Relationships Objects

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 4 minutes
  • Use the relationships objects to link together two observables or an observable and SDO to explain how they relate to each other.

    STIX Relationship Objects (SROs) represent types of relationships between various STIX objects. The following relationship objects are available:
    • Observable-Observable Relationship: This object defines relationships between observables.
    • Object-Object Relationship: This object defines relationships between SDOs, except the indicator object. An example of an object-object defined relationship is that an attack pattern delivers malware.
    • Object-Observable Relationship: This object defines relationships between SDOs and the observable object (SCO). An example of an object-observable defined relationship is that an infrastructure consists of cyber observable objects that provide information about a potential attack.
    • Object-Indicator Relationship: This object defines relationships between SDOs and the indicator object.
    • Indicator-Indicator Relationship: This object defines relationships between indicator objects.
    • Indicator-Observable Relationship: This object defines relationships between the indicator object and other SDOs. An example of an object-indicator defined relationship is that an indicator detects evidence of a campaign.
    Table 1. Object Relationships
    Relationship Object | Example Source | Example Target | Example Description
    Observable-Observable Relationships | IP address, domain name | | This relationship describes how observables relate to each other.
    Object-Object Relationships | Attack-pattern | Malware | This relationship describes that this attack pattern is used to deliver this malware instance (or family).
    Object-Observable Relationships | | | This relationship describes how objects and observables relate to each other.
    Object-Indicator Relationships | Indicator | Attack-Pattern, Campaign, Infrastructure, Intrusion-set, Malware, Threat-actor, Tool | This relationship describes that the indicator can detect evidence of the related attack pattern, campaign, infrastructure, intrusion set, malware, threat actor, or tool. The evidence may not be direct. For example, the indicator may detect secondary evidence of the campaign, such as malware that is commonly used by that particular campaign.
    Indicator-Indicator Relationships | Infrastructure | Observed data | This relationship describes that the indicator is created based on information from an observed data object. An example of an object-observable defined relationship is that an infrastructure consists of cyber observable objects that provide information about a potential attack.
    Indicator-Observable | | | This relationship describes how indicators and observables relate to each other.
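
    The following Python code is an added example, not part of the product or its documentation. It sorts STIX 2.1 relationship objects into the six categories named above by reading the type prefix of source_ref and target_ref. It assumes a category is decided by the kinds of the two endpoints regardless of direction; the sample objects and their UUIDs are constructed.

```python
# STIX 2.1 cyber-observable (SCO) type names. Any other type except
# "indicator" is treated as a plain SDO ("Object" in the page's terms).
SCO_TYPES = {
    "artifact", "autonomous-system", "directory", "domain-name", "email-addr",
    "email-message", "file", "ipv4-addr", "ipv6-addr", "mac-addr", "mutex",
    "network-traffic", "process", "software", "url", "user-account",
    "windows-registry-key", "x509-certificate",
}
# Fixed ordering so the pair name matches the page's category names.
ORDER = {"Object": 0, "Indicator": 1, "Observable": 2}

def kind(stix_id):
    """Map a STIX id such as 'malware--<uuid>' to Object/Indicator/Observable."""
    stix_type, sep, uuid_part = stix_id.partition("--")
    if not (stix_type and sep and uuid_part):
        raise ValueError(f"not a STIX identifier: {stix_id!r}")
    if stix_type in SCO_TYPES:
        return "Observable"
    return "Indicator" if stix_type == "indicator" else "Object"

def classify(sro):
    """Return the category name for one relationship object (SRO)."""
    if sro.get("type") != "relationship":
        raise ValueError("not a relationship object")
    ends = sorted((kind(sro["source_ref"]), kind(sro["target_ref"])), key=ORDER.get)
    return "-".join(ends)

def _rel(n, rtype, src, dst):
    """Build a constructed SRO, trimmed to the fields the classifier reads."""
    u = "00000000-0000-4000-8000-0000000000"
    return {"type": "relationship", "id": f"relationship--{u}{n:02d}",
            "relationship_type": rtype,
            "source_ref": f"{src}--{u}a{n}", "target_ref": f"{dst}--{u}b{n}"}

SAMPLE = [
    _rel(1, "resolves-to", "domain-name", "ipv4-addr"),
    _rel(2, "delivers", "attack-pattern", "malware"),
    _rel(3, "consists-of", "infrastructure", "ipv4-addr"),
    _rel(4, "indicates", "indicator", "campaign"),
]

if __name__ == "__main__":
    for sro in SAMPLE:
        print(f'{sro["relationship_type"]:<12} {classify(sro)}')
```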