STIX 2.0 Proposal14 : Flatten list layers in Package (#382) - STIXProject/specifications GitHub Wiki

Issue Summary

Currently STIXType contains list types (e.g. IndicatorsType) for each top-level construct that are nothing but containers for 1..* instances of that type.

This is an unnecessary layer of complexity.

Proposed

Propose flattening these to simply be of the contained object type with a 0..* multiplicity.

Proposed Model

Examples

Example #1: simple package containing a single threat actor, a single relationship and three TTPs

JSON Serialization example snippets

Example #1:

{
	"id": "example:package-8e7f6d70-2978-40fe-8f91-1b0e5914126d",
	"type": "package",
	"timestamp": {"value": "2015-12-21T21:54:19.000000+00:00"},
	"threat_actors": [
		{
			"id": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
			"type": "threat-actor",
			"timestamp": {"value": "2015-12-21T21:54:19.000000+00:00"},
			"name": "Black Vine"
		}
	],
	"ttps": [
		{
			"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
			"type": "malware-instance",
			"timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
			"name": "Sakurel Malware",
			"malware_instance_type": {
				"value": "Remote Access Trojan",
				"vocab": "malware-type-vocab-1.0"
			}
		}, {
			"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
			"type": "infrastructure",
			"timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
			"title": "Sakurel Command & Control Server",
			"infrastructure_type": {
				"value": "Hosting",
				"vocab": "attacker-infrastructure-type-vocab-1.0"
			},
			"observable_characterization": "observable pattern characterizing the infrastructure would go here"
		}, {
			"id": "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d",
			"type": "victim-targeting",
			"timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
			"title": "Targeting of Healthcare Sector",
			"specification": "CIQ content for sector would go here. Still to be determined how to do this in JSON."
		}
	],
	"relationships": [
		{
			"id": "example:rel-3b9edb33-5379-4566-8deb-9db1eba074d8",
			"type": "related-ttp",
			"timestamp": {"value": "2015-12-21T19:59:12.000000+00:00"},
			"confidence": {
				"value": {
					"value": "High",
					"vocab": "high-medium-low-vocab-1.0"
				}
			},
			"from": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
			"to": [
				"example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be", "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be", "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d"
			],
			"relationship_nature": {
				"value": "Observed TTP"
			}
		}
	]
}

JSON Schema Serialization snippets

Open Questions