Core Data Model

The core data model defines the building blocks for cyber threat intelligence. It consists of a set of top-level objects representing concepts in CTI and defines relationships between those objects.

Component                 Description
asset                     Something of value owned by an organization
attack-pattern            Techniques used to execute a cyber attack
campaign                  Sustained attack with a defined intent
configuration             A system configuration that might lead to compromise
course-of-action          Defensive actions taken in response to threats
exploit                   Action or process to achieve an attack
identity                  A person or organization
incident                  Occurrence of a cyber attack
indicator                 Technical information that indicates compromise
kill-chain                Categorization of the phases of an attack
malicious-infrastructure  Attacker backend resources used to execute attacks
malicious-tool            A piece of software used directly by an attacker
malware                   Software designed with a malicious purpose and installed without the user being aware
observation               An observation of potentially malicious activity
opinion                   An opinion about another object
persona                   False identity used to perpetrate an attack
relationship              A relationship between any other top-level constructs
report                    A collection of intelligence with a common theme
threat-actor              An individual or group with malicious intent
victim-targeting          The types of victims that a particular threat targets
vulnerability             A flaw in software that opens it up to attack
weakness                  A type of flaw in software


Messages define data exchanges targeted at specific use cases. They leverage the data model to define the content.

Message       Description
announcement  A bundle of STIX content not explicitly solicited by another party.


These sample documents are meant to be illustrative. The "idiom" examples align with idioms from

Name                    Category
block_network_traffic   idioms
c2_ip_list              idioms
c2_ip_list_indicator    idioms
campaigns_v_actors      idioms
cves_in_exploit_target  idioms
file_hash_reputation    idioms
kill_chain              idioms
simple                  course-of-action
simple                  campaign
simple                  configuration
simple                  attack-pattern