Report
Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.
The Report SDO contains a list of references to STIX Objects (the CTI objects included in the report) along with a textual description and the name of the report.
For example, a threat report produced by ACME Defense Corp. discussing the Glass Gazelle campaign should be represented using Report. The Report itself would contain the narrative of the report while the Campaign SDO and any related SDOs (e.g., Indicators for the Campaign, Malware it uses, and the associated Relationships) would be referenced in the report contents.
Properties
Property | Type | Description |
---|---|---|
type (optional) | string | The type of this object, which MUST be the literal `report`. |
report_types (optional) | list of string | This field is an Open Vocabulary that specifies the primary subject of this report. The suggested values for this field are in report-type-ov. |
name (required) | string | The name used to identify the Report. |
description (optional) | string | A description that provides more details and context about the Report. |
published (required) | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
object_refs (required) | list of string | Specifies the STIX Objects that are referred to by this Report. |
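The property rules in the table above can be checked before a Report is published or ingested. The following is an added example, not code from the STIX specification or any STIX library: `validate_report` is a hypothetical helper, the identifier pattern (`<object-type>--<UUID>`) comes from the STIX specification rather than this page, and the sample report (its title, description, date and UUIDs) is constructed.

```python
import re
from datetime import datetime

# RFC 3339 timestamp with the mandatory 'Z' zone; fractional seconds allowed.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# STIX identifier form "<object-type>--<UUID>" (from the STIX spec, not this page).
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)

def validate_report(obj):
    """Return a list of problems found in a Report dict; empty means it passed."""
    errors = []
    if "type" in obj and obj["type"] != "report":
        errors.append("type must be the literal 'report'")
    if not isinstance(obj.get("name"), str):
        errors.append("name is required and must be a string")
    if "description" in obj and not isinstance(obj["description"], str):
        errors.append("description must be a string")
    if "report_types" in obj and not _is_str_list(obj["report_types"]):
        errors.append("report_types must be a list of strings")
    published = obj.get("published")
    if not isinstance(published, str) or not TS_RE.match(published):
        errors.append("published is required: RFC 3339 timestamp ending in 'Z'")
    else:
        try:  # reject well-shaped but impossible values such as month 13
            datetime.strptime(published[:19], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            errors.append("published is not a valid calendar date/time")
    refs = obj.get("object_refs")
    if not _is_str_list(refs):
        errors.append("object_refs is required and must be a list of strings")
    else:
        errors += [f"object_refs: not a STIX identifier: {r!r}" for r in refs if not ID_RE.match(r)]
    return errors

# Constructed sample: the ACME / Glass Gazelle report from the text, placeholder UUIDs.
SAMPLE_REPORT = {
    "type": "report",
    "report_types": ["campaign"],
    "name": "Glass Gazelle Campaign",
    "description": "Narrative of the Glass Gazelle campaign.",
    "published": "2016-01-20T17:00:00Z",
    "object_refs": [
        "campaign--11111111-1111-4111-8111-111111111111",
        "indicator--22222222-2222-4222-8222-222222222222",
    ],
}
```

A consumer that rejects reports with a non-empty error list avoids storing dangling or malformed `object_refs` and timestamps that cannot be compared across time zones.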
Relationships
There are no relationships explicitly defined between the Report object and other STIX Objects, other than those defined as common relationships. The first section lists the embedded relationships by property name along with their corresponding target.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship name or, as with open vocabularies, user-defined names.