
MISP Attributes to STIX1 mapping

MISP Attributes are the actual raw data used by analysts to describe the IoCs and observed data related to a specific event (which could be an actual threat report, an IP watchlist, etc.).
Thus, in most cases, a MISP Attribute is exported to STIX as an Indicator if its to_ids flag is set, or as an Observable if its to_ids flag is false. There are also some cases where MISP attributes are exported neither as an indicator nor as an observable. This documentation gives all the details about the mapping of single attributes into STIX objects, depending on the type of the attribute.

As we can see in the detailed Events mapping documentation, attributes within their event are exported as different STIX objects embedded in a STIX Package. Indicators and observables are also embedded in the Incident, but this is not the case for TTPs, for instance.
So for the rest of this documentation, in order to keep the content clear and to skip the irrelevant parts, we will consider the following:

Current mapping

```
Derived from MISP's IDS flag. If an attribute is marked for IDS exports, the confidence will be high, otherwise none
    </indicator:Confidence>
    <indicator:Producer>
        <stixCommon:Identity>
            <stixCommon:Name>MISP-Project</stixCommon:Name>
        </stixCommon:Identity>
    </indicator:Producer>
</indicator:Indicator>
```

```
</cybox:Properties>
</cybox:Object>
</cybox:ObservableType>
```
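
The to_ids rule described at the top of this page, sketched as an added example (it is not misp-stix code or its output): it uses only Python's standard `xml.etree` module to wrap a constructed attribute either as an Indicator carrying the Confidence and Producer elements shown above, or as a bare Observable. The `cybox:Title` placeholder, the `stixCommon:Value` and `stixCommon:Description` elements and the sample attributes are assumptions; the type-specific object properties are left out.

```python
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2.x namespaces for the prefixes used in the fragment above.
NS = {
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Confidence description text as it appears on the page.
CONFIDENCE_NOTE = ("Derived from MISP's IDS flag. If an attribute is marked "
                   "for IDS exports, the confidence will be high, otherwise none")

# Constructed sample attributes (not taken from a real event).
SAMPLE = [
    {"type": "domain", "value": "malicious.example", "to_ids": True},
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
]

def q(prefix, tag):  # ElementTree qualified name for prefix:tag
    return f"{{{NS[prefix]}}}{tag}"

def local_name(element):  # tag name without its namespace
    return element.tag.rsplit("}", 1)[-1]

def export_attribute(attribute):
    """Wrap one MISP attribute dict as Indicator (to_ids set) or Observable."""
    title = f"{attribute['type']}: {attribute['value']}"  # assumed placeholder content
    if not attribute.get("to_ids", False):
        observable = ET.Element(q("cybox", "Observable"))
        ET.SubElement(observable, q("cybox", "Title")).text = title
        return observable
    indicator = ET.Element(q("indicator", "Indicator"))
    observable = ET.SubElement(indicator, q("indicator", "Observable"))
    ET.SubElement(observable, q("cybox", "Title")).text = title
    confidence = ET.SubElement(indicator, q("indicator", "Confidence"))
    ET.SubElement(confidence, q("stixCommon", "Value")).text = "High"
    ET.SubElement(confidence, q("stixCommon", "Description")).text = CONFIDENCE_NOTE
    producer = ET.SubElement(indicator, q("indicator", "Producer"))
    identity = ET.SubElement(producer, q("stixCommon", "Identity"))
    ET.SubElement(identity, q("stixCommon", "Name")).text = "MISP-Project"
    return indicator

if __name__ == "__main__":
    for attribute in SAMPLE:
        print(ET.tostring(export_attribute(attribute), encoding="unicode"))
```

A consumer feeding detection tooling from such an export would load only the Indicator elements and treat bare Observables as context.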

Unmapped attribute types

You may have noticed that we are very far from supporting all the attribute types. This is due to the variety of use cases that MISP can be used for.
Nonetheless, every attribute whose type is not in the list is exported as a Custom object. Let us see some examples of custom objects exported from attributes:

The other detailed mappings

For more detailed mappings, click on one of the links below:
