STIX 2.0 Data Mapping
The ThreatQ STIX parser does not formally support STIX 2.1, but it parses 2.1 files in the same manner as 2.0 files. As a result, object types introduced in STIX 2.1 are not parsed, with the exception of Note objects.
- Attack Patterns Mapping

STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Attack Pattern.Published_at | |
description | Attack Pattern.Attribute | Description |
external_references[] | See External References | |
kill_chain_phases[] | See Kill Chain Table | |
modified | Attack Pattern.Attribute | Modified At |
name | Attack Pattern.Value | |
revoked (if revoked == true) | Attack Pattern.Attribute | Revoked |
labels | Attack Pattern.Attribute | Label |

- Threat Actors Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
aliases | Adversary* | |
created | Adversary.Published_at | |
goals | Adversary.Attribute | Goal |
labels | Adversary.Attribute | Label |
modified | Adversary.Attribute | Modified At |
name | Adversary.Value | |
primary_motivation | Adversary.Attribute | Primary Motivation |
resource_level | Adversary.Attribute | Resource Level |
roles | Adversary.Attribute | Role |
secondary_motivations | Adversary.Attribute | Secondary Motivation |
sophistication | Adversary.Attribute | Sophistication |
revoked (if revoked == true) | Adversary.Attribute | Revoked |
external_references[] | See External References | |
personal_motivations | Adversary.Attribute | Personal Motivation |
* One Adversary is created per alias. Each alias Adversary receives the same attributes and published_at as the base Adversary, and all alias Adversaries are related to one another.

- Indicators Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Signature.Published_at | |
description | Signature.Description | |
external_references[] | See External References | |
labels | Signature.Attribute | Label |
modified | Signature.Attribute | Modified At |
name | Signature.Name* | |
pattern | Signature.Value | Signature.Type: Indicator Pattern |
valid_from | Signature.Attribute | Valid From |
valid_until | Signature.Attribute | Valid Until |
revoked (if revoked == true) | Signature.Attribute | Revoked |
kill_chain_phases[] | See Kill Chain Table | |
* If no name is provided, ThreatQ defaults to using Indicator Pattern as the Signature name.

ThreatQ Indicator and/or Event objects may also be derived from the pattern field according to the Observables Mapping below; each derived object is related back to the resulting Signature.

- Identities Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
contact_information | Identity.Contact_Information | |
created | Identity.Published_at | |
description | Identity.Description | |
external_references[] | See External References | |
identity_class | Identity.Attribute | Identity Class |
modified | Identity.Attribute | Modified At |
name | Identity.Value | |
sectors | Identity.Attribute | Sector |
labels | Identity.Attribute | Label |
revoked (if revoked == true) | Identity.Attribute | Revoked |

- Observables Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Observable.Published_at | |
modified | Observable.Attribute | Modified At |
revoked (if revoked == true) | Observable.Attribute | Revoked |
external_references[] | Observable.Attribute (see External References) | External Reference |
number_observed | Observable.Attribute | Number Observed |
objects[] | The Cyber Observable Objects representing this observation; each is parsed according to the tables below | |

- Artifact Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: artifact | Indicator.Type | URL |
mime_type | Indicator.Attribute | MIME Type |
url | Indicator.Value | |
hashes{} | Indicator.Relationship | |
hashes{}.key | Indicator.Type | MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 / Fuzzy Hash |
hashes{}.value | Indicator.Value | |

- Autonomous System Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: autonomous-system | Indicator.Type | ASN |
number | Indicator.Value | |
name | Indicator.Attribute | Name |
rir | Indicator.Attribute | Regional Internet Registry |

- Directory Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: directory | Indicator.Type | File Path |
path | Indicator.Value | |
path_enc | Indicator.Attribute | Path Encoding |
created | Indicator.Attribute | Created At |
accessed | Indicator.Attribute | Last Accessed |
contains_refs[] | Indicator.Relationship | |

- Domain-Name Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: domain-name | Indicator.Type | FQDN |
value | Indicator.Value | |
resolves_to_refs[] | Indicator.Relationship | |

- Email Addr Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: email-addr | Indicator.Type | Email Address |
display_name | Indicator.Attribute | Display Name |
value | Indicator.Value | |
belongs_to_ref | Indicator.Relationship | |

- Email Message Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: email-message | Event.Type / Indicator.Type | Spearphish / Email Subject |
subject** | Event.Title / Indicator.Value | |
is_multipart | Indicator.Attribute | Is Multipart |
date | Event.Happened_at (if parsing as an event)* / Indicator.Attribute (if parsing as an indicator) | Sent Date |
content_type | Indicator.Attribute | Content Type |
from_ref | Event.Relationship / Indicator.Relationship | From |
sender_ref | Event.Relationship / Indicator.Relationship | Sender |
to_refs | Event.Relationship / Indicator.Relationship | To |
cc_refs | Event.Relationship | CC |
bcc_refs | Event.Relationship / Indicator.Relationship | BCC |
received_lines | Event.Attribute / Indicator.Attribute | Received Lines |
additional_header_fields | Event.Attribute / Indicator.Attribute | Additional Header - {key} (one attribute is created per key-value pair of the additional_header_fields object) |
body | Event.Attribute / Indicator.Attribute | Body |
body_multipart[].body_raw_ref*** | Indicator | Filename |
raw_email_ref | Event.Relationship / Indicator.Relationship | |
* To parse an Event from an email message, the message must have both a date and a subject field.
** To parse an Indicator from an email message, the message must have a subject field.
*** If an object in body_multipart has a body field (body_multipart[].body), a "Body Multipart" attribute is created whose value has the format "Content Type: {body_multipart[].content_type}, Content Disposition: {body_multipart[].content_disposition}, Body: {body_multipart[].body}".

Note: When both an Indicator and an Event are parsed from the same email message, the two objects are related to each other.
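The following is an added example, not ThreatQ's own parser code, showing how the Email Message rules above play out on one STIX 2.0 `email-message` object: an Indicator is produced whenever a subject is present, an Event only when both date and subject are present, shared attributes go to both, `cc_refs` becomes an Event relationship only, and `body_raw_ref` parts become Filename indicators. The sample `objects` map is constructed for the example, and the record layout (plain dicts with `(name, value)` attribute tuples) is this example's own choice, not ThreatQ's data model.

```python
"""Added example, not ThreatQ's own parser code: derive the ThreatQ-style
Event and Indicator records that the Email Message Mapping table describes
from one STIX 2.0 ``email-message`` cyber observable object. References such
as ``from_ref`` are resolved against the ``objects`` map of the enclosing
observed-data SDO; the record layout is this example's own choice."""

# Constructed sample ``objects`` map of one observed-data SDO (not real data).
SAMPLE_OBJECTS = {
    "0": {"type": "email-addr", "value": "billing@example.test",
          "display_name": "Billing"},
    "1": {"type": "file", "name": "invoice.pdf.exe"},
    "2": {
        "type": "email-message",
        "is_multipart": True,
        "date": "2016-06-19T16:29:30Z",
        "subject": "Invoice #1203 overdue",
        "from_ref": "0",
        "sender_ref": "0",
        "to_refs": ["3"],
        "received_lines": ["from mail.example.test by mx.example.org"],
        "additional_header_fields": {"X-Mailer": "bulkmail 1.0",
                                     "Reply-To": "billing@example.test"},
        "body_multipart": [
            {"content_type": "text/plain", "content_disposition": "inline",
             "body": "Please see the attached invoice."},
            {"content_type": "application/octet-stream",
             "content_disposition": "attachment; filename=invoice.pdf.exe",
             "body_raw_ref": "1"},
        ],
    },
    "3": {"type": "email-addr", "value": "victim@example.org"},
}

# *_ref / *_refs fields and the relationship name the table gives them.
REF_FIELDS = {"from_ref": "From", "sender_ref": "Sender", "to_refs": "To",
              "cc_refs": "CC", "bcc_refs": "BCC"}
# Fields that become attributes of the Indicator form only.
INDICATOR_ONLY = (("date", "Sent Date"), ("is_multipart", "Is Multipart"),
                  ("content_type", "Content Type"))


def _resolve(objects, ref_or_refs):
    """Return the mapped value of each referenced object (email-addr value or file name)."""
    refs = ref_or_refs if isinstance(ref_or_refs, list) else [ref_or_refs]
    return [objects.get(r, {}).get("value") or objects.get(r, {}).get("name")
            for r in refs]


def _shared_attributes(msg):
    """Attributes the table assigns to both the Event and the Indicator."""
    attrs = [("Additional Header - " + k, v)
             for k, v in msg.get("additional_header_fields", {}).items()]
    if "body" in msg:
        attrs.append(("Body", msg["body"]))
    if "received_lines" in msg:   # joined into one attribute (example's choice)
        attrs.append(("Received Lines", "\n".join(msg["received_lines"])))
    for part in msg.get("body_multipart", []):   # *** one attribute per part with a body
        if "body" in part:
            attrs.append(("Body Multipart",
                          "Content Type: {}, Content Disposition: {}, Body: {}".format(
                              part.get("content_type"), part.get("content_disposition"),
                              part["body"])))
    return attrs


def map_email_message(msg, objects):
    """Return {'event', 'indicator', 'attachments'} for an email-message object,
    or None when no Indicator can be produced (** a subject is required)."""
    if msg.get("type") != "email-message" or "subject" not in msg:
        return None
    shared = _shared_attributes(msg)
    rels = {name: _resolve(objects, msg[f]) for f, name in REF_FIELDS.items() if f in msg}

    indicator = {"type": "Email Subject", "value": msg["subject"],
                 "attributes": list(shared),
                 # cc_refs is an Event relationship only in the table
                 "relationships": {k: v for k, v in rels.items() if k != "CC"}}
    for field, name in INDICATOR_ONLY:
        if field in msg:
            indicator["attributes"].append((name, msg[field]))

    event = None
    if "date" in msg:   # * an Event needs both date and subject
        event = {"type": "Spearphish", "title": msg["subject"],
                 "happened_at": msg["date"], "attributes": list(shared),
                 "relationships": dict(rels),
                 # Note: an Indicator and Event parsed from one message are related
                 "related_indicator": msg["subject"]}

    # body_multipart[].body_raw_ref -> one Filename indicator per referenced file object
    attachments = [{"type": "Filename", "value": name}
                   for part in msg.get("body_multipart", []) if "body_raw_ref" in part
                   for name in _resolve(objects, part["body_raw_ref"]) if name]
    return {"event": event, "indicator": indicator, "attachments": attachments}
```

Running `map_email_message(SAMPLE_OBJECTS["2"], SAMPLE_OBJECTS)` yields a Spearphish Event and an Email Subject Indicator that share the header, body and multipart attributes; removing `date` from the message yields the Indicator alone, and a message without `subject` yields nothing.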
- File Mapping

STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: file | Indicator.Type | Filename |
size | Indicator.Attribute | File Size |
hashes{} | | |
hashes{}.key | Indicator.Type | MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 / Fuzzy Hash |
hashes{}.value | Indicator.Value | |
name | Indicator.Value | |
name_enc | Indicator.Attribute | File Name Encoding |
magic_number_hex | Indicator.Attribute | Magic Number Hex |
mime_type | Indicator.Attribute | MIME Type |
created | Indicator.Attribute | Created At |
accessed | Indicator.Attribute | Last Accessed |
parent_directory_ref | Indicator.Relationship | |
is_encrypted | Indicator.Attribute | Encrypted |
encryption_algorithm | Indicator.Attribute | Encryption Algorithm |
decryption_key | Indicator.Attribute | Decryption Key |
contains_refs[] | Indicator.Relationship | |
content_ref | Indicator.Relationship | |
extensions.archive-ext.contains_refs[] | Indicator.Relationship | |
extensions.archive-ext.version | Indicator.Attribute | Archive Version |
extensions.archive-ext.comment | Indicator.Attribute | Archive File Comment |
extensions.ntfs-ext.sid | Indicator.Attribute | Security ID |
extensions.ntfs-ext.alternate_data_streams[].hashes{} | | |
extensions.ntfs-ext.alternate_data_streams[].hashes{}.key | Indicator.Type | MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 / Fuzzy Hash |
extensions.ntfs-ext.alternate_data_streams[].hashes{}.value | Indicator.Value | |
extensions.ntfs-ext.alternate_data_streams[].name | Indicator.Attribute | Alternate Data Stream Name |
extensions.ntfs-ext.alternate_data_streams[].size | Indicator.Attribute | Alternate Data Stream Size |
extensions.pdf-ext.version | Indicator.Attribute | PDF Specification Version |
extensions.pdf-ext.is_optimized | Indicator.Attribute | PDF Is Optimized |
extensions.pdf-ext.document_info_dict{}.key/value | Indicator.Attribute | Formatted as: 'PDF {key.title()}' |
extensions.pdf-ext.pdfid0 | Indicator.Attribute | PDF First File Identifier |
extensions.pdf-ext.pdfid1 | Indicator.Attribute | PDF Second File Identifier |
extensions.raster-image-ext.image_height | Indicator.Attribute | Image Height |
extensions.raster-image-ext.image_width | Indicator.Attribute | Image Width |
extensions.raster-image-ext.bits_per_pixel | Indicator.Attribute | Image Bits Per Pixel |
extensions.raster-image-ext.image_compression_algorithm | Indicator.Attribute | Image Compression Algorithm |
extensions.raster-image-ext.exif_tags{}.key/value | Indicator.Attribute | Formatted as: 'Image EXIF {key.title()}' |
extensions.windows-pebinary-ext.pe_type | Indicator.Attribute | Executable Extension Type |
extensions.windows-pebinary-ext.imphash | Indicator.Attribute | Executable Imphash |
extensions.windows-pebinary-ext.machine_hex | Indicator.Attribute | Target Machine Hex |
extensions.windows-pebinary-ext.number_of_sections | Indicator.Attribute | PE Binary Section Count |
extensions.windows-pebinary-ext.time_date_stamp | Indicator.Attribute | PE Binary Created Date |
extensions.windows-pebinary-ext.pointer_to_symbol_table_hex | Indicator.Attribute | Symbol Table Hex Offset |
extensions.windows-pebinary-ext.number_of_symbols | Indicator.Attribute | PE Binary Symbol Table Size |
extensions.windows-pebinary-ext.size_of_optional_header | Indicator.Attribute | PE Binary Optional Header Size |
extensions.windows-pebinary-ext.characteristics_hex | Indicator.Attribute | PE Binary Characteristics Hex |
extensions.windows-pebinary-ext.file_header_hashes{} | | |
extensions.windows-pebinary-ext.file_header_hashes{}.key | Indicator.Type | MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 / Fuzzy Hash |
extensions.windows-pebinary-ext.file_header_hashes{}.value | Indicator.Value | |
extensions.windows-pebinary-ext.optional_header.magic_hex | Indicator.Attribute | PE Binary Magic Hex |
extensions.windows-pebinary-ext.optional_header.major_linker_version | Indicator.Attribute | PE Binary Major Linker Version |
extensions.windows-pebinary-ext.optional_header.minor_linker_version | Indicator.Attribute | PE Binary Minor Linker Version |
extensions.windows-pebinary-ext.optional_header.size_of_code | Indicator.Attribute | PE Binary Code Size |
extensions.windows-pebinary-ext.optional_header.size_of_initialized_data | Indicator.Attribute | PE Binary Initialized Data Size |
extensions.windows-pebinary-ext.optional_header.size_of_uninitialized_data | Indicator.Attribute | PE Binary Uninitialized Data Size |
extensions.windows-pebinary-ext.optional_header.address_of_entry_point | Indicator.Attribute | PE Binary Memory Address Entry Point |
extensions.windows-pebinary-ext.optional_header.base_of_code | Indicator.Attribute | PE Binary Base Code Memory Address |
extensions.windows-pebinary-ext.optional_header.base_of_data | Indicator.Attribute | PE Binary Base Data Memory Address |
extensions.windows-pebinary-ext.optional_header.image_base | Indicator.Attribute | PE Binary Base Image Memory Address |
extensions.windows-pebinary-ext.optional_header.section_alignment | Indicator.Attribute | PE Binary Section Alignment Bytes |
extensions.windows-pebinary-ext.optional_header.file_alignment | Indicator.Attribute | PE Binary Image File Alignment Bytes |
extensions.windows-pebinary-ext.optional_header.major_os_version | Indicator.Attribute | Windows OS Major Version |
extensions.windows-pebinary-ext.optional_header.minor_os_version | Indicator.Attribute | Windows OS Minor Version |
extensions.windows-pebinary-ext.optional_header.major_image_version | Indicator.Attribute | Image Major Version |
extensions.windows-pebinary-ext.optional_header.minor_image_version | Indicator.Attribute | Image Minor Version |
extensions.windows-pebinary-ext.optional_header.major_subsystem_version | Indicator.Attribute | Subsystem Major Version |
extensions.windows-pebinary-ext.optional_header.minor_subsystem_version | Indicator.Attribute | Subsystem Minor Version |
extensions.windows-pebinary-ext.optional_header.win32_version_value_hex | Indicator.Attribute | Win32 Version Hex |
extensions.windows-pebinary-ext.optional_header.size_of_image | Indicator.Attribute | Image Byte Size |
extensions.windows-pebinary-ext.optional_header.size_of_headers | Indicator.Attribute | PE Binary Combined Header Size |
extensions.windows-pebinary-ext.optional_header.checksum_hex | Indicator.Attribute | PE Binary Checksum Hex |
extensions.windows-pebinary-ext.optional_header.subsystem_hex | Indicator.Attribute | PE Binary Required Subsystem Hex |
extensions.windows-pebinary-ext.optional_header.dll_characteristics_hex | Indicator.Attribute | DLL Characteristics Hex |
extensions.windows-pebinary-ext.optional_header.size_of_stack_reserve | Indicator.Attribute | Reserved Stack Size |
extensions.windows-pebinary-ext.optional_header.size_of_stack_commit | Indicator.Attribute | Stack Commit Size |
extensions.windows-pebinary-ext.optional_header.size_of_heap_reserve | Indicator.Attribute | Heap Space Reserve Size |
extensions.windows-pebinary-ext.optional_header.size_of_heap_commit | Indicator.Attribute | Heap Space Commit Size |
extensions.windows-pebinary-ext.optional_header.loader_flags_hex | Indicator.Attribute | Loader Flags Hex |
extensions.windows-pebinary-ext.optional_header.number_of_rva_and_sizes | Indicator.Attribute | Number of RVA and Sizes |
extensions.windows-pebinary-ext.optional_header.hashes{} | | |
extensions.windows-pebinary-ext.optional_header.hashes{}.key | Indicator.Type | MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 / Fuzzy Hash |
extensions.windows-pebinary-ext.optional_header.hashes{}.value | Indicator.Value | |
extensions.windows-pebinary-ext.sections[].hashes{} | | |
extensions.windows-pebinary-ext.sections[].hashes{}.key | Indicator.Type | MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 / Fuzzy Hash |
extensions.windows-pebinary-ext.sections[].hashes{}.value | Indicator.Value | |
extensions.windows-pebinary-ext.sections[].name | Indicator.Attribute | PE Binary Section Name |
extensions.windows-pebinary-ext.sections[].size | Indicator.Attribute | PE Binary Section Size |
extensions.windows-pebinary-ext.sections[].entropy | Indicator.Attribute | PE Binary Section Entropy |

- IPv4 Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: ipv4-addr | Indicator.Type | CIDR Block (if the value contains a / and does not end with /32) / IP Address (if the value ends with /32, the /32 is dropped and the value is reported as an IP Address) |
value | Indicator.Value | |
resolves_to_refs[] | Indicator.Relationship | |
belongs_to_refs[] | Indicator.Relationship | |

- IPv6 Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: ipv6-addr | Indicator.Type | IPv6 Address |
value | Indicator.Value | |
resolves_to_refs[] | Indicator.Relationship | |
belongs_to_refs[] | Indicator.Relationship | |

- MAC Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: mac-addr | Indicator.Type | MAC Address |
value | Indicator.Value | |

- Mutex Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: mutex | Indicator.Type | Mutex |
name | Indicator.Value | |

- URL Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: url | Indicator.Type | URL |
value | Indicator.Value | |

- User Account Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: user-account | Indicator.Type | Username |
user_id | Indicator.Attribute | User ID |
account_login | Indicator.Value | |
account_type | Indicator.Attribute | Account Type |
display_name | Indicator.Attribute | Display Name |
is_service_account | Indicator.Attribute | Is Service Account |
is_privileged | Indicator.Attribute | Is Privileged Account |
can_escalate_privs | Indicator.Attribute | Can Escalate Privileges |
is_disabled | Indicator.Attribute | Is Disabled |
account_created | Indicator.Attribute | Account Created |
account_expires | Indicator.Attribute | Account Expires |
password_last_changed | Indicator.Attribute | Password Last Changed |
account_first_login | Indicator.Attribute | Account First Login |
account_last_login | Indicator.Attribute | Account Last Login |
extensions.unix-account-ext.gid | Indicator.Attribute | Account Group ID |
extensions.unix-account-ext.groups[] | Indicator.Attribute | Account Group |
extensions.unix-account-ext.home_dir | Indicator.Attribute | Account Home Directory |
extensions.unix-account-ext.shell | Indicator.Attribute | Account Command Shell |

- Windows Registry Key Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
type: windows-registry-key | Indicator.Type | Registry Key |
key | Indicator.Value | |
values[].name | Indicator.Attribute | Registry Name |
modified | Indicator.Attribute | Registry Modified At |
creator_user_ref | Indicator.Relationship | |
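The following is an added example, not ThreatQ's own parser code, that applies the cyber observable tables above to a constructed observed-data `objects` map: the ipv4-addr prefix rule (a `/32` is stripped and reported as an IP Address, any other prefix is a CIDR Block), `hashes{}` keys selecting the indicator type, the `'PDF {key.title()}'` attribute naming for `pdf-ext`, and `resolves_to_refs` / `belongs_to_refs` resolved into relationships with the target object's mapped type and value. Two points are this example's assumptions rather than statements on the page: the STIX 2.0 hash key `SSDEEP` is treated as the Fuzzy Hash type, and a bare ipv4-addr value with no prefix is treated as an IP Address.

```python
"""Added example, not ThreatQ's own parser code: map the cyber observable
objects of a STIX 2.0 observed-data ``objects`` map to ThreatQ-style indicator
records following the observable tables on this page. The record layout
(plain dicts, (name, value) attribute tuples) is this example's own choice."""

HASH_TYPES = {"MD5": "MD5", "SHA-1": "SHA-1", "SHA-256": "SHA-256",
              "SHA-384": "SHA-384", "SHA-512": "SHA-512",
              "SSDEEP": "Fuzzy Hash"}   # SSDEEP -> Fuzzy Hash is an assumption

# Constructed sample ``objects`` map (documentation addresses, made-up hashes).
SAMPLE_OBJECTS = {
    "0": {"type": "ipv4-addr", "value": "198.51.100.0/24"},
    "1": {"type": "ipv4-addr", "value": "198.51.100.7/32", "belongs_to_refs": ["3"]},
    "2": {"type": "ipv4-addr", "value": "203.0.113.9"},
    "3": {"type": "autonomous-system", "number": 64496, "name": "EXAMPLE-AS", "rir": "ARIN"},
    "4": {"type": "domain-name", "value": "c2.example.test", "resolves_to_refs": ["2"]},
    "5": {"type": "file", "name": "dropper.exe", "size": 48128,
          "hashes": {"MD5": "9e107d9d372bb6826bd81d3542a419d6", "SHA-256": "ab" * 32,
                     "SSDEEP": "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C"},
          "extensions": {"windows-pebinary-ext": {
              "pe_type": "exe", "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744"}}},
    "6": {"type": "file", "name": "report.pdf",
          "extensions": {"pdf-ext": {"version": "1.7",
                                     "document_info_dict": {"author": "A. Writer"}}}},
}

SIMPLE_TYPES = {"ipv6-addr": "IPv6 Address", "domain-name": "FQDN", "url": "URL",
                "mac-addr": "MAC Address"}


def ipv4_indicator(obj):
    """ipv4-addr: a /32 is dropped and reported as IP Address; any other prefix
    is a CIDR Block; a bare address is treated as IP Address (assumption)."""
    value = obj["value"]
    if value.endswith("/32"):
        return {"type": "IP Address", "value": value[:-len("/32")]}
    if "/" in value:
        return {"type": "CIDR Block", "value": value}
    return {"type": "IP Address", "value": value}


def hash_indicators(hashes):
    """hashes{}.key selects Indicator.Type, hashes{}.value is Indicator.Value."""
    return [{"type": HASH_TYPES[k.upper()], "value": v}
            for k, v in hashes.items() if k.upper() in HASH_TYPES]


def file_indicator(obj):
    """file -> Filename indicator with attributes; hash indicators are related to it."""
    ind = {"type": "Filename", "value": obj["name"], "attributes": [],
           "related": hash_indicators(obj.get("hashes", {}))}
    for field, name in (("size", "File Size"), ("mime_type", "MIME Type"),
                        ("created", "Created At"), ("accessed", "Last Accessed")):
        if field in obj:
            ind["attributes"].append((name, obj[field]))
    ext = obj.get("extensions", {})
    pdf = ext.get("pdf-ext", {})
    if "version" in pdf:
        ind["attributes"].append(("PDF Specification Version", pdf["version"]))
    for key, value in pdf.get("document_info_dict", {}).items():
        ind["attributes"].append(("PDF " + key.title(), value))   # 'PDF {key.title()}'
    pe = ext.get("windows-pebinary-ext", {})
    for field, name in (("pe_type", "Executable Extension Type"),
                        ("imphash", "Executable Imphash")):
        if field in pe:
            ind["attributes"].append((name, pe[field]))
    return ind


def map_observables(objects):
    """Map every object, then resolve resolves_to_refs / belongs_to_refs into
    Indicator relationships using the target object's mapped type and value."""
    mapped = {}
    for key, obj in objects.items():
        t = obj.get("type")
        if t == "ipv4-addr":
            mapped[key] = ipv4_indicator(obj)
        elif t in SIMPLE_TYPES:
            mapped[key] = {"type": SIMPLE_TYPES[t], "value": obj["value"]}
        elif t == "autonomous-system":
            mapped[key] = {"type": "ASN", "value": str(obj["number"]),
                           "attributes": [(n, obj[f]) for f, n in
                                          (("name", "Name"),
                                           ("rir", "Regional Internet Registry"))
                                          if f in obj]}
        elif t == "file":
            mapped[key] = file_indicator(obj)
    for key, obj in objects.items():          # second pass: references
        if key not in mapped:
            continue
        for field in ("resolves_to_refs", "belongs_to_refs"):
            for ref in obj.get(field, []):
                if ref in mapped:
                    mapped[key].setdefault("related", []).append(
                        {"type": mapped[ref]["type"], "value": mapped[ref]["value"]})
    return mapped
```

With the sample map, `map_observables(SAMPLE_OBJECTS)` reports `198.51.100.0/24` as a CIDR Block, `198.51.100.7/32` as the IP Address `198.51.100.7` related to ASN `64496`, the FQDN related to the IP Address it resolves to, and `dropper.exe` as a Filename indicator related to MD5, SHA-256 and Fuzzy Hash indicators.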
- Campaigns Mapping

STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
aliases | Campaign | |
created | Campaign.Published_at | |
description | Campaign.Description | |
first_seen | Campaign.Started_at | |
last_seen | Campaign.Ended_at | |
modified | Campaign.Attribute | Modified At |
name | Campaign.Value | |
objective | Campaign.Objective | |
revoked (if revoked == true) | Campaign.Attribute | Revoked |
external_references[] | See External References | |
labels | Campaign.Attribute | Label |

- Courses of Action Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Course of Action.Published_at | |
modified | Course of Action.Attribute | Modified At |
name | Course of Action.Value | |
description | Course of Action.Description | |
action | Not mapped (reserved in STIX 2.0) | |
revoked (if revoked == true) | Course of Action.Attribute | Revoked |
external_references[] | See External References | |
labels | Course of Action.Attribute | Label |

- Intrusion Sets Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
aliases | Intrusion Set | |
created | Intrusion Set.Published_at | |
description | Intrusion Set.Description | |
first_seen | | |
goals | Intrusion Set.Attribute | Goal |
modified | Intrusion Set.Attribute | Modified At |
name | Intrusion Set.Value | |
primary_motivation | Intrusion Set.Attribute | Primary Motivation |
resource_level | Intrusion Set.Attribute | Resource Level |
secondary_motivations | Intrusion Set.Attribute | Secondary Motivation |
external_references[] | See External References | |
revoked (if revoked == true) | Intrusion Set.Attribute | Revoked |

- Malware Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Malware.Published_at | |
description | Malware.Description | |
kill_chain_phases[] | See Kill Chain Table | |
labels | Malware.Attribute | Label |
modified | Malware.Attribute | Modified At |
name | Malware.Value | |
external_references[] | See External References | |
revoked (if revoked == true) | Malware.Attribute | Revoked |

- Tools Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Tool.Published_at | |
modified | Tool.Attribute | Modified At |
labels | Tool.Attribute | Label |
name | Tool.Value | |
revoked (if revoked == true) | Tool.Attribute | Revoked |
external_references[] | See External References | |
description | Tool.Description | |
kill_chain_phases[] | See Kill Chain Table | |
tool_version | Tool.Attribute | Tool Version |

- Reports Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
created | Report.Published_at | |
modified | Report.Attribute | Modified At |
name | Report.Value | |
description | Report.Description | |
labels | Report.Attribute | Label |
object_refs[] | Report.Relationship.Link | |
external_references[] | See External References | |
revoked (if revoked == true) | Report.Attribute | Revoked |

- Sightings Mapping
STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
count | Event.Attribute | Count |
created | Event.Published_at | |
first_seen | Event.Happened_at | |
last_seen | Event.Attribute | Last Seen |
observed_data_refs[] | Event.Relationship.Link | |
sighting_of_ref | Event.Relationship.Link | |
where_sighted_refs[] | Event.Relationship.Link | |
revoked (if revoked == true) | Event.Attribute | Revoked |
(fixed value) | Event.Name | STIX Sighting |
(fixed value) | Event.Type | Sighting |
external_references[] | See External References | |
modified | Event.Attribute | Modified |
- External References Mapping

STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
Object.external_references[].source_name | Object.Attribute | External Reference* |
Object.external_references[].external_id | Object.Attribute | External Reference* |
Object.external_references[].description | Object.Attribute | External Reference* |
Object.external_references[].url | Object.Attribute | External Reference* |
* The four fields are combined into a single attribute value, formatted as: {source_name} ({external_id}): {description} - {url}
- Kill Chain Mapping

STIX 2.0 Field | ThreatQ Field Mapping | ThreatQ Name |
---|---|---|
kill_chain_phases[].kill_chain_name | Object.Attribute | Kill Chain Name |
kill_chain_phases[].phase_name | Object.Attribute | Kill Chain Phase |
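The following is an added example, not ThreatQ's own parser code, that collects the attributes the shared rules on this page produce for any SDO: `Modified At` from `modified`, one `Label` per entry in `labels`, `Revoked` only when `revoked` is true, a `Kill Chain Name` / `Kill Chain Phase` pair per `kill_chain_phases` entry, and one `External Reference` per `external_references` entry formatted as `{source_name} ({external_id}): {description} - {url}`. The page does not say how a reference with a missing field is rendered; dropping the absent parts is this example's assumption. The sample attack-pattern SDO is constructed for the example.

```python
"""Added example, not ThreatQ's own parser code: build the (name, value)
attribute tuples that the common-property rules on this page produce for any
STIX 2.0 SDO. Rendering of an external reference with missing fields is not
specified on the page; omitting the absent parts is this example's assumption."""

# Constructed sample attack-pattern SDO (the id is made up for the example).
SAMPLE_ATTACK_PATTERN = {
    "type": "attack-pattern",
    "id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
    "created": "2016-05-12T08:17:27.000Z",
    "modified": "2016-05-12T08:17:27.000Z",
    "name": "Spear Phishing",
    "kill_chain_phases": [
        {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "delivery"}],
    "external_references": [
        {"source_name": "capec", "external_id": "CAPEC-163",
         "url": "https://capec.mitre.org/data/definitions/163.html"}],
    "revoked": False,
}


def format_external_reference(ref):
    """'{source_name} ({external_id}): {description} - {url}', omitting absent parts."""
    text = ref.get("source_name", "")
    if ref.get("external_id"):
        text += " ({})".format(ref["external_id"])
    if ref.get("description"):
        text += ": " + ref["description"]
    if ref.get("url"):
        text += " - " + ref["url"]
    return text


def common_attributes(sdo):
    """Attributes shared by every SDO mapping table on this page."""
    attrs = []
    if "modified" in sdo:
        attrs.append(("Modified At", sdo["modified"]))
    attrs.extend(("Label", label) for label in sdo.get("labels", []))
    if sdo.get("revoked") is True:          # revoked == false yields no attribute
        attrs.append(("Revoked", True))
    for phase in sdo.get("kill_chain_phases", []):   # Kill Chain Table
        attrs.append(("Kill Chain Name", phase["kill_chain_name"]))
        attrs.append(("Kill Chain Phase", phase["phase_name"]))
    attrs.extend(("External Reference", format_external_reference(ref))
                 for ref in sdo.get("external_references", []))   # External References
    return attrs
```

For the sample SDO, `common_attributes(SAMPLE_ATTACK_PATTERN)` yields `Modified At`, the kill chain pair, and the reference `capec (CAPEC-163) - https://capec.mitre.org/data/definitions/163.html` (no description, so that part is omitted), and no `Revoked` attribute because `revoked` is false.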