Data Component Schema
DataComponent
Data components represent specific types of information within a data source that can be used for detection.
They are defined as x-mitre-data-component objects extending the generic
STIX Domain Object pattern.
Object containing the following properties:
| Property | Description | Type |
|---|---|---|
| id (*) | | string |
| type (*) | | 'x-mitre-data-component' |
| spec_version (*) | The version of the STIX specification used to represent this object. | '2.1' |
| created (*) | The created property represents the time at which the first version of this object was created. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| modified (*) | The modified property represents the time that this particular version of the object was modified. The timestamp value MUST be precise to the nearest millisecond. | string (ISO 8601) |
| created_by_ref (*) | The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. | string |
| labels | The labels property specifies a set of terms used to describe this object. | Array<string (_min length: 1_)> (min: 1) |
| revoked | The revoked property indicates whether the object has been revoked. | boolean |
| confidence | Identifies the confidence that the creator has in the correctness of their data. | number (int, ≥1, ≤99) |
| lang | Identifies the language of the text content in this object. | string (min length: 1) |
| external_references | A list of external references which refer to non-STIX information. | Array of at least one object |
| object_marking_refs (*) | The list of marking-definition objects to be applied to this object. | Array<string (_startsWith: marking-definition--_)> |
| granular_markings | The set of granular markings that apply to this object. | Array of objects |
| extensions | Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs. | Object with dynamic keys of type string (min length: 1) and values of type Object with dynamic keys of type string (min length: 1) and values of type unknown |
| name (*) | The name of the object. | string (min length: 1) |
| x_mitre_attack_spec_version (*) | The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions. | string (min length: 1, regex: /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/) |
| x_mitre_version (*) | Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects. | string (min length: 1, regex: /^(\d{1,2})\.(\d{1,2})$/) |
| x_mitre_old_attack_id | Old ATT&CK IDs that may have been associated with this object. | string (min length: 1) |
| x_mitre_deprecated | Indicates whether the object has been deprecated. | boolean |
| description (*) | A description of the object. | string (min length: 1) |
| x_mitre_domains (*) | The technology domains to which the ATT&CK object belongs. | Array<'enterprise-attack' \| 'mobile-attack' \| 'ics-attack'> (min: 1) |
| x_mitre_modified_by_ref (*) | The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations. | 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5' |
| x_mitre_data_source_ref | DEPRECATED in v3.3.0. Will be removed in v4.0.0. STIX ID of the data source this component is a part of. | XMitreDataSourceRef |
| x_mitre_log_sources | The log_source object defines platform-specific collection configurations embedded within data components. Uniqueness constraints: each (name, channel) tuple must be unique within a data component's x_mitre_log_sources array; log sources are scoped to their containing data component. Example: a data component for 'Process Creation' might contain log sources for Windows (name: "sysmon", channel: "1"), Linux (name: "auditd", channel: "SYSCALL") and macOS (name: "unified_logs", channel: "process"). | XMitreLogSources |
(*) Required.
XMitreDataSourceRef
DEPRECATED in v3.3.0. Will be removed in v4.0.0. STIX ID of the data source this component is a part of.
String.
XMitreLogSources
The log_source object defines platform-specific collection configurations embedded within data components:
Uniqueness constraints:
- Each (name, channel) tuple must be unique within a data component's x_mitre_log_sources array
- Log sources are scoped to their containing data component
Example: A data component for 'Process Creation' might contain log sources for:
- Windows: (name: "sysmon", channel: "1")
- Linux: (name: "auditd", channel: "SYSCALL")
- macOS: (name: "unified_logs", channel: "process")
Array of objects containing the following properties:
| Property | Description | Type |
|---|---|---|
| name (*) | Log source identifier (e.g., "sysmon", "auditd") | string (min length: 1) |
| channel (*) | Specific log channel or event type (e.g., "1" for Sysmon Process Creation) | string (min length: 1) |
(*) Required.
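The following validator is an added example, not code from the ATT&CK data model project: it checks a candidate x-mitre-data-component object against the required properties, regex and enum constraints in the DataComponent table above, and enforces the (name, channel) uniqueness rule for x_mitre_log_sources. The sample object, its UUIDs and its error messages are constructed for illustration.

```python
import re
# Constraints transcribed from the DataComponent table above
SPEC_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")
VERSION_RE = re.compile(r"^(\d{1,2})\.(\d{1,2})$")
DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}
MITRE_IDENTITY = "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
REQUIRED = ("id", "type", "spec_version", "created", "modified", "created_by_ref",
            "object_marking_refs", "name", "x_mitre_attack_spec_version",
            "x_mitre_version", "description", "x_mitre_domains", "x_mitre_modified_by_ref")

def validate_data_component(obj: dict) -> list[str]:
    """Return every schema violation found; an empty list means the object is valid."""
    errors = [f"missing required property: {k}" for k in REQUIRED if k not in obj]
    for key, want in (("type", "x-mitre-data-component"), ("spec_version", "2.1"),
                      ("x_mitre_modified_by_ref", MITRE_IDENTITY)):
        if obj.get(key) != want:
            errors.append(f"{key} must be {want!r}")
    for key, pattern in (("x_mitre_attack_spec_version", SPEC_RE), ("x_mitre_version", VERSION_RE)):
        if not pattern.match(str(obj.get(key, ""))):
            errors.append(f"{key} does not match {pattern.pattern}")
    domains = obj.get("x_mitre_domains") or []
    if not domains or not set(domains) <= DOMAINS:
        errors.append("x_mitre_domains must be a non-empty subset of the ATT&CK domains")
    for ref in obj.get("object_marking_refs") or []:
        if not str(ref).startswith("marking-definition--"):
            errors.append(f"bad marking reference: {ref}")
    # Uniqueness constraint: each (name, channel) tuple appears once per component
    seen: set[tuple[str, str]] = set()
    for src in obj.get("x_mitre_log_sources") or []:
        name, channel = src.get("name"), src.get("channel")
        if not name or not channel:
            errors.append("log source requires non-empty name and channel")
        elif (name, channel) in seen:
            errors.append(f"duplicate log source ({name}, {channel})")
        else:
            seen.add((name, channel))
    return errors

# Constructed sample object (placeholder UUIDs, not a real ATT&CK data component)
SAMPLE = {
    "id": "x-mitre-data-component--00000000-0000-4000-8000-000000000001",
    "type": "x-mitre-data-component", "spec_version": "2.1", "name": "Process Creation",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
    "created_by_ref": MITRE_IDENTITY, "x_mitre_modified_by_ref": MITRE_IDENTITY,
    "object_marking_refs": ["marking-definition--00000000-0000-4000-8000-000000000002"],
    "description": "Birth of a new process.", "x_mitre_domains": ["enterprise-attack"],
    "x_mitre_attack_spec_version": "3.3.0", "x_mitre_version": "1.0",
    "x_mitre_log_sources": [{"name": "sysmon", "channel": "1"}, {"name": "auditd", "channel": "SYSCALL"}],
}
```

Running `validate_data_component(SAMPLE)` returns an empty list; appending a second `{"name": "sysmon", "channel": "1"}` entry makes it report the duplicate tuple.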