STIX Wiki


Indicator

Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains.

The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9.

Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of Campaigns, Intrusion Sets, Threat Actors, and similar objects.

Properties

Required Common Properties

- type
- spec_version
- id
- created
- modified
- pattern
- pattern_type
- valid_from

Optional Common Properties

- created_by_ref
- labels
- revoked
- confidence
- lang
- external_references
- object_marking_refs
- granular_markings
- extensions

Not Applicable

- defanged

Indicator Specific

- indicator_types
- name
- description
- pattern
- pattern_type
- pattern_version
- valid_from
- valid_until
- kill_chain_phases
| Property | Required? | Type | Description |
|---|---|---|---|
| type | optional | string | The type of this object, which MUST be the literal `indicator`. |
| indicator_types | optional | list of string | This field is an Open Vocabulary that specifies the type of indicator. Open vocab: indicator-type-ov |
| name | optional | string | The name used to identify the Indicator. |
| description | optional | string | A description that provides the recipient with context about this Indicator, potentially including its purpose and its key characteristics. |
| pattern | required | string | The detection pattern for this indicator. |
| pattern_type | required | string | The type of pattern used in this indicator. |
| pattern_version | optional | string | The version of the pattern that is used. |
| valid_from | required | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
| valid_until | optional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
| kill_chain_phases | optional | list of object | The phases of the kill chain that this indicator detects. |
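To make the required-property, `type` literal and 'Z' timestamp rules above concrete, here is an added example (not part of the STIX Wiki or the STIX specification) of a minimal Indicator validator written in Python with only the standard library. The sample object, its UUID and the domain it matches are constructed for this example; the check that `valid_until` must be later than `valid_from` follows the STIX 2.1 specification rather than this page.

```python
import re
from datetime import datetime

# Required properties as listed on this page (assumed to be the complete set).
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")
# RFC3339 timestamp with the mandatory 'Z' zone designator; up to 6 fractional digits.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")
TIMESTAMPS = ("created", "modified", "valid_from", "valid_until")

def parse_ts(value):
    """Return a datetime for a STIX timestamp string, or None if it is malformed."""
    if not isinstance(value, str) or not TS_RE.match(value):
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt)

def validate_indicator(obj):
    """Return a list of problems found; an empty list means the Indicator passes."""
    problems = [f"missing required property: {p}" for p in REQUIRED if p not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be the literal 'indicator'")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must be of the form indicator--<uuid>")
    pattern = str(obj.get("pattern", "")).strip()
    # A STIX pattern starts with an observation expression in square brackets
    # (optionally wrapped in grouping parentheses).
    if obj.get("pattern_type") == "stix" and not pattern.lstrip("(").startswith("["):
        problems.append("a STIX pattern must begin with a bracketed observation expression")
    problems += [f"{p} is not an RFC3339 timestamp ending in 'Z'"
                 for p in TIMESTAMPS if p in obj and parse_ts(obj[p]) is None]
    start, end = parse_ts(obj.get("valid_from")), parse_ts(obj.get("valid_until"))
    if start and end and end <= start:
        problems.append("valid_until must be later than valid_from")
    return problems

# Constructed sample Indicator: the UUID and domain are made up for this example.
SAMPLE = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--3f2a7b1c-5d6e-4f80-9a1b-2c3d4e5f6a7b",
    "created": "2024-01-15T10:00:00.000Z",
    "modified": "2024-01-15T10:00:00.000Z",
    "name": "Known C2 domain (constructed)",
    "indicator_types": ["malicious-activity"],
    "pattern": "[domain-name:value = 'c2.example.invalid']",
    "pattern_type": "stix",
    "valid_from": "2024-01-15T00:00:00Z",
    "valid_until": "2024-07-15T00:00:00Z",
    "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                           "phase_name": "command-and-control"}],
}

if __name__ == "__main__":
    print(validate_indicator(SAMPLE) or "Indicator is well-formed")
```

Run the module directly to check the constructed sample; feed `validate_indicator` any decoded Indicator JSON object to see the same checks applied to real data.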

Relationships

These are the relationships explicitly defined between the Indicator object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
