Mappings from STIX 2.x to STIX 1.x¶
This section outlines the disposition of each property of the top-level objects when converted.
For each STIX 2.x object that was converted the following options are possible:
STIX 2.x property mapped directly to a STIX 1.x property. This property’s value is used unaltered in the conversion to 2.x.
STIX 2.x property translated into STIX 1.x property. This property’s value must undergo some minor processing to determine the corresponding content for 1.x.
STIX 2.x relationship mapped using STIX 1.x property. This 2.x relationship object is used to construct an embedded STIX 1.x relationship. If the STIX 2.x
relationship-typeis not listed below, then that relationship will not be converted to an embedded STIX 1.x relationship. The “reverse” notation indicates the the STIX 1.x property is found on target object.STIX 2.x property recorded in the STIX 1.x description property. This 2.x property has no corresponding property in STIX 1.x, but its value can be (optionally) included in the description property of the 1.x object as text.
If the STIX 2.x content was created using the elevator it might be the case that it recorded some 1.x properties in the description. However, the slider makes no attempt to examine the content of the 2.x descriptor property to determine if it can use information found within it to populate the original 1.x properties.
STIX 2.x property not mapped. This property will not be included in the converted 1.x object.
Many of the examples below convert STIX 2.0 to STIX 1.x. Conversions of STIX 2.1 are similar.
Top Level Object Mappings¶
STIX 2.x object |
STIX 1.x object |
|---|---|
|
|
|
|
|
|
|
|
|
not converted |
|
|
|
|
|
|
|
not converted |
|
|
|
|
|
not converted |
|
not converted |
|
|
|
not converted |
|
|
|
|
|
|
|
|
Common Properties¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
not converted (see |
|
|
|
|
|
|
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
implicitly defined by its element name or explicitly using xsi:type |
|
|
|
|
|
|
|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
none
STIX 2.x Properties Recorded in the STIX 1.x Description Property
none
STIX 2.x Properties Not Mapped
revoked
Attack Pattern¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
none
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
labels(in 2.1)
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"type": "attack-pattern",
"id": "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a",
"created": "2016-08-08T15:50:10.983Z",
"modified": "2017-01-30T21:15:04.127Z",
"external_references": [
{
"external_id": "CAPEC-148",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/148.html"
}
],
"name": "Content Spoofing"
}
STIX 1.x in XML
<stix:TTP id="example:ttp-19da6e1c-71ab-4c2f-886d-d620d09d3b5a" timestamp="2017-01-30T21:15:04.127000+00:00" xsi:type='ttp:TTPType'>
<ttp:Behavior>
<ttp:Attack_Patterns>
<ttp:Attack_Pattern capec_id="CAPEC-148">
<ttp:Title>Content Spoofing</ttp:Title>
</ttp:Attack_Pattern>
</ttp:Attack_Patterns>
</ttp:Behavior>
<ttp:Information_Source>
<stixCommon:References>
<stixCommon:Reference>https://capec.mitre.org/data/definitions/148.html</stixCommon:Reference>
</stixCommon:References>
</ttp:Information_Source>
</stix:TTP>
Campaigns¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Translated to STIX 1.x Properties
none
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
first_seenlast_seenlabels(in 2.1)
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2014-08-08T15:50:10.983Z",
"description": "Attacking ATM machines in the Eastern US",
"external_references": [
{
"source_name": "ACME",
"url": "http://foo.com/bar"
},
{
"source_name": "wikipedia",
"url": "https://en.wikipedia.org/wiki/Automated_teller_machine"
},
{
"source_name": "ACME Bugzilla",
"external_id": "1370",
"url": "https://www.example.com/bugs/1370"
}
],
"id": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
"modified": "2014-08-08T15:50:10.983Z",
"name": "Compromise of ATM Machines",
"type": "campaign"
}
STIX 1.x in XML
<stix:Campaign id="example:campaign-e5268b6e-4931-42f1-b379-87f48eb41b1e" timestamp="2014-08-08T15:50:10.983000+00:00" xsi:type='campaign:CampaignType'>
<campaign:Title>Compromise of ATM Machines</campaign:Title>
<campaign:Description ordinality="1">Attacking ATM machines in the Eastern US</campaign:Description>
<campaign:Description ordinality="2">SOURCE: ACME Bugzilla - EXTERNAL ID: 1370</campaign:Description>
<campaign:Information_Source>
<stixCommon:References>
<stixCommon:Reference>http://foo.com/bar</stixCommon:Reference>
<stixCommon:Reference>https://en.wikipedia.org/wiki/Automated_teller_machine</stixCommon:Reference>
<stixCommon:Reference>https://www.example.com/bugs/1370</stixCommon:Reference>
</stixCommon:References>
</campaign:Information_Source>
</stix:Campaign>
Course of Action¶
In STIX 2.x the course-of-action object is defined as a stub. This means that in STIX 2.x this object type is pretty “bare-bones”, not containing most of the properties that were found in STIX 1.x.
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
none
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property | STIX 1.x property |
||
|---|---|---|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
labels(in 2.1)
STIX Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2017-01-27T13:49:41.298Z",
"description": "\n\nSTAGE:\n\tResponse\n\nOBJECTIVE: Block communication between the PIVY agents and the C2 Server\n\nCONFIDENCE: High\n\nIMPACT:LowThis IP address is not used for legitimate hosting so there should be no operational impact.\n\nCOST:Low\n\nEFFICACY:High",
"id": "course-of-action--495c9b28-b5d8-11e3-b7bb-000c29789db9",
"labels": [
"perimeter-blocking"
],
"modified": "2017-01-27T13:49:41.298Z",
"name": "Block traffic to PIVY C2 Server (10.10.10.10)",
"type": "course-of-action"
}
STIX 1.x in XML
<stix:Course_Of_Action id="example:course-of-action-495c9b28-b5d8-11e3-b7bb-000c29789db9" timestamp="2017-01-27T13:49:41.298000+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
<coa:Type xsi:type="stixVocabs:CourseOfActionTypeVocab-1.0">Perimeter Blocking</coa:Type>
<coa:Description>
STAGE:
Response
OBJECTIVE: Block communication between the PIVY agents and the C2 Server
CONFIDENCE: High
IMPACT:LowThis IP address is not used for legitimate hosting so there should be no operational impact.
COST:Low
EFFICACY:High
</coa:Description>
</stix:Course_Of_Action>
Notice that although there is information in the STIX 2.x description property (from a previous use of the elevator) that could be used to populate STIX 1.x properties, the description property is transferred directly, with no additional processing.
Indicator¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property | STIX 1.x property |
||
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
labels(in 2.1)
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2014-05-08T09:00:00.000Z",
"id": "indicator--53fe3b22-0201-47cf-85d0-97c02164528d",
"labels": [
"ip-watchlist"
],
"modified": "2014-05-08T09:00:00.000Z",
"name": "IP Address for known C2 channel",
"pattern": "[ipv4-addr:value = '10.0.0.0']",
"type": "indicator",
"valid_from": "2014-05-08T09:00:00.000000Z"
}
{
"created": "2014-05-08T09:00:00.000Z",
"id": "relationship--9606dac3-965a-47d3-b270-8b17431ba0e4",
"modified": "2014-05-08T09:00:00.000Z",
"relationship_type": "indicates",
"source_ref": "indicator--53fe3b22-0201-47cf-85d0-97c02164528d",
"target_ref": "malware--73fe3b22-0201-47cf-85d0-97c02164528d",
"type": "relationship"
}
STIX 1.x in XML
<stix:Indicator id="example:indicator-53fe3b22-0201-47cf-85d0-97c02164528d" timestamp="2014-05-08T09:00:00+00:00" xsi:type='indicator:IndicatorType'>
<indicator:Title>IP Address for known C2 channel</indicator:Title>
<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
<indicator:Valid_Time_Position>
<indicator:Start_Time precision="second">2014-05-08T09:00:00+00:00</indicator:Start_Time>
</indicator:Valid_Time_Position>
<indicator:Observable id="example:Observable-9f9e8592-1a3a-42f0-8e16-56c062671a5c">
<cybox:Object id="example:Address-3923ec77-e675-4db7-b2bb-8c42717b2b3a">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
<AddressObj:Address_Value condition="Equals">10.0.0.0</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>
<indicator:Indicated_TTP>
<stixCommon:TTP idref="example:ttp-73fe3b22-0201-47cf-85d0-97c02164528d" xsi:type='ttp:TTPType'/>
</indicator:Indicated_TTP>
</stix:Indicator>
Infrastructure¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
none
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
aliasesfirst_seenlabels(in 2.1)last_seen
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2014-05-08T09:00:00.000Z",
"first_seen": "2014-05-08T09:00:00.000Z",
"id": "infrastructure--dd955e08-16d0-4f08-a064-50d9e7a3104d",
"infrastructure_types": [
"malware-c2"
],
"modified": "2014-05-08T09:00:00.000Z",
"name": "Malware C2 Channel",
"spec_version": "2.1",
"type": "infrastructure"
}
STIX 1.x in XML
<stix:TTP id="example:infrastructure-dd955e08-16d0-4f08-a064-50d9e7a3104d"
timestamp="2014-05-08T09:00:00+00:00" xsi:type='ttp:TTPType'>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Title>Malware C2 Channel</ttp:Title>
<ttp:Type>malware-c2</ttp:Type>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
Kill Chains¶
STIX 1.x defined kill_chain objects for the Lockheed Martin Cyber Kill Chain. These are used by the elevator. Because they are defined outside of any partiicular content, the objects themselves will only be referred to using Kill_Chain_Phase_Reference object. Other kill chains found in the STIX 2.x will be converted as fully as possible, because all phases of a kill chain may not be present.
Location¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Translated to STIX 1.x Properties
none
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x free_text_address Property
latitude
longitude
precision
region
city
code
postal_code
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"administrative_area": "California",
"country": "US",
"created": "2014-11-19T23:39:03.893Z",
"id": "location--c1445467-fd92-4532-9161-1c3024ab6467",
"modified": "2014-11-19T23:39:03.893Z",
"spec_version": "2.1",
"type": "location"
}
STIX 1.x in XML
<xpil:Address>
<xal:Country xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>US</xal:NameElement>
</xal:Country>
<xal:AdministrativeArea xmlns:xal="urn:oasis:names:tc:ciq:xal:3">
<xal:NameElement>California</xal:NameElement>
</xal:AdministrativeArea>
</xpil:Address>
Malware¶
The Malware object in STIX 2.0 is a stub.
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
none
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
aliaseslabels(in 2.1)
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2017-01-27T13:49:53.997Z",
"description": "Poison Ivy Trojan",
"id": "malware--fdd60b30-b67c-11e3-b0b9-f01faf20d111",
"labels": [
"remote-access-trojan"
],
"modified": "2017-01-27T13:49:53.997Z",
"name": "Poison Ivy",
"type": "malware"
}
STIX 1.x in XML
<stix:TTPs>
<stix:TTP id="example:ttp-fdd60b30-b67c-11e3-b0b9-f01faf20d111" timestamp="2017-01-27T13:49:53.997000+00:00" xsi:type='ttp:TTPType'>
<ttp:Behavior>
<ttp:Malware>
<ttp:Malware_Instance>
<ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
<ttp:Name>Poison Ivy</ttp:Name>
<ttp:Description>Poison Ivy Trojan</ttp:Description>
</ttp:Malware_Instance>
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
</stix:TTPs>
Report¶
The Report object in 2.x does not contain objects, but only object references
to STIX objects that are specified elsewhere (the location of the actual
objects may not be contained in the same bundle that contains the report
object). 1.x objects with only the idref property are created for each
object reference in the STIX 2.x report.
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
not converted |
|
|
**STIX 2.x Properties Mapped Using STIX 1.x Relationships**
none
STIX 2.x Properties Recorded in the STIX 1.x Description Property
labels(in 2.1)published
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2015-05-07T14:22:14.760Z",
"created_by_ref": "identity--c1b58a86-e037-4069-814d-dd0bc75539e3",
"description": "Adversary Alpha has a campaign against the ICS sector!",
"id": "report--ab11f431-4b3b-457c-835f-59920625fe65",
"labels": [
"campaign-characterization"
],
"modified": "2015-05-07T14:22:14.760Z",
"name": "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
"object_refs": [
"campaign--1855cb8a-d96c-4859-a450-abb1e7c061f2",
"indciator--66647c79-5766-4ca7-ab8a-a579056e3c83"
],
"published": "2015-05-31T00:00:00.000Z",
"type": "report"
}
STIX 1.x in XML
<stix:Report timestamp="2015-05-07T14:22:14.760000+00:00" id="example:report-ab11f431-4b3b-457c-835f-59920625fe65" xsi:type='report:ReportType' version="1.0">
<report:Header>
<report:Title>Report on Adversary Alpha's Campaign against the Industrial Control Sector</report:Title>
<report:Intent xsi:type="stixVocabs:ReportIntentVocab-1.0">Campaign Characterization</report:Intent>
<report:Description ordinality="1">Adversary Alpha has a campaign against the ICS sector!
<report:Description ordinality="2">published: 2015-05-31 00:00:00+00:00</report:Description>
</report:Header>
<report:Campaigns>
<report:Campaign idref="example:campaign-1855cb8a-d96c-4859-a450-abb1e7c061f2" xsi:type='campaign:CampaignType'/>
</report:Campaigns>
<report:Indicators>
<report:Indicator idref="example:indicator-66647c79-5766-4ca7-ab8a-a579056e3c83" xsi:type='indicator:IndicatorType'/>
</report:Indicators>
</stix:Report>
Threat Actor¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
**STIX 2.x Relationships Mapped Using STIX 1.x Relationships**
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
aliaseslabels(in 2.1)nameresource_levelroles
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2017-01-27T13:49:54.326Z",
"id": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
"labels": [
"nation-state"
],
"modified": "2017-01-27T13:49:54.326Z",
"name": "Adversary Bravo",
"sophistication": "advanced",
"type": "threat-actor"
}
STIX 1.x in XML
<stix:Threat_Actor id="example:threat-actor-9a8a0d25-7636-429b-a99e-b2a73cd0f11f"
timestamp="2017-01-27T13:49:54.326000+00:00"
xsi:type='ta:ThreatActorType'>
<ta:Title>Adversary Bravo</ta:Title>
<ta:Type timestamp="2018-05-06T16:57:09.692723+00:00">
<stixCommon:Value>State Actor / Agency</stixCommon:Value>
</ta:Type>
<ta:Sophistication timestamp="2018-05-06T16:57:09.692815+00:00">
<stixCommon:Value>Expert</stixCommon:Value>
</ta:Sophistication>
</stix:Threat_Actor>
Tool¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
**STIX 2.x Properties Translated to STIX 2.x Properties**
STIX 1.x property |
STIX 1.x property |
|---|---|
|
|
|
|
|
|
|
|
**STIX 2.x Relationships Mapped Using STIX 1.x Relationships**
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
ttp:Intended_Effect
STIX 1.x Properties Not Mapped
labels
An Example
STIX 2.x in JSON
{
"type": "tool",
"id": "tool--ce45f721-af14-4fc0-938c-000c16186418",
"created": "2015-05-15T09:00:00.000Z",
"modified": "2015-05-15T09:00:00.000Z",
"name": "cachedump",
"labels": [
"credential-exploitation"
],
"description": "This program extracts cached password hashes from a system’s registry.",
"kill_chain_phases": [
{
"kill_chain_name": "mandiant-attack-lifecycle-model",
"phase_name": "escalate-privileges"
}
]
}
STIX 1.x in XML
<stix:TTP id="example:tool-ce45f721-af14-4fc0-938c-000c16186418" timestamp="2015-05-15T09:00:00+00:00" xsi:type='ttp:TTPType'>
<ttp:Resources>
<ttp:Tools>
<ttp:Tool>
<cyboxCommon:Description>This program extracts cached password hashes from a system’s registry.</cyboxCommon:Description>
<stixCommon:Title>cachedump</stixCommon:Title>
</ttp:Tool>
</ttp:Tools>
</ttp:Resources>
<ttp:Kill_Chain_Phases>
<stixCommon:Kill_Chain_Phase name="escalate-privileges"
phase_id="example:TTP-17715bcf-84b9-4714-a3cd-ffaf7fce9d10"
kill_chain_name="mandiant-attack-lifecycle-model"
kill_chain_id="example:TTP-9df538ea-f0f0-4cf0-a147-1397e51f0a63"/>
</ttp:Kill_Chain_Phases>
</stix:TTP>
Vulnerability¶
STIX 2.x Properties Mapped Directly to STIX 1.x Properties
none
STIX 2.x Properties Translated to STIX 1.x Properties
STIX 2.x property |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Relationships Mapped Using STIX 1.x Relationships
STIX 2.x relationship type |
STIX 1.x property |
|---|---|
|
|
|
|
STIX 2.x Properties Recorded in the STIX 1.x Description Property
labels
STIX 2.x Properties Not Mapped
none
An Example
STIX 2.x in JSON
{
"created": "2014-06-20T15:16:56.986Z",
"external_references": [
{
"external_id": "CVE-2013-3893",
"source_name": "cve"
}
],
"id": "vulnerability--e77c1e36-5b43-4c5c-b8cb-7b36035f2b90",
"modified": "2017-01-27T13:49:54.310Z",
"name": "Heartbleed",
"type": "vulnerability"
}
STIX 1.x in XML
<stix:Exploit_Targets>
<stixCommon:Exploit_Target id="example:et-e77c1e36-5b43-4c5c-b8cb-7b36035f2b90"
timestamp="2014-06-20T15:16:56.986650+00:00"
xsi:type='et:ExploitTargetType' version="1.2">
<et:Title>Heartbleed</et:Title>
<et:Vulnerability>
<et:CVE_ID>CVE-2013-3893</et:CVE_ID>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>