Infrastructure
The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure.
Properties
| Property | Type | Description |
|---|---|---|
typeoptional | string | The type of this object, which MUST be the literal `infrastructure`. |
namerequired | string | The name used to identify the Infrastructure. |
descriptionoptional | string | A description that provides more details and context about this Infrastructure potentially including its purpose and its key characteristics. |
infrastructure_typesoptional | list of string | This field is an Open Vocabulary that specifies the type of infrastructure. Open vocab - infrastructure-type-ov |
aliasesoptional | list of string | Alternative names used to identify this Infrastructure. |
kill_chain_phasesoptional | list of object | The list of kill chain phases for which this infrastructure is used. |
first_seenoptional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
last_seenoptional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
Relationships
These are the relationships explicitly defined between the Infrastructure object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
Forward Relationships
| Source | Relationship | Target | Description |
|---|---|---|---|
communicates-with | STIX relationship `communicates-with` from `infrastructure` to `infrastructure`, `ipv4-addr`, `ipv6-addr`, `domain-name`, `url`. | ||
consists-of | STIX relationship `consists-of` from `infrastructure` to `infrastructure`, `observed-data`, `<All STIX Cyber-observable Objects>`. | ||
controls | STIX relationship `controls` from `infrastructure` to `infrastructure`, `malware`. | ||
delivers | STIX relationship `delivers` from `infrastructure` to `malware`. | ||
has | STIX relationship `has` from `infrastructure` to `vulnerability`. | ||
hosts | STIX relationship `hosts` from `infrastructure` to `tool`, `malware`. | ||
located-at | STIX relationship `located-at` from `infrastructure` to `location`. | ||
uses | STIX relationship `uses` from `infrastructure` to `infrastructure`. |
Reverse Relationships
| Source | Relationship Type | Target | Description |
|---|---|---|---|
compromises | See forward relationship for definition. | ||
uses | See forward relationship for definition. | ||
indicates | See forward relationship for definition. | ||
communicates-with | See forward relationship for definition. | ||
consists-of | See forward relationship for definition. | ||
controls | See forward relationship for definition. | ||
hosts | See forward relationship for definition. | ||
owns | See forward relationship for definition. | ||
beacons-to | See forward relationship for definition. | ||
exfiltrate-to | See forward relationship for definition. | ||
targets | See forward relationship for definition. |