STIX Wiki

Intrusion Set

An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.

Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes.

While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying levels of fidelity when attributing an Intrusion Set back to Threat Actors, and may only be able to attribute it back to a nation state, or perhaps to an organization within that nation state.

Properties

Required Common Properties: type, spec_version, id, created, modified, name

Optional Common Properties: created_by_ref, labels, revoked, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable: defanged

Intrusion Set Specific: name, description, aliases, first_seen, last_seen, goals, resource_level, primary_motivation, secondary_motivations
Property | Type | Description
--- | --- | ---
type (required) | string | The type of this object, which MUST be the literal `intrusion-set`.
name (required) | string | The name used to identify the Intrusion Set.
description (optional) | string | Provides more context and details about the Intrusion Set object.
aliases (optional) | list of string | Alternative names used to identify this Intrusion Set.
first_seen (optional) | timestamp | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
last_seen (optional) | timestamp | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
goals (optional) | list of string | The high-level goals of this Intrusion Set, namely, what they are trying to do.
resource_level (optional) | string | The organizational level at which this Intrusion Set typically works. Open Vocab - attack-resource-level-ov
primary_motivation (optional) | string | The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab - attack-motivation-ov
secondary_motivations (optional) | list of string | The secondary reasons, motivations, or purposes behind this Intrusion Set. Open Vocab - attack-motivation-ov

Relationships

These are the relationships explicitly defined between the Intrusion Set object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
