Grouping
A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report.
A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, SROs, and SMOs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping.
Properties
Property | Type | Description |
---|---|---|
`type` (optional) | string | The type of this object, which MUST be the literal `grouping`. |
`name` (optional) | string | A name used to identify the Grouping. |
`description` (optional) | string | A description which provides more details and context about the Grouping, potentially including the purpose and key characteristics. |
`context` (required) | string | A short description of the particular context shared by the content referenced by the Grouping. |
`object_refs` (required) | list of string | The STIX Objects (SDOs and SROs) that are referred to by this Grouping. |
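
The property rules above can be checked before a received Grouping is trusted as investigation context. The following Python function is an added example, not code from the STIX specification or from any STIX library. The name `validate_grouping`, the sample identifiers, and the treatment of an empty `object_refs` list as missing are assumptions; the identifier pattern follows the STIX 2.1 `<type>--<UUID>` convention.

```python
import re

# STIX 2.1 identifier shape <object-type>--<UUID> (from the STIX 2.1 spec, not this page).
STIX_ID = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

def validate_grouping(obj, known_ids=()):
    """Return a list of problems in a Grouping dict; an empty list means it passed.

    known_ids: identifiers of the objects delivered alongside the Grouping
    (for example, the rest of the Bundle). When given, dangling refs are reported.
    """
    problems = []
    # type: when present it MUST be the literal "grouping".
    if obj.get("type", "grouping") != "grouping":
        problems.append("type must be the literal 'grouping'")
    # name and description are optional, but must be strings when present.
    for prop in ("name", "description"):
        if prop in obj and not isinstance(obj[prop], str):
            problems.append(f"{prop} must be a string")
    # context is required: it is the explicit statement of shared context.
    context = obj.get("context")
    if not isinstance(context, str) or not context.strip():
        problems.append("context is required and must be a non-empty string")
    # object_refs is required; an empty list is treated as missing (assumption).
    refs = obj.get("object_refs")
    if not isinstance(refs, list) or not refs:
        problems.append("object_refs is required and must be a non-empty list")
        return problems
    known = set(known_ids)
    for ref in refs:
        if not isinstance(ref, str) or not STIX_ID.match(ref):
            problems.append(f"object_refs entry is not a STIX identifier: {ref!r}")
        elif known and ref not in known:
            problems.append(f"object_refs entry not found in supplied objects: {ref}")
    return problems

# Constructed sample data: these identifiers are made up for the example.
INDICATOR = "indicator--11111111-1111-4111-8111-111111111111"
CAMPAIGN = "campaign--22222222-2222-4222-8222-222222222222"
# "suspicious-activity" is a value from the STIX 2.1 grouping-context-ov vocabulary.
GOOD = {"type": "grouping", "name": "Ongoing phishing investigation",
        "context": "suspicious-activity", "object_refs": [INDICATOR, CAMPAIGN]}
BAD = {"type": "report", "object_refs": [INDICATOR, "not-an-id"]}

if __name__ == "__main__":
    for label, obj in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_grouping(obj, [INDICATOR, CAMPAIGN]))
```
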
Relationships
There are no relationships explicitly defined between the Grouping object and other STIX Objects, other than those defined as common relationships. The first section lists the embedded relationships by property name along with their corresponding target.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.