twigs / core data model / indicator

Technical information that indicates compromise

Fields

Name                    Type                                    Description
type                    string                                  Hardcoded value indicating what type of construct this is.
id                      string                                  Globally unique identifier for this construct.
revision                integer                                 The revision number of this construct. MUST be omitted if this is the first version, otherwise required.
created_at              string                                  Time at which this construct was created.
external_ids            array <object>                          A list of external identifiers by which this construct may be known.
  source                string                                  The source of this ID, i.e. the name of an external system.
  id                    string                                  The ID itself.
  link                  string                                  A link to this construct in the external system.
producer_ref            string                                  ID of the information source that produced this content.
marking_refs            array <string>                          The set of markings to be applied to this construct.
structured_markings     array <structured-marking>              The set of L2 markings to be applied to this construct.
  controlled_structures array <string>                          A list of JSONPath statements, rooted at the top-level object that contains the structured_markings key, that the marking_refs apply to.
  marking_refs          array <string>                          The set of markings applied to the fields selected by the controlled_structures.
pattern                 one of: twigs, snort, snort-so, yara    The pattern used to identify the presence of this indicator. Each variant is discriminated by its type field:
  type                  ["twigs"]                               Type of pattern.
  properties            object                                  A list of properties that are applied in the condition.
  conditions            string                                  The string conditions for when this indicator should match.
  type                  ["snort"]                               Type of pattern.
  rules                 array <object>                          The set of Snort rules to match this indicator.
  type                  ["snort-so"]                            Type of pattern.
  rule_stub             string                                  The plain text rule stub.
  rule_binary           external                                A structure representing external data (e.g. binary, XML).
    content_type        string                                  MIME type of the external data.
    charset             string                                  For content that has an encoding, the charset of the encoded content.
    content             string                                  The content itself. It must either be base64 encoded, with base64 set to true, or be escaped per JSON string escape rules.
  type                  ["yara"]                                Type of pattern.
  rules                 array <object>                          The set of YARA rules to match this indicator.
start_time              date-time                               The time from which this indicator should be considered valid. If omitted, unknown.
end_time                date-time                               The time after which this indicator should no longer be considered valid. If omitted, unknown or ongoing.
impact                  impact                                  The impact to operations if the TTP(s) this indicator detects were realized (assessed individually).
  level                 integer                                 The estimated severity of the impact.
  intended_effects      array <["Military Advantage", "Economic Advantage", "Political Advantage", "Intellectual Property Theft", "Identify Theft", "Brand Damage", "Degredation of Service", "Denial and Deception", "Destruction", "Disruption", "Exposure", "Extortion", "Fraud", "Harassment", "Watch the World Burn"]>
  description           string                                  A prose description of the impact.
credibility             integer                                 The credibility of this statement, using the Admiralty scale.
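As an added illustration, not code from the twigs project or this page, the following Python validator checks an indicator construct against the field rules above: required fields, the revision rule, the pattern discriminator and its variant-specific keys, the base64 rule for rule_binary, the validity window and the intended_effects vocabulary. The literal type value "indicator", the "base64" flag key on rule_binary and the sample construct are assumptions.

```python
import base64
import binascii
from datetime import datetime

INTENDED_EFFECTS = {  # vocabulary exactly as listed on the page
    "Military Advantage", "Economic Advantage", "Political Advantage",
    "Intellectual Property Theft", "Identify Theft", "Brand Damage",
    "Degredation of Service", "Denial and Deception", "Destruction", "Disruption",
    "Exposure", "Extortion", "Fraud", "Harassment", "Watch the World Burn"}
PATTERN_KEYS = {  # keys each pattern variant needs besides its "type" discriminator
    "twigs": {"properties", "conditions"}, "snort": {"rules"},
    "snort-so": {"rule_stub", "rule_binary"}, "yara": {"rules"}}

def validate_indicator(obj):
    """Return the problems found; an empty list means the construct is well-formed."""
    errors = []
    for key in ("type", "id", "created_at", "pattern"):
        if key not in obj:
            errors.append(f"missing required field: {key}")
    if obj.get("type") != "indicator":  # assumed value of the hardcoded type field
        errors.append("type must be 'indicator'")
    if "revision" in obj and (not isinstance(obj["revision"], int) or obj["revision"] < 1):
        errors.append("revision must be a positive integer when present")
    pattern = obj.get("pattern") or {}
    ptype = pattern.get("type")
    if ptype not in PATTERN_KEYS:
        errors.append(f"unknown pattern type: {ptype!r}")
    elif missing := PATTERN_KEYS[ptype] - set(pattern):  # walrus needs Python 3.8+
        errors.append(f"{ptype} pattern is missing {sorted(missing)}")
    rb = pattern.get("rule_binary")
    if ptype == "snort-so" and isinstance(rb, dict) and rb.get("base64") is True:
        try:  # "base64" flag key is assumed; the page only says it must be set to true
            base64.b64decode(rb.get("content", ""), validate=True)
        except (binascii.Error, ValueError):
            errors.append("rule_binary.content is flagged base64 but does not decode")
    start, end = obj.get("start_time"), obj.get("end_time")
    if start and end and datetime.fromisoformat(end) < datetime.fromisoformat(start):
        errors.append("end_time precedes start_time")  # inverted validity window
    effects = (obj.get("impact") or {}).get("intended_effects", [])
    bad = [e for e in effects if e not in INTENDED_EFFECTS]
    if bad:
        errors.append(f"intended_effects outside vocabulary: {bad}")
    return errors

# Constructed sample (not from the page): a YARA indicator with a validity window.
SAMPLE = {"type": "indicator", "id": "indicator--EXAMPLE-0001",
          "created_at": "2024-01-01T00:00:00+00:00", "start_time": "2024-01-01T00:00:00+00:00",
          "end_time": "2024-06-01T00:00:00+00:00", "impact": {"level": 2, "intended_effects": ["Exposure"]},
          "pattern": {"type": "yara", "rules": [{"text": "rule example { condition: false }"}]}}
assert validate_indicator(SAMPLE) == []
```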

Relationships

Relationship Name   Target Type
indicated           malware, attack-pattern, exploit, victim-targeting, malicious-tool, malicious-infrastructure, persona, campaign, threat-actor
suggested           course-of-action
kill-chain-phase    kill-chain-phase
related             indicator
duplicate-of        indicator