Relationships

  • Release version: Xanadu
  • Updated August 1, 2024
Use relationship objects to link two STIX Domain Objects (SDOs) or STIX Cyber-observable Objects (SCOs) and describe how they relate to each other.

STIX Relationship Objects (SROs) represent the types of relationships between various STIX objects. The following relationship objects are available:
• Object-Object Relationship: This object defines relationships between SDOs, except the indicator object. An example of an object-object relationship is that an attack pattern delivers malware.
• Object-Indicator Relationship: This object defines relationships between the indicator object and other SDOs. An example of an object-indicator relationship is that an indicator detects evidence of a campaign.
• Object-Observable Relationship: This object defines relationships between SDOs and the observable object (SCO). An example of an object-observable relationship is that an infrastructure consists of cyber observable objects, which provide information about a potential attack.
Table 1. STIX Object Relationships
• Object-Object Relationships. Example source: Attack-pattern. Example target: Malware. Description: This relationship describes that this attack pattern is used to deliver this malware instance (or family).
• Object-Indicator Relationships. Example source: Indicator. Example target: Attack-pattern, Campaign, Infrastructure, Intrusion-set, Malware, Threat-actor, Tool. Description: This relationship describes that the indicator can detect evidence of the related attack pattern, campaign, infrastructure, intrusion set, malware, threat actor, or tool. The evidence may not be direct; for example, the indicator may detect secondary evidence of the campaign, such as malware that is commonly used by that particular campaign.
• Object-Observable Relationships. Example source: Infrastructure. Example target: Observed data. Description: This relationship describes that the indicator is created based on information from an observed data object. An example of an object-observable relationship is that an infrastructure consists of cyber observable objects, which provide information about a potential attack.
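As an added example (not ServiceNow's own code and not the STIX library), the following Python builds one STIX 2.1 relationship object (SRO) for each of the three relationship kinds above and rejects source/target pairs that its rule table does not allow. The rule table, the SCO type list, the sample ids and the assumption of STIX 2.1 are all constructed for illustration.

```python
import uuid
from datetime import datetime, timezone

# Constructed subset of STIX 2.1 relationship types, one per relationship kind
# described above; this is an illustration, not ServiceNow's rule table.
ALLOWED = {
    ("attack-pattern", "malware"): {"delivers"},        # object-object
    ("indicator", "campaign"): {"indicates"},           # object-indicator
    ("infrastructure", "ipv4-addr"): {"consists-of"},   # object-observable
}
SCO_TYPES = {"ipv4-addr", "domain-name", "file", "url"}  # constructed subset

def stix_type(stix_id: str) -> str:
    # The STIX type is the part of the id before the "--" separator.
    return stix_id.split("--", 1)[0]

def classify(source_type: str, target_type: str) -> str:
    # Map a (source, target) type pair onto one of the three SRO kinds.
    if "indicator" in (source_type, target_type):
        return "object-indicator"
    if source_type in SCO_TYPES or target_type in SCO_TYPES:
        return "object-observable"
    return "object-object"

def make_relationship(rel_type: str, source_ref: str, target_ref: str) -> dict:
    # Build a STIX 2.1 SRO; reject pairs the rule table does not allow.
    pair = (stix_type(source_ref), stix_type(target_ref))
    if rel_type not in ALLOWED.get(pair, set()):
        raise ValueError(f"{rel_type!r} is not valid for {pair}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "relationship_type": rel_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }

# Constructed sample ids (not real threat-intelligence data).
AP = "attack-pattern--11111111-1111-4111-8111-111111111111"
MAL = "malware--22222222-2222-4222-8222-222222222222"
IND = "indicator--33333333-3333-4333-8333-333333333333"
CAMP = "campaign--44444444-4444-4444-8444-444444444444"
INFRA = "infrastructure--55555555-5555-4555-8555-555555555555"
IP = "ipv4-addr--66666666-6666-4666-8666-666666666666"

if __name__ == "__main__":
    for rel in (("delivers", AP, MAL), ("indicates", IND, CAMP), ("consists-of", INFRA, IP)):
        print(classify(stix_type(rel[1]), stix_type(rel[2])), make_relationship(*rel))
```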