From bbdb348bdef393b5da90e0b054f7d56c0ed5d30f Mon Sep 17 00:00:00 2001
From: anti
Date: Sat, 9 May 2026 21:11:22 -0400
Subject: [PATCH] docs: add STIX 2.1 bundle schema reference

---
 stix-schema.json | 313 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 313 insertions(+)
 create mode 100644 stix-schema.json

diff --git a/stix-schema.json b/stix-schema.json
new file mode 100644
index 0000000..7b05685
--- /dev/null
+++ b/stix-schema.json
@@ -0,0 +1,313 @@
+{
+ "$comment": "DECNET STIX 2.1 bundle schema — types only, no instance data. Generated from decnet/ttp/stix_export.py + decnet/ttp/stix_custom.py. All deterministic IDs use UUIDv5 under namespace b5d2c3a1-8f4e-4d1b-9a6c-0e7f5b3d2c1a.",
+
+ "type": "bundle",
+ "id": "bundle--",
+ "spec_version": "2.1",
+ "objects": [
+
+ {
+ "$comment": "DECNET org identity — singleton, same ID across all bundles",
+ "type": "identity",
+ "id": "identity--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "name": "string",
+ "identity_class": "organization",
+ "description": "string"
+ },
+
+ {
+ "$comment": "Attacker IPv4 address",
+ "type": "ipv4-addr",
+ "id": "ipv4-addr--",
+ "spec_version": "2.1",
+ "value": "string"
+ },
+
+ {
+ "$comment": "IP observation — first/last seen window + event count",
+ "type": "observed-data",
+ "id": "observed-data--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "first_observed": "",
+ "last_observed": "",
+ "number_observed": "integer",
+ "object_refs": ["ipv4-addr--"]
+ },
+
+ {
+ "$comment": "ThreatActor SDO — core attacker node. Tier 1 x_decnet_* scalars always present when non-null. Tier 2 extensions block present only when at least one fingerprint group is non-empty. Tier 3 x_decnet_behave_profile_ref present only when BEHAVE observations exist.",
+ "type": "threat-actor",
+ "id": "threat-actor--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "name": "string",
+ "threat_actor_types": ["string"],
+
+ "x_decnet_country_code": "string | omitted",
+ "x_decnet_asn": "integer | omitted",
+ "x_decnet_as_name": "string | omitted",
+
+ "x_decnet_behave_profile_ref": "x-decnet-behave-profile-- | omitted",
+
+ "extensions": {
+ "extension-definition--": {
+ "$comment": "DecnetActorFingerprintExt — @CustomExtension. Both groups optional; the block is omitted entirely when both are empty.",
+ "extension_type": "property-extension",
+
+ "network_behavior": {
+ "$comment": "Sniffer/profiler rollup from AttackerBehavior. All keys optional.",
+ "os_guess": "string | null",
+ "hop_distance": "integer | null",
+ "retransmit_count": "integer",
+ "behavior_class": "string | null",
+ "beacon_interval_s": "float | null",
+ "beacon_jitter_pct": "float | null",
+ "tool_guesses": ["string"],
+ "tcp_fingerprint": {
+ "window": "integer | null",
+ "wscale": "integer | null",
+ "mss": "integer | null",
+ "options_sig": "string",
+ "has_sack": "boolean",
+ "has_timestamps": "boolean",
+ "tos": "integer | null",
+ "dscp": "integer | null",
+ "ecn": "integer | null",
+ "ipid_class": "string | null",
+ "isn_class": "string | null"
+ },
+ "timing_stats": {
+ "mean": "float",
+ "stdev": "float",
+ "min": "float",
+ "max": "float",
+ "median": "float"
+ },
+ "phase_sequence": {
+ "recon_end": "string(iso8601) | null",
+ "exfil_start": "string(iso8601) | null",
+ "latency": "float | null"
+ }
+ },
+
+ "protocol_fingerprints": {
+ "$comment": "Hash and ordering signals from AttackerBehavior (sniffer), AttackerIdentity (clusterer), and bounties table (ingester). All keys optional.",
+ "kex_order_raw": ["string"],
+ "ssh_client_banners": ["string"],
+ "ja3_hashes": ["string"],
+ "hassh_hashes": ["string"],
+ "tls_cert_sha256": ["string"],
+ "payload_simhashes": ["string"],
+ "c2_endpoints": [
+ {
+ "host": "string",
+ "port": "integer"
+ }
+ ],
+ "jarm_hashes": ["string"],
+ "http_quirks": [
+ {
+ "order": ["string"],
+ "casing_category": "string",
+ "tool_guess": "string | null"
+ }
+ ]
+ }
+ }
+ }
+ },
+
+ {
+ "$comment": "XDecnetBehaveProfile — @CustomObject SDO. One per attacker. Present only when BEHAVE observations exist for the attacker.",
+ "type": "x-decnet-behave-profile",
+ "id": "x-decnet-behave-profile--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "schema_version": "integer",
+ "kd_digraph_simhash": "string(hex8) | null",
+ "observations": [
+ {
+ "primitive": "string",
+ "value": "string",
+ "confidence": "float",
+ "window": {
+ "start_ts": "float",
+ "end_ts": "float"
+ },
+ "source": "string",
+ "evidence_ref": "string | null",
+ "identity_ref": "string | null"
+ }
+ ]
+ },
+
+ {
+ "$comment": "extension-definition SDO — schema declaration for DecnetActorFingerprintExt. Singleton; present whenever a behave-profile is in the bundle.",
+ "type": "extension-definition",
+ "id": "extension-definition--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "name": "DECNET Actor Fingerprint",
+ "description": "string",
+ "schema": "https://decnet.dev/schemas/actor-fingerprint/v1",
+ "version": "1.0.0",
+ "extension_types": ["property-extension"]
+ },
+
+ {
+ "$comment": "characterizes Relationship — links x-decnet-behave-profile back to its ThreatActor for graph traversal. Present whenever a behave-profile is in the bundle.",
+ "type": "relationship",
+ "id": "relationship--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "relationship_type": "characterizes",
+ "source_ref": "x-decnet-behave-profile--",
+ "target_ref": "threat-actor--"
+ },
+
+ {
+ "$comment": "attack-pattern SDO — one per unique MITRE technique. ID is the canonical MITRE STIX ID from the loaded enterprise-attack bundle, so consumers deduplicate against the public ATT&CK bundle.",
+ "type": "attack-pattern",
+ "id": "",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "name": "string",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "string",
+ "url": "string"
+ }
+ ]
+ },
+
+ {
+ "$comment": "uses Relationship — one per unique technique, source is ThreatActor",
+ "type": "relationship",
+ "id": "relationship--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "relationship_type": "uses",
+ "source_ref": "threat-actor--",
+ "target_ref": "attack-pattern--"
+ },
+
+ {
+ "$comment": "Sighting SRO — one per raw ttp_tag row (per-attacker export) or per unique command (command sightings point at threat-actor, not attack-pattern). count is always 1.",
+ "type": "sighting",
+ "id": "sighting--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "sighting_of_ref": "attack-pattern--<...> | threat-actor--<...>",
+ "first_seen": "",
+ "last_seen": "",
+ "count": 1,
+ "where_sighted_refs": ["identity--"],
+ "observed_data_refs": ["observed-data--"]
+ },
+
+ {
+ "$comment": "file SCO — one per captured artifact. Paired with an observed-data SDO.",
+ "type": "file",
+ "id": "file--",
+ "spec_version": "2.1",
+ "hashes": {
+ "SHA-256": "string"
+ },
+ "name": "string | omitted"
+ },
+
+ {
+ "$comment": "observed-data for file artifact",
+ "type": "observed-data",
+ "id": "observed-data--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "first_observed": "",
+ "last_observed": "",
+ "number_observed": 1,
+ "object_refs": ["file--"]
+ },
+
+ {
+ "$comment": "domain-name SCO — one per SMTP target domain. Paired with an observed-data SDO.",
+ "type": "domain-name",
+ "id": "domain-name--",
+ "spec_version": "2.1",
+ "value": "string"
+ },
+
+ {
+ "$comment": "observed-data for SMTP target",
+ "type": "observed-data",
+ "id": "observed-data--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "first_observed": "",
+ "last_observed": "",
+ "number_observed": "integer",
+ "object_refs": ["domain-name--"]
+ },
+
+ {
+ "$comment": "process SCO — one per unique deduped command line. Paired with observed-data and a Sighting back to the ThreatActor.",
+ "type": "process",
+ "id": "process--",
+ "spec_version": "2.1",
+ "command_line": "string",
+ "is_hidden": false
+ },
+
+ {
+ "$comment": "observed-data for process/command",
+ "type": "observed-data",
+ "id": "observed-data--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "first_observed": "",
+ "last_observed": "",
+ "number_observed": 1,
+ "object_refs": ["process--"]
+ },
+
+ {
+ "$comment": "note SDO — present when threat-intel verdict exists for the attacker",
+ "type": "note",
+ "id": "note--",
+ "spec_version": "2.1",
+ "created": "",
+ "modified": "",
+ "created_by_ref": "identity--",
+ "abstract": "DECNET threat-intel verdict",
+ "content": "string",
+ "object_refs": ["threat-actor--"]
+ }
+
+ ]
+}
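Review bot: The presence condition documented on the `extension-definition` object ("present whenever a behave-profile is in the bundle") does not match where that object is actually referenced: the threat-actor's `extensions` block is keyed by `extension-definition--` and, per its own `$comment`, is emitted whenever at least one fingerprint group is non-empty, so a bundle with Tier 2 fingerprint data but no BEHAVE observations would carry an extension key with no resolvable definition (and `x-decnet-behave-profile` is a custom object, which as I read STIX 2.1 is not what `"extension_types": ["property-extension"]` declares). I would reword that `$comment` to `"Singleton; present whenever any threat-actor in the bundle carries the extensions block (Tier 2), independent of behave-profile presence."` and confirm `stix_export.py` emits it on that condition. Separately, the top-level `$comment` states that all deterministic IDs use the DECNET namespace `b5d2c3a1-8f4e-4d1b-9a6c-0e7f5b3d2c1a`, but STIX 2.1 defines SCO IDs (`ipv4-addr`, `domain-name`, `file`) as UUIDv5 under the fixed spec namespace `00abedb4-aa42-466c-9c01-fed23315a9b7`, so IDs minted under a private namespace will not deduplicate against other producers' SCOs for the same address or hash — the comment should say whether that divergence is intended. Finally, `command_line`, `ssh_client_banners`, `kex_order_raw`, `http_quirks.order`, `file.name`, `x_decnet_as_name` and `note.content` carry attacker-supplied bytes verbatim; a one-line `$comment` on the bundle naming these as untrusted input for any consumer that renders or interpolates them would help downstream integrators.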