Skip to content

Slot: extensions

Open-ended extension payloads.

URI: stix:extensions Alias: extensions

Applicable Classes

Name Description Modifies Slot
File The File Object represents the properties of a file no
UserAccount The User Account Object represents an instance of any type of user account, i... no
MacAddr The MAC Address Object represents a single Media Access Control (MAC) address no
WindowsRegistryKey The Registry Key Object represents the properties of a Windows registry key no
Malware Malware is a type of TTP that is also known as malicious code and malicious s... no
Incident The Incident object in STIX 2 no
Grouping A Grouping object explicitly asserts that the referenced STIX Objects have a ... no
CyberObservableObject no
NetworkTraffic The Network Traffic Object represents arbitrary network traffic that originat... no
DomainName The Domain Name represents the properties of a network domain name no
Url The URL Object represents the properties of a uniform resource locator (URL) no
Core Common properties and behavior across all STIX Domain Objects and STIX Relati... no
ExtensionDefinition The STIX Extension Definition object allows producers of threat intelligence ... no
StixRelationshipObject no
Location A Location represents a geographic location no
Campaign A Campaign is a grouping of adversary behavior that describes a set of malici... no
Infrastructure Infrastructure objects describe systems, software services, and associated ph... no
MalwareAnalysis Malware Analysis captures the metadata and results of a particular analysis p... no
ObservedData Observed data conveys information that was observed on systems and networks, ... no
ThreatActor Threat Actors are actual individuals, groups, or organizations believed to be... no
MarkingDefinition The marking-definition object represents a specific marking no
Ipv4Addr The IPv4 Address Object represents one or more IPv4 addresses expressed using... no
EmailMessage The Email Message Object represents an instance of an email message no
X509Certificate The X509 Certificate Object represents the properties of an X no
Ipv6Addr The IPv6 Address Object represents one or more IPv6 addresses expressed using... no
Opinion An Opinion is an assessment of the correctness of the information in a STIX O... no
EmailAddr The Email Address Object represents a single email address no
AttackPattern Attack Patterns are a type of TTP that describe ways that adversaries attempt... no
Indicator Indicators contain a pattern that can be used to detect suspicious or malicio... no
Vulnerability A Vulnerability is a mistake in software that can be directly used by a hacke... no
Identity Identities can represent actual individuals, organizations, or groups (e no
Tool Tools are legitimate software that can be used by threat actors to perform at... no
CyberObservableCore Common properties and behavior across all Cyber Observable Objects no
CourseOfAction A Course of Action is an action taken either to prevent an attack or to respo... no
Sighting A Sighting denotes the belief that something in CTI (e no
Mutex The Mutex Object represents the properties of a mutual exclusion (mutex) obje... no
LanguageContent The language-content object represents text content for STIX Objects represen... no
Relationship The Relationship object is used to link together two SDOs in order to describ... no
Software The Software Object represents high-level properties associated with software... no
Artifact The Artifact Object permits capturing an array of bytes (8-bits), as a base64... no
StixDomainObject no
Report Reports are collections of threat intelligence focused on one or more topics,... no
Note A Note is a comment or note containing informative text to help explain the c... no
IntrusionSet An Intrusion Set is a grouped set of adversary behavior and resources with co... no
Directory The Directory Object represents the properties common to a file system direct... no
AutonomousSystem The AS object represents the properties of an Autonomous Systems (AS) no
Process The Process Object represents common properties of an instance of a computer ... no

Properties

Type and Range

Property Value
Range String
Domain Of Core, CyberObservableCore, MarkingDefinition, File

Cardinality and Requirements

Property Value
Multivalued Yes

Comments

  • jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values

Notes

  • JSON Schema uses patternProperties for extension keys; exact key validation is delegated to validator tooling.

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/stix

Mappings

Mapping Type Mapped Value
self stix:extensions
native stix:extensions
related unified_cyber_ontology:hasFacet

LinkML Source

name: extensions
description: Open-ended extension payloads.
notes:
- JSON Schema uses patternProperties for extension keys; exact key validation is delegated
  to validator tooling.
comments:
- 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
from_schema: https://w3id.org/lmodel/stix
related_mappings:
- unified_cyber_ontology:hasFacet
rank: 1000
alias: extensions
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
- File
range: string
multivalued: true