Class: ThreatActor
Threat actor is responsible for the observed malicious activity.
URI: ocsf:ThreatActor
```mermaid
classDiagram
    class ThreatActor
    click ThreatActor href "../ThreatActor/"
    Object <|-- ThreatActor
    click Object href "../Object/"
    ThreatActor : name
    ThreatActor : type
    ThreatActor : type_id
    ThreatActor --> "0..1 _recommended_" ThreatActorTypeIdEnum : type_id
    click ThreatActorTypeIdEnum href "../ThreatActorTypeIdEnum/"
```
Inheritance
- OcsfObject
- Object
- ThreatActor
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| name | 1 String | The name of the threat actor | direct |
| type | 0..1 String | The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats. | direct |
| type_id | 0..1 recommended ThreatActorTypeIdEnum | The normalized datastore resource type identifier | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Osint | threat_actor | range | ThreatActor |
In Subsets
Aliases
- Threat Actor
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:ThreatActor |
| native | ocsf:ThreatActor |
| exact | stix:ThreatActor |
| close | attack:Group |
LinkML Source
Direct
```yaml
name: ThreatActor
description: Threat actor is responsible for the observed malicious activity.
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Threat Actor
exact_mappings:
- stix:ThreatActor
close_mappings:
- attack:Group
is_a: Object
slots:
- name
- type
- type_id
slot_usage:
  name:
    name: name
    description: The name of the threat actor.
    required: true
  type:
    name: type
    description: 'The classification of the threat actor based on their motivations,
      capabilities, or affiliations. Common types include nation-state actors,
      cybercriminal groups, hacktivists, or insider threats.'
  type_id:
    name: type_id
    description: The normalized datastore resource type identifier.
    range: ThreatActorTypeIdEnum
    recommended: true
```
Induced
```yaml
name: ThreatActor
description: Threat actor is responsible for the observed malicious activity.
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Threat Actor
exact_mappings:
- stix:ThreatActor
close_mappings:
- attack:Group
is_a: Object
slot_usage:
  name:
    name: name
    description: The name of the threat actor.
    required: true
  type:
    name: type
    description: 'The classification of the threat actor based on their motivations,
      capabilities, or affiliations. Common types include nation-state actors,
      cybercriminal groups, hacktivists, or insider threats.'
  type_id:
    name: type_id
    description: The normalized datastore resource type identifier.
    range: ThreatActorTypeIdEnum
    recommended: true
attributes:
  name:
    name: name
    description: The name of the threat actor.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: ThreatActor
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    required: true
  type:
    name: type
    description: 'The classification of the threat actor based on their motivations,
      capabilities, or affiliations. Common types include nation-state actors,
      cybercriminal groups, hacktivists, or insider threats.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: ThreatActor
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The normalized datastore resource type identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: ThreatActor
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: ThreatActorTypeIdEnum
    recommended: true
```