Analytic Schema
Analytic
Analytics contain platform-specific detection logic and represent the implementation details of a detection strategy. They are defined as x-mitre-analytic objects extending the generic STIX Domain Object pattern.
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
| id (*) | The STIX identifier of this object, of the form `x-mitre-analytic--<UUID>`. | string |
| type (*) | The STIX object type. | 'x-mitre-analytic' |
| spec_version (*) | The version of the STIX specification used to represent this object. | '2.1' |
| created (*) | The time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| modified (*) | The time at which this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| created_by_ref (*) | The STIX ID of the identity object that created this object. | string (`identity--` ID) |
| labels | A set of terms used to describe this object. | Array of at least 1 XMitreLogSourcePermutationName items |
| revoked | Indicates whether the object has been revoked. | boolean |
| confidence | The confidence that the creator has in the correctness of their data. | number (int, ≥1, ≤99) |
| lang | The language of the text content in this object. | XMitreLogSourcePermutationName |
| external_references (*) | A list of external references; the first MUST contain a valid ATT&CK ID. | Array of at least 1 external reference objects |
| object_marking_refs (*) | The marking-definition objects that apply to this object. | Array<string (starts with `marking-definition--`)> |
| granular_markings | The set of granular markings that apply to this object. | Array of granular marking objects |
| extensions | Any extensions of the object, as a dictionary whose keys are extension definition IDs. | Object with dynamic keys of type XMitreLogSourcePermutationName and unconstrained object values |
| name (*) | The name of the object. | XMitreLogSourcePermutationName |
| x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string (min length: 1, regex: `/^(0\|[1-9]\d*)\.(0\|[1-9]\d*)\.(0\|[1-9]\d*)$/`) |
| x_mitre_version (*) | The version of the object in 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | string (min length: 1, regex: `/^(\d{1,2})\.(\d{1,2})$/`) |
| x_mitre_old_attack_id | An old ATT&CK ID that may have been associated with this object. | string (min length: 1) |
| x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
| description (*) | A description of the object. | XMitreLogSourcePermutationName |
| x_mitre_platforms (*) | Target platform for this Analytic. Exactly one platform is allowed per analytic. | Array<'Field Controller/RTU/PLC/IED' \| 'Network Devices' \| 'Data Historian' \| 'Google Workspace' \| 'Office Suite' \| 'ESXi' \| 'Identity Provider' \| 'Containers' \| 'Azure AD' \| 'Engineering Workstation' \| 'Control Server' \| 'Human-Machine Interface' \| 'Windows' \| 'Linux' \| 'IaaS' \| 'None' \| 'iOS' \| 'PRE' \| 'SaaS' \| 'Input/Output Server' \| ...> (min: 1, max: 1) |
| x_mitre_log_source_references | A list of log source references, each delineated by a Data Component STIX ID and the (name, channel) pair that is being targeted. | XMitreLogSourceReferences |
| x_mitre_mutable_elements | Environment-specific tuning knobs such as TimeWindow, UserContext, or PortRange, so defenders can adapt the analytic without changing its core behavior. | XMitreMutableElements |
| x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
| x_mitre_modified_by_ref | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5' |
(*) Required.
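The constraints in the table above, applied to a constructed analytic, as an added example; this is not code from the ATT&CK Data Model project, whose own validators are not shown on this page. The sample object's UUIDs, its `AN0000` external_id and its x_mitre_attack_spec_version of 3.3.0 are placeholders rather than real ATT&CK values, and its created_by_ref reuses the MITRE identity ID listed under x_mitre_modified_by_ref:

```python
# Structural checks for an x-mitre-analytic object, following the property
# table above. Added example, not code from the ATT&CK Data Model project; the
# sample object is constructed, its UUIDs are placeholders, and its
# x_mitre_attack_spec_version and external_id values are assumed, not real.
import re
from datetime import datetime

ATTACK_SPEC_VERSION_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")
X_MITRE_VERSION_RE = re.compile(r"^(\d{1,2})\.(\d{1,2})$")
DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}
# Properties marked (*) in the table above.
REQUIRED = (
    "id", "type", "spec_version", "created", "modified", "created_by_ref",
    "external_references", "object_marking_refs", "name",
    "x_mitre_attack_spec_version", "x_mitre_version", "description",
    "x_mitre_platforms", "x_mitre_domains",
)


def is_millisecond_timestamp(value):
    """STIX timestamp: ISO 8601 in UTC ('Z') with exactly three fractional digits."""
    if not isinstance(value, str):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        return False
    fraction = value[value.index(".") + 1:-1]
    return len(fraction) == 3


def validate_analytic(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = [f"missing required property {key}" for key in REQUIRED if key not in obj]
    if problems:
        return problems  # later checks index the required properties directly
    if obj["type"] != "x-mitre-analytic":
        problems.append("type must be 'x-mitre-analytic'")
    if not obj["id"].startswith("x-mitre-analytic--"):
        problems.append("id must have the form x-mitre-analytic--<UUID>")
    if obj["spec_version"] != "2.1":
        problems.append("spec_version must be '2.1'")
    for key in ("created", "modified"):
        if not is_millisecond_timestamp(obj[key]):
            problems.append(f"{key} must be an ISO 8601 timestamp precise to the millisecond")
    if not obj["created_by_ref"].startswith("identity--"):
        problems.append("created_by_ref must be an identity ID")
    refs = obj["external_references"]
    if not refs or not refs[0].get("external_id"):
        problems.append("first external reference must carry the ATT&CK ID")
    if any(not m.startswith("marking-definition--") for m in obj["object_marking_refs"]):
        problems.append("object_marking_refs entries must be marking-definition IDs")
    if not ATTACK_SPEC_VERSION_RE.match(obj["x_mitre_attack_spec_version"]):
        problems.append("x_mitre_attack_spec_version must be major.minor.patch")
    if not X_MITRE_VERSION_RE.match(obj["x_mitre_version"]):
        problems.append("x_mitre_version must be major.minor, each 0-99")
    if len(obj["x_mitre_platforms"]) != 1:
        problems.append("x_mitre_platforms must contain exactly one platform")
    if not obj["x_mitre_domains"] or not set(obj["x_mitre_domains"]) <= DOMAINS:
        problems.append("x_mitre_domains must be a non-empty subset of the ATT&CK domains")
    # Optional arrays are constrained to "at least 1 item" when present.
    for key in ("labels", "x_mitre_log_source_references", "x_mitre_mutable_elements"):
        if key in obj and not obj[key]:
            problems.append(f"{key}, when present, must contain at least one item")
    return problems


# Constructed sample; every UUID is a placeholder.
SAMPLE_ANALYTIC = {
    "id": "x-mitre-analytic--00000000-0000-4000-8000-000000000001",
    "type": "x-mitre-analytic",
    "spec_version": "2.1",
    "created": "2025-10-01T12:00:00.000Z",
    "modified": "2025-10-01T12:00:00.000Z",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references": [{"source_name": "mitre-attack", "external_id": "AN0000"}],  # placeholder ID
    "object_marking_refs": ["marking-definition--00000000-0000-4000-8000-000000000002"],
    "name": "Constructed analytic",
    "description": "Placeholder description for a constructed analytic.",
    "x_mitre_attack_spec_version": "3.3.0",  # assumed value
    "x_mitre_version": "1.0",
    "x_mitre_platforms": ["Windows"],
    "x_mitre_domains": ["enterprise-attack"],
}

if __name__ == "__main__":
    print(validate_analytic(SAMPLE_ANALYTIC))
    broken = dict(SAMPLE_ANALYTIC, x_mitre_version="1.0.0", x_mitre_platforms=["Windows", "Linux"])
    print(validate_analytic(broken))
```

The timestamp check deliberately rejects `...T12:00:00Z` and `...T12:00:00.1Z`: both are valid ISO 8601, but neither meets the millisecond-precision requirement stated for created and modified.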
XMitreLogSourcePermutationName
String which has a minimum length of 1. The schema reuses this named type for every non-empty string property above (name, description, lang, labels, extension keys), not only for log source permutation names.
XMitreLogSourceReference
A log_source_reference object links an analytic to one (name, channel) log source declared by a specific Data Component.
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
| x_mitre_data_component_ref (*) | STIX ID of the Data Component whose x_mitre_log_sources array declares this log source. | string |
| name (*) | Log source name, taken from the referenced data component's x_mitre_log_sources array. | XMitreLogSourcePermutationName |
| channel (*) | Log source channel, taken from the same x_mitre_log_sources entry as name. | XMitreLogSourcePermutationName |
(*) Required.
XMitreLogSourceReferences
A list of log source references, which are delineated by a Data Component STIX ID and the (name, channel) that is being targeted.
Array of at least 1 XMitreLogSourceReference items.
XMitreMutableElement
A mutable_element object defines one tunable parameter within an analytic.
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
| field (*) | Name of the detection field that can be tuned. | XMitreLogSourcePermutationName |
| description (*) | Rationale for tunability and environment-specific considerations. | XMitreLogSourcePermutationName |
(*) Required.
XMitreMutableElements
Environment-specific tuning knobs like TimeWindow, UserContext, or PortRange, so defenders can adapt without changing core behavior.
Array of at least 1 XMitreMutableElement items.
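Checking that each log source reference resolves to a (name, channel) pair actually declared by its Data Component, and that environment tuning only touches fields listed in x_mitre_mutable_elements, as an added example covering both the XMitreLogSourceReference and XMitreMutableElement sections; this is not code from the ATT&CK Data Model project. The data component, the analytic fragment, their UUIDs and the log source pairs are constructed placeholders:

```python
# Resolve an analytic's log source references against the Data Components they
# point to, and accept environment tuning only for the fields the analytic
# declares in x_mitre_mutable_elements. Added example, not code from the
# ATT&CK Data Model project; the data component, analytic fragment, UUIDs and
# (name, channel) pairs below are constructed placeholders.

DC_PROCESS = "x-mitre-data-component--00000000-0000-4000-8000-0000000000a1"  # placeholder
DC_MISSING = "x-mitre-data-component--00000000-0000-4000-8000-0000000000ff"  # absent from the bundle

# Constructed data components keyed by STIX ID; each carries the
# x_mitre_log_sources array that references must match.
DATA_COMPONENTS = {
    DC_PROCESS: {
        "name": "Process Creation",
        "x_mitre_log_sources": [
            {"name": "sysmon", "channel": "Event ID 1"},
            {"name": "auditd", "channel": "SYSCALL"},
        ],
    },
}

# Only the analytic properties this example needs.
ANALYTIC = {
    "name": "Constructed analytic",
    "x_mitre_log_source_references": [
        {"x_mitre_data_component_ref": DC_PROCESS, "name": "sysmon", "channel": "Event ID 1"},
        {"x_mitre_data_component_ref": DC_PROCESS, "name": "sysmon", "channel": "Event ID 3"},
        {"x_mitre_data_component_ref": DC_MISSING, "name": "auditd", "channel": "SYSCALL"},
    ],
    "x_mitre_mutable_elements": [
        {"field": "TimeWindow", "description": "Burst window; shorten it on noisy hosts."},
        {"field": "UserContext", "description": "Accounts expected to run this tool."},
    ],
}


def resolve_log_sources(analytic, data_components):
    """Return (resolved, problems). resolved holds
    (data component name, log source name, channel) triples; problems lists
    references that dangle or name a (name, channel) the component never declares."""
    resolved, problems = [], []
    for ref in analytic.get("x_mitre_log_source_references", []):
        component = data_components.get(ref["x_mitre_data_component_ref"])
        if component is None:
            problems.append(f"dangling reference {ref['x_mitre_data_component_ref']}")
            continue
        pair = (ref["name"], ref["channel"])
        declared = {(ls["name"], ls["channel"]) for ls in component.get("x_mitre_log_sources", [])}
        if pair not in declared:
            problems.append(f"{component['name']} does not declare log source {pair}")
            continue
        resolved.append((component["name"], ref["name"], ref["channel"]))
    return resolved, problems


def apply_tuning(analytic, overrides):
    """Split environment overrides into those targeting a declared mutable
    element (accepted) and those that would alter core behaviour (rejected)."""
    mutable = {m["field"] for m in analytic.get("x_mitre_mutable_elements", [])}
    accepted = {field: value for field, value in overrides.items() if field in mutable}
    rejected = sorted(set(overrides) - mutable)
    return accepted, rejected


if __name__ == "__main__":
    print(resolve_log_sources(ANALYTIC, DATA_COMPONENTS))
    print(apply_tuning(ANALYTIC, {"TimeWindow": "5m", "PortRange": "1-1024"}))
```

Running the resolver over a whole bundle before deploying detections catches two failure modes the schema alone cannot: a reference whose Data Component is not in the bundle, and a (name, channel) pair that drifted from what the component declares after an ATT&CK update.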