STIX Wiki

Threat Actor

Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.

Threat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets.

Threat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization.

Properties

Required Common Properties
type, spec_version, id, created, modified, name
Optional Common Properties
created_by_ref, labels, revoked, confidence, lang, external_references, object_marking_refs, granular_markings, extensions
Not Applicable
defanged
Threat Actor Specific
threat_actor_types, name, description, aliases, roles, goals, first_seen, last_seen, sophistication, resource_level, primary_motivation, secondary_motivations, personal_motivations
| Property | Type | Description |
| --- | --- | --- |
| type (optional) | string | The type of this object, which MUST be the literal `threat-actor`. |
| threat_actor_types (optional) | list of string | This field specifies the type of threat actor. Open Vocab - threat-actor-type-ov |
| name (required) | string | A name used to identify this Threat Actor or Threat Actor group. |
| description (optional) | string | A description that provides more details and context about the Threat Actor. |
| aliases (optional) | list of string | A list of other names that this Threat Actor is believed to use. |
| roles (optional) | list of string | This is a list of roles the Threat Actor plays. Open Vocab - threat-actor-role-ov |
| goals (optional) | list of string | The high level goals of this Threat Actor, namely, what are they trying to do. |
| first_seen (optional) | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
| last_seen (optional) | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
| sophistication (optional) | string | The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab - threat-actor-sophistication-ov |
| resource_level (optional) | string | This defines the organizational level at which this Threat Actor typically works. Open Vocab - attack-resource-level-ov |
| primary_motivation (optional) | string | The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab - attack-motivation-ov |
| secondary_motivations (optional) | list of string | The secondary reasons, motivations, or purposes behind this Threat Actor. Open Vocab - attack-motivation-ov |
| personal_motivations (optional) | list of string | The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Open Vocab - attack-motivation-ov |
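
The property table above can be used as a pre-ingest check on Threat Actor objects received from an external feed. The following is an added example, not code from the STIX Wiki or the STIX project; the names `validate_threat_actor`, `parse_ts` and `SAMPLE` are hypothetical. It covers only the Threat Actor specific properties, and the `first_seen`/`last_seen` ordering check comes from the STIX 2.1 specification rather than from this page.

```python
import re
from datetime import datetime

# Property types as given in the Threat Actor property table.
STRING_PROPS = ("description", "sophistication", "resource_level", "primary_motivation")
LIST_PROPS = ("threat_actor_types", "aliases", "roles", "goals",
              "secondary_motivations", "personal_motivations")
TIMESTAMP_PROPS = ("first_seen", "last_seen")
# RFC 3339 timestamp with the required 'Z' timezone; fractional seconds optional.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def parse_ts(value):
    """Return a datetime (one-second resolution) for a valid 'Z' timestamp, else None."""
    if not isinstance(value, str) or not TS_RE.match(value):
        return None
    try:
        return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # shape is right but the date is impossible, e.g. month 13
        return None

def validate_threat_actor(obj):
    """Return a list of problems; an empty list means the object passed."""
    errors = []
    if obj.get("type") != "threat-actor":
        errors.append("type must be the literal 'threat-actor'")
    if not isinstance(obj.get("name"), str):
        errors.append("name is required and must be a string")
    for prop in STRING_PROPS:
        if prop in obj and not isinstance(obj[prop], str):
            errors.append(f"{prop} must be a string")
    for prop in LIST_PROPS:
        val = obj.get(prop)
        if prop in obj and not (isinstance(val, list) and all(isinstance(v, str) for v in val)):
            errors.append(f"{prop} must be a list of strings")
    seen = {p: parse_ts(obj[p]) for p in TIMESTAMP_PROPS if p in obj}
    for prop, ts in seen.items():
        if ts is None:
            errors.append(f"{prop} must be an RFC 3339 timestamp ending in 'Z'")
    # Ordering rule from the STIX 2.1 specification, not stated on this page.
    if seen.get("first_seen") and seen.get("last_seen") and seen["last_seen"] < seen["first_seen"]:
        errors.append("last_seen is earlier than first_seen")
    return errors

# Constructed sample object (not real intelligence); common properties omitted.
SAMPLE = {"type": "threat-actor", "name": "Example Actor",
          "threat_actor_types": ["crime-syndicate"], "aliases": ["Example Alias"],
          "first_seen": "2020-01-01T00:00:00Z", "last_seen": "2021-06-30T12:00:00.000Z"}

if __name__ == "__main__":
    print(validate_threat_actor(SAMPLE))  # no problems expected
```

A timestamp with a numeric offset such as `+00:00` is rejected even though it is valid RFC 3339, because the table requires the 'Z' form.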

Relationships

These are the relationships explicitly defined between the Threat Actor object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
