Mappings from CybOX 2.x to STIX 2.x

The following table associates the CybOX 2.x object types with their STIX 2.x cyber observable types. For each CybOX object the table also indicates if the elevator is able to convert the CybOX object to STIX 2.x.

CybOX object types not listed have no corresponding STIX 2.x cyber observable type, and therefore are not converted by the elevator.

Cybox 2.x Object Type STIX 2.x Cyber Observable Type Converted in the current version of the Elevator
Address email-addr yes
Address ipv4-addr yes
Address ipv6-addr yes
Address mac-addr yes
ArchiveFile file:archive-ext yes
Artifact artifact yes
AutonomousSystem autonomous-system yes
File directory yes
DomainName domain-name yes
DSN Query none no
EmailMessage email-message yes
File* file yes
Hostname domain-name yes
HTTPClientRequest network-traffic:http-request-ext yes
HTTPSession network-traffic yes
ICMP (v4/v6) network-traffic:icmp-ext yes
ImageFile file:raster-image-ext yes
Link none no
Mutex mutex yes
NetworkConnection network-traffic yes
NetworkSocket network-traffic:socket-ext yes
PDFFile file:pdf-ext yes
Process* process yes
Product software yes
SocketAddress network-traffic yes
Hostname domain-name yes
Port integer yes
TCP network-traffic:tcp-ext no
URI url yes
UnixUserAccount user-account:unix-account-ext yes
UserAccount/WinUserAccount user-account yes
WindowsRegistryKey window-registry-key yes
WinExecutableFile file:window-pebinary-ext yes
WinFile file:ntfs-ext no
WinProcess process:windows-process-ext yes
WinService process:windows-service-ext yes
X509Certificate x509-certificate yes
X509V3Extensions x509-certificate:x509-v3-extensions-type yes
  • Window or Unix Cybox object types handled by the basic STIX object type

CybOX 2.1 Object Types Not Representable in STIX 2.x

STIX 2.x can support these CybOX object types using Custom object (deprecated) or Extensions, but this is beyond the current scope of the Elevator.

  • API
  • ARP
  • Code
  • DNS Cache
  • DNS Query
  • DNS Record
  • Device
  • Disk Partition
  • GUI Dialogbox
  • GUI
  • GUI Window
  • Library
  • Link
  • Linux Package
  • Memory
  • Network Flow
  • Network Packet
  • Network Route Entry/Unix Network Route Entry/Win Network Route Entry
  • Network Route
  • Network Subnet
  • Pipe/Unix Pipe/Win Pipe
  • SMS Message
  • Semaphore/Win Semaphore
  • System/Win System
  • URL History
  • User Session
  • Volume/Unix Volume/Win Volume
  • Whois
  • Win Critical Section
  • Win Driver
  • Win Event Log
  • Win Event
  • Win Filemapping
  • Win Handle
  • Win Hook/Win Kernel Hook
  • Win Kernel
  • Win Mailslot
  • Win Memory Page Region
  • Win Network Share
  • Win Prefetch
  • Win System Restore
  • Win Task
  • Win Thread
  • Win Waitable Timer

Converting Network Cyber Observables

Most of the mappings between CybOX 2.x objects and STIX 2.x cyber observables are straightforward, therefore, they will not be detailed in this document. However, it would be advantageous to detail the mappings of network-traffic, a “catch-all” STIX 2.x cyber observable type for information previously represented in CybOX 2.x by:

  • NetworkConnection
  • HTTPSessionObject
  • NetworkFlowObject
  • NetworkPacket

This information is organized very differently than in CybOX 2.x. In addition, many CybOX 2.x properties are not available in the network-traffic object.

When converting network cyber observables, the elevator will often infer entries of the protocols property.

Notice that although both STIX 1.x and 2.x have object types to represent TCP packets, they are not compatible, so no conversion is made.

CybOX 2.x Type STIX 2.0 mapping
NetworkConnection network-traffic
HTTPSessionObject/HTTPSessionObject/HTTPClientRequest network-traffic/http-request-ext
NetworkFlowObject/UnidirectionalRecord/IPFIXMessage network-traffic/ipfix
NetworkPacket/InternetLayer/ICMPv(4/6) network-traffic/icmp-ext
NetworkSocket network-traffic/socket-ext