
MISP Attributes to STIX 2.0 mapping

MISP Attributes are the actual raw data used by analysts to describe the IoCs and observed data related to a specific event (which could be an actual threat report, an IP watchlist, etc.). Thus, in most cases, a MISP Attribute is exported to STIX as an Indicator if its to_ids flag is set, or as an Observable if its to_ids flag is false. There are also some cases where MISP attributes are exported neither as indicators nor as observables. This documentation gives all the details about the mapping of single attributes into STIX objects, depending on the attribute type.

As we can see in the detailed Events mapping documentation, the attributes of an event are exported as different STIX 2.0 objects embedded in a STIX Bundle. References to those objects are also embedded in the report's object_refs field.
For the rest of this documentation, in order to keep the content clear and to skip the irrelevant parts, we will consider the following:

Current mapping

Unmapped attribute types

You may have noticed that we are very far from supporting all the attribute types. This is due to the various use cases that MISP can be used for.
Nonetheless, every attribute whose type is not in the list is exported as a Custom object.
With the following examples, btc and iban are attribute types that are not mapped, where the other ones:

Let us see those examples of custom objects exported from attributes:
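The export rule described on this page (Indicator when to_ids is set, Observable otherwise, Custom object for unmapped types), as a simplified sketch added here; it is not the misp-stix converter's code. The function name, the three-type `MAPPED` subset, the `x-misp-attribute` type with its `x_misp_*` properties, the label format, the reuse of the attribute UUID in the STIX id, and every sample value are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Constructed subset of mapped types: (pattern template, observable builder).
MAPPED = {
    "domain": ("[domain-name:value = '{v}']",
               lambda v: {"type": "domain-name", "value": v}),
    "md5": ("[file:hashes.MD5 = '{v}']",
            lambda v: {"type": "file", "hashes": {"MD5": v}}),
    "url": ("[url:value = '{v}']",
            lambda v: {"type": "url", "value": v}),
}

def _ts(epoch):
    # MISP stores attribute timestamps as epoch seconds; STIX wants RFC 3339 UTC.
    dt = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def _escape(value):
    # STIX pattern string literals need backslashes and single quotes escaped,
    # otherwise an attribute value can break out of the comparison expression.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def attribute_to_stix20(attr):
    """Map one MISP attribute dict to one STIX 2.0 object (illustrative only)."""
    atype, value, uuid = attr["type"], attr["value"], attr["uuid"]
    category, ts = attr["category"], _ts(attr["timestamp"])
    to_ids = bool(attr.get("to_ids", False))
    common = {"created": ts, "modified": ts,
              "labels": [f'misp:type="{atype}"', f'misp:category="{category}"',
                         f'misp:to_ids="{to_ids}"']}
    mapping = MAPPED.get(atype)
    if mapping is None:
        # Unmapped type (btc, iban, ...): custom object, whatever to_ids says.
        return {"type": "x-misp-attribute", "id": f"x-misp-attribute--{uuid}",
                **common, "x_misp_type": atype, "x_misp_value": value,
                "x_misp_category": category}
    pattern, build_observable = mapping
    if to_ids:
        return {"type": "indicator", "id": f"indicator--{uuid}", **common,
                "pattern": pattern.format(v=_escape(value)), "valid_from": ts}
    return {"type": "observed-data", "id": f"observed-data--{uuid}", **common,
            "first_observed": ts, "last_observed": ts, "number_observed": 1,
            "objects": {"0": build_observable(value)}}
```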

The other detailed mappings

For more detailed mappings, click on one of the links below:
