |
| | Incident.attribute | Responder |
| Victim | Incident.attribute | Victim |
| | Incident.attribute | Victim |
| Related Indicators | Indicator | |
| Related Observables | Indicator | |
| Leveraged_TTPs | TTP | |
| Intended_Effect | Incident.attribute | Intended Effect |
| COA_Requested | Course of Action | |
| COA_Taken | Course of Action | |
| Confidence | Incident.attribute | Confidence |
| Attributed_Threat_Actors | Adversary | |
| Discovery_Method | Incident.attribute | Discovery Method |
| Related_Incidents | Incident | |

- TTP Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Title | TTP.value | |
| ID | TTP.attribute | STIX Reference ID |
| Description | TTP.attribute | Description |
| Handling | TTP.tlp | |
| Kill_Chain_Phases | TTP.attribute | Kill Chain Phase |
| Intended_Effect | TTP.attribute | Intended Effect |
| | TTP.attribute | CAPEC ID |
| Behavior | TTP.attribute | Attack Pattern |
| | TTP.attribute | Attack Pattern Description |
| | TTP.attribute | Attack Pattern Short Description |
| | TTP.attribute | Malware Type |
| | TTP.attribute | Malware Name |
| | TTP.attribute | Malware Description |
| | TTP.attribute | Malware Short Description |
| | TTP.attribute | Malware Detection Vendor |
| | TTP.attribute | Malware Family |
| | TTP.attribute | Exploit |
| | TTP.attribute | Exploit Description |
| | TTP.attribute | Exploit Short Description |
| Exploit_Targets | Exploit Target | |
| Related_TTPs | TTP | |
| Resources | TTP.attribute | Tool |
| | TTP.attribute | Tool |
| | TTP.attribute | Tool Type |
| | TTP.attribute | Tool Description |
| | TTP.attribute | Tool Short Description |
| | TTP.attribute | Infrastructure Type |
| | TTP.attribute | Infrastructure |
| | TTP.attribute | Infrastructure Short Description |
| | TTP.attribute | Infrastructure Description |
| | Indicator | |
| | TTP.attribute | Persona |
| Victim Targeting | TTP.attribute | Victim Name |
| | TTP.attribute | Victim <CIQ Identity Name> |
| | TTP.attribute | Targeted Systems |
| | TTP.attribute | Targeted Information |
| | Indicator | |

- CIQ Identity Mapping

| STIX Field | ThreatQ Field Mapping | ThreatQ Name |
| --- | --- | --- |
| Party Name | Object.attribute | Name |
| Organization Name | Object.attribute | Organization |
| Industry Sector | Object.attribute | Industry |
| Nationality | Object.attribute | Nationality |
| Languages | Object.attribute | Language |
| Address | Object.attribute | Country |
| Email Address | Object.attribute | E-Mail Address |
| Chat Handle | Object.attribute | Chat Handle |
| Phone | Object.attribute | Phone |