Relationship type compatibility tables#

The sections on this page describe the available relationship types for each source/target entity combination, and their STIX compatibility.

A relationship is an object that links two entities together:

a ‘source’ entity, and
a ‘target’ entity.

Depending on the source and target entity, certain relationship types are available for use. These relationship types have varying compatibility with STIX 2.1 and STIX 1.2.

For more information about relationship objects and STIX compatibility, see Relationships.

Attack-pattern#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
attack-pattern	delivers	malware	NO	YES	NO
attack-pattern	related-to	attack-pattern	YES	YES	NO
attack-pattern	related-to	campaign	YES	YES	NO
attack-pattern	related-to	course-of-action	YES	YES	NO
attack-pattern	related-to	eclecticiq-sighting	YES	YES	NO
attack-pattern	related-to	incident	YES	YES	NO
attack-pattern	related-to	indicator	YES	YES	NO
attack-pattern	related-to	infrastructure	YES	YES	NO
attack-pattern	related-to	intrusion-set	YES	YES	NO
attack-pattern	related-to	location	YES	YES	NO
attack-pattern	related-to	malware-analysis	YES	YES	NO
attack-pattern	related-to	report	YES	YES	NO
attack-pattern	related-to	threat-actor	YES	YES	NO
attack-pattern	related-to	ttp	YES	YES	NO
attack-pattern	targets	identity	YES	YES	NO
attack-pattern	targets	location	YES	YES	NO
attack-pattern	targets	vulnerability	YES	YES	NO
attack-pattern	uses	malware	YES	YES	NO
attack-pattern	uses	tool	YES	YES	NO

Campaign#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
campaign	associated-to	campaign	NO	NO	YES
campaign	attributed-to	intrusion-set	YES	YES	NO
campaign	attributed-to	threat-actor	YES	YES	NO
campaign	compromises	infrastructure	NO	YES	NO
campaign	originates-from	location	NO	YES	NO
campaign	related-to	campaign	YES	YES	NO
campaign	related-to	course-of-action	YES	YES	NO
campaign	related-to	eclecticiq-sighting	YES	YES	NO
campaign	related-to	incident	YES	YES	NO
campaign	related-to	indicator	YES	YES	NO
campaign	related-to	location	YES	YES	NO
campaign	related-to	malware-analysis	YES	YES	NO
campaign	related-to	report	YES	YES	NO
campaign	related-to	ttp	YES	YES	YES
campaign	targets	identity	YES	YES	YES
campaign	targets	location	NO	YES	NO
campaign	targets	vulnerability	YES	YES	NO
campaign	uses	attack-pattern	YES	YES	NO
campaign	uses	infrastructure	YES	YES	NO
campaign	uses	malware	YES	YES	NO
campaign	uses	tool	YES	YES	NO

Course-of-action#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
course-of-action	investigates	indicator	YES	YES	NO
course-of-action	mitigates	attack-pattern	YES	YES	NO
course-of-action	mitigates	indicator	NO	YES	NO
course-of-action	mitigates	malware	YES	YES	NO
course-of-action	mitigates	tool	YES	YES	NO
course-of-action	mitigates	vulnerability	YES	YES	NO
course-of-action	related-to	campaign	YES	YES	NO
course-of-action	related-to	course-of-action	YES	YES	YES
course-of-action	related-to	eclecticiq-sighting	YES	YES	NO
course-of-action	related-to	identity	YES	YES	NO
course-of-action	related-to	incident	YES	YES	NO
course-of-action	related-to	infrastructure	YES	YES	NO
course-of-action	related-to	intrusion-set	YES	YES	NO
course-of-action	related-to	location	YES	YES	NO
course-of-action	related-to	malware-analysis	YES	YES	NO
course-of-action	related-to	report	YES	YES	NO
course-of-action	related-to	threat-actor	YES	YES	NO
course-of-action	related-to	ttp	YES	YES	NO
course-of-action	remediates	malware	NO	YES	NO
course-of-action	remediates	vulnerability	NO	YES	NO

Sighting#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
eclecticiq-sighting	related-to	attack-pattern	YES	NO	NO
eclecticiq-sighting	related-to	campaign	YES	NO	NO
eclecticiq-sighting	related-to	course-of-action	YES	NO	NO
eclecticiq-sighting	related-to	eclecticiq-sighting	YES	NO	NO
eclecticiq-sighting	related-to	identity	YES	NO	NO
eclecticiq-sighting	related-to	incident	YES	NO	NO
eclecticiq-sighting	related-to	indicator	YES	NO	NO
eclecticiq-sighting	related-to	infrastructure	YES	NO	NO
eclecticiq-sighting	related-to	intrusion-set	YES	NO	NO
eclecticiq-sighting	related-to	location	YES	NO	NO
eclecticiq-sighting	related-to	malware	YES	NO	NO
eclecticiq-sighting	related-to	malware-analysis	YES	NO	NO
eclecticiq-sighting	related-to	report	YES	NO	NO
eclecticiq-sighting	related-to	threat-actor	YES	NO	NO
eclecticiq-sighting	related-to	tool	YES	NO	NO
eclecticiq-sighting	related-to	ttp	YES	NO	NO
eclecticiq-sighting	related-to	vulnerability	YES	YES	NO

Identity#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
identity	located-at	location	YES	YES	NO
identity	related-to	attack-pattern	YES	YES	NO
identity	related-to	campaign	YES	YES	NO
identity	related-to	course-of-action	YES	YES	NO
identity	related-to	eclecticiq-sighting	YES	YES	NO
identity	related-to	identity	YES	YES	NO
identity	related-to	incident	YES	YES	NO
identity	related-to	indicator	YES	YES	NO
identity	related-to	infrastructure	YES	YES	NO
identity	related-to	intrusion-set	YES	YES	NO
identity	related-to	malware	YES	YES	NO
identity	related-to	malware-analysis	YES	YES	NO
identity	related-to	report	YES	YES	NO
identity	related-to	threat-actor	YES	YES	NO
identity	related-to	tool	YES	YES	NO
identity	related-to	ttp	YES	YES	NO
identity	related-to	vulnerability	YES	YES	NO

Incident#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
incident	attributed-to	threat-actor	NO	YES	YES
incident	leveraged	ttp	YES	YES	YES
incident	related-to	attack-pattern	YES	YES	NO
incident	related-to	campaign	YES	YES	NO
incident	related-to	course-of-action	YES	YES	NO
incident	related-to	eclecticiq-sighting	YES	YES	NO
incident	related-to	identity	YES	YES	NO
incident	related-to	incident	YES	YES	YES
incident	related-to	indicator	YES	YES	YES
incident	related-to	infrastructure	YES	YES	NO
incident	related-to	intrusion-set	YES	YES	NO
incident	related-to	location	YES	YES	NO
incident	related-to	malware	YES	YES	NO
incident	related-to	malware-analysis	YES	YES	NO
incident	related-to	report	YES	YES	NO
incident	related-to	threat-actor	YES	YES	NO
incident	related-to	tool	YES	YES	NO
incident	related-to	vulnerability	YES	YES	NO

Indicator#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
indicator	indicates	attack-pattern	YES	YES	NO
indicator	indicates	campaign	YES	YES	NO
indicator	indicates	infrastructure	YES	YES	NO
indicator	indicates	intrusion-set	YES	YES	NO
indicator	indicates	malware	YES	YES	NO
indicator	indicates	threat-actor	YES	YES	NO
indicator	indicates	tool	YES	YES	NO
indicator	related-to	campaign	NO	YES	YES
indicator	related-to	eclecticiq-sighting	YES	YES	NO
indicator	related-to	identity	YES	YES	NO
indicator	related-to	incident	YES	YES	NO
indicator	related-to	indicator	YES	YES	YES
indicator	related-to	location	YES	YES	NO
indicator	related-to	malware-analysis	YES	YES	NO
indicator	related-to	report	YES	YES	NO
indicator	related-to	ttp	YES	YES	YES
indicator	related-to	vulnerability	YES	YES	NO
indicator	suggests	course-of-action	YES	NO	YES

Infrastructure#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
infrastructure	communicates-with	infrastructure	NO	YES	NO
infrastructure	consists-of	infrastructure	NO	YES	NO
infrastructure	controls	infrastructure	NO	YES	NO
infrastructure	controls	malware	NO	YES	NO
infrastructure	delivers	malware	NO	YES	NO
infrastructure	has	vulnerability	YES	YES	NO
infrastructure	hosts	malware	NO	YES	NO
infrastructure	hosts	tool	YES	YES	NO
infrastructure	located-at	location	YES	YES	NO
infrastructure	related-to	attack-pattern	YES	YES	NO
infrastructure	related-to	campaign	YES	YES	NO
infrastructure	related-to	course-of-action	YES	YES	NO
infrastructure	related-to	eclecticiq-sighting	YES	YES	NO
infrastructure	related-to	identity	YES	YES	NO
infrastructure	related-to	incident	YES	YES	NO
infrastructure	related-to	indicator	YES	YES	NO
infrastructure	related-to	infrastructure	YES	YES	NO
infrastructure	related-to	intrusion-set	YES	YES	NO
infrastructure	related-to	malware	YES	YES	NO
infrastructure	related-to	malware-analysis	YES	YES	NO
infrastructure	related-to	report	YES	YES	NO
infrastructure	related-to	threat-actor	YES	YES	NO
infrastructure	related-to	ttp	YES	YES	NO
infrastructure	uses	infrastructure	NO	YES	NO

Intrusion-set#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
intrusion-set	attributed-to	threat-actor	YES	YES	NO
intrusion-set	compromises	infrastructure	NO	YES	NO
intrusion-set	hosts	infrastructure	NO	YES	NO
intrusion-set	originates-from	location	NO	YES	NO
intrusion-set	owns	infrastructure	NO	YES	NO
intrusion-set	related-to	campaign	YES	YES	NO
intrusion-set	related-to	course-of-action	YES	YES	NO
intrusion-set	related-to	eclecticiq-sighting	YES	YES	NO
intrusion-set	related-to	incident	YES	YES	NO
intrusion-set	related-to	indicator	YES	YES	NO
intrusion-set	related-to	intrusion-set	YES	YES	NO
intrusion-set	related-to	location	YES	YES	NO
intrusion-set	related-to	malware-analysis	YES	YES	NO
intrusion-set	related-to	report	YES	YES	NO
intrusion-set	related-to	ttp	YES	YES	NO
intrusion-set	targets	identity	YES	YES	NO
intrusion-set	targets	location	NO	YES	NO
intrusion-set	targets	vulnerability	YES	YES	NO
intrusion-set	uses	attack-pattern	YES	YES	NO
intrusion-set	uses	infrastructure	YES	YES	NO
intrusion-set	uses	malware	YES	YES	NO
intrusion-set	uses	tool	YES	YES	NO

Location#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
location	related-to	attack-pattern	YES	YES	NO
location	related-to	campaign	YES	YES	NO
location	related-to	course-of-action	YES	YES	NO
location	related-to	eclecticiq-sighting	YES	YES	NO
location	related-to	identity	YES	YES	NO
location	related-to	incident	YES	YES	NO
location	related-to	indicator	YES	YES	NO
location	related-to	infrastructure	YES	YES	NO
location	related-to	intrusion-set	YES	YES	NO
location	related-to	location	YES	YES	NO
location	related-to	malware	YES	YES	NO
location	related-to	malware-analysis	YES	YES	NO
location	related-to	report	YES	YES	NO
location	related-to	threat-actor	YES	YES	NO
location	related-to	tool	YES	YES	NO
location	related-to	ttp	YES	YES	NO
location	related-to	vulnerability	YES	YES	NO

Malware#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
malware	authored-by	intrusion-set	YES	YES	NO
malware	authored-by	threat-actor	YES	YES	NO
malware	beacons-to	infrastructure	NO	YES	NO
malware	controls	malware	NO	YES	NO
malware	downloads	malware	NO	YES	NO
malware	downloads	tool	NO	YES	NO
malware	drops	malware	NO	YES	NO
malware	drops	tool	NO	YES	NO
malware	exfiltrates-to	infrastructure	NO	YES	NO
malware	exploits	vulnerability	YES	YES	NO
malware	originates-from	location	NO	YES	NO
malware	related-to	campaign	YES	YES	NO
malware	related-to	course-of-action	YES	YES	NO
malware	related-to	eclecticiq-sighting	YES	YES	NO
malware	related-to	incident	YES	YES	NO
malware	related-to	location	YES	YES	NO
malware	related-to	malware-analysis	YES	YES	NO
malware	related-to	report	YES	YES	NO
malware	related-to	ttp	YES	YES	NO
malware	targets	identity	YES	YES	NO
malware	targets	infrastructure	NO	YES	NO
malware	targets	location	NO	YES	NO
malware	targets	vulnerability	NO	YES	NO
malware	uses	attack-pattern	YES	YES	NO
malware	uses	infrastructure	YES	YES	NO
malware	uses	malware	YES	YES	NO
malware	uses	tool	YES	YES	NO
malware	variant-of	malware	NO	YES	NO

Malware-analysis#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
malware-analysis	analysis-of	malware	YES	YES	NO
malware-analysis	characterizes	malware	NO	YES	NO
malware-analysis	dynamic-analysis-of	malware	NO	YES	NO
malware-analysis	related-to	attack-pattern	YES	YES	NO
malware-analysis	related-to	campaign	YES	YES	NO
malware-analysis	related-to	course-of-action	YES	YES	NO
malware-analysis	related-to	eclecticiq-sighting	YES	YES	NO
malware-analysis	related-to	identity	YES	YES	NO
malware-analysis	related-to	incident	YES	YES	NO
malware-analysis	related-to	indicator	YES	YES	NO
malware-analysis	related-to	infrastructure	YES	YES	NO
malware-analysis	related-to	intrusion-set	YES	YES	NO
malware-analysis	related-to	location	YES	YES	NO
malware-analysis	related-to	malware-analysis	YES	YES	NO
malware-analysis	related-to	report	YES	YES	NO
malware-analysis	related-to	threat-actor	YES	YES	NO
malware-analysis	related-to	tool	YES	YES	NO
malware-analysis	related-to	ttp	YES	YES	NO
malware-analysis	related-to	vulnerability	YES	YES	NO
malware-analysis	static-analysis-of	malware	NO	YES	NO

Report#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
report	related-to	attack-pattern	YES	YES	NO
report	related-to	campaign	YES	YES	YES
report	related-to	course-of-action	YES	YES	NO
report	related-to	eclecticiq-sighting	YES	YES	NO
report	related-to	identity	YES	YES	NO
report	related-to	incident	YES	YES	NO
report	related-to	indicator	YES	YES	NO
report	related-to	infrastructure	YES	YES	NO
report	related-to	intrusion-set	YES	YES	NO
report	related-to	location	YES	YES	NO
report	related-to	malware	YES	YES	NO
report	related-to	malware-analysis	YES	YES	NO
report	related-to	report	YES	YES	YES
report	related-to	threat-actor	YES	YES	NO
report	related-to	tool	YES	YES	NO
report	related-to	vulnerability	YES	YES	NO
report	reports	campaign	NO	YES	YES
report	reports	course-of-action	NO	YES	YES
report	reports	incident	NO	YES	YES
report	reports	indicator	NO	YES	YES
report	reports	threat-actor	NO	NO	YES
report	reports	ttp	YES	NO	YES
report	reports	vulnerability	NO	YES	YES

Threat-actor#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
threat-actor	associated-to	campaign	NO	YES	YES
threat-actor	associated-to	threat-actor	YES	YES	YES
threat-actor	attributed-to	identity	NO	YES	NO
threat-actor	compromises	infrastructure	NO	YES	NO
threat-actor	hosts	infrastructure	NO	YES	NO
threat-actor	impersonates	identity	NO	YES	NO
threat-actor	located-at	location	NO	YES	NO
threat-actor	observed	ttp	YES	YES	YES
threat-actor	owns	infrastructure	NO	YES	NO
threat-actor	related-to	campaign	YES	YES	YES
threat-actor	related-to	course-of-action	YES	YES	NO
threat-actor	related-to	eclecticiq-sighting	YES	YES	NO
threat-actor	related-to	incident	YES	YES	NO
threat-actor	related-to	indicator	YES	YES	NO
threat-actor	related-to	intrusion-set	YES	YES	NO
threat-actor	related-to	location	YES	YES	NO
threat-actor	related-to	malware-analysis	YES	YES	NO
threat-actor	related-to	report	YES	YES	NO
threat-actor	targets	identity	YES	YES	NO
threat-actor	targets	location	NO	YES	NO
threat-actor	targets	vulnerability	YES	YES	NO
threat-actor	uses	attack-pattern	YES	YES	NO
threat-actor	uses	infrastructure	YES	YES	NO
threat-actor	uses	malware	YES	YES	NO
threat-actor	uses	tool	YES	YES	NO

Tool#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
tool	delivers	malware	YES	YES	NO
tool	drops	malware	NO	YES	NO
tool	has	vulnerability	NO	YES	NO
tool	related-to	attack-pattern	YES	YES	NO
tool	related-to	campaign	YES	YES	NO
tool	related-to	course-of-action	YES	YES	NO
tool	related-to	eclecticiq-sighting	YES	YES	NO
tool	related-to	identity	YES	YES	NO
tool	related-to	incident	YES	YES	NO
tool	related-to	indicator	YES	YES	NO
tool	related-to	intrusion-set	YES	YES	NO
tool	related-to	location	YES	YES	NO
tool	related-to	malware	YES	YES	NO
tool	related-to	malware-analysis	YES	YES	NO
tool	related-to	report	YES	YES	NO
tool	related-to	threat-actor	YES	YES	NO
tool	related-to	tool	YES	YES	NO
tool	related-to	ttp	YES	YES	NO
tool	targets	identity	YES	YES	NO
tool	targets	infrastructure	NO	YES	NO
tool	targets	location	YES	YES	NO
tool	targets	vulnerability	YES	YES	NO
tool	uses	infrastructure	YES	YES	NO

TTP#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
ttp	exploits	vulnerability	YES	YES	YES
ttp	related-to	attack-pattern	YES	YES	NO
ttp	related-to	campaign	YES	YES	NO
ttp	related-to	course-of-action	YES	YES	NO
ttp	related-to	eclecticiq-sighting	YES	YES	NO
ttp	related-to	identity	YES	YES	NO
ttp	related-to	incident	YES	YES	NO
ttp	related-to	indicator	YES	YES	NO
ttp	related-to	infrastructure	YES	YES	NO
ttp	related-to	intrusion-set	YES	YES	NO
ttp	related-to	location	YES	YES	NO
ttp	related-to	malware	YES	YES	NO
ttp	related-to	malware-analysis	YES	YES	NO
ttp	related-to	report	YES	YES	NO
ttp	related-to	threat-actor	YES	YES	NO
ttp	related-to	tool	YES	YES	NO
ttp	related-to	ttp	YES	YES	YES

Vulnerability#

Source entity	Relationship type	Target entity	Default suggestion	STIX 2.1 compatible	STIX 1.2 compatible
vulnerability	related-to	attack-pattern	YES	YES	NO
vulnerability	related-to	campaign	YES	YES	NO
vulnerability	related-to	course-of-action	YES	YES	YES
vulnerability	related-to	eclecticiq-sighting	YES	YES	NO
vulnerability	related-to	identity	YES	YES	NO
vulnerability	related-to	incident	YES	YES	NO
vulnerability	related-to	indicator	YES	YES	NO
vulnerability	related-to	infrastructure	YES	YES	NO
vulnerability	related-to	intrusion-set	YES	YES	NO
vulnerability	related-to	location	YES	YES	NO
vulnerability	related-to	malware	YES	YES	NO
vulnerability	related-to	malware-analysis	YES	YES	NO
vulnerability	related-to	report	YES	YES	NO
vulnerability	related-to	threat-actor	YES	YES	NO
vulnerability	related-to	tool	YES	YES	NO
vulnerability	related-to	ttp	YES	YES	NO
vulnerability	related-to	vulnerability	YES	YES	YES