STIX Wiki

Relationship

The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges".

STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition.

STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the `related-to` relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using `related-to` to say that the Malware is related to the Tool but not describe how, or they could use `delivered-by` (a user-defined name they determined) to indicate more detail.

Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that is often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX.

Properties

Required Common Properties: type, spec_version, id, created, modified, relationship_type, source_ref, target_ref

Optional Common Properties: created_by_ref, labels, revoked, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable: defanged

Relationship Specific: relationship_type, description, source_ref, target_ref, start_time, stop_time

| Property | Type | Description |
|---|---|---|
| type (optional) | string | The type of this object, which MUST be the literal `relationship`. |
| relationship_type (required) | string | The name used to identify the type of relationship. |
| description (optional) | string | A description that helps provide context about the relationship. |
| source_ref (required) | | The ID of the source (from) object. |
| target_ref (required) | | The ID of the target (to) object. |
| start_time (optional) | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
| stop_time (optional) | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'. |
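
As an added example (not part of the STIX wiki or the specification), the Python below checks a Relationship object against the Required Common Properties and timestamp format listed above, and reports whether its relationship_type is `related-to`, spec-defined, or user-defined. The function name `check_relationship`, the two regular expressions, and the sample objects are assumptions constructed here; `SPEC_DEFINED` holds only the one relationship this page mentions, not the full set from the specification.

```python
import re

# STIX identifier: <object-type>--<UUID>; group 1 captures the object type.
ID_RE = re.compile(r"^([a-z0-9]+(?:-[a-z0-9]+)*)--"
                   r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# RFC 3339 timestamp with the mandatory 'Z' timezone designator.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "relationship_type", "source_ref", "target_ref")
# Excerpt only: the single spec-defined relationship this page mentions.
SPEC_DEFINED = {("indicator", "indicates", "campaign")}

def check_relationship(obj):
    """Return (problems, kind) for a Relationship object given as a dict."""
    problems = [f"missing required property: {p}" for p in REQUIRED if p not in obj]
    if "type" in obj and obj["type"] != "relationship":
        problems.append("type must be the literal 'relationship'")
    ends = {}
    for prop in ("source_ref", "target_ref"):
        match = ID_RE.match(str(obj.get(prop, "")))
        if match:
            ends[prop] = match.group(1)  # object type at this end of the edge
        elif prop in obj:
            problems.append(f"{prop} is not a STIX identifier")
    for prop in ("created", "modified", "start_time", "stop_time"):
        if prop in obj and not TS_RE.match(str(obj[prop])):
            problems.append(f"{prop} is not an RFC 3339 timestamp ending in 'Z'")
    rel = obj.get("relationship_type")
    triple = (ends.get("source_ref"), rel, ends.get("target_ref"))
    kind = ("generic" if rel == "related-to"
            else "spec-defined" if triple in SPEC_DEFINED else "user-defined")
    return problems, kind

# Constructed sample objects; every UUID below is made up for this example.
INDICATES = {
    "type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
    "id": "relationship--11111111-1111-4111-8111-111111111111",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
    "source_ref": "indicator--22222222-2222-4222-8222-222222222222",
    "target_ref": "campaign--33333333-3333-4333-8333-333333333333",
}
# Malware-to-tool link with a user-defined type and a non-'Z' start_time.
DELIVERED_BY = dict(INDICATES, relationship_type="delivered-by",
                    source_ref="malware--44444444-4444-4444-8444-444444444444",
                    target_ref="tool--55555555-5555-4555-8555-555555555555",
                    start_time="2024-01-01T00:00:00+00:00")
if __name__ == "__main__":
    for sample in (INDICATES, DELIVERED_BY):
        print(sample["relationship_type"], check_relationship(sample))
```

A consumer ingesting shared bundles can run a check like this before adding an edge to its graph, so that malformed references and unexpected user-defined relationship types are surfaced for review.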
