STIX 2.1 Data Mapping
The ThreatQ STIX parser does not formally support version 2.1; it parses 2.1 files in the same manner as 2.0 files. Object types introduced in STIX 2.1 are therefore not parsed, with the exceptions documented on this page: Note, Incident and Infrastructure objects, Location objects, and the confidence property.
Notes Mapping

STIX 2.1 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
abstract | Object Value | |
type | "note" | |
external_references[] | See External References | External Reference |
content | Description | |
authors | | Note Author |
created | Notes.Published_At | |
modified | Notes.Attribute | Modified At |
object_refs | | |
object_marking_refs | | |

Incident Mapping

STIX 2.1 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
name | Object Value | |
type | "incident" | |
external_references[] | See External References | External Reference |
description | Description | |
created | Incident.Published_At | |
modified | Incident.Attribute | Modified At |
object_refs | | |
object_marking_refs | | |

Infrastructure Mapping

STIX 2.1 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
name | value | |
type | "infrastructure" | |
id | TQUUID | |
description | Description | |
created | Infrastructure.Created_At | |
modified | Infrastructure.Attribute | Modified At |
infrastructure_types | | infrastructure_type |
kill_chain_phases[] | See Kill Chain Table | |

Kill Chain Phase:
- When you import an infrastructure object that includes kill chain phase information from a STIX file, that information is imported as attributes whose names are prefixed with "Kill Chain:". For example, importing the InfraOne infrastructure item gives it an attribute of Kill Chain: mitre-attack.
- When you export an infrastructure object that carries Kill Chain: attributes to a STIX file, those attributes are exported as kill chain phase information.
Infrastructure Types:
- When you import an infrastructure object, the infrastructure_types list from the STIX field is converted into attributes named infrastructure_type (singular), one attribute per list entry, each holding the corresponding value.
- When you export an infrastructure object, these attributes are exported back as the infrastructure_types list.
External References

STIX 2.1 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
Object.external_references[].source_name | Object.Attribute | External Reference* |
Object.external_references[].external_id | Object.Attribute | External Reference* |
Object.external_references[].description | Object.Attribute | External Reference* |
Object.external_references[].url | Object.Attribute | External Reference* |

* The four properties are combined into a single attribute value, formatted as: {source_name} ({external_id}): {description} - {url}
Kill Chain Table

STIX 2.1 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
kill_chain_phases[].kill_chain_name | Object.Attribute | Kill Chain Name |
kill_chain_phases[].phase_name | Object.Attribute | Kill Chain Phase |
Common Properties
Confidence Values:
ThreatQ imports the confidence property of system objects in STIX 2.1 files as an attribute. confidence is an optional integer property, on a scale from 0 to 100, that expresses how confident the object creator is in the correctness of their data.
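The import-side rules described above, carried through in code: the external reference fields rendered as a single attribute value, kill chain phases turned into Kill Chain Name and Kill Chain Phase attributes, the plural infrastructure_types list split into one infrastructure_type attribute per entry, and confidence range-checked before it is stored. This is an added example, not ThreatQ's parser. The bundle is constructed; the attribute name "Confidence", the skipping of missing optional reference fields, and the object value chosen for notes (abstract) are assumptions.

```python
"""Import-side mapping of the STIX 2.1 properties described on this page into
ThreatQ-style (name, value) attributes.  Added example, not ThreatQ's parser."""
import json

# Constructed sample: a STIX 2.1 bundle holding one Infrastructure object.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--d2b9e7a0-4d4e-4a8e-9c1e-1f2a3b4c5d6e",
    "objects": [{
        "type": "infrastructure",
        "spec_version": "2.1",
        "id": "infrastructure--5a6b7c8d-1e2f-4a3b-8c9d-0e1f2a3b4c5d",
        "created": "2024-01-15T10:00:00.000Z",
        "modified": "2024-02-01T12:30:00.000Z",
        "name": "InfraOne",
        "description": "Staging servers used by the campaign",
        "infrastructure_types": ["command-and-control", "hosting-malware"],
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"},
        ],
        "confidence": 75,
        "external_references": [
            {"source_name": "ACME Intel", "external_id": "ACME-42",
             "description": "Vendor report", "url": "https://example.test/report/42"},
            {"source_name": "mitre-attack", "external_id": "T1583"},
        ],
    }],
})

# Object types this page maps; other 2.1-only types are skipped, as the page says.
MAPPED_TYPES = ("note", "incident", "infrastructure")


def is_valid_confidence(value):
    """STIX 2.1 defines confidence as an integer in the range 0-100."""
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 100


def format_external_reference(ref):
    """Render one external_reference as the single attribute value the page
    describes: {source_name} ({external_id}): {description} - {url}.
    Only source_name is required by STIX; dropping the other parts when they
    are absent is this example's assumption, not documented ThreatQ behaviour."""
    text = ref["source_name"]
    if ref.get("external_id"):
        text += f" ({ref['external_id']})"
    if ref.get("description"):
        text += f": {ref['description']}"
    if ref.get("url"):
        text += f" - {ref['url']}"
    return text


def stix_object_to_attributes(obj):
    """Return the (attribute name, value) pairs for the shared properties on this page."""
    attrs = []
    for ref in obj.get("external_references", []):
        attrs.append(("External Reference", format_external_reference(ref)))
    for phase in obj.get("kill_chain_phases", []):
        attrs.append(("Kill Chain Name", phase["kill_chain_name"]))
        attrs.append(("Kill Chain Phase", phase["phase_name"]))
    # The plural infrastructure_types list becomes one infrastructure_type attribute per entry.
    for infra_type in obj.get("infrastructure_types", []):
        attrs.append(("infrastructure_type", infra_type))
    if "confidence" in obj:
        if not is_valid_confidence(obj["confidence"]):
            raise ValueError(f"confidence must be an integer 0-100, got {obj['confidence']!r}")
        # The page does not name the attribute; "Confidence" is an assumption.
        attrs.append(("Confidence", str(obj["confidence"])))
    return attrs


def parse_bundle(bundle_json):
    """Parse a STIX 2.1 bundle into {object value: attributes} for the mapped types.
    The object value is abstract for notes and name for incidents and infrastructure."""
    result = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") not in MAPPED_TYPES:
            continue
        value = obj.get("abstract") if obj["type"] == "note" else obj.get("name")
        result[value] = stix_object_to_attributes(obj)
    return result


if __name__ == "__main__":
    for name, attrs in parse_bundle(SAMPLE_BUNDLE).items():
        print(name)
        for attr_name, attr_value in attrs:
            print(f"  {attr_name}: {attr_value}")
```

The confidence check matters because a producer that emits a float, a string, or an out-of-range value would otherwise land in an attribute that downstream scoring treats as a number; rejecting it at parse time keeps bad data out of the object.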
Location Keys:
When you export system objects to a STIX file, attributes with any of the following location keys are converted into STIX Location objects rather than exported as plain attributes: latitude, longitude, precision, region, country, administrative area, city, street address, postal code. In the other direction, STIX imports convert Location objects into attributes with these same keys.
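The location conversion in both directions, as an added example that is not ThreatQ's exporter: the attribute keys are the ones listed above, the snake_case STIX property names and the validation rules (latitude and longitude always together, precision only with both, and at least one of region, country or coordinates present) follow the STIX 2.1 Location object definition and are this example's assumption, as are the constructed attribute list and the case-insensitive key match.

```python
"""Export-side conversion of ThreatQ location attributes into a STIX 2.1
Location object, and the reverse for import.  Added example, not ThreatQ's
exporter; property names and validation follow the STIX 2.1 Location object
definition and are this example's assumption."""
import uuid

# ThreatQ attribute key (as listed on this page) -> STIX 2.1 Location property.
LOCATION_KEYS = {
    "latitude": "latitude",
    "longitude": "longitude",
    "precision": "precision",
    "region": "region",
    "country": "country",
    "administrative area": "administrative_area",
    "city": "city",
    "street address": "street_address",
    "postal code": "postal_code",
}
STIX_TO_THREATQ = {stix: tq for tq, stix in LOCATION_KEYS.items()}
NUMERIC_PROPERTIES = {"latitude", "longitude", "precision"}

# Constructed sample: attributes on a ThreatQ object being exported.
SAMPLE_ATTRIBUTES = [
    ("country", "US"),
    ("administrative area", "VA"),
    ("city", "Arlington"),
    ("latitude", "38.8816"),
    ("longitude", "-77.0910"),
    ("Confidence", "75"),  # not a location key; stays a plain attribute
]


def validate_location(props):
    """Return the list of STIX 2.1 Location constraints that props violate."""
    problems = []
    has_lat, has_lon = "latitude" in props, "longitude" in props
    if has_lat != has_lon:
        problems.append("latitude and longitude must both be present or both absent")
    if "precision" in props and not (has_lat and has_lon):
        problems.append("precision requires latitude and longitude")
    if not (has_lat or "region" in props or "country" in props):
        problems.append("a Location needs region, country, or latitude/longitude")
    if has_lat and not -90.0 <= props["latitude"] <= 90.0:
        problems.append("latitude out of range")
    if has_lon and not -180.0 <= props["longitude"] <= 180.0:
        problems.append("longitude out of range")
    return problems


def attributes_to_location(attributes, timestamp="2024-03-01T00:00:00.000Z"):
    """Split a ThreatQ attribute list into (Location object or None, remaining attributes).

    Location-key attributes are consumed into the Location object so they are not
    also exported as plain attributes; timestamp stands in for the object's own."""
    props, remaining = {}, []
    for name, value in attributes:
        stix_key = LOCATION_KEYS.get(name.strip().lower())
        if stix_key is None:
            remaining.append((name, value))
            continue
        if stix_key in NUMERIC_PROPERTIES:
            try:
                value = float(value)
            except ValueError:
                raise ValueError(f"{name} must be numeric, got {value!r}") from None
        props[stix_key] = value
    if not props:
        return None, remaining
    problems = validate_location(props)
    if problems:
        raise ValueError("; ".join(problems))
    location = {
        "type": "location",
        "spec_version": "2.1",
        "id": f"location--{uuid.uuid4()}",
        "created": timestamp,
        "modified": timestamp,
    }
    location.update(props)
    return location, remaining


def location_to_attributes(location):
    """Import direction: turn a STIX 2.1 Location object back into ThreatQ attributes."""
    return [(STIX_TO_THREATQ[key], str(location[key]))
            for key in STIX_TO_THREATQ if key in location]


if __name__ == "__main__":
    loc, rest = attributes_to_location(SAMPLE_ATTRIBUTES)
    print(loc)
    print(rest)
```

Refusing to emit a Location with only a latitude, or with a non-numeric coordinate, is what keeps the exported bundle valid for the consumer: a strict STIX 2.1 parser on the receiving end will reject the whole bundle, not just the one object.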