Mappings from STIX 1.x to STIX 2.0
=======================================
This section outlines the disposition of each property of the top-level objects when converted.
For each STIX 2.0 object that was converted the following options are possible:
- **STIX 2.0 property mapped directly to a STIX 1.x property.** This property's value is used unaltered in the conversion to 2.0.
- **STIX 2.0 property translated into STIX 1.x property.** This property's value must undergo some minor processing to determine the
corresponding content for 1.x.
- **STIX 2.0 relationship mapped using STIX 1.x property.** This 2.0 relationship object is used to construct an embedded STIX 1.x relationship.
If the STIX 2.0 ``relationship-type`` is not listed below, then that relationship will not be converted to an embedded STIX 1.x relationship.
The "reverse" notation indicates the the STIX 1.x property is found on target object.
- **STIX 2.0 property recorded in the STIX 1.x description property.** This 2.0 property has no corresponding property in STIX 1.x, but its value
can be (optionally) included in the description property of the 1.x object as text.
If the STIX 2.0 content was created using the elevator
it might be the case that it recorded some 1.x properties in the description. However, the slider makes no attempt to examine the content of
the 2.0 descriptor property to determine if it can use information found within it to populate the original 1.x properties.
- **STIX 2.0 property not mapped.** This property will not be included in the converted 1.x object.
Top Level Object Mappings
-------------------------------
+-------------------------+---------------------------+
| **STIX 2.0 object** | **STIX 1.x object** |
+=========================+===========================+
| ``attack-pattern`` | ``ttp:Attack_Pattern`` |
+-------------------------+---------------------------+
| ``bundle`` | ``Package`` |
+-------------------------+---------------------------+
| ``campaign`` | ``Campaign`` |
+-------------------------+---------------------------+
| ``course-of-action`` | ``Course_Of_Action`` |
+-------------------------+---------------------------+
| ``identity`` | ``Information_Source`` or |
| | ``ttp:Victim_Targeting`` |
+-------------------------+---------------------------+
| ``indicator`` | ``Indicator`` |
+-------------------------+---------------------------+
| ``intrusion-set`` | *not converted* |
+-------------------------+---------------------------+
| ``observed-data`` | ``Observable`` |
+-------------------------+---------------------------+
| ``malware`` | ``ttp:MalwareInstance`` |
+-------------------------+---------------------------+
| ``report`` | ``Report`` |
+-------------------------+---------------------------+
| ``threat-actor`` | ``Threat Actor`` |
+-------------------------+---------------------------+
| ``tool`` | ``ttp:Tool`` |
+-------------------------+---------------------------+
| ``vulnerability`` | ``et:Vulnerability`` |
+-------------------------+---------------------------+
Common Properties
------------------------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
+-------------------------+------------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=========================+====================================+
| ``created`` | *not converted* (see ``modified``) |
+-------------------------+------------------------------------+
| ``description`` | ``Description`` |
+-------------------------+------------------------------------+
| ``modified`` | ``timestamp`` |
+-------------------------+------------------------------------+
| ``name`` | ``Title`` |
+-------------------------+------------------------------------+
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+-------------------------+--------------------------------------------------------------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=========================+======================================================================================+
| ``type`` | *implicitly defined by its element name or explicitly using xsi:type* |
+-------------------------+--------------------------------------------------------------------------------------+
| ``id`` | ``id`` |
+-------------------------+--------------------------------------------------------------------------------------+
| ``created_by_ref`` | ``Information_Source`` |
+-------------------------+--------------------------------------------------------------------------------------+
| ``external_references`` | ``Information_Source``, |
| | ``et:Vulnerability.cve_id``, |
| | ``ttp:Attack_Patterns.capec.id`` |
+-------------------------+--------------------------------------------------------------------------------------+
| ``object_markings_refs``| ``Handling`` |
+-------------------------+--------------------------------------------------------------------------------------+
| ``granular_markings`` | ``Handling`` |
+-------------------------+--------------------------------------------------------------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
*none*
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
*none*
**STIX 2.0 Properties Not Mapped**
- ``revoked``
Attack Pattern
------------------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
*none*
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+---------------------------+-------------------------------------------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+===========================+===================================================================+
| ``external_references`` | ``capec_id`` |
+---------------------------+-------------------------------------------------------------------+
| ``kill_chain_phases`` | ``ttp:Kill_Chain_Phases`` |
+---------------------------+-------------------------------------------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+------------------------------------------------+----------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+================================================+============================+
| ``targets`` (identity only) | ``ttp:Victim_Targeting`` |
+------------------------------------------------+----------------------------+
| ``targets`` (vulnerability only) | ``ttp:Exploit_Targets`` |
+------------------------------------------------+----------------------------+
| ``uses`` (malware, tool) | ``ttp:Related_TTPs`` |
+------------------------------------------------+----------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
- ``labels``
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"type": "attack-pattern",
"id": "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a",
"created": "2016-08-08T15:50:10.983Z",
"modified": "2017-01-30T21:15:04.127Z",
"external_references": [
{
"external_id": "CAPEC-148",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/148.html"
}
],
"name": "Content Spoofing"
}
STIX 1.x in XML
.. code-block:: xml
Content Spoofing
SOURCE: capec - https://capec.mitre.org/data/definitions/148.html
Campaigns
----------------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
+-------------------------+------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=========================+========================+
| ``aliases`` | ``Names`` |
+-------------------------+------------------------+
| ``objective`` | ``Intended_Effect`` |
+-------------------------+------------------------+
**STIX 2.0 Properties Translated to STIX 1.x Properties**
*none*
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+----------------------------------------------+----------------------------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+==============================================+==============================================+
| ``uses`` | ``Related_TTPs`` |
+----------------------------------------------+----------------------------------------------+
| ``indicates`` (reverse) | ``Related_Indicators`` |
+----------------------------------------------+----------------------------------------------+
| ``attributed-to`` | ``Attribution`` |
+----------------------------------------------+----------------------------------------------+
| ``related-to`` (campaign) | ``Associated_Campaigns`` |
+----------------------------------------------+----------------------------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
- ``first_seen``
- ``last_seen``
- ``labels``
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2014-08-08T15:50:10.983Z",
"description": "Attacking ATM machines in the Eastern US",
"external_references": [
{
"source_name": "ACME",
"url": "http://foo.com/bar"
},
{
"source_name": "wikipedia",
"url": "https://en.wikipedia.org/wiki/Automated_teller_machine"
},
{
"source_name": "ACME Bugzilla",
"external_id": "1370",
"url": "https://www.example.com/bugs/1370"
}
],
"id": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
"modified": "2014-08-08T15:50:10.983Z",
"name": "Compromise of ATM Machines",
"type": "campaign"
}
STIX 1.x in XML
.. code-block:: xml
Compromise of ATM Machines
Attacking ATM machines in the Eastern US
SOURCE: ACME - http://foo.com/bar
SOURCE: wikipedia - https://en.wikipedia.org/wiki/Automated_teller_machine
SOURCE: ACME Bugzilla - https://www.example.com/bugs/1370
SOURCE: ACME Bugzilla - EXTERNAL ID: 1370
Course of Action
----------------------
In STIX 2.0 the course-of-action object is defined as a stub. This means that in STIX
2.0 this object type is pretty "bare-bones", not containing most of the
properties that were found in STIX 1.x.
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
*none*
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+-------------------------+------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=========================+========================+
| ``labels`` | ``Type`` |
+-------------------------+------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+----------------------------------------------+----------------------------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+==============================================+==============================================+
| ``related-to`` (course-of-action) | ``Related_COAs`` |
+----------------------------------------------+----------------------------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
*none*
**STIX Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2017-01-27T13:49:41.298Z",
"description": "\n\nSTAGE:\n\tResponse\n\nOBJECTIVE: Block communication between the PIVY agents and the C2 Server\n\nCONFIDENCE: High\n\nIMPACT:LowThis IP address is not used for legitimate hosting so there should be no operational impact.\n\nCOST:Low\n\nEFFICACY:High",
"id": "course-of-action--495c9b28-b5d8-11e3-b7bb-000c29789db9",
"labels": [
"perimeter-blocking"
],
"modified": "2017-01-27T13:49:41.298Z",
"name": "Block traffic to PIVY C2 Server (10.10.10.10)",
"type": "course-of-action"
}
STIX 1.x in XML
.. code-block:: xml
Block traffic to PIVY C2 Server (10.10.10.10)
Perimeter Blocking
STAGE:
Response
OBJECTIVE: Block communication between the PIVY agents and the C2 Server
CONFIDENCE: High
IMPACT:LowThis IP address is not used for legitimate hosting so there should be no operational impact.
COST:Low
EFFICACY:High
Notice that although there is information in the STIX 2.0 description property (from a previous use of the elevator) that
could be used to populate STIX 1.x properties, the description property is transferred directly, with no additional processing.
Indicator
------------------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
+-----------------------------------+---------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+===================================+===========================+
| ``valid_from``, ``valid_until`` | ``Valid_Time_Position`` |
+-----------------------------------+---------------------------+
| ``created_by_ref`` | ``Producer`` |
+-----------------------------------+---------------------------+
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+-------------------------+---------------------------------------------+
|**STIX 2.0 property** | **STIX 1.x property** |
+=========================+=============================================+
| ``kill_chain_phases`` | ``Kill_Chain_Phases`` |
+-------------------------+---------------------------------------------+
| ``pattern`` | ``IndicatorExpression`` |
+-------------------------+---------------------------------------------+
| ``labels`` | ``Type`` |
+-------------------------+---------------------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+----------------------------------------------+-----------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+==============================================+=======================+
| ``detects`` | ``Indicated_TTP`` |
+----------------------------------------------+-----------------------+
| ``indicates`` (campaign) | ``Related_Campaigns`` |
+----------------------------------------------+-----------------------+
| ``indicates`` (attack-pattern, malware, tool)| ``Indicated_TTPs`` |
+----------------------------------------------+-----------------------+
| ``related-to`` (indicator) | ``Related_Indicators``|
+----------------------------------------------+-----------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
*none*
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2014-05-08T09:00:00.000Z",
"id": "indicator--53fe3b22-0201-47cf-85d0-97c02164528d",
"labels": [
"ip-watchlist"
],
"modified": "2014-05-08T09:00:00.000Z",
"name": "IP Address for known C2 channel",
"pattern": "[ipv4-addr:value = '10.0.0.0']",
"type": "indicator",
"valid_from": "2014-05-08T09:00:00.000000Z"
}
{
"created": "2014-05-08T09:00:00.000Z",
"id": "relationship--9606dac3-965a-47d3-b270-8b17431ba0e4",
"modified": "2014-05-08T09:00:00.000Z",
"relationship_type": "indicates",
"source_ref": "indicator--53fe3b22-0201-47cf-85d0-97c02164528d",
"target_ref": "malware--73fe3b22-0201-47cf-85d0-97c02164528d",
"type": "relationship"
}
STIX 1.x in XML
.. code-block:: xml
IP Address for known C2 channel
IP Watchlist
2014-05-08T09:00:00+00:00
10.0.0.0
Malware
-------------
The Malware object in STIX 2.0 is a stub.
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
*none*
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+---------------------------+-------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+===========================+===============================+
| ``kill_chain_phases`` | ``ttp:Kill_Chain_Phases`` |
+---------------------------+-------------------------------+
| ``labels`` | ``Type`` |
+---------------------------+-------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+------------------------------------------+-----------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+==========================================+=============================+
| ``variant-of`` | ``ttp:Related_TTPs`` |
+------------------------------------------+-----------------------------+
| ``uses`` | ``ttp:Related_TTPs`` |
+------------------------------------------+-----------------------------+
| ``targets`` (vulnerability only) | ``ttp:Exploit_Targets`` |
+------------------------------------------+-----------------------------+
| ``targets`` (identity only) | ``ttp:Victim_Targeting`` |
+------------------------------------------+-----------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
*none*
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2017-01-27T13:49:53.997Z",
"description": "Poison Ivy Trojan",
"id": "malware--fdd60b30-b67c-11e3-b0b9-f01faf20d111",
"labels": [
"remote-access-trojan"
],
"modified": "2017-01-27T13:49:53.997Z",
"name": "Poison Ivy",
"type": "malware"
}
STIX 1.x in XML
.. code-block:: xml
Remote Access Trojan
Poison Ivy
Poison Ivy Trojan
Report
--------
The Report object in 2.0 does not contain objects, but only object references
to STIX objects that are specified elsewhere (the location of the actual
objects may not be contained in the same bundle that contains the report
object). 1.x objects with only the ``idref`` property are created for each
object reference in the STIX 2.0 report.
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
+-------------------------+------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=========================+========================+
| ``name`` | ``Header.Title`` |
+-------------------------+------------------------+
| ``description`` | ``Header.Description`` |
+-------------------------+------------------------+
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+--------------------------------------------------------+-----------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+========================================================+=======================+
| ``object_refs`` (observed-data) | ``Observables`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (indicator) | ``Indicators`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (attack-pattern, malware, tool) | ``TTPs`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (vulnerability) | ``Exploit_Targets`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (course-of-action) | ``Courses_Of_Action`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (campaign) | ``Campaigns`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (threat-actor) | ``Threat_Actors`` |
+--------------------------------------------------------+-----------------------+
| ``object_refs`` (identity, intrusion-set, relationship)| *not converted* |
+--------------------------------------------------------+-----------------------+
| ``labels`` | ``Header.Intent`` |
+--------------------------------------------------------+-----------------------+
**STIX 2.0 Properties Mapped Using STIX 1.x Relationships**
*none*
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
- ``published``
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2015-05-07T14:22:14.760Z",
"created_by_ref": "identity--c1b58a86-e037-4069-814d-dd0bc75539e3",
"description": "Adversary Alpha has a campaign against the ICS sector!",
"id": "report--ab11f431-4b3b-457c-835f-59920625fe65",
"labels": [
"campaign-characterization"
],
"modified": "2015-05-07T14:22:14.760Z",
"name": "Report on Adversary Alpha's Campaign against the Industrial Control Sector",
"object_refs": [
"campaign--1855cb8a-d96c-4859-a450-abb1e7c061f2",
"indciator--66647c79-5766-4ca7-ab8a-a579056e3c83"
],
"published": "2015-05-31T00:00:00.000Z",
"type": "report"
}
STIX 1.x in XML
.. code-block:: xml
Report on Adversary Alpha's Campaign against the Industrial Control Sector
Campaign Characterization
Adversary Alpha has a campaign against the ICS sector!
published: 2015-05-31 00:00:00+00:00
Threat Actor
------------------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
+-------------------------------------+--------------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=====================================+======================================+
| ``goals`` | ``Intended_Effects`` |
+-------------------------------------+--------------------------------------+
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+-------------------------------------+--------------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=====================================+======================================+
| ``primary_motivation`` | ``Motivation`` |
| ``secondary_motivations`` | |
| ``personal_motivations`` | |
+-------------------------------------+--------------------------------------+
| ``sophistication`` | ``Sophistication`` |
+-------------------------------------+--------------------------------------+
| ``labels`` | ``Type`` |
+-------------------------------------+--------------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+--------------------------------+---------------------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+================================+=======================================+
| ``uses`` | ``Observed_TTPs`` |
+--------------------------------+---------------------------------------+
| ``attributed-to`` (reverse) | ``Associated_Campaigns`` |
+--------------------------------+---------------------------------------+
| ``related-to`` (threat-actor) | ``Associated_Actors`` |
+--------------------------------+---------------------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
- ``name``
- ``aliases``
- ``roles``
- ``resource_level``
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2017-01-27T13:49:54.326Z",
"id": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
"labels": [
"nation-state"
],
"modified": "2017-01-27T13:49:54.326Z",
"name": "Adversary Bravo",
"sophistication": "advanced",
"type": "threat-actor"
}
STIX 1.x in XML
.. code-block:: xml
Adversary Bravo
State Actor / Agency
Expert
Tool
-------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
+--------------------------+--------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+==========================+================================+
| ``name`` | ``Name`` (from CybOX) |
+--------------------------+--------------------------------+
| ``labels`` | ``Type`` (from CybOX) |
+--------------------------+--------------------------------+
| ``description`` | ``Description`` (from CybOX) |
+--------------------------+--------------------------------+
| ``tool_version`` | ``Version`` (from CybOX) |
+--------------------------+--------------------------------+
**STIX 2.0 Properties Translated to STIX 2.0 Properties**
+-----------------------------------+-------------------------------+
| **STIX 1.x property** | **STIX 1.x property** |
+===================================+===============================+
| ``external_references`` | ``References`` (from CybOX) |
+-----------------------------------+-------------------------------+
| ``kill_chain_phases`` | ``ttp:Kill_Chain_Phases`` |
+-----------------------------------+-------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+---------------------------------------+----------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+=======================================+============================+
| ``uses`` (attack-pattern) (reverse) | ``ttp:Related_TTPs`` |
+---------------------------------------+----------------------------+
| ``targets`` (identity) | ``ttp:Related_TTPs`` |
+---------------------------------------+----------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
- ``ttp:Intended_Effect``
**STIX 1.x Properties Not Mapped**
- ``labels``
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"type": "tool",
"id": "tool--ce45f721-af14-4fc0-938c-000c16186418",
"created": "2015-05-15T09:00:00.000Z",
"modified": "2015-05-15T09:00:00.000Z",
"name": "cachedump",
"labels": [
"credential-exploitation"
],
"description": "This program extracts cached password hashes from a system’s registry.",
"kill_chain_phases": [
{
"kill_chain_name": "mandiant-attack-lifecycle-model",
"phase_name": "escalate-privileges"
}
]
}
STIX 1.x in XML
.. code-block:: xml
This program extracts cached password hashes from a system’s registry.
cachedump
Vulnerability
------------------
**STIX 2.0 Properties Mapped Directly to STIX 1.x Properties**
*none*
**STIX 2.0 Properties Translated to STIX 1.x Properties**
+---------------------------------------------------------+------------------------------+
| **STIX 2.0 property** | **STIX 1.x property** |
+=========================================================+==============================+
| ``external_references`` (``source_name``: ``cve``) |``CVE_ID`` |
+---------------------------------------------------------+------------------------------+
| ``external_references`` (``source_name``: ``OSVDB_ID``) | ``Reference`` |
+---------------------------------------------------------+------------------------------+
**STIX 2.0 Relationships Mapped Using STIX 1.x Relationships**
+------------------------------------------------+--------------------------------+
| **STIX 2.0 relationship type** | **STIX 1.x property** |
+================================================+================================+
| ``mitigates`` (reverse) | ``et:Potential_COAs`` |
+------------------------------------------------+--------------------------------+
| ``related-to`` (when not used for versioning) | ``et:Related_Exploit_Targets`` |
+------------------------------------------------+--------------------------------+
**STIX 2.0 Properties Recorded in the STIX 1.x Description Property**
- ``labels``
**STIX 2.0 Properties Not Mapped**
*none*
**An Example**
STIX 2.0 in JSON
.. code-block:: json
{
"created": "2014-06-20T15:16:56.986Z",
"external_references": [
{
"external_id": "CVE-2013-3893",
"source_name": "cve"
}
],
"id": "vulnerability--e77c1e36-5b43-4c5c-b8cb-7b36035f2b90",
"modified": "2017-01-27T13:49:54.310Z",
"name": "Heartbleed",
"type": "vulnerability"
}
STIX 1.x in XML
.. code-block:: xml
Heartbleed
CVE-2013-3893