What is the difference between a STIX Domain and STIX Cyber-Observable Object?

The STIX 2.1 is a schema that defines a taxonomy of cyber threat intelligence that is represented by different Object types.

STIX Object Types

In total there are 3 Core Object types:

STIX Domain Objects (SDOs)
STIX Cyber-observable Objects (SCOs)
STIX Relationship Objects (SROs)

Most widely known are the 18 STIX Domain Objects (SDOs) used to represent a concept commonly used in CTI: Attack Pattern, Campaign, Course of Action, Grouping, Identity, Indicator, Infrastructure, Intrusion Set, Location, Malware, Malware Analysis, Note, Observed Data, Opinion, Report, Threat Actor, Tool, and Vulnerability.

SSTIX Cyber-observable Objects (SCOs) are used for characterising host-based and network-based information. SCOs are used by various STIX Domain Objects (SDOs) to provide supporting context, for example STIX Pattern in the Indicator SDO.

For example, the Malware SDO might have relationships to Windows Registry Key SDO’s;

STIX 2.1 SDO vs SCO

STIX SCOs document the facts concerning what happened on a network or host, and do not capture the who, when, or why. By associating SCOs with SDOs it is possible to convey a higher-level understanding of the threat landscape, and to potentially provide insight as to the who and the why.

STIX SCO’s

Here is a list of STIX 2.1 SCO’s available for use:

Artifact Object (artifact)
- The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
- View STIX 2.1 specification.
AS Object (autonomous-system)
- The AS object represents the properties of an Autonomous System (AS).
- View STIX 2.1 specification.
Directory Object (directory)
- The Directory object represents the properties common to a file system directory.
- View STIX 2.1 specification.
Domain Name Object (domain-name)
- The Domain Name object represents the properties of a network domain name.
- View STIX 2.1 specification.
Email Address Object (email-addr)
- The Email Address object represents a single email address.
- View STIX 2.1 specification.
Email Message Object (email-message)
- The Email Message object represents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs.
- View STIX 2.1 specification.
File Object (file)
- The File object represents the properties of a file.
- View STIX 2.1 specification.
IPv4 Address Object (ipv4-addr)
- The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation.
- View STIX 2.1 specification.
IPv6 Address Object (ipv6-addr)
- The IPv6 Address object represents one or more IPv6 addresses expressed using CIDR notation.
- View STIX 2.1 specification.
MAC Address Object (mac-addr)
- The MAC Address object represents a single Media Access Control (MAC) address.
- View STIX 2.1 specification.
Mutex Object (mutex)
- The Mutex object represents the properties of a mutual exclusion (mutex) object.
- View STIX 2.1 specification.
Network Traffic Object (network-traffic)
- The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination.
- View STIX 2.1 specification.
Process Object (process)
- The Process object represents common properties of an instance of a computer program as executed on an operating system.
- View STIX 2.1 specification.
Software Object (software)
- The Software object represents high-level properties associated with software, including software products.
- View STIX 2.1 specification.
URL Object (url)
- The URL object represents the properties of a uniform resource locator (URL).
- View STIX 2.1 specification.
User Account Object (user-account)
- The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
- View STIX 2.1 specification.
Windows Registry Key Object (windows-registry-key)
- The Registry Key object represents the properties of a Windows registry key.
- View STIX 2.1 specification.
X.509 Certificate Object (x509-certificate)
- The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509.
- View STIX 2.1 specification.

STIX SCO Properties

As seen in the specifications, each SCO has a fair bit of other metadata.

I’ll use the Network Traffic Object offers a nice example.

{
  "type": "network-traffic",
  "spec_version": "2.1",
  "id": "network-traffic--630d7bb1-0bbc-53a6-a6d4-f3c2d35c2734",
  "src_ref": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
  "dst_ref": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
  "protocols": [
    "ipv4",
    "tcp"
  ],
  "src_byte_count": 147600,
  "src_packets": 100,
  "ipfix": {
    "minimumIpTotalLength": 32,
    "maximumIpTotalLength": 2556
  }
}

You can see the SCO defined in the second line "type": "network-traffic".

The SCO also contains protocols, src_byte_count, src_packets and ipfix properties, providing more information about the SCO. There are other properties available the Network Traffic SCO. Each SCO has its own properties.

SCOs can also be linked using the property fields.

{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
  "value": "203.0.113.1"
},
{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
  "value": "203.0.113.5"
},
{
  "type": "network-traffic",
  "spec_version": "2.1",
  "id": "network-traffic--630d7bb1-0bbc-53a6-a6d4-f3c2d35c2734",
  "src_ref": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
  "dst_ref": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
  "protocols": [
    "ipv4",
    "tcp"
  ],
  "src_byte_count": 147600,
  "src_packets": 100,
  "ipfix": {
    "minimumIpTotalLength": 32,
    "maximumIpTotalLength": 2556
  }
}