schema.tql

#
# Copyright (C) 2022 OS-Threat
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Note: Large portions of this schema were originally defined by Tomas Sabat, Vaticle, 2021
#

define
stix-entity sub entity,
    abstract;

stix-object sub stix-entity,
	# Required
	owns stix-type,
	owns stix-id @key, #
	owns custom-attribute,
	plays stix-core-relationship:source,
	plays stix-core-relationship:target,
	plays obj-refs:referred, 
	plays granular-marking:object;

	stix-core-object sub stix-object, 
		# Required for SDO but Optional for SCO
		owns spec-version,

		# Optional
		plays data-marking:marked,
		plays created-by:created,

		# Common relations for SDOs and SCOs. Defined in 3.7. 
		plays derived:derived-from,
		plays derived:deriving,
		plays duplicated:original,
		plays duplicated:duplicate,
		plays related:related-to,
		plays related:related-from;

			stix-domain-object sub stix-core-object, 
				# Required
				owns created,
				owns modified, 

				# Optional
				owns revoked, 
				owns labels,
				owns confidence,
				owns langs,
				plays external-references:referenced,
				plays sighting:sighting-of,
                plays attributed-to:result,
                plays attributed-to:fault-of,

				plays indicates:indicated;

			stix-cyber-observable-object sub stix-core-object,
				owns defanged,
				plays malware-env:env,
                plays attributed-to:result,
                plays attributed-to:fault-of,
				plays extensions:sco,
				plays consist:consisted;

	stix-sub-object sub stix-entity,
		abstract, 
		owns created, 
		owns modified,
        plays stix-core-relationship:source,
        plays stix-core-relationship:target,
        plays obj-refs:referred,
        plays granular-marking:object;


##### 2 Common Data Types #####

# 2.5 External Reference
external-reference sub stix-sub-object,
	# In addition to source-name, at least one of description, url or external-id must be present§
	# Required
	owns source-name, 

	# Optional
	owns description,
	owns url-link, 
	owns external-id, 
	plays hashes:hash-owner,
	plays external-references:referencing;


# 2.7 Hash
hash sub stix-sub-object,
	owns hash-value, 
	plays hashes:hash-actual;

	md-5 sub hash;
	sha-1 sub hash; 
	sha-256 sub hash;
	sha-512 sub hash; 
	sha3-256 sub hash; 
	sha3-512 sub hash;
	ssdeep sub hash; 
	tlsh sub hash; 



# 2.11 Kill Chain Phase
kill-chain-phase sub stix-sub-object,
	owns kill-chain-name, 
	owns phase-name,
	plays kill-chain-usage:kill-chain-using,

	# inferred role player
	plays kill-chain:participating-kill-chain-phase;


##### 4 STIX™ Domain Objects #####

# Custom object
custom-object sub stix-domain-object,
	owns name, 
	owns description, 
	owns aliases, 
	owns first-seen,
	owns last-seen,
	owns objective,
	plays kill-chain-usage:kill-chain-used,
	plays delivers:delivering,
	plays targets:targetter,
	plays uses:used-by,
	plays mitigates:mitigated,
	plays uses:used;


# 4.1 
attack-pattern sub stix-domain-object,
	owns name,
	owns description,
	owns aliases,

	# Relations defined as properties in STIX
	plays kill-chain-usage:kill-chain-used,

	# Common Relations
	plays delivers:delivering,
	plays targets:targetter,
	plays uses:used-by,

	# Reverse Relations
	# plays indicates:indicated, -> Defined in SDO
	plays mitigates:mitigated,
	plays uses:used;

	# Embedded Relations
	# created-by
	# Object marking ref

# 4.2 Campaign
campaign sub stix-domain-object, 
	owns name, 
	owns description, 
	owns aliases, 
	owns first-seen,
	owns last-seen,
	owns objective, 

	# Common Relations
	plays compromises:compromising,
	plays originates-from:originating,
	plays targets:targetter,
	plays uses:used-by;

	# Reverse Relations
	# plays indicates:indicated; -> Defined in SDO
	# plays indicates:indicated; -> Defined in SDO

	# Embedded relations
	# created-by
	# Object marking

# 4.3 Course of Action
course-of-action sub stix-domain-object,
	owns name, 
	owns description, 
	owns action,

	# Common Relations
	plays investigates:investigating,
	plays mitigates:mitigator,
	plays remediation:remediating,
	plays uses:used-by;

	# Reverse Relations
	# NA

	# Embedded relations
	# created-by
	# Object marking ref

# 4.4 Grouping 
grouping sub stix-domain-object,
	owns name, 
	owns description, 
	owns context,

	# Common Relations
	# NA 

	# Reverse Relations
	# NA

	# Embedded Relations
	# created-by
	# Object markings
	plays obj-refs:object;

# 4.5 Identity
identity sub stix-domain-object,
	owns name, 
	owns description, 
	owns stix-role,
	owns identity-class,
	owns sector,  # should this perhaps be a relation?
	owns contact-information,

	# Common Relations
	plays located-at:locating,

	# Reverse Relations
	plays targets:targetted,
	plays impersonate:impersonated,

	# Embedded Relations
	plays created-by:creator,
	# Object marking ref
	
	plays sighting:where-sighted; 

	# 10.7 Identity Class Vocabulary
	individual sub identity;
	identity-group sub identity;
	system sub identity;
	organization sub identity;
	class sub identity;
	id-unknown sub identity;

# 4.6 Incident
incident sub stix-domain-object, 
	owns name, 
	owns description;

 	# Common Relations
 	# NA

 	# Reverse Relations
 	# NA

	# Embedded relations
	# created-by
	# Object Marking

# 4.7 Indicator
indicator sub stix-domain-object, 
	owns name, 
	owns description, 
	owns indicator-type,
	owns pattern, 
	owns pattern-type, 
	owns pattern-version,
	owns valid-from,
	owns valid-until,

	# Relations defined as properties in STIX
	plays kill-chain-usage:kill-chain-used,

	# Common Relations
	plays indicates:indicating,
	plays based-on:basing-on,

	# Reverse Relations
	plays investigates:investigated,
	plays mitigates:mitigated;

	# Embedded Relations
	# created-by
	# Object marking ref

# 4.8 Infrastructure 
infrastructure sub stix-domain-object,
	owns name, 
	owns description,
	owns infrastructure-types, # Should this OV be a relation to define?
	owns aliases, 
	plays kill-chain-usage:kill-chain-used, 
	owns first-seen,
	owns last-seen,

	# Common Relations
	plays communicates-with:communicating,
	plays consist:consisting,
	plays control:controlling,

	plays delivers:delivering,
	plays have:having,
	plays hosts:hosting,
	plays located-at:locating,
	plays uses:used-by,

	# Reverse Relations
	plays control:controlled,
	plays communicates-with:communicated,
	plays compromises:compromised,
	plays beacon:beaconed-to,
	plays exfiltrate:exfiltrated-to,
	plays hosts:hosted,
	# plays indicates:indicated, defined in SDO
	plays ownership:owned,
	plays targets:targetted,
	plays uses:used;

	# Object marking ref

# 4.9 Intrusion Set
intrusion-set sub stix-domain-object,
	owns name, 
	owns description, 
	owns aliases, 
	owns first-seen,
	owns last-seen,
	owns goals, 
	owns resource-level, 
	owns primary-motivation, 
	owns secondary-motivations,

	# Common Relations
	plays compromises:compromising,
	plays hosts:hosting,
	plays ownership:owning,
	plays originates-from:originating,
	plays targets:targetter,
	plays uses:used-by,
	plays uses:used,

	# Reverse Relations
	plays authored-by:authored,
	# plays indicates:indicated; Already defined in SDO

	# Embedded Relations
	# created-by
	# Object marking 

	# Inferred role player
	plays inferred-mitigation:inferred-mitigation-mitigated;

# 4.10 Location
location sub stix-domain-object,
	owns name, 
	owns description,
	owns latitude,
	owns longitude,
	owns precision,
	owns region,
	owns country,
	owns administrative-area,
	owns city,
	owns street-address,
	owns postal-code,

	# Common Relations
	# NA

	# Reverse relations
	plays located-at:located,
	plays originates-from:originated-from,
	plays targets:targetted,
	plays sighting:where-sighted;

	# Embedded Relations
	# created-by
	# Object marking

# 4.11 Malware
malware sub stix-domain-object, 
	owns name, 
	owns description, 
	owns malware-types,
	owns is-family, 
    owns aliases,
    owns first-seen,
    owns last-seen,
    owns architecture-execution-envs,
    owns implementation-languages,
    owns capabilities,
    
    # Relations defined as properties in STIX
	plays kill-chain-usage:kill-chain-used,
	plays malware-sample:malware-sample-sample-for, # ssample_refs

    # Common Relations
    plays authored-by:authoring,
    plays beacon:beaconing-to,
    plays exfiltrate:exfiltrating-to,
    plays control:controlling,
    plays download:downloading,
    plays drop:dropping,
    plays exploit:exploiting,
    plays originates-from:originating,
    plays targets:targetter,
    plays hosts:hosting,
    plays uses:used-by,
    plays variant:variant-source,
    plays communicates-with:communicating,

   	# Reverse Relations
   	plays variant:variant-target,
   	plays delivers:delivered,
   	plays mitigates:mitigated,
	plays remediation:remediated,
	plays uses:used,
	plays drop:dropped,
	plays control:controlled,
	plays characterise:characterised,
	plays av-analysis:av-analysis-analysed,
	plays static-analysis:static-analysis-analysed,
	plays dynamic-analysis:dynamic-analysis-analysed,

    plays download:downloaded,
    plays exploit:exploiting,

    # Embedded Relations
    # created-by
    # Obejct marking
    # Sample ref
	plays malware-env:object;


# 4.12 Malware Analysis
malware-analysis sub stix-domain-object,
	owns product, 
	owns version,
	owns configuration-version,
	owns module,
	owns analysis-engine-version,
	owns analysis-definition-version,
	owns submitted,
	owns analysis-started,
	owns analysis-ended,
	owns result-name,
	owns result,

	# Relations defined as properties in STIX
	# host_vm_ref, _operating_system_ref, instsalled_software_ref, analysis-sco are all defined as 
	# playing roles in the analysis relation
	plays malware-analysis-sample:malware-analysis-sample-sample-for, # sample_refs

	# Common Relations
	plays characterise:characterising,
	plays av-analysis:av-analysis-analysing,
	plays static-analysis:static-analysis-analysing,
	plays dynamic-analysis:dynamic-analysis-analysing,

	# Reverse Relations
	# NA

	# Embedded Relations
	# created-by
	# Object markingss
	# hosts-vm
	# operating-system
	# installed-software
	# analysis-sco
	# sample-ref
	plays malware-env:object;


# 4.13 Note
note sub stix-domain-object, 
	owns note-abstract, 
	owns content, 
	owns authors,

	# Relations 
	# NA

	# Embedded Relations
	# created-by
	# Object marking
	plays obj-refs:object;

# 4.14
observed-data sub stix-domain-object,
	owns first-observed, 
	owns last-observed, 
	owns number-observed,

	# Common Relations
	# NA

	# Reverse Relations
	plays based-on:basis,
	plays consist:consisted,

	plays sighting:observed, # This is for SRO 5.2 sighting

	# Embedded Relations
	# created-by
	# Object marking
	plays obj-refs:object; # Object ref

# 4.15 Opinion
opinion sub stix-domain-object, 
	owns explanation,
	owns authors,
	owns opinion-enum, 

	# Common Relations
	# NA

	# Reverse Relations
	# NA

	# Embedded relations
	# created-by
	# Object marking
	plays obj-refs:object;

# 4.16 Report
report sub stix-domain-object, 
	owns name, 
	owns description,
	owns report-type, 
	owns published, 

	# Common Relations
	# NA

	# Reverse Relations
	# NA

	# Embedded relations
	# created-by 
	# Object Marking
	plays obj-refs:object;

# 4.17
threat-actor sub stix-domain-object,
	owns name, 
	owns description, 
	owns threat-actor-type,
	owns aliases,
	owns first-seen,
	owns last-seen,
	owns stix-role,
	owns goals,
	owns sophistication,
	owns resource-level, 
	owns primary-motivation,
	owns secondary-motivations,
	owns personal-motivations,


	# Common Relations
	plays compromises:compromising,
	plays hosts:hosting,
	plays ownership:owning,
	plays impersonate:impersonating,
	plays located-at:locating,
	plays targets:targetter,
	plays uses:used-by,

	# Reverse Relations
	plays authored-by:authored;
	# plays indicates:indicated # defined in SDO

	# Embedded relations
	# created-by 
	# Object Marking

# 4.18 Tool
tool sub stix-domain-object,
	owns name,
	owns description,
	owns tool-type,
	owns aliases, 
	owns tool-version,

	# Relations defined as properties in STIX
	plays kill-chain-usage:kill-chain-used,

	# Common Relations
	plays delivers:delivering,
	plays drop:dropping,
	plays have:having,
	plays targets:targetter,
	plays uses:used-by,

	# Reverse Relations
	plays download:downloaded,
	plays drop:dropped,
	plays hosts:hosted,
	plays mitigates:mitigated,
	plays uses:used;
	# plays indicates:indicated, Already defined in SDO

	# Embedded Relations
	# created-by
	# Object Marking

# 4.19 Vulnerability
vulnerability sub stix-domain-object,
	owns name, 
	owns description,

	# Relations defined as properties in STIX
	# plays external-references:referencing, Defined in SDO

	# Common Relations
	# NA

	# Reverse Relations
 	plays targets:targetted,
 	plays exploit:exploited,
 	plays mitigates:mitigated,
 	plays remediation:remediated,
 	plays have:had;

 	#Embedded Relations
 	# created-by
 	# Object Marking

##### 5 STIX™ Relationship Objects #####

# 5.1 Specification-Defined Relatinoships Summary
stix-core-relationship sub relation,
	# Required
	owns spec-version,
	owns stix-id @key,
	owns created,
	owns modified,
	owns stix-type,

	# Optional
	owns description,
	owns revoked,
	owns labels,
	owns confidence, 
	owns langs,
	owns start-time,
	owns stop-time,
	owns relationship-type,
	owns custom-attribute,

	relates source, 
	relates target,
	plays obj-refs:referred,
	plays data-marking:marked,
	plays granular-marking:object, 
	plays external-references:referenced,
	plays created-by:created,
    plays derived:derived-from,
    plays derived:deriving,
    plays duplicated:original,
    plays duplicated:duplicate,
    plays related:related-to,
    plays related:related-from;


    # 3.7 Common Relationships
    # These are relation types that are shared by SDOs and SCOs

    derived sub stix-core-relationship,
        relates derived-from as source,
        relates deriving as target;

    duplicated sub stix-core-relationship,
        relates original as source,
        relates duplicate  as target;

    related sub stix-core-relationship,
        relates related-from as source,
        relates related-to  as target;

	# Specific Relationships from Appendix C
	delivers sub stix-core-relationship, 
		relates delivering as source, 
		relates delivered as target;

	targets sub stix-core-relationship, 
		relates targetter as source,
		relates targetted as target;

	uses sub stix-core-relationship,
		relates used-by as source,
		relates used as target;

	attributed-to sub stix-core-relationship, 
		relates result as source,
		relates fault-of as target; 
	
	compromises sub stix-core-relationship,
		relates compromising as source,
		relates compromised as target;
	
	originates-from sub stix-core-relationship,
		relates originated-from as target,
		relates originating as source;
	
	investigates sub stix-core-relationship,
		relates investigating as source,
		relates investigated as target;

	mitigates sub stix-core-relationship,
		relates mitigated as target,
		relates mitigator as source;
	
	located-at sub stix-core-relationship,
		relates located as target,
		relates locating as source;

	indicates sub stix-core-relationship, 
		relates indicating as source,
		relates indicated as target; 
	
	based-on sub stix-core-relationship,
		relates basing-on as source,
		relates basis as target;
	
	communicates-with sub stix-core-relationship,
		relates communicating as source,
		relates communicated as target;

	consist sub stix-core-relationship,
		relates consisting as source,
		relates consisted as target;

	control sub stix-core-relationship,
		relates controlling as source,
		relates controlled as target;
	
	have sub stix-core-relationship, # Could come up with a better name?
		relates having as source,
		relates had as target;
	
	hosts sub stix-core-relationship,
		relates hosting as source,
		relates hosted as target;
	
	ownership sub stix-core-relationship,
		relates owned as target,
		relates owning as source;
	
	authored-by sub stix-core-relationship,
		relates authoring as source,
		relates authored as target;

	resolve-to sub stix-core-relationship,
	    relates resolves-from as source,
	    relates resolves-to as target;

	beacon sub stix-core-relationship,
		relates beaconed-to as target,
		relates beaconing-to as source;
	
	exfiltrate sub stix-core-relationship,
		relates exfiltrated-to as target,
		relates exfiltrating-to as source;
	
	download sub stix-core-relationship,
		relates downloaded as target,
		relates downloading as source;

	drop sub stix-core-relationship,
		relates dropped as target,
		relates dropping as source;

	exploit sub stix-core-relationship,
		relates exploiting as source,
		relates exploited as target;

	variant sub stix-core-relationship,
		relates variant-source as source,
		relates variant-target as target;

	characterise sub stix-core-relationship,
		relates characterised as target,
		relates characterising as source;

	impersonate sub stix-core-relationship,
		relates impersonating as source,
		relates impersonated as target;


	analysis sub stix-core-relationship,
		relates analysing as source,
		relates analysed as target;

		av-analysis sub analysis, relates av-analysis-analysing as analysing, relates av-analysis-analysed as analysed;
		static-analysis sub analysis, relates static-analysis-analysing as analysing, relates static-analysis-analysed as analysed;
		dynamic-analysis sub analysis, relates dynamic-analysis-analysing as analysing, relates dynamic-analysis-analysed as analysed;
		analysis-of sub analysis, relates analysis-of-analysing as analysing, relates analysis-of-analysed as analysed;

	remediation sub stix-core-relationship,
		relates remediating as source,
		relates remediated as target;


# 5.2 Sighting
sighting sub stix-core-relationship, 
	owns first-seen,
	owns last-seen,
	owns sighting-count,
	owns summary,
	relates where-sighted,
	relates sighting-of as source, 
	relates observed;

##### 6 STIX™ Cyber-observable Objects #####

# 6.1 Artifact Object
artifact sub stix-cyber-observable-object,
	owns mime-type,
	owns payload-bin,
	owns url-link, 
	plays hashes:hash-owner,
	owns encryption-algorithm,
	owns decryption-key,
	plays payload-src:payload,
	plays payload-dst:payload,
	plays malware-analysis-sample:malware-analysis-sample-sco-sample,
	plays malware-sample:malware-sco-sample,
	plays raw-email-references:binary,
	plays body-raw-references:non-textual,
	plays content-file:containing-file,
	plays HTTP-body-data:contained-data;

# 6.2 Autonomous System Object
autonomous-system sub stix-cyber-observable-object,
	owns number,
	owns name,
	owns rir,
	plays belongs-to-autonomous:belongs-to-autonomous;

# 6.3 Directory Object
directory sub stix-cyber-observable-object,
	owns path, 
	owns path-enc,
	owns ctime,
	owns mtime,
	owns atime,
	plays directory-contains:directory-contains-container,
	plays directory-contains:directory-contains-contained,
	plays directory-parent:directory-parent-contained,
	plays directory-parent:directory-parent-container;

# 6.4 Domain Name Object
domain-name sub stix-cyber-observable-object,
	owns stix-value, 
	plays resolves-to-ref:from-ref,
	plays resolves-to-ref:to-ref,
	plays communicates-with:communicated,
	plays traffic-src:source,
	plays traffic-dst:destination,
	plays resolve-to:resolves-from,
	plays resolve-to:resolves-to;

# 6.5 Email Address Object
email-addr sub stix-cyber-observable-object,
	owns stix-value, 
	owns display-name,
	plays belongs:belonged,
	plays from-email:from-email-address,
	plays to-email:to-email-address,
	plays cc-email:cc-email-address,
	plays bcc-email:bcc-email-address;

# 6.6 Email Message
email-message sub stix-cyber-observable-object,
	owns is-multipart,
	owns date,
	owns content-type,
	owns message-id,
	owns subject,
	owns received-lines, # List of type string
	owns body,

	plays body-multipart:email,
	plays email-connection:email,
	plays additional-header:email,
	plays raw-email-references:email;


header-value sub stix-attribute-string;
header-key sub stix-attribute-string,
	owns header-value,
	plays additional-header:item;

email-mime-part sub stix-sub-object,
	owns body,
	owns content-type, 
	owns content-disposition, 
	plays body-multipart:mime-part,
	plays body-raw-references:containing-mime;

# 6.7 File
file sub stix-cyber-observable-object,
	plays hashes:hash-owner,
	owns size,
	owns name,
	owns name-enc,
	owns magic-number-hex,
	owns mime-type,
	owns ctime,
	owns mtime,
	owns atime, 

	plays directory-contains:directory-contains-contained,
	plays directory-parent:directory-parent-contained,
	plays content-file:containing-file,
	plays body-raw-references:non-textual,
	plays malware-analysis-sample:malware-analysis-sample-sco-sample,
	plays malware-sample:malware-sco-sample,
	plays download:downloaded,
	plays process-image:executed-image,
	plays service-dll:loaded-dll,
	plays archive-extension:file,
	plays ntfs-extension:file,
	plays pdf-extension:file,
	plays raster-image-extension:file,
	plays windows-pebinary-extension:file;

#### SCO EXTENSIONS ####

SCO-extension sub stix-sub-object,
	plays extensions:extension;

	archive-ext sub SCO-extension,
		owns comment,
		plays directory-contains:directory-contains-container,
		plays archive-extension:an-archive;

	ntfs-ext sub SCO-extension,
		owns sid, 
		plays alt-data-streams:ntfs-ext,
		plays ntfs-extension:ntfs;

	alternate-data-stream sub SCO-extension, 
		owns name, 
		plays hashes:hash-owner,
		owns size, 
		plays alt-data-streams:alt-data-stream; 

	pdf-ext sub SCO-extension,
		owns version,
		owns is-optimized,
		owns pdfid0,
		owns pdfid1,
		plays doc-info:pdf,
		plays pdf-extension:pdf;

	doc-value sub stix-attribute-string;
	doc-key sub stix-attribute-string,
		owns doc-value,
		plays doc-info:info;

	raster-image-ext sub SCO-extension,
		owns image-height,
		owns image-width,
		owns bits-per-pixel,
		plays EXIF-tags:image,
		plays raster-image-extension:image; 
	
	EXIF-value sub stix-attribute-string;
	EXIF-key sub stix-attribute-string,
		owns EXIF-value,
		plays EXIF-tags:info;


	windows-pebinary-ext sub SCO-extension, 	
		owns pe-type,
		owns imphash,
		owns machine-hex,
		owns number-of-sections,
		owns time-date-stamp,
		owns pointer-to-symbol-table-hex,
		owns number-of-symbols,
		owns size-of-optional-header,
		owns characteristics-hex,
		plays hashes:hash-owner,
		plays optional-headers:pebinary,
		plays sections:pebinary,
		plays windows-pebinary-extension:pebinary;

	windows-pe-optional-header-type sub SCO-extension, 
		owns magic-hex,
		owns major-linker-version,
		owns minor-linker-version,
		owns size-of-code,
		owns size-of-initialized-data,
		owns size-of-uninitialized-data,
		owns address-of-entry-point,
		owns base-of-code,
		owns base-of-data,
		owns image-base,
		owns section-alignment,
		owns file-alignment,
		owns major-os-version,
		owns minor-os-version,
		owns major-image-version,
		owns minor-image-version,
		owns major-subsystem-version,
		owns minor-subsystem-version,
		owns win32-version-value-hex,
		owns size-of-image,
		owns size-of-headers,
		owns checksum-hex,
		owns subsystem-hex,
		owns dll-characteristics-hex,
		owns size-of-stack-reserve,
		owns size-of-stack-commit,
		owns size-of-heap-reserve,
		owns size-of-heap-commit,
		owns loader-flags-hex,
		owns number-of-rva-and-sizes, 
		plays hashes:hash-owner,
		plays optional-headers:optional-header;

	windows-pe-section sub SCO-extension,
		owns name, 
		owns size, 
		owns entropy, 
		plays hashes:hash-owner,
		plays sections:pe-section;

# 6.8 IPv4 Address
ipv4-addr sub stix-cyber-observable-object,
	owns stix-value, 
	plays resolves-to-ref:to-ref,
	plays resolves-to-ref:from-ref,
	plays belongs:belonged,
	plays communicates-with:communicated,
	plays traffic-src:source,
	plays traffic-dst:destination,
	#plays consist:consisted,
	plays resolve-to:resolves-from,
	plays resolve-to:resolves-to;

# 6.9 IPv6 Address
ipv6-addr sub stix-cyber-observable-object,
	owns stix-value, 
	plays resolves-to-ref:to-ref,
	plays resolves-to-ref:from-ref,
	plays belongs:belonged,
	plays communicates-with:communicated,
	plays traffic-src:source,
	plays traffic-dst:destination,
	#plays consist:consisted,
	plays resolve-to:resolves-from,
	plays resolve-to:resolves-to;

# 6.10 MAC Address
mac-addr sub stix-cyber-observable-object,
	owns stix-value,
	plays resolves-to-ref:to-ref,
	plays traffic-src:source,
	plays traffic-dst:destination,
	plays resolve-to:resolves-to;

# 6.11 Mutex
mutex sub stix-cyber-observable-object,
	owns name; 

# 6.12 Network Traffic - This should really be a relation? 
network-traffic sub stix-cyber-observable-object,
	owns start, 
	owns end,
	owns is-active, 
	owns protocols, 
	owns src-port,
	owns dst-port,
	owns src-byte-count,
	owns dst-byte-count,
	owns src-packets,
	owns dst-packets,
	plays traffic-src:traffic,
	plays payload-src:payload-src-traffic,
	plays traffic-dst:traffic,
	plays payload-dst:payload-dst-traffic,
	
	plays encapsulate:encapsulate-container,
	plays encapsulate:encapsulate-contained,
	plays encapsulated:encapsulated-container,
	plays encapsulated:encapsulated-contained,
	plays malware-analysis-sample:malware-analysis-sample-sco-sample,
	plays IPFIX-store:traffic,
	plays open-connections:opened-connection,
	plays http-request-extension:traffic,
	plays icmp-extension:traffic,
	plays socket-extension:traffic,
	plays tcp-extension:traffic;

	IPFIX-value sub stix-attribute-string;
	IPFIX-key sub stix-attribute-string,
		owns IPFIX-value,
		plays IPFIX-store:item;

#### SCO EXTENSIONS Pt 2 ####
	http-request-ext sub SCO-extension,
		owns request-method,
		owns request-value,
		owns request-version,
		owns request-header,
		owns message-body-length,
		plays HTTP-header:request,
		plays HTTP-body-data:HTPP-message,
		plays http-request-extension:request;

	HTTP-value sub stix-attribute-string;
	HTTP-key sub stix-attribute-string,
		owns HTTP-value,
		plays HTTP-header:header;


	icmp-ext sub SCO-extension,
		owns icmp-type-hex,
		owns icmp-code-hex,
		plays icmp-extension:icmp;

	socket-ext sub SCO-extension, 
		owns address-family, 
		owns is-blocking,
		owns is-listening,
		owns socket-type, 
		owns socket-descriptor,
		owns socket-handle,
		plays socket-options:socket,
		plays socket-extension:socket;

	socket-value sub stix-attribute-string;
	socket-key sub stix-attribute-string,
		owns socket-value,
		plays socket-options:option;

	tcp-ext sub SCO-extension,
		owns src-flags-hex,
		owns dst-flags-hex,
		plays tcp-extension:tcp;

# 6.13 Process 
process sub stix-cyber-observable-object,
	owns is-hidden, 
	owns pid,
	owns created-time,
	owns cwd,
	owns command-line,
	plays environment-variables:process,

	plays open-connections:process,
	plays user-created-by:created,
	plays process-image:process,
	plays process-parent:parent,
	plays process-parent:process,
	plays process-child:child,
	plays process-child:process,
	plays windows-process-extension:process,
	plays windows-service-extension:process;

	environment-value sub stix-attribute-string;
	environment-key sub stix-attribute-string,
		owns environment-value,
		plays environment-variables:env-variable;

	

#### SCO EXTENSIONS Pt 3 ####
	windows-process-ext sub SCO-extension,
		owns aslr-enabled,
		owns dep-enabled,
		owns priority,
		owns owner-sid,
		owns window-title,
		owns integrity-level,
		plays startup-info:process,
		plays windows-process-extension:win-process;

	startup-value sub stix-attribute-string;
	startup-key sub stix-attribute-string,
		owns startup-value,
		plays startup-info:info;

	windows-service-ext sub SCO-extension, 
		owns service-name,
		owns description,
		owns display-name,
		owns group-name,
		owns start-type,
		owns service-type,
		owns service-status,
		plays service-dll:process,
		plays windows-service-extension:win-service;


# 6.14 Software
software sub stix-cyber-observable-object,
	owns name, 
	owns cpe, 
	owns swid,
	owns language,
	owns vendor,
	owns version;

		

# 6.15 URL
url sub stix-cyber-observable-object,
	owns stix-value,
	plays communicates-with:communicated;

# 6.16 User Account
user-account sub stix-cyber-observable-object,
	owns user-id,
	owns credential,
	owns account-login,
	owns account-type,
	owns display-name,
	owns is-service-account,
	owns can-escalate-privs,
	owns is-disabled,
	owns account-created,
	owns account-expires,
	owns credential-last-changed,
	owns account-first-login,
	owns account-last-login,
	owns is-privileged,
	plays user-created-by:creator,
	plays belongs:belongs-to,
	plays unix-account-extension:account;

	unix-account-ext sub SCO-extension, 
		owns gid,
		owns unix-group,
		owns home-dir,
		owns shell,
		plays unix-account-extension:unix;

# 6.17 Windows Registry Key
windows-registry-key sub stix-cyber-observable-object, 
	owns attribute-key, 
	owns modified-time, 
	owns number-subkeys, 
	plays reg-val:reg-key,
	plays user-created-by:created;

windows-registry-value-type sub stix-sub-object,
	owns name, 
	owns data,
	owns data-type,
	plays reg-val:reg-value;

# 6.18 X.509 Certificate
x509-certificate sub stix-cyber-observable-object, 
	owns is-self-signed, 
	plays hashes:hash-owner,
	owns version,
	owns serial-number,
	owns signature-algorithm,
	owns issuer,
	owns validity-not-before,
	owns validity-not-after,
	owns subject,
	owns subject-public-key-algorithm,
	owns subject-public-key-modulus,
	owns subject-public-key-exponent,
	plays v3-extensions:cert;

	x509-v3-extension sub SCO-extension,
		owns basic-constraints,
		owns name-constraints,
		owns policy-constraints,
		owns key-usage,
		owns extended-key-usage,
		owns subject-key-identifier,
		owns authority-key-identifier,
		owns subject-alternative-name,
		owns issuer-alternative-name,
		owns subject-directory-attributes,
		owns crl-distribution-points,
		owns inhibit-any-policy,
		owns private-key-usage-period-not-before,
		owns private-key-usage-period-not-after,
		owns certificate-policies,
		owns policy-mappings,
		plays v3-extensions:v3-extension;

	

##### 7 STIX™ Meta Objects #####


# 7.1 Language Content 

# owns spec-version

# 7.2 Data markings - this describes how data can be used/shared

marking-definition sub stix-object,
    owns created,
    owns modified,
	owns name, 
	owns spec-version,
	plays created-by:created,
	plays data-marking:marking,
	plays data-marking:marked,
	plays external-references:referencing;

	statement-marking sub marking-definition, 
		owns statement; 

	tlp-marking sub marking-definition;
		tlp-white sub tlp-marking;
		tlp-green sub tlp-marking;
		tlp-amber sub tlp-marking;
		tlp-red sub tlp-marking;



# 7.3 Extension Definition
#-----------------------------------------------------------------------------------------------------------------------
#
# Extra Pieces
#-----------------------------------------------------------------------------------------------------------------------

##### Embedded Relations #####

embedded sub relation,
	relates pointed-to, # the object being pointed to
	relates owner; # the current object

	data-marking sub embedded, 
		relates marking as pointed-to,
		relates marked as owner;

		object-marking sub data-marking; 

		granular-marking sub data-marking,
			relates object;

	created-by sub embedded, 
		relates created as owner,
		relates creator as pointed-to;

	sample sub embedded, 
		relates sample-for as owner, 
		relates sco-sample as pointed-to;

		malware-sample sub sample, relates malware-sco-sample as sco-sample, relates malware-sample-sample-for as sample-for;
		malware-analysis-sample sub sample, relates malware-analysis-sample-sco-sample as sco-sample, relates malware-analysis-sample-sample-for as sample-for;

	kill-chain-usage sub embedded,
		relates kill-chain-used as owner,
		relates kill-chain-using as pointed-to;
		

	external-references sub embedded, 
		relates referenced as owner,
		relates referencing as pointed-to;

	hashes sub embedded,
		relates hash-owner as owner,
		relates hash-actual as pointed-to;

	malware-env sub embedded,
		relates object as owner,
		relates env as pointed-to;

		operating-system sub malware-env;   # operating_system_ref
		installed-software sub malware-env; # installed_software_refs
		host-vm-ref sub malware-env;            # host_vm_ref 
		captured-objects sub malware-env;   # analysis_sco_refs 

	obj-refs sub embedded, 
		relates referred as pointed-to,
		relates object as owner;

	# file or directory containing relation
	orig-container sub embedded,
		relates container as owner,
		relates contained as pointed-to;

		directory-contains sub orig-container, relates directory-contains-container as container, relates directory-contains-contained as contained;
		# network traffic enxapsulate
		encapsulate sub orig-container, relates encapsulate-container as container, relates encapsulate-contained as contained;

	
	# reverse file or directory containing relation
	orig-contained sub embedded,
		relates contained as owner,
		relates container as pointed-to;
		
		directory-parent sub orig-contained, relates directory-parent-contained as contained, relates directory-parent-container as container;
		# network-traffic encapsulated-by
		encapsulated sub orig-contained, relates encapsulated-contained as contained, relates encapsulated-container as container;

	# IP Address or Domain Name
	resolves-to-ref sub embedded,
		relates from-ref as owner,
		relates to-ref as pointed-to;

	# User Account email address belongs to
	belongs sub embedded,
		relates belonged as owner,
		relates belongs-to as pointed-to;

	# IP belongs to autonomous system
	belongs-to-autonomous sub belongs,
		relates belongs-to-autonomous as belongs-to;

	# Email specific relations
	body-multipart sub embedded, 
		relates email as owner,
		relates mime-part as pointed-to;
 
	raw-email-references sub embedded, 
		relates email as owner,
		relates binary as pointed-to;

	
	email-connection sub embedded, 
		relates email as owner,
		relates email-address as pointed-to;

		from-email sub email-connection, relates from-email-address as email-address;
		sender-email sub email-connection, relates sender-email-address as email-address;
		to-email sub email-connection, relates to-email-address as email-address;
		cc-email sub email-connection, relates cc-email-address as email-address;
		bcc-email sub email-connection, relates bcc-email-address as email-address;
	
	additional-header sub embedded,
		relates email as owner,
		relates item as pointed-to;

	body-raw-references sub embedded,
		relates containing-mime as owner,
		relates non-textual as pointed-to;

	# file relation
	content-file sub embedded, 
		relates containing-file as owner,
		relates content as pointed-to;

	# network-traffic SCO,
	traffic-src sub embedded, 
		relates traffic as owner,
		relates source as pointed-to;

		payload-src sub traffic-src,
			relates payload as source,
			relates payload-src-traffic as traffic;

	traffic-dst sub embedded, 
		relates traffic as owner,
		relates destination as pointed-to;

		payload-dst sub traffic-dst,
			relates payload as destination,
			relates payload-dst-traffic as traffic;

	IPFIX-store sub embedded, 
		relates traffic as owner,
		relates item as pointed-to;

	# HTTP Request Extension
	HTTP_Req_Headers sub embedded, 
		relates traffic as owner,
		relates item as pointed-to;	

	# Process Object
	environment-variables sub embedded, 
		relates process as owner,
		relates env-variable as pointed-to;

	
	open-connections sub embedded,
		relates opened-connection as pointed-to,
		relates process as owner;

	
	user-created-by sub embedded,
		relates created as owner,
		relates creator as pointed-to;

	process-image sub embedded,	
		relates executed-image as pointed-to,
		relates process as owner;

	process-parent sub embedded,
		relates parent as pointed-to,
		relates process as owner;

	process-child sub embedded,
		relates child as pointed-to,
		relates process as owner;

	# Windows Registry Key-Value
	reg-val sub embedded,
		relates reg-key as owner,
		relates reg-value as pointed-to;

	

		

	# Extension-Type Embedded Relations
	#-----------------------------------------------------------------------------------------------------------------------
	extensions sub embedded, 
		relates sco as owner,
		relates extension as pointed-to;

		archive-extension sub extensions,
			relates file as sco,
			relates an-archive as extension;

		ntfs-extension sub extensions,
			relates file as sco,
			relates ntfs as extension;

		alt-data-streams sub extensions,
			relates ntfs-ext as sco,
			relates alt-data-stream as extension;

		pdf-extension sub extensions,
			relates file as sco,
			relates pdf as extension;

		doc-info sub extensions,
			relates pdf as sco,
			relates info as extension;

		raster-image-extension sub extensions,
			relates file as sco,
			relates image as extension;
			
		EXIF-tags sub extensions,
			relates image as sco,
			relates info as extension;

		windows-pebinary-extension sub extensions,
			relates file as sco,
			relates pebinary as extension;
		
		optional-headers sub extensions, 
			relates pebinary as sco,
			relates optional-header as extension;

		
		sections sub extensions, 
			relates pe-section as extension,
			relates pebinary as sco;

		# HTTP Request Extension
		http-request-extension sub extensions,
			relates traffic as sco,
			relates request as extension;

		HTTP-header sub extensions, 
			relates request as sco,
			relates header as extension;

		HTTP-body-data sub extensions,
			relates contained-data as extension,
			relates HTPP-message as sco;

		icmp-extension sub extensions,
			relates traffic as sco,
			relates icmp as extension;

		# Socket Extension
		socket-extension sub extensions,
			relates traffic as sco,
			relates socket as extension;

		socket-options sub extensions, 
			relates socket as sco,
			relates option as extension;

		tcp-extension sub extensions,
			relates traffic as sco,
			relates tcp as extension;

		# windows process Extension
		windows-process-extension sub extensions,
			relates process as sco,
			relates win-process as extension;
		
		startup-info sub extensions, 
			relates process as sco,
			relates info as extension;

		# windows service extension		
		windows-service-extension sub extensions,
			relates process as sco,
			relates win-service as extension;

		service-dll sub extensions, 
			relates loaded-dll as extension,
			relates process as sco;

		# unix account extension
		unix-account-extension sub extensions,
			relates account as sco,
			relates unix as extension;

		# windows registry extension
		v3-extensions sub extensions,
			relates cert as sco,
			relates v3-extension as extension;



## INFERRED RELATIONS ## 

kill-chain sub relation, 
	owns kill-chain-name, 
	relates participating-kill-chain-phase; 

inferred-mitigation sub mitigates,
	relates inferred-mitigation-mitigated as mitigated;


##### ATTRIBUTES #####

stix-attribute-string sub attribute, value string, abstract,
	plays data-marking:marked;

	stix-type sub stix-attribute-string;
	stix-id sub stix-attribute-string;
	stix-value sub stix-attribute-string;
	object-marking-refs sub stix-attribute-string;
	labels sub stix-attribute-string;
	langs sub stix-attribute-string;
	source-name sub stix-attribute-string;
	description sub stix-attribute-string;
	url-link sub stix-attribute-string;
	external-id sub stix-attribute-string;
	hash-value sub stix-attribute-string;

	kill-chain-name sub stix-attribute-string; 
	phase-name sub stix-attribute-string; 
	name sub stix-attribute-string; 
	sector sub stix-attribute-string; 
	contact-information sub stix-attribute-string; 
	indicator-type sub stix-attribute-string; 
	pattern sub stix-attribute-string; 
	pattern-type sub stix-attribute-string; 
	pattern-version sub stix-attribute-string; 
	

	malware-types sub stix-attribute-string; 
	architecture-execution-envs sub stix-attribute-string; 
	implementation-languages sub stix-attribute-string; 
	capabilities sub stix-attribute-string; 
	sample-refs sub stix-attribute-string; 

	 
	object sub stix-attribute-string; 

	threat-actor-type sub stix-attribute-string; 
	aliases sub stix-attribute-string; 
	stix-role sub stix-attribute-string; 
	goals sub stix-attribute-string; 
	sophistication sub stix-attribute-string; 
	resource-level sub stix-attribute-string; 
	primary-motivation sub stix-attribute-string; 
	secondary-motivations sub stix-attribute-string; 
	personal-motivations sub stix-attribute-string; 
	identity-class sub stix-attribute-string;

	summary sub stix-attribute-string; 
	spec-version sub stix-attribute-string; 
	attribute-key sub stix-attribute-string; 
#	value sub stix-attribute-string;
	number-subkeys sub stix-attribute-string; 
	objective sub stix-attribute-string;
	statement sub stix-attribute-string;
	action sub stix-attribute-string;  
	tool-type sub stix-attribute-string; # OPEN VOCAB?
	tool-version sub stix-attribute-string; 

	region sub stix-attribute-string; # open vocab TODO (10.21 Region Vocabulary)
	country sub stix-attribute-string; 
	administrative-area sub stix-attribute-string; 
	city sub stix-attribute-string; 
	street-address sub stix-attribute-string; 
	postal-code sub stix-attribute-string; 
	infrastructure-types sub stix-attribute-string;
	context sub stix-attribute-string;

	product sub stix-attribute-string;
	version sub stix-attribute-string;
	configuration-version sub stix-attribute-string;
	module sub stix-attribute-string;
	analysis-engine-version sub stix-attribute-string;
	analysis-definition-version sub stix-attribute-string;
	result-name sub stix-attribute-string;
	result sub stix-attribute-string;

	note-abstract sub stix-attribute-string;
	content sub stix-attribute-string;
	report-type sub stix-attribute-string;
	explanation sub stix-attribute-string;
	authors sub stix-attribute-string;
	opinion-enum sub stix-attribute-string;
	imphash sub stix-attribute-string;
	magic-number-hex sub stix-attribute-string;
	pe-type sub stix-attribute-string;
	name-enc sub stix-attribute-string;
	mime-type sub stix-attribute-string;
	payload-bin sub stix-attribute-string;
	encryption-algorithm sub stix-attribute-string;
	decryption-key sub stix-attribute-string;
	rir sub stix-attribute-string;
	path sub stix-attribute-string;
	path-enc sub stix-attribute-string;

	display-name sub stix-attribute-string;
	content-type sub stix-attribute-string;
	message-id sub stix-attribute-string;
	subject sub stix-attribute-string;
	received-lines sub stix-attribute-string;
	body sub stix-attribute-string;

	socket-value sub stix-attribute-string;
	socket-key sub stix-attribute-string;
	HTTP-value sub stix-attribute-string;
	HTTP-key sub stix-attribute-string;
	IPFIX-value sub stix-attribute-string;
	IPFIX-key sub stix-attribute-string;
	relationship-type sub stix-attribute-string;
	

	content-disposition sub stix-attribute-string;
	sid sub stix-attribute-string;
	is-optimized sub stix-attribute-string;
	pdfid0 sub stix-attribute-string;
	pdfid1 sub stix-attribute-string;
	exif-tags sub stix-attribute-string;

	machine-hex sub stix-attribute-string;
	pointer-to-symbol-table-hex sub stix-attribute-string;
	characteristics-hex sub stix-attribute-string;
	loader-flags-hex sub stix-attribute-string;
	dll-characteristics-hex sub stix-attribute-string;
	win32-version-value-hex sub stix-attribute-string;
	magic-hex sub stix-attribute-string;
	protocols sub stix-attribute-string;
	ipfix sub stix-attribute-string;

	icmp-type-hex sub stix-attribute-string;
	icmp-code-hex sub stix-attribute-string;
	request-method sub stix-attribute-string;
	request-value sub stix-attribute-string;
	request-version sub stix-attribute-string;
	request-header sub stix-attribute-string;
	address-family sub stix-attribute-string;
	options sub stix-attribute-string;
	socket-type sub stix-attribute-string;
	src-flags-hex sub stix-attribute-string;
	dst-flags-hex sub stix-attribute-string;

	checksum-hex sub stix-attribute-string;
	subsystem-hex sub stix-attribute-string;	
	cwd sub stix-attribute-string;
	command-line sub stix-attribute-string;
	priority sub stix-attribute-string;
	owner-sid sub stix-attribute-string;
	window-title sub stix-attribute-string;
	integrity-level sub stix-attribute-string;
	service-name sub stix-attribute-string;
	display-name sub stix-attribute-string;
	group-name sub stix-attribute-string;
	start-type sub stix-attribute-string;
	service-type sub stix-attribute-string;
	service-status sub stix-attribute-string;

	cpe sub stix-attribute-string;
	swid sub stix-attribute-string;
	language sub stix-attribute-string;
	vendor sub stix-attribute-string;
	user-id sub stix-attribute-string;
	credential sub stix-attribute-string;
	account-login sub stix-attribute-string;
	account-type sub stix-attribute-string;
	display-name sub stix-attribute-string;

	unix-group sub stix-attribute-string;
	home-dir sub stix-attribute-string;
	shell sub stix-attribute-string;
	data-type sub stix-attribute-string;
	serial-number sub stix-attribute-string;
	signature-algorithm sub stix-attribute-string;
	issuer sub stix-attribute-string;
	subject-public-key-algorithm sub stix-attribute-string;
	subject-public-key-modulus sub stix-attribute-string;

	basic-constraints sub stix-attribute-string;
	name-constraints sub stix-attribute-string;
	policy-constraints sub stix-attribute-string;
	key-usage sub stix-attribute-string;
	extended-key-usage sub stix-attribute-string;
	subject-key-identifier sub stix-attribute-string;
	authority-key-identifier sub stix-attribute-string;
	subject-alternative-name sub stix-attribute-string;
	issuer-alternative-name sub stix-attribute-string;
	subject-directory-attributes sub stix-attribute-string;
	crl-distribution-points sub stix-attribute-string;
	inhibit-any-policy sub stix-attribute-string;
	certificate-policies sub stix-attribute-string;
	policy-mappings sub stix-attribute-string;
	data sub stix-attribute-string;
	comment sub stix-attribute-string;

stix-attribute-integer sub attribute, value long, abstract,
	plays data-marking:marked;

	gid sub stix-attribute-integer;
	image-height sub stix-attribute-integer;
	image-width sub stix-attribute-integer;
	bits-per-pixel sub stix-attribute-integer;
	confidence sub stix-attribute-integer;

	number-of-sections sub stix-attribute-integer;
	number-of-symbols sub stix-attribute-integer;
	size-of-optional-header sub stix-attribute-integer;
	
	major-linker-version sub stix-attribute-integer;
	minor-linker-version sub stix-attribute-integer;
	size-of-code sub stix-attribute-integer;
	size-of-initialized-data sub stix-attribute-integer;
	size-of-uninitialized-data sub stix-attribute-integer;
	address-of-entry-point sub stix-attribute-integer;
	base-of-code sub stix-attribute-integer;
	base-of-data sub stix-attribute-integer;
	image-base sub stix-attribute-integer;
	section-alignment sub stix-attribute-integer;
	file-alignment sub stix-attribute-integer;
	major-os-version sub stix-attribute-integer;
	minor-os-version sub stix-attribute-integer;
	major-image-version sub stix-attribute-integer;
	minor-image-version sub stix-attribute-integer;
	major-subsystem-version sub stix-attribute-integer;
	minor-subsystem-version sub stix-attribute-integer;
	size-of-image sub stix-attribute-integer;
	size-of-headers sub stix-attribute-integer;
	size-of-stack-reserve sub stix-attribute-integer;
	size-of-stack-commit sub stix-attribute-integer;
	size-of-heap-reserve sub stix-attribute-integer;
	size-of-heap-commit sub stix-attribute-integer;
	number-of-rva-and-sizes sub stix-attribute-integer;
	number-observed sub stix-attribute-integer;
	size sub stix-attribute-integer; 

	src-port sub stix-attribute-integer; 
	dst-port sub stix-attribute-integer; 
	src-byte-count sub stix-attribute-integer; 
	dst-byte-count sub stix-attribute-integer; 
	src-packets sub stix-attribute-integer; 
	dst-packets sub stix-attribute-integer; 
	
	

stix-attribute-double sub attribute, value double, abstract,
	plays data-marking:marked;

	latitude sub stix-attribute-double;
	longitude sub stix-attribute-double;
	precision sub stix-attribute-double;
	
	sighting-count sub stix-attribute-double;
	number sub stix-attribute-double;
	
	entropy sub stix-attribute-double;
	message-body-length sub stix-attribute-double;
	socket-descriptor sub stix-attribute-double;
	socket-handle sub stix-attribute-double;
	pid sub stix-attribute-double;
	subject-public-key-exponent sub stix-attribute-double;

stix-attribute-boolean sub attribute, value boolean, abstract, 
	plays data-marking:marked;

	revoked sub stix-attribute-boolean;
	is-family sub stix-attribute-boolean;
	is-multipart sub stix-attribute-boolean;
	is-active sub stix-attribute-boolean;
	is-blocking sub stix-attribute-boolean;
	is-listening sub stix-attribute-boolean;
	is-hidden sub stix-attribute-boolean;
	aslr-enabled sub stix-attribute-boolean;
	dep-enabled sub stix-attribute-boolean;
	is-service-account sub stix-attribute-boolean;
	is-privileged sub stix-attribute-boolean;
	can-escalate-privs sub stix-attribute-boolean;
	is-disabled sub stix-attribute-boolean;
	is-self-signed sub stix-attribute-boolean;
	defanged sub stix-attribute-boolean;
	

stix-attribute-timestamp sub attribute, value datetime, abstract, 
	plays data-marking:marked;

	date sub stix-attribute-timestamp;
	submitted sub stix-attribute-timestamp;
	analysis-started sub stix-attribute-timestamp;
	analysis-ended sub stix-attribute-timestamp;
	published sub stix-attribute-timestamp;
	ctime sub stix-attribute-timestamp;
	mtime sub stix-attribute-timestamp;
	atime sub stix-attribute-timestamp;
	time-date-stamp sub stix-attribute-timestamp;
	start sub stix-attribute-timestamp;
	end sub stix-attribute-timestamp;
	created-time sub stix-attribute-timestamp;
	account-created sub stix-attribute-timestamp;
	account-expires sub stix-attribute-timestamp;
	credential-last-changed sub stix-attribute-timestamp;
	account-first-login sub stix-attribute-timestamp;
	account-last-login sub stix-attribute-timestamp;
	validity-not-before sub stix-attribute-timestamp;
	validity-not-after sub stix-attribute-timestamp;
	private-key-usage-period-not-before sub stix-attribute-timestamp;
	private-key-usage-period-not-after sub stix-attribute-timestamp;
	start-time sub stix-attribute-timestamp;
	stop-time sub stix-attribute-timestamp;
	created sub stix-attribute-timestamp;
	modified sub stix-attribute-timestamp;
	valid-from sub stix-attribute-timestamp; 
	valid-until sub stix-attribute-timestamp; 
	
	modified-time sub stix-attribute-timestamp; 
	first-seen sub stix-attribute-timestamp; 
	last-seen sub stix-attribute-timestamp; 
	first-observed sub stix-attribute-timestamp; 
	last-observed sub stix-attribute-timestamp;
	

custom-attribute sub attribute, value string, 
	plays data-marking:marked,
	owns attribute-type; 

attribute-type sub attribute, value string;