Types of Threat Data
CTIX normalizes and converts the data received in the application into the following threat data objects:
Indicator: Indicator contains a pattern that can be used to detect suspicious or malicious cyber activity.
Malware: Malware is malicious software or a malicious piece of code.
Vulnerability: Vulnerability is a weakness or mistake in software that an attacker can use directly to gain access to a system or network.
Threat Actor: Threat actors include any actual individuals, groups, or organizations that are operating with malicious intent.
Attack Pattern: Attack pattern describes the techniques that adversaries use to compromise targets.
Campaign: Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
Course of Action: Course of action contains a set of recommended actions that a defender might take in response to an attack or an event, for example blocking an indicator or applying a patch.
Identity: Identity defines actual individuals, organizations, or groups, as well as classes of individuals, organizations, systems, or groups (such as a sector), that may or may not be involved in an event.
Intrusion set: Intrusion set defines a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization or entity.
Location: Location represents a geographical location.
Malware Analysis: Malware Analysis represents the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
Observed Data: Observed data conveys information about any cyber security related entities such as files, systems, and networks using the STIX Cyber-Observable Objects (SCOs).
Opinion: Opinion represents an assessment of the correctness of the information in a STIX Object that was produced by a different entity.
Tool: Tools are legitimate software that threat actors use to carry out attacks, as opposed to malware written for that purpose.
Report: Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
Custom Object: Custom objects carry information that cannot be characterized by any of the defined STIX object types; in STIX 2.1 their type names start with the "x-" prefix.
Observable: Observables represent any stateful properties or measurable events pertinent to the operation of computers and networks.
Incident: Incident objects capture information about something that has already happened and help in tracking threat intel history over time.
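The list above describes the object types in prose; the following added example (not code from CTIX or its documentation) shows what a few of them look like as STIX 2.1 JSON objects and what a practitioner typically does with them once normalized: count objects per type, pull the detection patterns out of Indicators, resolve Relationship objects into readable triples, flag Custom objects by their "x-" prefix, and catch two common feed-quality problems, ids whose prefix does not match the declared type and relationships that point at objects missing from the bundle. All ids, names, timestamps and values are constructed sample data, not real threat intelligence.

```python
"""Added example, not CTIX product code: a small constructed STIX 2.1 bundle and helpers
that inventory it by type, extract Indicator patterns, resolve Relationships, and detect
dangling references. All identifiers and values below are made up for illustration."""
import re
from collections import Counter

TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp reused for all objects


def stix_obj(obj_type, uuid_tail, **props):
    """Build a STIX 2.1 object dict carrying the common properties every SDO/SRO has."""
    base = {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--00000000-0000-4000-8000-{uuid_tail}",
            "created": TS, "modified": TS}
    base.update(props)
    return base


# Constructed sample objects covering several of the types listed above.
IND = stix_obj("indicator", "000000000001", name="Example C2 domain",
               indicator_types=["malicious-activity"], pattern_type="stix",
               pattern="[domain-name:value = 'c2.example.invalid']", valid_from=TS)
MAL = stix_obj("malware", "000000000002", name="ExampleRAT", is_family=True,
               malware_types=["remote-access-trojan"])
ACTOR = stix_obj("threat-actor", "000000000003", name="Example Group",
                 threat_actor_types=["crime-syndicate"])
REL_IND = stix_obj("relationship", "000000000004", relationship_type="indicates",
                   source_ref=IND["id"], target_ref=MAL["id"])
REL_USE = stix_obj("relationship", "000000000005", relationship_type="uses",
                   source_ref=ACTOR["id"], target_ref=MAL["id"])
# Custom object: STIX 2.1 custom type names must start with "x-" (hypothetical type name).
CUSTOM = stix_obj("x-example-ticket", "000000000006", ticket_id="INC-1234")
# Deliberately dangling: refers to a Course of Action that is not present in the bundle.
REL_BAD = stix_obj("relationship", "000000000007", relationship_type="mitigates",
                   source_ref="course-of-action--00000000-0000-4000-8000-0000000000ff",
                   target_ref=MAL["id"])

SAMPLE_BUNDLE = {"type": "bundle",
                 "id": "bundle--00000000-0000-4000-8000-0000000000aa",
                 "objects": [IND, MAL, ACTOR, REL_IND, REL_USE, CUSTOM, REL_BAD]}

# STIX 2.1 identifier format: <object-type>--<UUID>
ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def inventory(bundle):
    """Count objects per STIX type; the first step when normalizing an incoming feed."""
    return Counter(o["type"] for o in bundle["objects"])


def is_custom(obj):
    """Custom objects are those whose type is outside the spec and carries the x- prefix."""
    return obj["type"].startswith("x-")


def check_ids(bundle):
    """Return ids that are malformed or whose prefix disagrees with the declared type."""
    bad = []
    for o in bundle["objects"]:
        m = ID_RE.match(o["id"])
        if not m or m.group(1) != o["type"]:
            bad.append(o["id"])
    return bad


def indicator_patterns(bundle):
    """Collect (name, pattern) for Indicators using the STIX pattern language; other
    pattern types (e.g. snort, yara) are skipped because they need a different engine."""
    return [(o["name"], o["pattern"]) for o in bundle["objects"]
            if o["type"] == "indicator" and o.get("pattern_type") == "stix"]


def resolve_relationships(bundle):
    """Turn Relationship objects into (source, type, target) triples using object names;
    returns (triples, ids of relationships whose endpoints are missing from the bundle)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    triples, dangling = [], []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if src is None or dst is None:
            dangling.append(o["id"])
            continue
        triples.append((src.get("name", src["type"]), o["relationship_type"],
                        dst.get("name", dst["type"])))
    return triples, dangling


if __name__ == "__main__":
    print(dict(inventory(SAMPLE_BUNDLE)))
    print("custom:", [o["id"] for o in SAMPLE_BUNDLE["objects"] if is_custom(o)])
    print("bad ids:", check_ids(SAMPLE_BUNDLE))
    print(indicator_patterns(SAMPLE_BUNDLE))
    print(resolve_relationships(SAMPLE_BUNDLE))
```

The dangling-reference check matters in practice: feeds frequently ship Relationship objects whose endpoints arrive in a later bundle or never arrive at all, and a platform that ingests them without checking ends up with edges to nothing. Likewise, an id whose prefix does not match the object's `type` is a sign of a broken producer and should be rejected rather than silently stored.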