STIX 2.0 capability roadmap. Source columns: Capability | 2.0 | 2.x | Never; each row carries a mark (X, or ? where undecided) in one of the three release columns, reproduced here in a single "2.0 / 2.x / Never" column.

Relationships

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Standardized Relationships | Relationships pre-defined in STIX | X |
User-Defined Relationships | Ability to use relationships that were not pre-defined in STIX | X |

Indicator Use Cases

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Indicators | Basic indicator object | X |
CybOX Indicator Patterns | Use of "native" CybOX patterning for indicator patterns | X |
Third-Party Indicator Patterns | Use of Snort, YARA, OpenIOC, and other signature formats as patterns | X |
Sightings | Ability to create and share sightings of indicators, however it's done | X |

Incident Use Cases

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Incident Basics | Just the basics needed to track incidents | X |
Asset Stub | A stub of an asset model, abstracted out of Incident, likely a pointer | X if basic definition; X if this means only an external reference |
Complete Asset Model | A more complete asset model that defines many fields | X |
Advanced Incident | Impacts, detailed analytics, etc. | X if this means incident as in 1.2; X if above and beyond |
"Investigation" (pre-incident) | Something to track "events", "investigations", and other activity that may not be an incident yet | X |

Analysis Objects

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Attack Patterns | See STIX 1.2 AttackPatternType | X |
Exploits | See STIX 1.2 ExploitType (note: NOT ExploitTargetType) | X |
Kill Chains | See STIX 1.2 KillChainType and KillChainPhaseType | X |
Malicious Infrastructure | See STIX 1.2 InfrastructureType | X |
Malicious Tool | See STIX 1.2 ToolType | X |
Malware | See STIX 1.2 MalwareType | X |
Persona | See STIX 1.2 PersonasType (was just an identity) | X |
Victim Targeting | See STIX 1.2 VictimTargetingType | X | Need more than basic identity
Configuration/Misconfiguration | See STIX 1.2 ConfigurationType | X |
Vulnerability | See STIX 1.2 VulnerabilityType | X |
Weakness | See STIX 1.2 WeaknessType | X |

Attribution & Tracking

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Threat Actor | See STIX 1.2 ThreatActorType | X |
Campaign | See STIX 1.2 CampaignType | X |
Intrusion Set | Representation of intrusion sets, separate from actors and campaigns | ? |

Response Actions

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Course of Action | See STIX 1.2 CourseOfActionType | X |
Automated Course of Action | Structured representation for automating courses of action | X |

Data Markings

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Object-Level Markings | Markings applied to a complete top-level object (Level 1 Markings) | X |
Field-Level Markings | Markings applied to individual fields within objects (Level 2 Markings) | X |
TLP Marking Definition | Representation of a TLP marking | X |
Copyright/TOU Marking Definition | Representation of Copyright/TOU markings | X |
Consensus "STIX Default" Marking Definition | Representation of a more complete, consensus, "better than TLP" marking | X |

Cross-Cutting Capabilities

Capability | Description | 2.0 / 2.x / Never | Notes
--- | --- | --- | ---
Packaging around TLOs (Package object) | STIX "package" object, whatever that turns into | X |
Reports | Report object | X |
Internationalization | Support for STIX content in multiple languages/localizations | X |
Basic Identity | Small set of critical properties | X |
Full Identity | Extensive identity representation, similar to CIQ | X | Don't need all of CIQ, but the relevant portions
References/Sources | References to non-STIX content and information sources | X |
Defensive Tools | Representation of information about tools used for defense or to create content | X | At least use Tool
Rich Text | HTML, Markdown, or some other rich text format for descriptions | X |
Versioning | Ability to version and revoke content | X |
Vendor-Defined Fields | Definition and conformance for how vendors can extend STIX | X |
Representing Confidence | Representation of confidence in the accuracy of information | X |
Representing Impact / Potential Impact | Representations of actual or potential impact of threats (e.g. for malware) | X |
Custom Vocabularies | Ability to use custom (non-standard) vocabularies in places where we have standard vocabularies defined | X |
Opinion/Assert Object | Ability to represent opinions / assertions about STIX content created by others | X |
STIX Request/Response | Ability to create asynchronous STIX requests and responses for information beyond a single TAXII server | X |
Generic Tagging | Ability to tag STIX top-level objects with generic text | X |