External STIX 2.1 to MISP Attributes mapping
When external STIX 2.1 content (bundles not produced by MISP) is imported into MISP, Indicator objects are parsed into MISP attributes with the to_ids flag set. Observed Data objects (together with the SCOs, i.e. STIX Cyber-observable Objects, that they reference) and standalone SCOs are parsed into MISP attributes with the to_ids flag unset.
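External STIX objects are mapped to the closest MISP attribute type via heuristics. The resulting type and category can therefore depend on how the value arrives, not only on the value itself: in the examples below, an email-addr pattern inside an Indicator becomes an email-dst attribute in the "Network activity" category, while the same email-addr SCO imported through Observed Data or on its own becomes an email attribute in the "Social network" category. Because the Indicator path also sets to_ids, the mapped type and flag of imported attributes are worth reviewing before they are used for detection.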
Current mapping
- AS
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--50e99804-b9b5-4ea9-9ea8-25dbdd0f19f9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Suspicious autonomous system", "description": "Autonomous system associated with malicious activity.", "pattern": "[autonomous-system:number = 666]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "50e99804-b9b5-4ea9-9ea8-25dbdd0f19f9", "type": "AS", "value": "AS666", "category": "Network activity", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "object_relation": "asn", "comment": "Autonomous system associated with malicious activity." } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--1bf81a4f-0e70-4a34-944b-7e46f67ff7a7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-11-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-11-25T16:22:00Z", "number_observed": 1, "object_refs": [ "autonomous-system--cd890f31-5825-4fea-85ca-0b3ab3872926" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--cd890f31-5825-4fea-85ca-0b3ab3872926", "number": 50588 } ] - MISP
{ "uuid": "cd890f31-5825-4fea-85ca-0b3ab3872926", "type": "AS", "value": "AS50588", "category": "Network activity", "to_ids": false, "timestamp": "1606321320", "first_seen": "2020-10-25T16:22:00+00:00", "last_seen": "2020-11-25T16:22:00+00:00", "disable_correlation": false, "comment": "Observed Data ID: observed-data--1bf81a4f-0e70-4a34-944b-7e46f67ff7a7" } - STIX - Observable
{ "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--cd890f31-5825-4fea-85ca-0b3ab3872926", "number": 50588 } - MISP
{ "uuid": "cd890f31-5825-4fea-85ca-0b3ab3872926", "type": "AS", "value": "AS50588", "category": "Network activity", "to_ids": false, "disable_correlation": false }
- domain
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "domain-name--f93cb275-0366-4ecc-abf0-a17928d1e177" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "circl.lu" } ] - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "domain", "value": "circl.lu", "category": "Network activity", "to_ids": false, "timestamp": "1603642920", "disable_correlation": false, "comment": "Observed Data ID: observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d" } - STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--6fdbd93d-bda2-4a06-b5c7-fd13c3082d6e", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Monitored domain", "description": "Domain name under active threat investigation.", "pattern": "[domain-name:value = 'circl.lu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "6fdbd93d-bda2-4a06-b5c7-fd13c3082d6e", "type": "domain", "value": "circl.lu", "category": "Network activity", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "object_relation": "domain", "comment": "Domain name under active threat investigation." } - STIX - Observable
{ "type": "domain-name", "spec_version": "2.1", "id": "domain-name--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "circl.lu" } - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "domain", "value": "circl.lu", "category": "Network activity", "to_ids": false, "disable_correlation": false }
- email
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--1bf81a4f-0e70-4a34-944b-7e46f67ff7a7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-11-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-11-25T16:22:00Z", "number_observed": 1, "object_refs": [ "email-addr--cd890f31-5825-4fea-85ca-0b3ab3872926" ] }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--cd890f31-5825-4fea-85ca-0b3ab3872926", "value": "donald.duck@gmail.com" } ] - MISP
{ "uuid": "cd890f31-5825-4fea-85ca-0b3ab3872926", "type": "email", "value": "donald.duck@gmail.com", "category": "Social network", "to_ids": false, "timestamp": "1606321320", "first_seen": "2020-10-25T16:22:00+00:00", "last_seen": "2020-11-25T16:22:00+00:00", "disable_correlation": false, "comment": "Observed Data ID: observed-data--1bf81a4f-0e70-4a34-944b-7e46f67ff7a7" } - STIX - Observable
{ "type": "email-addr", "spec_version": "2.1", "id": "email-addr--cd890f31-5825-4fea-85ca-0b3ab3872926", "value": "donald.duck@gmail.com" } - MISP
{ "uuid": "cd890f31-5825-4fea-85ca-0b3ab3872926", "type": "email", "value": "donald.duck@gmail.com", "category": "Social network", "to_ids": false, "disable_correlation": false }
- email-dst
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--36d4345a-5cad-400a-a0ab-5f0bc47b1584", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Suspicious email address", "description": "Email address associated with phishing campaigns.", "pattern": "[email-addr:value = 'donald.duck@disney.com' AND email-addr:display_name = 'Donald Duck']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "36d4345a-5cad-400a-a0ab-5f0bc47b1584", "type": "email-dst", "value": "donald.duck@disney.com", "category": "Network activity", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "object_relation": "to", "comment": "Email address associated with phishing campaigns." }
- ip-dst
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "ipv4-addr--f93cb275-0366-4ecc-abf0-a17928d1e177" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "185.194.93.14" } ] - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "ip-dst", "value": "185.194.93.14", "category": "Network activity", "to_ids": false, "timestamp": "1603642920", "disable_correlation": false, "comment": "Observed Data ID: observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d" } - STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--c43ea7e7-36fd-42f4-a554-4cf8eb20ac44", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Suspicious IP address", "description": "IP address associated with known threat infrastructure.", "pattern": "[ipv4-addr:value = '185.194.93.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "c43ea7e7-36fd-42f4-a554-4cf8eb20ac44", "type": "ip-dst", "value": "185.194.93.14", "category": "Network activity", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "object_relation": "ip", "comment": "IP address associated with known threat infrastructure." } - STIX - Observable
{ "type": "ipv6-addr", "spec_version": "2.1", "id": "ipv6-addr--5e384ae7-672c-4250-9cda-3b4da964451a", "value": "2001:4860:4860::8888" } - MISP
{ "uuid": "5e384ae7-672c-4250-9cda-3b4da964451a", "type": "ip-dst", "value": "2001:4860:4860::8888", "category": "Network activity", "to_ids": false, "disable_correlation": false }
- mac-address
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "mac-addr--f93cb275-0366-4ecc-abf0-a17928d1e177" ] }, { "type": "mac-addr", "spec_version": "2.1", "id": "mac-addr--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "d2:fb:49:24:37:18" } ] - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "mac-address", "value": "d2:fb:49:24:37:18", "category": "Network activity", "to_ids": false, "timestamp": "1603642920", "disable_correlation": false, "comment": "Observed Data ID: observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d" } - STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--e947ce95-9ba7-4837-b191-a1357e50e292", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Monitored MAC address", "description": "MAC address associated with a compromised device.", "pattern": "[mac-addr:value = 'd2:fb:49:24:37:18']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "e947ce95-9ba7-4837-b191-a1357e50e292", "type": "mac-address", "value": "d2:fb:49:24:37:18", "category": "Network activity", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "comment": "MAC address associated with a compromised device." } - STIX - Observable
{ "type": "mac-addr", "spec_version": "2.1", "id": "mac-addr--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "d2:fb:49:24:37:18" } - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "mac-address", "value": "d2:fb:49:24:37:18", "category": "Network activity", "to_ids": false, "disable_correlation": false }
- mutex
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "mutex--f93cb275-0366-4ecc-abf0-a17928d1e177" ] }, { "type": "mutex", "spec_version": "2.1", "id": "mutex--f93cb275-0366-4ecc-abf0-a17928d1e177", "name": "sensitive_resource_lock" } ] - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "mutex", "value": "sensitive_resource_lock", "category": "Artifacts dropped", "to_ids": false, "timestamp": "1603642920", "disable_correlation": false, "comment": "Observed Data ID: observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d" } - STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--0cb1bfdf-a8db-4cfb-bc11-3e3842f9cd76", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Malware mutex indicator", "description": "Mutex name used by known malware families.", "pattern": "[mutex:name = 'sensitive_resource_lock']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "0cb1bfdf-a8db-4cfb-bc11-3e3842f9cd76", "type": "mutex", "value": "sensitive_resource_lock", "category": "Artifacts dropped", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "comment": "Mutex name used by known malware families." } - STIX - Observable
{ "type": "mutex", "spec_version": "2.1", "id": "mutex--f93cb275-0366-4ecc-abf0-a17928d1e177", "name": "sensitive_resource_lock" } - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "mutex", "value": "sensitive_resource_lock", "category": "Artifacts dropped", "to_ids": false, "disable_correlation": false }
- url
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "url--f93cb275-0366-4ecc-abf0-a17928d1e177" ] }, { "type": "url", "spec_version": "2.1", "id": "url--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "https://circl.lu/team/" } ] - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "url", "value": "https://circl.lu/team/", "category": "Network activity", "to_ids": false, "timestamp": "1603642920", "disable_correlation": false, "comment": "Observed Data ID: observed-data--3451329f-2525-4bcb-9659-7bd0e6f1eb0d" } - STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--b068f6dd-59f1-4bd3-b2e1-66d8b870ec45", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2024-10-25T16:22:00.000Z", "modified": "2024-10-25T16:22:00.000Z", "name": "Monitored URL", "description": "URL associated with threat intelligence investigation.", "pattern": "[url:value = 'https://circl.lu/team/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-10-25T16:22:00Z" } - MISP
{ "uuid": "b068f6dd-59f1-4bd3-b2e1-66d8b870ec45", "type": "url", "value": "https://circl.lu/team/", "category": "Network activity", "to_ids": true, "timestamp": "1729873320", "disable_correlation": false, "object_relation": "url", "comment": "URL associated with threat intelligence investigation." } - STIX - Observable
{ "type": "url", "spec_version": "2.1", "id": "url--f93cb275-0366-4ecc-abf0-a17928d1e177", "value": "https://circl.lu/team/" } - MISP
{ "uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177", "type": "url", "value": "https://circl.lu/team/", "category": "Network activity", "to_ids": false, "disable_correlation": false }