docs: add STIX 2.1 bundle schema reference

2026-05-09 21:11:22 -04:00
parent de828ef07a
commit bbdb348bde

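--- /dev/null
+++ b/stix-schema.json
@@ -0,0 +1,313 @@
+{
+"$comment": "DECNET STIX 2.1 bundle schema — types only, no instance data. Generated from decnet/ttp/stix_export.py + decnet/ttp/stix_custom.py. All deterministic IDs use UUIDv5 under namespace b5d2c3a1-8f4e-4d1b-9a6c-0e7f5b3d2c1a.",
+"type": "bundle",
+"id": "bundle--<uuid4>",
+"spec_version": "2.1",
+"objects": [
+{
+"$comment": "DECNET org identity — singleton, same ID across all bundles",
+"type": "identity",
+"id": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"name": "string",
+"identity_class": "organization",
+"description": "string"
+},
+{
+"$comment": "Attacker IPv4 address",
+"type": "ipv4-addr",
+"id": "ipv4-addr--<uuid4>",
+"spec_version": "2.1",
+"value": "string"
+},
+{
+"$comment": "IP observation — first/last seen window + event count",
+"type": "observed-data",
+"id": "observed-data--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"first_observed": "<timestamp>",
+"last_observed": "<timestamp>",
+"number_observed": "integer",
+"object_refs": ["ipv4-addr--<uuid4>"]
+},
+{
+"$comment": "ThreatActor SDO — core attacker node. Tier 1 x_decnet_* scalars always present when non-null. Tier 2 extensions block present only when at least one fingerprint group is non-empty. Tier 3 x_decnet_behave_profile_ref present only when BEHAVE observations exist.",
+"type": "threat-actor",
+"id": "threat-actor--<uuid5(ns, attacker.uuid)>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"name": "string",
+"threat_actor_types": ["string"],
+"x_decnet_country_code": "string | omitted",
+"x_decnet_asn": "integer | omitted",
+"x_decnet_as_name": "string | omitted",
+"x_decnet_behave_profile_ref": "x-decnet-behave-profile--<uuid5(ns, attacker.uuid)> | omitted",
+"extensions": {
+"extension-definition--<uuid5(ns, 'decnet-actor-fingerprint-v1')>": {
+"$comment": "DecnetActorFingerprintExt — @CustomExtension. Both groups optional; the block is omitted entirely when both are empty.",
+"extension_type": "property-extension",
+"network_behavior": {
+"$comment": "Sniffer/profiler rollup from AttackerBehavior. All keys optional.",
+"os_guess": "string | null",
+"hop_distance": "integer | null",
+"retransmit_count": "integer",
+"behavior_class": "string | null",
+"beacon_interval_s": "float | null",
+"beacon_jitter_pct": "float | null",
+"tool_guesses": ["string"],
+"tcp_fingerprint": {
+"window": "integer | null",
+"wscale": "integer | null",
+"mss": "integer | null",
+"options_sig": "string",
+"has_sack": "boolean",
+"has_timestamps": "boolean",
+"tos": "integer | null",
+"dscp": "integer | null",
+"ecn": "integer | null",
+"ipid_class": "string | null",
+"isn_class": "string | null"
+},
+"timing_stats": {
+"mean": "float",
+"stdev": "float",
+"min": "float",
+"max": "float",
+"median": "float"
+},
+"phase_sequence": {
+"recon_end": "string(iso8601) | null",
+"exfil_start": "string(iso8601) | null",
+"latency": "float | null"
+}
+},
+"protocol_fingerprints": {
+"$comment": "Hash and ordering signals from AttackerBehavior (sniffer), AttackerIdentity (clusterer), and bounties table (ingester). All keys optional.",
+"kex_order_raw": ["string"],
+"ssh_client_banners": ["string"],
+"ja3_hashes": ["string"],
+"hassh_hashes": ["string"],
+"tls_cert_sha256": ["string"],
+"payload_simhashes": ["string"],
+"c2_endpoints": [
+{
+"host": "string",
+"port": "integer"
+}
+],
+"jarm_hashes": ["string"],
+"http_quirks": [
+{
+"order": ["string"],
+"casing_category": "string",
+"tool_guess": "string | null"
+}
+]
+}
+}
+}
+},
+{
+"$comment": "XDecnetBehaveProfile — @CustomObject SDO. One per attacker. Present only when BEHAVE observations exist for the attacker.",
+"type": "x-decnet-behave-profile",
+"id": "x-decnet-behave-profile--<uuid5(ns, attacker.uuid)>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"schema_version": "integer",
+"kd_digraph_simhash": "string(hex8) | null",
+"observations": [
+{
+"primitive": "string",
+"value": "string",
+"confidence": "float",
+"window": {
+"start_ts": "float",
+"end_ts": "float"
+},
+"source": "string",
+"evidence_ref": "string | null",
+"identity_ref": "string | null"
+}
+]
+},
+{
+"$comment": "extension-definition SDO — schema declaration for DecnetActorFingerprintExt. Singleton; present whenever a behave-profile is in the bundle.",
+"type": "extension-definition",
+"id": "extension-definition--<uuid5(ns, 'decnet-actor-fingerprint-v1')>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"name": "DECNET Actor Fingerprint",
+"description": "string",
+"schema": "https://decnet.dev/schemas/actor-fingerprint/v1",
+"version": "1.0.0",
+"extension_types": ["property-extension"]
+},
+{
+"$comment": "characterizes Relationship — links x-decnet-behave-profile back to its ThreatActor for graph traversal. Present whenever a behave-profile is in the bundle.",
+"type": "relationship",
+"id": "relationship--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"relationship_type": "characterizes",
+"source_ref": "x-decnet-behave-profile--<uuid5(ns, attacker.uuid)>",
+"target_ref": "threat-actor--<uuid5(ns, attacker.uuid)>"
+},
+{
+"$comment": "attack-pattern SDO — one per unique MITRE technique. ID is the canonical MITRE STIX ID from the loaded enterprise-attack bundle, so consumers deduplicate against the public ATT&CK bundle.",
+"type": "attack-pattern",
+"id": "<canonical MITRE STIX ID>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"name": "string",
+"external_references": [
+{
+"source_name": "mitre-attack",
+"external_id": "string",
+"url": "string"
+}
+]
+},
+{
+"$comment": "uses Relationship — one per unique technique, source is ThreatActor",
+"type": "relationship",
+"id": "relationship--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"relationship_type": "uses",
+"source_ref": "threat-actor--<uuid5(ns, attacker.uuid)>",
+"target_ref": "attack-pattern--<canonical MITRE STIX ID>"
+},
+{
+"$comment": "Sighting SRO — one per raw ttp_tag row (per-attacker export) or per unique command (command sightings point at threat-actor, not attack-pattern). count is always 1.",
+"type": "sighting",
+"id": "sighting--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"sighting_of_ref": "attack-pattern--<...> | threat-actor--<...>",
+"first_seen": "<timestamp>",
+"last_seen": "<timestamp>",
+"count": 1,
+"where_sighted_refs": ["identity--<uuid5(ns, 'decnet-honeypot')>"],
+"observed_data_refs": ["observed-data--<uuid4>"]
+},
+{
+"$comment": "file SCO — one per captured artifact. Paired with an observed-data SDO.",
+"type": "file",
+"id": "file--<uuid4>",
+"spec_version": "2.1",
+"hashes": {
+"SHA-256": "string"
+},
+"name": "string | omitted"
+},
+{
+"$comment": "observed-data for file artifact",
+"type": "observed-data",
+"id": "observed-data--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"first_observed": "<timestamp>",
+"last_observed": "<timestamp>",
+"number_observed": 1,
+"object_refs": ["file--<uuid4>"]
+},
+{
+"$comment": "domain-name SCO — one per SMTP target domain. Paired with an observed-data SDO.",
+"type": "domain-name",
+"id": "domain-name--<uuid4>",
+"spec_version": "2.1",
+"value": "string"
+},
+{
+"$comment": "observed-data for SMTP target",
+"type": "observed-data",
+"id": "observed-data--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"first_observed": "<timestamp>",
+"last_observed": "<timestamp>",
+"number_observed": "integer",
+"object_refs": ["domain-name--<uuid4>"]
+},
+{
+"$comment": "process SCO — one per unique deduped command line. Paired with observed-data and a Sighting back to the ThreatActor.",
+"type": "process",
+"id": "process--<uuid4>",
+"spec_version": "2.1",
+"command_line": "string",
+"is_hidden": false
+},
+{
+"$comment": "observed-data for process/command",
+"type": "observed-data",
+"id": "observed-data--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"first_observed": "<timestamp>",
+"last_observed": "<timestamp>",
+"number_observed": 1,
+"object_refs": ["process--<uuid4>"]
+},
+{
+"$comment": "note SDO — present when threat-intel verdict exists for the attacker",
+"type": "note",
+"id": "note--<uuid4>",
+"spec_version": "2.1",
+"created": "<timestamp>",
+"modified": "<timestamp>",
+"created_by_ref": "identity--<uuid5(ns, 'decnet-honeypot')>",
+"abstract": "DECNET threat-intel verdict",
+"content": "string",
+"object_refs": ["threat-actor--<uuid5(ns, attacker.uuid)>"]
+}
+]
+}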
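Review bot: The presence rule documented on the extension-definition object (`"Singleton; present whenever a behave-profile is in the bundle"`) looks inconsistent with the extension it declares: the threat-actor `extensions` block is documented as emitted whenever at least one fingerprint group is non-empty, while the behave-profile is gated on BEHAVE observations, so a bundle could carry `extension-definition--<uuid5(ns, 'decnet-actor-fingerprint-v1')>` as an extension key on a threat-actor without the extension-definition SDO itself being present, which breaks reference resolution in consumers that validate bundles. If the exporter really ties it to the fingerprint block, the comment should read `"Singleton; present whenever any threat-actor in the bundle carries the fingerprint extension"`; I cannot see stix_export.py from here, so confirm which condition is actually implemented. Separately, the file uses `$comment` and type-name placeholders such as `"integer | null"` but declares no `$schema` and is not a JSON Schema, so nothing can validate an exported bundle against it; either say in the top-level `$comment` that this is a human-readable reference template, or convert it into a draft 2020-12 schema with `"type"` and `"required"` per object type. Two smaller notation drifts worth fixing in the same pass: the attack-pattern `id` is written as `"<canonical MITRE STIX ID>"` while the uses relationship `target_ref` is `"attack-pattern--<canonical MITRE STIX ID>"`, and `window.start_ts`/`end_ts` are epoch floats while every other time field in the bundle is an ISO 8601 string, so consumers would have to guess which form to parse.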