Posted by:

David Greenwood

David Greenwood, Chief of Signal

If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly. Please view the post on for the full interactive viewing experience.

In this post I will introduce some of the basic STIX concepts with a focus on STIX 2.1 Domain Objects (SDOs).

Note: this post is written for OASIS STIX version 2.1. The concepts discussed are not always correct for earlier versions of OASIS STIX.

STIX 2.1 defines a taxonomy of cyber threat intelligence that is represented by different Object types.

STIX 2.1 allows you to tell stories by connecting the Objects together to form the story-line of cyber actors, campaigns, incidents, and much more.

After reading this series of seven blog posts, you will be able to create rich STIX 2.1 stories like those shown above.

Here are a two example reports modelled in STIX 2.1 from Mandiant and Fireeye;

Mandiant’s APT1 Report


Fireeye’s Poison Ivy Report


STIX 2.1 Specification in 1 minute

The full STIX 2.1 specification makes for a lot of reading.

STIX Object Types

I will try an simplify it.

In short STIX 2.1 revolves around Objects. There are 3 Core Object types in STIX 2.1:

STIX Domain Objects (SDOs)

Most widely known are the 18 predefined STIX Domain Objects (SDOs) used to represent a concept commonly used in cyber threat intelligence:

  • Attack Pattern ("type": "attack-pattern"): A type of TTP that describes ways that adversaries attempt to compromise targets.
  • Campaign ("type": "campaign"): A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
  • Course of Action ("type": "course-of-action"): A recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence.
  • Grouping ("type": "grouping"): Explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX 2.1 Bundle (which explicitly conveys no context).
  • Identity ("type": "identity"): Actual individuals, organisations, or groups as well as classes of individuals, organizations, systems or groups (e.g., the finance sector) that are non-malicious. Use the Threat Actor SDO for those operating with malicious intent.
  • Indicator ("type": "indicator"): Contains a pattern that can be used to detect suspicious or malicious cyber activity.
  • Infrastructure ("type": "infrastructure"): Represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defence, database servers targeted by an attack, etc.).
  • Intrusion Set ("type": "intrusion-set"): A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization.
  • Location ("type": "location"): Represents a geographic location.
  • Malware ("type": "malware"): A type of TTP that represents malicious code.
  • Malware Analysis: The metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
  • Note ("type": "note"): Conveys informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to.
  • Observed Data ("type": "observed-data"): Conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs).
  • Opinion ("type": "opinion"): An assessment of the correctness of the information in a STIX Object produced by a different entity.
  • Report ("type": "report"): Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
  • Threat Actor ("type": "threat-actor"): Actual individuals, groups, or organizations believed to be operating with malicious intent.
  • Tool ("type": "tool"): Legitimate software that can be used by threat actors to perform attacks or by teams to defend against attacks.
  • Vulnerability ("type": "vulnerability"): A mistake in software that can be directly used by a hacker to gain access to a system or network (commonly an official CVE, but can be any vulnerability).

Each one of these Domain Objects is represented as a .json object.

For example, here is a sample Attack Pattern Object (attack-pattern) for spear phishing, referencing CAPEC;

You can see the SDO type defined in the json representation, line "type": "attack-pattern".

The Object is made up of other Properties (fields) defined in the STIX 2.1 Specification. There are four Property types;

  • Required Common Properties (Properties shared between Objects)
    • e.g. for attack-pattern, spec_version is a Required Common Property
  • Optional Common Properties (Properties shared between Objects)
    • e.g. for attack-pattern, created_by_ref is an Optional Common Property
  • Required Object Specific Properties (Properties unique to the Object in question)
    • e.g. for attack-pattern, name is a Required Object Specific Property
  • Optional Object Specific Properties (Properties unique to the Object in question)
    • e.g. for attack-pattern, kill_chain_phases is an Optional Object Specific Property

Here is the full specification for the Attack Pattern Object:

STIX 2.1 Attack Pattern Object Specification

STIX Cyber-observable Objects (SCOs)

STIX Cyber-observable Objects (SCOs) are used for characterising host-based and network-based information.

STIX SCOs document the facts concerning what happened on a network or host. They do not capture the who, when, or why (covered in SDOs).

By associating SCOs with SDOs it is possible to convey a higher-level understanding of the threat landscape, and to potentially provide insight as to the who and the why.

One or more SCOs can be linked to one or more SDOs to provide supporting context. Typically SCOs are linked to Observed Data SDOs.

For example, an Observed Data SDO might have links to one or more SCOs, for example, an IPv4 Address SCO and Domain SCO (you will also see the Domain SCO has a link (resolves_to_refs) to an IPv4 SCO);


Here is what this looks like in a real STIX Bundle;

Here is a full list of predefined STIX 2.1 SCOs available for use:

  • Artifact Object ("type": "artifact")
    • The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
    • View STIX 2.1 specification.
  • AS Object ("type": "autonomous-system")
  • Directory Object ("type": "directory")
  • Domain Name Object ("type": "domain-name")
  • Email Address Object ("type": "email-addr")
  • Email Message Object ("type": "email-message")
    • The Email Message object represents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs.
    • View STIX 2.1 specification.
  • File Object ("type": "file")
  • IPv4 Address Object ("type": "ipv4-addr")
  • IPv6 Address Object ("type": "ipv6-addr")
  • MAC Address Object ("type": "mac-addr")
  • Mutex Object ("type": "mutex")
  • Network Traffic Object ("type": "network-traffic")
    • The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination.
    • View STIX 2.1 specification.
  • Process Object ("type": "process")
    • The Process object represents common properties of an instance of a computer program as executed on an operating system.
    • View STIX 2.1 specification.
  • Software Object ("type": "software")
    • The Software object represents high-level properties associated with software, including software products.
    • View STIX 2.1 specification.
  • URL Object ("type": "url")
  • User Account Object ("type": "user-account")
    • The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
    • View STIX 2.1 specification.
  • Windows Registry Key Object ("type": "windows-registry-key")
  • X.509 Certificate Object ("type": "x509-certificate")
    • The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509.
    • View STIX 2.1 specification.

Like SDOs, SCOs have may properties; some shared, some unique, some required, and some optional.

Network Traffic SCO Properties

I will use the Network Traffic SCO linked to two IPv4 Address SCOs to demonstate;

Network Traffic SCO and IPv4 Address SCO

Here is what this looks like in a real STIX Bundle;

You can see the SCOs types defined in the json representation lines "type": "network-traffic" and "type": "ipv4-addr".

Like SDOs, SCOs also contains Properties. In the Network Traffic SCO these include protocols, src_byte_count, src_packets and ipfix Properties. These predefined Properties are all defined in the specification for each SCO.

You will also see that SCOs can be linked to provide even more contextual evidence. In the case of network traffic, this could be linking a source IPv4 (src_ref) and destination IPv4 (dst_ref).

Network Traffic SCO Extension Property

SCOs can also utilise predefined Object Extensions that define a coherent sets of Properties beyond the base (useful in adding standardised additional content). For example, HTTP request information for a Network Traffic object;

Network Traffic SCO Extension

Here is what this looks like in a real STIX Bundle;

You can see the extensions defined in the json representation of the Network Traffic SCO.

Each SCO may include one or more Object Extension defined in the STIX 2.1 specification.

STIX Relationship Objects (SROs)

In this post I have covered how SCOs and SDOs, and SCOs and SCOs can be linked using Properties like dst_ref, src_ref, and object_refs.

STIX Relationship Objects are similar, but offer a much richer way to represent and describe certain types of relationships between STIX Objects for other use-cases not covered by Properties.

In my next post, STIX 102, I will cover how SROs work.

STIX 2.1 Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our STIX 2.1 training.

If you want to join a select group of certified STIX 2.1 professionals, subscribe to our newsletter below to be notified of new course dates.

Discuss this post

Signals Corps Slack

Never miss an update

Sign up to receive new articles in your inbox as they published.