Sighting Object

Sighting A sighting indicates that a particular entity or indicator was observed in an environment and can be an indication of a current or potential threat.

Property	Type	Description	Required?
confidence	HighMedLowString		✓
count	Integer	The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents.	✓
id	String	Globally unique URI identifying this object.	✓
observed_time	ObservedTime Object		✓
schema_version	String	CTIM schema version for this entity.	✓
type	SightingTypeIdentifierString		✓
context	Context Object	Context including the event type that best fits the type of the sighting.
data	SightingDataTable Object	An embedded data table for the Sighting.
description	MarkdownString	A description of object, which may be detailed.
external_ids	String List	It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
external_references	ExternalReference Object List	Specifies a list of external references which refers to non-CTIM information. Similar to `external_ids` field with major differences: - `external_ids` field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The `external_ids` field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - `external_references` field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The `external_references` field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
internal	Boolean	If `true`, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC. Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization. Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known.
language	ShortStringString	The `language` field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the `language` field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The `language` field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
observables	Observable Object List	The object(s) of interest.
relations	ObservedRelation Object List	Provide any context we can about where the observable came from.
resolution	ResolutionString	Represents the disposition or actions taken on the associated threat intelligence.
revision	Integer	A monotonically increasing revision, incremented each time the object is changed.
sensor	SensorString	The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
sensor_coordinates	SensorCoordinates Object
severity	SeverityString
short_description	MedStringString	A single line, short summary of the object.
source	MedStringString	Represents the source of the intelligence that led to the creation of the entity.
source_uri	String	URI of the source of the intelligence that led to the creation of the entity.
targets	IdentitySpecification Object List	May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise. Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the `targets` field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread.
timestamp	Inst (Date)	The time this object was created at, or last modified.
title	ShortStringString	A short title for this object, used as primary display and reference value.
tlp	TLPString	TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.

Reference: SightingType

Property confidence ∷ HighMedLowString

This entry is required
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property context ∷ Context Object

Context including the event type that best fits the type of the sighting.

This entry is optional

Context Object Value
- Details: Context Object

Property count ∷ Integer

The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents.

This entry is required
- Zero, or a positive integer.

Property data ∷ SightingDataTable Object

An embedded data table for the Sighting.

This entry is optional

SightingDataTable Object Value
- Details: SightingDataTable Object

Property description ∷ MarkdownString

A description of object, which may be detailed.

This entry is optional
- Markdown Markdown string with at most 5000 characters.

Property external_ids ∷ String List

It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information.

Similar to external_ids field with major differences:

external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems.
external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.

This entry is optional
This entry's type is sequential (allows zero or more values)

ExternalReference Object Value
- Details: ExternalReference Object

Property id ∷ String

Globally unique URI identifying this object.

This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property internal ∷ Boolean

If true, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC. Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization. Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known.

This entry is optional

Property language ∷ ShortStringString

The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.

For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.

This entry is optional
- ShortString String with at most 1024 characters.

Property observables ∷ Observable Object List

The object(s) of interest.

This entry is optional
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property observed_time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property relations ∷ ObservedRelation Object List

Provide any context we can about where the observable came from.

This entry is optional
This entry's type is sequential (allows zero or more values)

ObservedRelation Object Value
- Details: ObservedRelation Object

Property resolution ∷ ResolutionString

Represents the disposition or actions taken on the associated threat intelligence.

This entry is optional
- Resolution indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP.
- Allowed Values:
  - allowed
  - blocked
  - contained
  - detected

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

This entry is optional
- Zero, or a positive integer.

Property schema_version ∷ String

CTIM schema version for this entity.

This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property sensor ∷ SensorString

The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)

This entry is optional
- Sensor The sensor/actuator name that best fits a device.
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

Property sensor_coordinates ∷ SensorCoordinates Object

This entry is optional

SensorCoordinates Object Value
- Details: SensorCoordinates Object

Property severity ∷ SeverityString

This entry is optional
- Allowed Values:
  - Critical
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

This entry is optional
- MedString String with at most 2048 characters.

Property source ∷ MedStringString

Represents the source of the intelligence that led to the creation of the entity.

This entry is optional
- MedString String with at most 2048 characters.

Property source_uri ∷ String

URI of the source of the intelligence that led to the creation of the entity.

This entry is optional
- A URI

Property targets ∷ IdentitySpecification Object List

May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise.

Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread.

This entry is optional
This entry's type is sequential (allows zero or more values)

IdentitySpecification Object Value
- Details: IdentitySpecification Object

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value.

This entry is optional
- ShortString String with at most 1024 characters.

Property tlp ∷ TLPString

TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.

It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.

For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.

This entry is optional
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type ∷ SightingTypeIdentifierString

This entry is required
- Must equal: "sighting"

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

Property	Type	Description	Required?
source_name	MedStringString	The source within which the external-reference is defined (system, registry, organization, etc.)	✓
description	MarkdownString
external_id	String	An identifier for the external reference content.
hashes	String List	Specifies a dictionary of hashes for the contents of the url.
url	String	A URL reference to an external resource.

Reference: External Reference

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters.

Property external_id ∷ String

An identifier for the external reference content.

This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

This entry is optional
This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

This entry is required
- MedString String with at most 2048 characters.

Property url ∷ String

A URL reference to an external resource.

This entry is optional
- A URI

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

SightingDataTable Object

SightingDataTable An embedded data table for sightings data.

Property	Type	Description	Required?
columns	ColumnDefinition Object List	an ordered list of column definitions	✓
rows	Anything List	an ordered list of rows	✓
row_count	Integer	The number of rows in the data table.

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

This entry is required
This entry's type is sequential (allows zero or more values)

ColumnDefinition Object Value
- Details: ColumnDefinition Object

Property row_count ∷ Integer

The number of rows in the data table.

This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

This entry is required
This entry's type is sequential (allows zero or more values)

ColumnDefinition Object

Property	Type	Description	Required?
name	String		✓
type	ColumnTypeString		✓
description	MarkdownString
required	Boolean	If `true`, the row entries for this column cannot contain `nulls`. Defaults to `true`.
short_description	String

Property description ∷ MarkdownString

This entry is optional
- Markdown Markdown string with at most 5000 characters.

Property name ∷ String

This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true.

This entry is optional

Property short_description ∷ String

This entry is optional

Property type ∷ ColumnTypeString

This entry is required
- Allowed Values:
  - integer
  - markdown
  - number
  - observable
  - string
  - url

SensorCoordinates Object

SensorCoordinates Describes the device that made the sighting (sensor) and contains identifying observables for the sensor.

Property	Type	Required?
observables	Observable Object List	✓
type	SensorString	✓
os	String

Property observables ∷ Observable Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property os ∷ String

This entry is optional

Property type ∷ SensorString

This entry is required
- Sensor The sensor/actuator name that best fits a device.
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifierString	The type of observable.	✓
value	String	The value of the observable.	✓

Property type ∷ ObservableTypeIdentifierString

The type of observable.

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - acudid
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - cortex_agent_id
  - crowdstrike_id
  - cvm_id
  - cybereason_id
  - darktrace_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - meraki_network_id
  - meraki_node_sn
  - meraki_org_id
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_uid
  - process_username
  - processor_id
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

The value of the observable.

This entry is required

IdentitySpecification Object

IdentitySpecification Describes the target of the sighting and contains identifying observables for the target.

Property	Type	Required?
observables	Observable Object List	✓
observed_time	ObservedTime Object	✓
type	SensorString	✓
os	String

Property observables ∷ Observable Object List

This entry is required
This entry's type is sequential (allows zero or more values)

Observable Object Value
- Details: Observable Object

Property observed_time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property os ∷ String

This entry is optional

Property type ∷ SensorString

This entry is required
- Sensor The sensor/actuator name that best fits a device.
- Allowed Values:
  - endpoint
  - endpoint.digital-telephone-handset
  - endpoint.laptop
  - endpoint.pos-terminal
  - endpoint.printer
  - endpoint.sensor
  - endpoint.server
  - endpoint.smart-meter
  - endpoint.smart-phone
  - endpoint.tablet
  - endpoint.workstation
  - network
  - network.bridge
  - network.firewall
  - network.gateway
  - network.guard
  - network.hips
  - network.hub
  - network.ids
  - network.ips
  - network.modem
  - network.nic
  - network.proxy
  - network.router
  - network.security_manager
  - network.sense_making
  - network.sensor
  - network.switch
  - network.vpn
  - network.wap
  - process
  - process.aaa-server
  - process.anti-virus-scanner
  - process.connection-scanner
  - process.directory-service
  - process.dns-server
  - process.email-service
  - process.file-scanner
  - process.location-service
  - process.network-scanner
  - process.remediation-service
  - process.reputation-service
  - process.sandbox
  - process.virtualization-service
  - process.vulnerability-scanner

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifierString	The type of observable.	✓
value	String	The value of the observable.	✓

Property type ∷ ObservableTypeIdentifierString

The type of observable.

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - acudid
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - cortex_agent_id
  - crowdstrike_id
  - cvm_id
  - cybereason_id
  - darktrace_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - meraki_network_id
  - meraki_node_sn
  - meraki_org_id
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_uid
  - process_username
  - processor_id
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

The value of the observable.

This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifierString	The type of observable.	✓
value	String	The value of the observable.	✓

Property type ∷ ObservableTypeIdentifierString

The type of observable.

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - acudid
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - cortex_agent_id
  - crowdstrike_id
  - cvm_id
  - cybereason_id
  - darktrace_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - meraki_network_id
  - meraki_node_sn
  - meraki_org_id
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_uid
  - process_username
  - processor_id
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

The value of the observable.

This entry is required

ObservedRelation Object

ObservedRelation A relation inside a Sighting.

Property	Type	Required?
origin	String	✓
related	Observable Object	✓
relation	ObservableRelationTypeString	✓
source	Observable Object	✓
origin_uri	String
relation_info	Object

Property origin ∷ String

This entry is required

Property origin_uri ∷ String

This entry is optional
- A URI

Property related ∷ Observable Object

This entry is required

Observable Object Value
- Details: Observable Object

Property relation ∷ ObservableRelationTypeString

This entry is required
- Allowed Values:
  - Allocated
  - Allocated_By
  - Attached_To
  - Bound
  - Bound_By
  - Characterized_By
  - Characterizes
  - Child_Of
  - Closed
  - Closed_By
  - Compressed
  - Compressed_By
  - Compressed_From
  - Compressed_Into
  - Connected_From
  - Connected_To
  - Contained_Within
  - Contains
  - Copied
  - Copied_By
  - Copied_From
  - Copied_To
  - Created
  - Created_By
  - Decoded
  - Decoded_By
  - Decompressed
  - Decompressed_By
  - Decrypted
  - Decrypted_By
  - Deleted
  - Deleted_By
  - Deleted_From
  - Downloaded
  - Downloaded_By
  - Downloaded_From
  - Downloaded_To
  - Dropped
  - Dropped_By
  - Encoded
  - Encoded_By
  - Encrypted
  - Encrypted_By
  - Encrypted_From
  - Encrypted_To
  - Extracted_From
  - FQDN_Of
  - Freed
  - Freed_By
  - Hooked
  - Hooked_By
  - Initialized_By
  - Initialized_To
  - Injected
  - Injected_As
  - Injected_By
  - Injected_Into
  - Installed
  - Installed_By
  - Joined
  - Joined_By
  - Killed
  - Killed_By
  - Listened_On
  - Listened_On_By
  - Loaded_From
  - Loaded_Into
  - Locked
  - Locked_By
  - Mapped_By
  - Mapped_Into
  - Merged
  - Merged_By
  - Modified_Properties_Of
  - Monitored
  - Monitored_By
  - Moved
  - Moved_By
  - Moved_From
  - Moved_To
  - Opened
  - Opened_By
  - Packed
  - Packed_By
  - Packed_From
  - Packed_Into
  - Parent_Of
  - Paused
  - Paused_By
  - Previously_Contained
  - Properties_Modified_By
  - Properties_Queried
  - Properties_Queried_By
  - Read_From
  - Read_From_By
  - Received
  - Received_By
  - Received_From
  - Received_Via_Upload
  - Redirects_To
  - Refers_To
  - Related_To
  - Renamed
  - Renamed_By
  - Renamed_From
  - Renamed_To
  - Resolved_To
  - Resumed
  - Resumed_By
  - Root_Domain_Of
  - Searched_For
  - Searched_For_By
  - Sent
  - Sent_By
  - Sent_To
  - Sent_Via_Upload
  - Set_From
  - Set_To
  - Sub-domain_Of
  - Supra-domain_Of
  - Suspended
  - Suspended_By
  - Unhooked
  - Unhooked_By
  - Unlocked
  - Unlocked_By
  - Unpacked
  - Unpacked_By
  - Uploaded
  - Uploaded_By
  - Uploaded_From
  - Uploaded_To
  - Used
  - Used_By
  - Values_Enumerated
  - Values_Enumerated_By
  - Written_To_By
  - Wrote_To

Property relation_info ∷ Object

This entry is optional

Object Value
- Details: Object

Property source ∷ Observable Object

This entry is required

Observable Object Value
- Details: Observable Object

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifierString	The type of observable.	✓
value	String	The value of the observable.	✓

Property type ∷ ObservableTypeIdentifierString

The type of observable.

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - acudid
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - cortex_agent_id
  - crowdstrike_id
  - cvm_id
  - cybereason_id
  - darktrace_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - meraki_network_id
  - meraki_node_sn
  - meraki_org_id
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_uid
  - process_username
  - processor_id
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

The value of the observable.

This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

Property	Type	Description	Required?
type	ObservableTypeIdentifierString	The type of observable.	✓
value	String	The value of the observable.	✓

Property type ∷ ObservableTypeIdentifierString

The type of observable.

This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
  - acudid
  - amp_computer_guid
  - certificate_common_name
  - certificate_issuer
  - certificate_serial
  - cisco_cm_id
  - cisco_mid
  - cisco_uc_id
  - cortex_agent_id
  - crowdstrike_id
  - cvm_id
  - cybereason_id
  - darktrace_id
  - device
  - domain
  - email
  - email_messageid
  - email_subject
  - file_name
  - file_path
  - hostname
  - imei
  - imsi
  - ip
  - ipv6
  - mac_address
  - md5
  - meraki_network_id
  - meraki_node_sn
  - meraki_org_id
  - ms_machine_id
  - mutex
  - ngfw_id
  - ngfw_name
  - odns_identity
  - odns_identity_label
  - orbital_node_id
  - pki_serial
  - process_args
  - process_hash
  - process_name
  - process_path
  - process_uid
  - process_username
  - processor_id
  - registry_key
  - registry_name
  - registry_path
  - s1_agent_id
  - serial_number
  - sha1
  - sha256
  - swc_device_id
  - trend_micro_id
  - url
  - user
  - user_agent

Property value ∷ String

The value of the observable.

This entry is required

Object

Property	Type	Description	Required?
Keyword	Anything		✓

Property Keyword ∷ Anything

This entry is required

Context Object

Property	Type	Description
file_create_events	FileCreateType Object List	a list of `FileCreateType`
file_delete_events	FileDeleteType Object List	a list of `FileDeleteType`
file_modify_events	FileModifyType Object List	a list of `FileModifyType`
file_move_events	FileMoveType Object List	a list of `FileMoveType`
http_events	HTTPType Object List	a list of `HTTPType`
library_load_events	LibraryLoadType Object List	a list of `LibraryLoadType`
netflow_events	NetflowType Object List	a list of `NetflowType`
process_create_events	ProcessCreateType Object List	a list of `ProcessCreate`
registry_create_events	RegistryCreateType Object List	a list of `RegistryCreateType`
registry_delete_events	RegistryDeleteType Object List	a list of `RegistryDeleteType`
registry_rename_events	RegistryRenameType Object List	a list of `RegistryRenameType`
registry_set_events	RegistrySetType Object List	a list of `RegistrySetType`

Property file_create_events ∷ FileCreateType Object List

a list of FileCreateType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileCreateType Object Value
- Details: FileCreateType Object

Property file_delete_events ∷ FileDeleteType Object List

a list of FileDeleteType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileDeleteType Object Value
- Details: FileDeleteType Object

Property file_modify_events ∷ FileModifyType Object List

a list of FileModifyType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileModifyType Object Value
- Details: FileModifyType Object

Property file_move_events ∷ FileMoveType Object List

a list of FileMoveType

This entry is optional
This entry's type is sequential (allows zero or more values)

FileMoveType Object Value
- Details: FileMoveType Object

Property http_events ∷ HTTPType Object List

a list of HTTPType

This entry is optional
This entry's type is sequential (allows zero or more values)

HTTPType Object Value
- Details: HTTPType Object

Property library_load_events ∷ LibraryLoadType Object List

a list of LibraryLoadType

This entry is optional
This entry's type is sequential (allows zero or more values)

LibraryLoadType Object Value
- Details: LibraryLoadType Object

Property netflow_events ∷ NetflowType Object List

a list of NetflowType

This entry is optional
This entry's type is sequential (allows zero or more values)

NetflowType Object Value
- Details: NetflowType Object

Property process_create_events ∷ ProcessCreateType Object List

a list of ProcessCreate

This entry is optional
This entry's type is sequential (allows zero or more values)

ProcessCreateType Object Value
- Details: ProcessCreateType Object

Property registry_create_events ∷ RegistryCreateType Object List

a list of RegistryCreateType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistryCreateType Object Value
- Details: RegistryCreateType Object

Property registry_delete_events ∷ RegistryDeleteType Object List

a list of RegistryDeleteType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistryDeleteType Object Value
- Details: RegistryDeleteType Object

Property registry_rename_events ∷ RegistryRenameType Object List

a list of RegistryRenameType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistryRenameType Object Value
- Details: RegistryRenameType Object

Property registry_set_events ∷ RegistrySetType Object List

a list of RegistrySetType

This entry is optional
This entry's type is sequential (allows zero or more values)

RegistrySetType Object Value
- Details: RegistrySetType Object

RegistryRenameType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
registry_old_key	ShortStringString	✓
time	ObservedTime Object	✓
type	RegistryRenameTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property registry_old_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistryRenameTypeIdentifierString

This entry is required
- Must equal: "RegistryRenameEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryDeleteType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
time	ObservedTime Object	✓
type	RegistryDeleteTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString
registry_value	MedStringString

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property registry_value ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistryDeleteTypeIdentifierString

This entry is required
- Must equal: "RegistryDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistrySetType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
registry_value	MedStringString	✓
time	ObservedTime Object	✓
type	RegistrySetTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString
registry_data	LongStringString
registry_data_length	Integer

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property registry_data ∷ LongStringString

This entry is optional
- LongString String with at most 5000 characters.

Property registry_data_length ∷ Integer

This entry is optional

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property registry_value ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistrySetTypeIdentifierString

This entry is required
- Must equal: "RegistrySetEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryCreateType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
registry_key	ShortStringString	✓
time	ObservedTime Object	✓
type	RegistryCreateTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property registry_key ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ RegistryCreateTypeIdentifierString

This entry is required
- Must equal: "RegistryCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

HTTPType Object

Property	Type	Required?
host	ShortStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
traffic	Traffic Object	✓
type	HTTPTypeIdentifierString	✓
encrypted	Boolean
method	HTTPMethodString
process_guid	Integer
process_username	ShortStringString
query	LongStringString
url_port	Integer

Property encrypted ∷ Boolean

This entry is optional

Property host ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property method ∷ HTTPMethodString

This entry is optional
- Allowed Values:
  - CONNECT
  - GET
  - HEAD
  - OPTIONS
  - PATCH
  - POST
  - PUT
  - TRACE

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property query ∷ LongStringString

This entry is optional
- LongString String with at most 5000 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property traffic ∷ Traffic Object

This entry is required

Traffic Object Value
- Details: Traffic Object

Property type ∷ HTTPTypeIdentifierString

This entry is required
- Must equal: "HTTPEvent"

Property url_port ∷ Integer

This entry is optional

Traffic Object

Property	Type	Description	Required?
destination_ip	String		✓
destination_port	Integer		✓
direction	TrafficDirectionString		✓
protocol	Integer	The IP protocol id	✓
source_ip	String		✓
source_port	Integer		✓
destination_host_name	String
destination_subnet	String
source_subnet	String

Property destination_host_name ∷ String

This entry is optional

Property destination_ip ∷ String

This entry is required

Property destination_port ∷ Integer

This entry is required

Property destination_subnet ∷ String

This entry is optional

Property direction ∷ TrafficDirectionString

This entry is required
- Allowed Values:
  - incoming
  - outgoing

Property protocol ∷ Integer

The IP protocol id

This entry is required

Property source_ip ∷ String

This entry is required

Property source_port ∷ Integer

This entry is required

Property source_subnet ∷ String

This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

NetflowType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
traffic	Traffic Object	✓
type	NetflowTypeIdentifierString	✓
byte_count_in	Integer
byte_count_out	Integer
flow_time	Inst (Date)
parent_process_account	ShortStringString
parent_process_account_type	ShortStringString
parent_process_args	ShortStringString
parent_process_hash	ShortStringString
parent_process_id	Integer
parent_process_name	ShortStringString
parent_process_path	ShortStringString
process_account	ShortStringString
process_account_type	ShortStringString
process_args	ShortStringString
process_guid	Integer
process_hash	ShortStringString
process_path	ShortStringString
process_username	ShortStringString

Property byte_count_in ∷ Integer

This entry is optional

Property byte_count_out ∷ Integer

This entry is optional

Property flow_time ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_account ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_account_type ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_args ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_hash ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_id ∷ Integer

This entry is optional

Property parent_process_name ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_path ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_account ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_account_type ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_args ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_hash ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_path ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property traffic ∷ Traffic Object

This entry is required

Traffic Object Value
- Details: Traffic Object

Property type ∷ NetflowTypeIdentifierString

This entry is required
- Must equal: "NetflowEvent"

Traffic Object

Property	Type	Description	Required?
destination_ip	String		✓
destination_port	Integer		✓
direction	TrafficDirectionString		✓
protocol	Integer	The IP protocol id	✓
source_ip	String		✓
source_port	Integer		✓
destination_host_name	String
destination_subnet	String
source_subnet	String

Property destination_host_name ∷ String

This entry is optional

Property destination_ip ∷ String

This entry is required

Property destination_port ∷ Integer

This entry is required

Property destination_subnet ∷ String

This entry is optional

Property direction ∷ TrafficDirectionString

This entry is required
- Allowed Values:
  - incoming
  - outgoing

Property protocol ∷ Integer

The IP protocol id

This entry is required

Property source_ip ∷ String

This entry is required

Property source_port ∷ Integer

This entry is required

Property source_subnet ∷ String

This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileMoveType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
new_name	ShortStringString	✓
old_name	ShortStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileMoveTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters.

Property new_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property old_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileMoveTypeIdentifierString

This entry is required
- Must equal: "FileMoveEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileModifyType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileModifyTypeIdentifierString	✓
failed	Boolean
process_guid	Integer
process_username	ShortStringString

Property failed ∷ Boolean

This entry is optional

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileModifyTypeIdentifierString

This entry is required
- Must equal: "FileModifyEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileDeleteType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileDeleteTypeIdentifierString	✓
failed	Boolean
process_guid	Integer
process_username	ShortStringString

Property failed ∷ Boolean

This entry is optional

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileDeleteTypeIdentifierString

This entry is required
- Must equal: "FileDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileCreateType Object

Property	Type	Required?
file_name	ShortStringString	✓
file_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	FileCreateTypeIdentifierString	✓
failed	Boolean
process_guid	Integer
process_username	ShortStringString

Property failed ∷ Boolean

This entry is optional

Property file_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property file_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ FileCreateTypeIdentifierString

This entry is required
- Must equal: "FileCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

LibraryLoadType Object

Property	Type	Required?
dll_library_name	ShortStringString	✓
dll_library_path	MedStringString	✓
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	LibraryLoadTypeIdentifierString	✓
process_guid	Integer
process_username	ShortStringString

Property dll_library_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property dll_library_path ∷ MedStringString

This entry is required
- MedString String with at most 2048 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ LibraryLoadTypeIdentifierString

This entry is required
- Must equal: "LibraryLoadEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ProcessCreateType Object

Property	Type	Required?
process_id	Integer	✓
process_name	ShortStringString	✓
time	ObservedTime Object	✓
type	ProcessCreateTypeIdentifierString	✓
parent_creation_time	Inst (Date)
parent_process_args	MedStringString
parent_process_disposition	ShortStringString
parent_process_guid	Integer
parent_process_hash	MedStringString
parent_process_id	Integer
parent_process_name	ShortStringString
parent_process_size	Integer
parent_process_username	ShortStringString
process_args	MedStringString
process_disposition	ShortStringString
process_guid	Integer
process_hash	MedStringString
process_size	Integer
process_username	ShortStringString

Property parent_creation_time ∷ Inst (Date)

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_args ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters.

Property parent_process_disposition ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_guid ∷ Integer

This entry is optional

Property parent_process_hash ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters.

Property parent_process_id ∷ Integer

This entry is optional

Property parent_process_name ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property parent_process_size ∷ Integer

This entry is optional

Property parent_process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_args ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters.

Property process_disposition ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property process_guid ∷ Integer

This entry is optional

Property process_hash ∷ MedStringString

This entry is optional
- MedString String with at most 2048 characters.

Property process_id ∷ Integer

This entry is required

Property process_name ∷ ShortStringString

This entry is required
- ShortString String with at most 1024 characters.

Property process_size ∷ Integer

This entry is optional

Property process_username ∷ ShortStringString

This entry is optional
- ShortString String with at most 1024 characters.

Property time ∷ ObservedTime Object

This entry is required

ObservedTime Object Value
- Details: ObservedTime Object

Property type ∷ ProcessCreateTypeIdentifierString

This entry is required
- Must equal: "ProcessCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

Property	Type	Description	Required?
start_time	Inst (Date)	Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.	✓
end_time	Inst (Date)	If the observation was made over a period of time, than this field indicates the end of that period.

Reference: ValidTimeType

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period.

This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.

This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Files

sighting.md

Latest commit

History

sighting.md

File metadata and controls

Sighting Object

Property confidence ∷ HighMedLowString

Property context ∷ Context Object

Property count ∷ Integer

Property data ∷ SightingDataTable Object

Property description ∷ MarkdownString

Property external_ids ∷ String List

Property external_references ∷ ExternalReference Object List

Property id ∷ String

Property internal ∷ Boolean

Property language ∷ ShortStringString

Property observables ∷ Observable Object List

Property observed_time ∷ ObservedTime Object

Property relations ∷ ObservedRelation Object List

Property resolution ∷ ResolutionString

Property revision ∷ Integer

Property schema_version ∷ String

Property sensor ∷ SensorString

Property sensor_coordinates ∷ SensorCoordinates Object

Property severity ∷ SeverityString

Property short_description ∷ MedStringString

Property source ∷ MedStringString

Property source_uri ∷ String

Property targets ∷ IdentitySpecification Object List

Property timestamp ∷ Inst (Date)

Property title ∷ ShortStringString

Property tlp ∷ TLPString

Property type ∷ SightingTypeIdentifierString

ExternalReference Object

Property description ∷ MarkdownString

Property external_id ∷ String

Property hashes ∷ String List

Property source_name ∷ MedStringString

Property url ∷ String

ObservedTime Object

Property end_time ∷ Inst (Date)

Property start_time ∷ Inst (Date)

SightingDataTable Object

Property columns ∷ ColumnDefinition Object List

Property row_count ∷ Integer

Property rows ∷ Anything List List

ColumnDefinition Object

Property description ∷ MarkdownString

Property name ∷ String

Property required ∷ Boolean

Property short_description ∷ String

Property type ∷ ColumnTypeString

SensorCoordinates Object

Property observables ∷ Observable Object List

Property os ∷ String

Property type ∷ SensorString

Observable Object

Property type ∷ ObservableTypeIdentifierString

Property value ∷ String

IdentitySpecification Object

Property observables ∷ Observable Object List

Property observed_time ∷ ObservedTime Object

Property os ∷ String

Property type ∷ SensorString

ObservedTime Object

Property end_time ∷ Inst (Date)

Property start_time ∷ Inst (Date)

Observable Object

Property type ∷ ObservableTypeIdentifierString

Property value ∷ String

Observable Object

Property type ∷ ObservableTypeIdentifierString

Property value ∷ String

ObservedRelation Object

Property origin ∷ String

Property origin_uri ∷ String

Property related ∷ Observable Object

Property relation ∷ ObservableRelationTypeString

Property relation_info ∷ Object