Relationship type compatibility tables#

The sections on this page describe the available relationship types for each source/target entity combination, and their STIX compatibility.

A relationship is an object that links two entities together:

  • a ‘source’ entity, and

  • a ‘target’ entity.

Depending on the source and target entity, certain relationship types are available for use. These relationship types have varying compatibility with STIX 2.1 and STIX 1.2.

For more information about relationship objects and STIX compatibility, see Relationships.

Attack-pattern#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

attack-pattern

delivers

malware

NO

YES

NO

attack-pattern

related-to

attack-pattern

YES

YES

NO

attack-pattern

related-to

campaign

YES

YES

NO

attack-pattern

related-to

course-of-action

YES

YES

NO

attack-pattern

related-to

eclecticiq-sighting

YES

YES

NO

attack-pattern

related-to

incident

YES

YES

NO

attack-pattern

related-to

indicator

YES

YES

NO

attack-pattern

related-to

infrastructure

YES

YES

NO

attack-pattern

related-to

intrusion-set

YES

YES

NO

attack-pattern

related-to

location

YES

YES

NO

attack-pattern

related-to

malware-analysis

YES

YES

NO

attack-pattern

related-to

report

YES

YES

NO

attack-pattern

related-to

threat-actor

YES

YES

NO

attack-pattern

related-to

ttp

YES

YES

NO

attack-pattern

targets

identity

YES

YES

NO

attack-pattern

targets

location

YES

YES

NO

attack-pattern

targets

vulnerability

YES

YES

NO

attack-pattern

uses

malware

YES

YES

NO

attack-pattern

uses

tool

YES

YES

NO

Campaign#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

campaign

associated-to

campaign

NO

NO

YES

campaign

attributed-to

intrusion-set

YES

YES

NO

campaign

attributed-to

threat-actor

YES

YES

NO

campaign

compromises

infrastructure

NO

YES

NO

campaign

originates-from

location

NO

YES

NO

campaign

related-to

campaign

YES

YES

NO

campaign

related-to

course-of-action

YES

YES

NO

campaign

related-to

eclecticiq-sighting

YES

YES

NO

campaign

related-to

incident

YES

YES

NO

campaign

related-to

indicator

YES

YES

NO

campaign

related-to

location

YES

YES

NO

campaign

related-to

malware-analysis

YES

YES

NO

campaign

related-to

report

YES

YES

NO

campaign

related-to

ttp

YES

YES

YES

campaign

targets

identity

YES

YES

YES

campaign

targets

location

NO

YES

NO

campaign

targets

vulnerability

YES

YES

NO

campaign

uses

attack-pattern

YES

YES

NO

campaign

uses

infrastructure

YES

YES

NO

campaign

uses

malware

YES

YES

NO

campaign

uses

tool

YES

YES

NO

Course-of-action#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

course-of-action

investigates

indicator

YES

YES

NO

course-of-action

mitigates

attack-pattern

YES

YES

NO

course-of-action

mitigates

indicator

NO

YES

NO

course-of-action

mitigates

malware

YES

YES

NO

course-of-action

mitigates

tool

YES

YES

NO

course-of-action

mitigates

vulnerability

YES

YES

NO

course-of-action

related-to

campaign

YES

YES

NO

course-of-action

related-to

course-of-action

YES

YES

YES

course-of-action

related-to

eclecticiq-sighting

YES

YES

NO

course-of-action

related-to

identity

YES

YES

NO

course-of-action

related-to

incident

YES

YES

NO

course-of-action

related-to

infrastructure

YES

YES

NO

course-of-action

related-to

intrusion-set

YES

YES

NO

course-of-action

related-to

location

YES

YES

NO

course-of-action

related-to

malware-analysis

YES

YES

NO

course-of-action

related-to

report

YES

YES

NO

course-of-action

related-to

threat-actor

YES

YES

NO

course-of-action

related-to

ttp

YES

YES

NO

course-of-action

remediates

malware

NO

YES

NO

course-of-action

remediates

vulnerability

NO

YES

NO

Sighting#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

eclecticiq-sighting

related-to

attack-pattern

YES

NO

NO

eclecticiq-sighting

related-to

campaign

YES

NO

NO

eclecticiq-sighting

related-to

course-of-action

YES

NO

NO

eclecticiq-sighting

related-to

eclecticiq-sighting

YES

NO

NO

eclecticiq-sighting

related-to

identity

YES

NO

NO

eclecticiq-sighting

related-to

incident

YES

NO

NO

eclecticiq-sighting

related-to

indicator

YES

NO

NO

eclecticiq-sighting

related-to

infrastructure

YES

NO

NO

eclecticiq-sighting

related-to

intrusion-set

YES

NO

NO

eclecticiq-sighting

related-to

location

YES

NO

NO

eclecticiq-sighting

related-to

malware

YES

NO

NO

eclecticiq-sighting

related-to

malware-analysis

YES

NO

NO

eclecticiq-sighting

related-to

report

YES

NO

NO

eclecticiq-sighting

related-to

threat-actor

YES

NO

NO

eclecticiq-sighting

related-to

tool

YES

NO

NO

eclecticiq-sighting

related-to

ttp

YES

NO

NO

eclecticiq-sighting

related-to

vulnerability

YES

YES

NO

Identity#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

identity

located-at

location

YES

YES

NO

identity

related-to

attack-pattern

YES

YES

NO

identity

related-to

campaign

YES

YES

NO

identity

related-to

course-of-action

YES

YES

NO

identity

related-to

eclecticiq-sighting

YES

YES

NO

identity

related-to

identity

YES

YES

NO

identity

related-to

incident

YES

YES

NO

identity

related-to

indicator

YES

YES

NO

identity

related-to

infrastructure

YES

YES

NO

identity

related-to

intrusion-set

YES

YES

NO

identity

related-to

malware

YES

YES

NO

identity

related-to

malware-analysis

YES

YES

NO

identity

related-to

report

YES

YES

NO

identity

related-to

threat-actor

YES

YES

NO

identity

related-to

tool

YES

YES

NO

identity

related-to

ttp

YES

YES

NO

identity

related-to

vulnerability

YES

YES

NO

Incident#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

incident

attributed-to

threat-actor

NO

YES

YES

incident

leveraged

ttp

YES

YES

YES

incident

related-to

attack-pattern

YES

YES

NO

incident

related-to

campaign

YES

YES

NO

incident

related-to

course-of-action

YES

YES

NO

incident

related-to

eclecticiq-sighting

YES

YES

NO

incident

related-to

identity

YES

YES

NO

incident

related-to

incident

YES

YES

YES

incident

related-to

indicator

YES

YES

YES

incident

related-to

infrastructure

YES

YES

NO

incident

related-to

intrusion-set

YES

YES

NO

incident

related-to

location

YES

YES

NO

incident

related-to

malware

YES

YES

NO

incident

related-to

malware-analysis

YES

YES

NO

incident

related-to

report

YES

YES

NO

incident

related-to

threat-actor

YES

YES

NO

incident

related-to

tool

YES

YES

NO

incident

related-to

vulnerability

YES

YES

NO

Indicator#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

indicator

indicates

attack-pattern

YES

YES

NO

indicator

indicates

campaign

YES

YES

NO

indicator

indicates

infrastructure

YES

YES

NO

indicator

indicates

intrusion-set

YES

YES

NO

indicator

indicates

malware

YES

YES

NO

indicator

indicates

threat-actor

YES

YES

NO

indicator

indicates

tool

YES

YES

NO

indicator

related-to

campaign

NO

YES

YES

indicator

related-to

eclecticiq-sighting

YES

YES

NO

indicator

related-to

identity

YES

YES

NO

indicator

related-to

incident

YES

YES

NO

indicator

related-to

indicator

YES

YES

YES

indicator

related-to

location

YES

YES

NO

indicator

related-to

malware-analysis

YES

YES

NO

indicator

related-to

report

YES

YES

NO

indicator

related-to

ttp

YES

YES

YES

indicator

related-to

vulnerability

YES

YES

NO

indicator

suggests

course-of-action

YES

NO

YES

Infrastructure#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

infrastructure

communicates-with

infrastructure

NO

YES

NO

infrastructure

consists-of

infrastructure

NO

YES

NO

infrastructure

controls

infrastructure

NO

YES

NO

infrastructure

controls

malware

NO

YES

NO

infrastructure

delivers

malware

NO

YES

NO

infrastructure

has

vulnerability

YES

YES

NO

infrastructure

hosts

malware

NO

YES

NO

infrastructure

hosts

tool

YES

YES

NO

infrastructure

located-at

location

YES

YES

NO

infrastructure

related-to

attack-pattern

YES

YES

NO

infrastructure

related-to

campaign

YES

YES

NO

infrastructure

related-to

course-of-action

YES

YES

NO

infrastructure

related-to

eclecticiq-sighting

YES

YES

NO

infrastructure

related-to

identity

YES

YES

NO

infrastructure

related-to

incident

YES

YES

NO

infrastructure

related-to

indicator

YES

YES

NO

infrastructure

related-to

infrastructure

YES

YES

NO

infrastructure

related-to

intrusion-set

YES

YES

NO

infrastructure

related-to

malware

YES

YES

NO

infrastructure

related-to

malware-analysis

YES

YES

NO

infrastructure

related-to

report

YES

YES

NO

infrastructure

related-to

threat-actor

YES

YES

NO

infrastructure

related-to

ttp

YES

YES

NO

infrastructure

uses

infrastructure

NO

YES

NO

Intrusion-set#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

intrusion-set

attributed-to

threat-actor

YES

YES

NO

intrusion-set

compromises

infrastructure

NO

YES

NO

intrusion-set

hosts

infrastructure

NO

YES

NO

intrusion-set

originates-from

location

NO

YES

NO

intrusion-set

owns

infrastructure

NO

YES

NO

intrusion-set

related-to

campaign

YES

YES

NO

intrusion-set

related-to

course-of-action

YES

YES

NO

intrusion-set

related-to

eclecticiq-sighting

YES

YES

NO

intrusion-set

related-to

incident

YES

YES

NO

intrusion-set

related-to

indicator

YES

YES

NO

intrusion-set

related-to

intrusion-set

YES

YES

NO

intrusion-set

related-to

location

YES

YES

NO

intrusion-set

related-to

malware-analysis

YES

YES

NO

intrusion-set

related-to

report

YES

YES

NO

intrusion-set

related-to

ttp

YES

YES

NO

intrusion-set

targets

identity

YES

YES

NO

intrusion-set

targets

location

NO

YES

NO

intrusion-set

targets

vulnerability

YES

YES

NO

intrusion-set

uses

attack-pattern

YES

YES

NO

intrusion-set

uses

infrastructure

YES

YES

NO

intrusion-set

uses

malware

YES

YES

NO

intrusion-set

uses

tool

YES

YES

NO

Location#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

location

related-to

attack-pattern

YES

YES

NO

location

related-to

campaign

YES

YES

NO

location

related-to

course-of-action

YES

YES

NO

location

related-to

eclecticiq-sighting

YES

YES

NO

location

related-to

identity

YES

YES

NO

location

related-to

incident

YES

YES

NO

location

related-to

indicator

YES

YES

NO

location

related-to

infrastructure

YES

YES

NO

location

related-to

intrusion-set

YES

YES

NO

location

related-to

location

YES

YES

NO

location

related-to

malware

YES

YES

NO

location

related-to

malware-analysis

YES

YES

NO

location

related-to

report

YES

YES

NO

location

related-to

threat-actor

YES

YES

NO

location

related-to

tool

YES

YES

NO

location

related-to

ttp

YES

YES

NO

location

related-to

vulnerability

YES

YES

NO

Malware#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

malware

authored-by

intrusion-set

YES

YES

NO

malware

authored-by

threat-actor

YES

YES

NO

malware

beacons-to

infrastructure

NO

YES

NO

malware

controls

malware

NO

YES

NO

malware

downloads

malware

NO

YES

NO

malware

downloads

tool

NO

YES

NO

malware

drops

malware

NO

YES

NO

malware

drops

tool

NO

YES

NO

malware

exfiltrates-to

infrastructure

NO

YES

NO

malware

exploits

vulnerability

YES

YES

NO

malware

originates-from

location

NO

YES

NO

malware

related-to

campaign

YES

YES

NO

malware

related-to

course-of-action

YES

YES

NO

malware

related-to

eclecticiq-sighting

YES

YES

NO

malware

related-to

incident

YES

YES

NO

malware

related-to

location

YES

YES

NO

malware

related-to

malware-analysis

YES

YES

NO

malware

related-to

report

YES

YES

NO

malware

related-to

ttp

YES

YES

NO

malware

targets

identity

YES

YES

NO

malware

targets

infrastructure

NO

YES

NO

malware

targets

location

NO

YES

NO

malware

targets

vulnerability

NO

YES

NO

malware

uses

attack-pattern

YES

YES

NO

malware

uses

infrastructure

YES

YES

NO

malware

uses

malware

YES

YES

NO

malware

uses

tool

YES

YES

NO

malware

variant-of

malware

NO

YES

NO

Malware-analysis#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

malware-analysis

analysis-of

malware

YES

YES

NO

malware-analysis

characterizes

malware

NO

YES

NO

malware-analysis

dynamic-analysis-of

malware

NO

YES

NO

malware-analysis

related-to

attack-pattern

YES

YES

NO

malware-analysis

related-to

campaign

YES

YES

NO

malware-analysis

related-to

course-of-action

YES

YES

NO

malware-analysis

related-to

eclecticiq-sighting

YES

YES

NO

malware-analysis

related-to

identity

YES

YES

NO

malware-analysis

related-to

incident

YES

YES

NO

malware-analysis

related-to

indicator

YES

YES

NO

malware-analysis

related-to

infrastructure

YES

YES

NO

malware-analysis

related-to

intrusion-set

YES

YES

NO

malware-analysis

related-to

location

YES

YES

NO

malware-analysis

related-to

malware-analysis

YES

YES

NO

malware-analysis

related-to

report

YES

YES

NO

malware-analysis

related-to

threat-actor

YES

YES

NO

malware-analysis

related-to

tool

YES

YES

NO

malware-analysis

related-to

ttp

YES

YES

NO

malware-analysis

related-to

vulnerability

YES

YES

NO

malware-analysis

static-analysis-of

malware

NO

YES

NO

Report#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

report

related-to

attack-pattern

YES

YES

NO

report

related-to

campaign

YES

YES

YES

report

related-to

course-of-action

YES

YES

NO

report

related-to

eclecticiq-sighting

YES

YES

NO

report

related-to

identity

YES

YES

NO

report

related-to

incident

YES

YES

NO

report

related-to

indicator

YES

YES

NO

report

related-to

infrastructure

YES

YES

NO

report

related-to

intrusion-set

YES

YES

NO

report

related-to

location

YES

YES

NO

report

related-to

malware

YES

YES

NO

report

related-to

malware-analysis

YES

YES

NO

report

related-to

report

YES

YES

YES

report

related-to

threat-actor

YES

YES

NO

report

related-to

tool

YES

YES

NO

report

related-to

vulnerability

YES

YES

NO

report

reports

campaign

NO

YES

YES

report

reports

course-of-action

NO

YES

YES

report

reports

incident

NO

YES

YES

report

reports

indicator

NO

YES

YES

report

reports

threat-actor

NO

NO

YES

report

reports

ttp

YES

NO

YES

report

reports

vulnerability

NO

YES

YES

Threat-actor#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

threat-actor

associated-to

campaign

NO

YES

YES

threat-actor

associated-to

threat-actor

YES

YES

YES

threat-actor

attributed-to

identity

NO

YES

NO

threat-actor

compromises

infrastructure

NO

YES

NO

threat-actor

hosts

infrastructure

NO

YES

NO

threat-actor

impersonates

identity

NO

YES

NO

threat-actor

located-at

location

NO

YES

NO

threat-actor

observed

ttp

YES

YES

YES

threat-actor

owns

infrastructure

NO

YES

NO

threat-actor

related-to

campaign

YES

YES

YES

threat-actor

related-to

course-of-action

YES

YES

NO

threat-actor

related-to

eclecticiq-sighting

YES

YES

NO

threat-actor

related-to

incident

YES

YES

NO

threat-actor

related-to

indicator

YES

YES

NO

threat-actor

related-to

intrusion-set

YES

YES

NO

threat-actor

related-to

location

YES

YES

NO

threat-actor

related-to

malware-analysis

YES

YES

NO

threat-actor

related-to

report

YES

YES

NO

threat-actor

targets

identity

YES

YES

NO

threat-actor

targets

location

NO

YES

NO

threat-actor

targets

vulnerability

YES

YES

NO

threat-actor

uses

attack-pattern

YES

YES

NO

threat-actor

uses

infrastructure

YES

YES

NO

threat-actor

uses

malware

YES

YES

NO

threat-actor

uses

tool

YES

YES

NO

Tool#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

tool

delivers

malware

YES

YES

NO

tool

drops

malware

NO

YES

NO

tool

has

vulnerability

NO

YES

NO

tool

related-to

attack-pattern

YES

YES

NO

tool

related-to

campaign

YES

YES

NO

tool

related-to

course-of-action

YES

YES

NO

tool

related-to

eclecticiq-sighting

YES

YES

NO

tool

related-to

identity

YES

YES

NO

tool

related-to

incident

YES

YES

NO

tool

related-to

indicator

YES

YES

NO

tool

related-to

intrusion-set

YES

YES

NO

tool

related-to

location

YES

YES

NO

tool

related-to

malware

YES

YES

NO

tool

related-to

malware-analysis

YES

YES

NO

tool

related-to

report

YES

YES

NO

tool

related-to

threat-actor

YES

YES

NO

tool

related-to

tool

YES

YES

NO

tool

related-to

ttp

YES

YES

NO

tool

targets

identity

YES

YES

NO

tool

targets

infrastructure

NO

YES

NO

tool

targets

location

YES

YES

NO

tool

targets

vulnerability

YES

YES

NO

tool

uses

infrastructure

YES

YES

NO

TTP#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

ttp

exploits

vulnerability

YES

YES

YES

ttp

related-to

attack-pattern

YES

YES

NO

ttp

related-to

campaign

YES

YES

NO

ttp

related-to

course-of-action

YES

YES

NO

ttp

related-to

eclecticiq-sighting

YES

YES

NO

ttp

related-to

identity

YES

YES

NO

ttp

related-to

incident

YES

YES

NO

ttp

related-to

indicator

YES

YES

NO

ttp

related-to

infrastructure

YES

YES

NO

ttp

related-to

intrusion-set

YES

YES

NO

ttp

related-to

location

YES

YES

NO

ttp

related-to

malware

YES

YES

NO

ttp

related-to

malware-analysis

YES

YES

NO

ttp

related-to

report

YES

YES

NO

ttp

related-to

threat-actor

YES

YES

NO

ttp

related-to

tool

YES

YES

NO

ttp

related-to

ttp

YES

YES

YES

Vulnerability#

Source entity

Relationship type

Target entity

Default suggestion

STIX 2.1 compatible

STIX 1.2 compatible

vulnerability

related-to

attack-pattern

YES

YES

NO

vulnerability

related-to

campaign

YES

YES

NO

vulnerability

related-to

course-of-action

YES

YES

YES

vulnerability

related-to

eclecticiq-sighting

YES

YES

NO

vulnerability

related-to

identity

YES

YES

NO

vulnerability

related-to

incident

YES

YES

NO

vulnerability

related-to

indicator

YES

YES

NO

vulnerability

related-to

infrastructure

YES

YES

NO

vulnerability

related-to

intrusion-set

YES

YES

NO

vulnerability

related-to

location

YES

YES

NO

vulnerability

related-to

malware

YES

YES

NO

vulnerability

related-to

malware-analysis

YES

YES

NO

vulnerability

related-to

report

YES

YES

NO

vulnerability

related-to

threat-actor

YES

YES

NO

vulnerability

related-to

tool

YES

YES

NO

vulnerability

related-to

ttp

YES

YES

NO

vulnerability

related-to

vulnerability

YES

YES

YES