Skip to main content

Group Schema

Group

Object containing the following properties:

PropertyDescriptionType
id (*)any
type (*)'intrusion-set'
spec_version (*)The version of the STIX specification used to represent this object.'2.0' | '2.1'
created (*)The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond.any
modified (*)The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond.any
created_by_refThe created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous.any
labelsThe labels property specifies a set of terms used to describe this object.Array<string>
revokedThe revoked property indicates whether the object has been revoked.boolean
confidencenumber (int, ≥1, ≤99)
langIdentifies the language of the text content in this object.string
external_references (*)A list of external references which refers to non-STIX information.Array of at least 1 objects:
  • source_name: string
  • description: string
  • url: string (url)
  • external_id: string
object_marking_refsThe list of marking-definition objects to be applied to this object.Array<any>
granular_markingsThe set of granular markings that apply to this object.Array of objects:
  • marking_ref: any - Represents identifiers across the CTI specifications. The format consists of the name of the top-level object being identified, followed by two dashes (--), followed by a UUIDv4.
  • selectors: Array<string>
extensionsSpecifies any extensions of the object, as a dictionary.Object with dynamic keys of type string and values of type Object with properties:
  • extension_type: string
  • extension_properties: Object with dynamic keys of type string and values of type unknown (optional & nullable)
or Object with dynamic keys of type string and values of type unknown (optional & nullable)
name (*)The name of the object.string (min length: 1)
x_mitre_attack_spec_version (*)The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions.string
x_mitre_version (*)Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects.any
x_mitre_old_attack_idOld ATT&CK IDs that may have been associated with this objectstring
x_mitre_deprecatedIndicates whether the object has been deprecated.boolean
descriptionA description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics.string
x_mitre_domains (*)The technology domains to which the ATT&CK object belongs.Array<'enterprise-attack' | 'mobile-attack' | 'ics-attack'> (min: 1)
x_mitre_contributorsArray<string>
x_mitre_modified_by_refThe STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations.any
aliasesAlternative names used to identify this group. The first alias must match the object's name.Array<string>
first_seenThe time that this Intrusion Set was first seen.any
last_seenThe time that this Intrusion Set was last seen.any
goalsThe high-level goals of this Intrusion Set, namely, what are they trying to do.Array<string>
resource_levelThis property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.'individual' | 'club' | 'contest' | 'team' | 'organization' | 'government'
primary_motivationThe primary reason, motivation, or purpose behind this Intrusion Set.'accidental' | 'coercion' | 'dominance' | 'ideology' | 'notoriety' | 'organizational-gain' | 'personal-gain' | 'personal-satisfaction' | 'revenge' | 'unpredictable'
secondary_motivationsThe secondary reasons, motivations, or purposes behind this Intrusion Set.Array<'accidental' | 'coercion' | 'dominance' | 'ideology' | 'notoriety' | 'organizational-gain' | 'personal-gain' | 'personal-satisfaction' | 'revenge' | 'unpredictable'>

(*) Required.