Skip to content

Active Issue: IDable Construct Properties

sbarnum edited this page Feb 10, 2016 · 23 revisions

Consensus

There is general agreement that top-level objects across CTI (STIX and CybOX) should extend from a common base class (have a common set of properties). This was agreed to at the face to face and has not been challenged. The following table outlines the current consensus on the this common set of properties.

Property Name Type Description
id (required) IDFormat A globally unique identifier for this object
type (required) String The type of construct being represented. This is a fixed value for each top-level object, formatted as all lowercase with ‘-’ as a separator (e.g. attack-pattern). This is a serialization-based field and derives from the type of the construct in the model.
spec_version VersionEnum The release version of the language specification used to represent this construct
created_at (required) Timestamp The time that the object with this ID was created
created_by_ref (optional) String The ID of the Identity Object that describes who created this Object. Please note this is not who produced the analysis of information referred to contained within the Object, but who actually created the Object itself.
marking_refs (optional) Array The set of “Level 1” markings (see STIX specification) applied to this object.
structured_markings (optional) Array The set of “Level 2” markings (see STIX specification) applied to this object.
----controlled_structures (required) Array A list of path selection statements (e.g. JSONPath), rooted at the top-level object that structured_markings is contained in, that the marking_refs apply to.
----marking_refs (required) Array The list of markings that apply to the fields selected by controlled_structures.
Clone this wiki locally