Analytic Schema

Analytic

Object containing the following properties:

Property	Description	Type
`id` (*)		`string`
`type` (*)		`'x-mitre-analytic'`
`spec_version` (*)	The version of the STIX specification used to represent this object.	`'2.0' \| '2.1'`
`created` (*)	The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond.	`string` (ISO 8601)
`modified` (*)	The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond.	`string` (ISO 8601)
`created_by_ref` (*)		`never`
`labels`	The labels property specifies a set of terms used to meta this object.	`Array<string>`
`revoked`	The revoked property indicates whether the object has been revoked.	`boolean`
`confidence`		`number` (int, ≥1, ≤99)
`lang`	Identifies the language of the text content in this object.	`string`
`external_references` (*)	A list of external references with the first containing a valid ATT&CK ID	Array of at least 1 objects: `source_name` (): `string` `description`: `string` `url`: `string` (url*) `external_id`: `string`
`object_marking_refs` (*)		`never`
`granular_markings`	The set of granular markings that apply to this object.	Array of objects: `marking_ref` (): `string` - Represents identifiers across the CTI specifications. The format consists of the name of the top-level object being identified, followed by two dashes (--), followed by a UUIDv4. `selectors`* (*): `Array<string>`
`extensions`	Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs	Object with dynamic keys of type `string` and values of type Object with properties: `extension_type` (*): `'new-sdo' \| 'new-sco' \| 'new-sro' \| 'property-extension' \| 'toplevel-property-extension'` or `Record<string, unknown>`
`name` (*)	The name of the object.	`string` (min length: 1)
`x_mitre_attack_spec_version` (*)	The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions.	`string` (regex: `/^(0\|[1-9]\d)\.(0\|[1-9]\d)\.(0\|[1-9]\d)$/`*)
`x_mitre_version` (*)	Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects.	`string` (regex: `/^(\d{1,2})\.(\d{1,2})$/`)
`x_mitre_old_attack_id`	Old ATT&CK IDs that may have been associated with this object	`string`
`x_mitre_deprecated`	Indicates whether the object has been deprecated.	`boolean`
`x_mitre_platforms` (*)		`Array<'Field Controller/RTU/PLC/IED' \| 'Network Devices' \| 'Data Historian' \| 'Google Workspace' \| 'Office Suite' \| 'ESXi' \| 'Identity Provider' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| ...>` (min: 1, max: 1)
`x_mitre_detects` (*)	A tool-agnostic description of the adversary behavior chain this analytic looks for.	`string` (min length: 1)
`x_mitre_log_sources` (*)	A list of log source STIX IDs, plus the specific channel or event type, e.g., sysmon:1 or auditd:SYSCALL.	XMitreLogSourceRefs
`x_mitre_mutable_elements` (*)	Environment-specific tuning knobs like TimeWindow, UserContext, or PortRange, so defenders can adapt without changing core behavior.	XMitreMutableElements
`x_mitre_domains` (*)	The technology domains to which the ATT&CK object belongs.	`Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'>` (min: 1)
`x_mitre_modified_by_ref`	The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations.	`'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'`

(*) Required.

ExtensibleAnalytic

Object containing the following properties:

Property	Description	Type
`id` (*)		`string`
`type` (*)		`'x-mitre-analytic'`
`spec_version` (*)	The version of the STIX specification used to represent this object.	`'2.0' \| '2.1'`
`created` (*)	The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond.	`string` (ISO 8601)
`modified` (*)	The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond.	`string` (ISO 8601)
`created_by_ref` (*)		`never`
`labels`	The labels property specifies a set of terms used to meta this object.	`Array<string>`
`revoked`	The revoked property indicates whether the object has been revoked.	`boolean`
`confidence`		`number` (int, ≥1, ≤99)
`lang`	Identifies the language of the text content in this object.	`string`
`external_references` (*)	A list of external references with the first containing a valid ATT&CK ID	Array of at least 1 objects: `source_name` (): `string` `description`: `string` `url`: `string` (url*) `external_id`: `string`
`object_marking_refs` (*)		`never`
`granular_markings`	The set of granular markings that apply to this object.	Array of objects: `marking_ref` (): `string` - Represents identifiers across the CTI specifications. The format consists of the name of the top-level object being identified, followed by two dashes (--), followed by a UUIDv4. `selectors`* (*): `Array<string>`
`extensions`	Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs	Object with dynamic keys of type `string` and values of type Object with properties: `extension_type` (*): `'new-sdo' \| 'new-sco' \| 'new-sro' \| 'property-extension' \| 'toplevel-property-extension'` or `Record<string, unknown>`
`name` (*)	The name of the object.	`string` (min length: 1)
`x_mitre_attack_spec_version` (*)	The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions.	`string` (regex: `/^(0\|[1-9]\d)\.(0\|[1-9]\d)\.(0\|[1-9]\d)$/`*)
`x_mitre_version` (*)	Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects.	`string` (regex: `/^(\d{1,2})\.(\d{1,2})$/`)
`x_mitre_old_attack_id`	Old ATT&CK IDs that may have been associated with this object	`string`
`x_mitre_deprecated`	Indicates whether the object has been deprecated.	`boolean`
`x_mitre_platforms` (*)		`Array<'Field Controller/RTU/PLC/IED' \| 'Network Devices' \| 'Data Historian' \| 'Google Workspace' \| 'Office Suite' \| 'ESXi' \| 'Identity Provider' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| ...>` (min: 1, max: 1)
`x_mitre_detects` (*)	A tool-agnostic description of the adversary behavior chain this analytic looks for.	`string` (min length: 1)
`x_mitre_log_sources` (*)	A list of log source STIX IDs, plus the specific channel or event type, e.g., sysmon:1 or auditd:SYSCALL.	XMitreLogSourceRefs
`x_mitre_mutable_elements` (*)	Environment-specific tuning knobs like TimeWindow, UserContext, or PortRange, so defenders can adapt without changing core behavior.	XMitreMutableElements
`x_mitre_domains` (*)	The technology domains to which the ATT&CK object belongs.	`Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'>` (min: 1)
`x_mitre_modified_by_ref`	The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations.	`'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'`

(*) Required.

XMitreLogSourcePermutationKey

String.

XMitreLogSourceRef

A reference to a log source permutation

Object containing the following properties:

Property	Type
`ref` (*)	`string`
`keys` (*)	`Array<string>` (min: 1, min: 1)

(*) Required.

XMitreLogSourceRefs

A list of log source STIX IDs, plus the specific channel or event type, e.g., sysmon:1 or auditd:SYSCALL.

Array of at least 1 XMitreLogSourceRef items.

XMitreMutableElement

Object containing the following properties:

Property	Type
`field` (*)	`string` (min length: 1)
`description` (*)	`string` (min length: 1)

(*) Required.

XMitreMutableElements

Environment-specific tuning knobs like TimeWindow, UserContext, or PortRange, so defenders can adapt without changing core behavior.

Array of at least 1 XMitreMutableElement items.

Analytic​

ExtensibleAnalytic​

XMitreLogSourcePermutationKey​

XMitreLogSourceRef​

XMitreLogSourceRefs​

XMitreMutableElement​

XMitreMutableElements​

Analytic

ExtensibleAnalytic

XMitreLogSourcePermutationKey

XMitreLogSourceRef

XMitreLogSourceRefs

XMitreMutableElement

XMitreMutableElements