Mappings from CybOX 2.x to STIX 2.x
The following table associates the CybOX 2.x object types with their STIX 2.x cyber observable types. For each CybOX object the table also indicates if the elevator is able to convert the CybOX object to STIX 2.x.
CybOX object types not listed have no corresponding STIX 2.x cyber observable type, and therefore are not converted by the elevator.
CybOX 2.x Object Type | STIX 2.x Cyber Observable Type | Converted in the current version of the Elevator |
---|---|---|
Address | email-addr | yes |
Address | ipv4-addr | yes |
Address | ipv6-addr | yes |
Address | mac-addr | yes |
ArchiveFile | file:archive-ext | yes |
Artifact | artifact | yes |
AutonomousSystem | autonomous-system | yes |
File | directory | yes |
DomainName | domain-name | yes |
DNS Query | none | no |
EmailMessage | email-message | yes |
File \* | file | yes |
Hostname | domain-name | yes |
HTTPClientRequest | network-traffic:http-request-ext | yes |
HTTPSession | network-traffic | yes |
ICMP (v4/v6) | network-traffic:icmp-ext | yes |
ImageFile | file:raster-image-ext | yes |
Link | none | no |
Mutex | mutex | yes |
NetworkConnection | network-traffic | yes |
NetworkSocket | network-traffic:socket-ext | yes |
PDFFile | file:pdf-ext | yes |
Process \* | process | yes |
Product | software | yes |
SocketAddress | network-traffic | yes |
Hostname | domain-name | yes |
Port | integer | yes |
TCP | network-traffic:tcp-ext | no |
URI | url | yes |
UnixUserAccount | user-account:unix-account-ext | yes |
UserAccount/WinUserAccount | user-account | yes |
WindowsRegistryKey | windows-registry-key | yes |
WinExecutableFile | file:windows-pebinary-ext | yes |
WinFile | file:ntfs-ext | no |
WinProcess | process:windows-process-ext | yes |
WinService | process:windows-service-ext | yes |
X509Certificate | x509-certificate | yes |
X509V3Extensions | x509-certificate:x509-v3-extensions-type | yes |
\* Windows or Unix CybOX object types are handled by the basic STIX object type.
CybOX 2.1 Object Types Not Representable in STIX 2.x
STIX 2.x can support these CybOX object types using custom objects (deprecated) or extensions, but this is beyond the current scope of the elevator.
API
ARP
Code
DNS Cache
DNS Query
DNS Record
Device
Disk Partition
GUI Dialogbox
GUI
GUI Window
Library
Link
Linux Package
Memory
Network Flow
Network Packet
Network Route Entry/Unix Network Route Entry/Win Network Route Entry
Network Route
Network Subnet
Pipe/Unix Pipe/Win Pipe
SMS Message
Semaphore/Win Semaphore
System/Win System
URL History
User Session
Volume/Unix Volume/Win Volume
Whois
Win Critical Section
Win Driver
Win Event Log
Win Event
Win Filemapping
Win Handle
Win Hook/Win Kernel Hook
Win Kernel
Win Mailslot
Win Memory Page Region
Win Network Share
Win Prefetch
Win System Restore
Win Task
Win Thread
Win Waitable Timer
Converting Network Cyber Observables
Most of the mappings between CybOX 2.x objects and STIX 2.x cyber observables are straightforward, so they are not detailed in this document. However, it is worth detailing the mappings of network-traffic, a “catch-all” STIX 2.x cyber observable type for information previously represented in CybOX 2.x by:
NetworkConnection
HTTPSessionObject
NetworkFlowObject
NetworkPacket
This information is organized very differently than in CybOX 2.x. In addition, many CybOX 2.x properties are not available in the network-traffic object.
When converting network cyber observables, the elevator will often infer entries of the protocols property.
Notice that although both STIX 1.x and 2.x have object types to represent TCP packets, they are not compatible, so no conversion is made.
CybOX 2.x Type | STIX 2.0 mapping |
---|---|
NetworkConnection | network-traffic |
HTTPSessionObject/HTTPSessionObject/HTTPClientRequest | network-traffic/http-request-ext |
NetworkFlowObject/UnidirectionalRecord/IPFIXMessage | network-traffic/ipfix |
NetworkPacket/InternetLayer/ICMPv(4/6) | network-traffic/icmp-ext |
NetworkSocket | network-traffic/socket-ext |
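An added example, not the elevator's own code: a sketch of how a NetworkConnection could be turned into a network-traffic object, with the protocols list partly inferred and the properties that have no target reported so the loss is visible. The input dict shape, the function names, the MAPPED set and the inference rule are assumptions; object references use the STIX 2.0 numbered style.

```python
# Illustrative sketch only; dict keys are a hypothetical flattening of CybOX fields.
MAPPED = {"layer3_protocol", "layer4_protocol", "layer7_protocol",
          "source_socket_address", "destination_socket_address"}

SAMPLE = {  # constructed input, not real data
    "layer4_protocol": "TCP",
    "layer7_protocol": "HTTP",
    "source_socket_address": {"ip_address": "198.51.100.7", "port": 49152},
    "destination_socket_address": {"hostname": "example.com", "port": 80},
    "source_tcp_state": "ESTABLISHED",  # not carried over by this sketch
    "tls_used": False,                  # not carried over by this sketch
}

def add_endpoint(sock, objects):
    """Store the socket's address as its own observable; return its reference key."""
    if "ip_address" in sock:
        ip = sock["ip_address"]
        obj = {"type": "ipv6-addr" if ":" in ip else "ipv4-addr", "value": ip}
    else:
        obj = {"type": "domain-name", "value": sock["hostname"]}
    key = str(len(objects))
    objects[key] = obj
    return key

def convert_connection(conn):
    """Return (objects, dropped): numbered STIX objects and the unmapped input keys."""
    objects, traffic = {}, {"type": "network-traffic"}
    for side, field in (("src", "source_socket_address"),
                        ("dst", "destination_socket_address")):
        sock = conn.get(field)
        if sock:
            traffic[side + "_ref"] = add_endpoint(sock, objects)
            if "port" in sock:
                traffic[side + "_port"] = sock["port"]
    # Protocols are listed lowest layer first; stated layers are lower-cased.
    stated = [conn.get(k) for k in ("layer3_protocol", "layer4_protocol", "layer7_protocol")]
    protocols = [p.lower() for p in stated if p]
    if not conn.get("layer3_protocol"):
        # Inference (assumed rule): derive the network layer from an endpoint's address type.
        kinds = {o["type"] for o in objects.values()}
        inferred = "ipv4" if "ipv4-addr" in kinds else "ipv6" if "ipv6-addr" in kinds else None
        if inferred:
            protocols.insert(0, inferred)
    traffic["protocols"] = protocols
    objects[str(len(objects))] = traffic
    # Anything outside MAPPED is lost; surface it so the gap can be reviewed.
    return objects, sorted(set(conn) - MAPPED)
```

Comparing the returned list of dropped keys against the fields your detections rely on is a quick way to see what a migration from CybOX 2.x would silently lose.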