(registered 2018-07-05, last updated 2020-04-23)

Media type name: application

Media subtype name: stix+json

Required parameters: None

Optional parameters: version

   This parameter is used to designate the specification version of 
   STIX that is being used during HTTP content negotiation. Example: 
   "application/stix+json;version=2.1". The parameter value is of th 
   form 'n.m', where n is the major version and m the minor version, 
   both unsigned integer values.

Encoding considerations: binary

   Encoding considerations are identical to those specified for the 
   "application/json" media type. See [RFC8259].

Security considerations:Security considerations relating to the 
   generation and consumption of STIX messages are similar to 
   application/json and are discussed in section 12 of [RFC8259].

   Unicode is used to represent text such as descriptions in the 
   format. The considerations documented by Unicode Technical Report 
   #36: Unicode Security Considerations UnicodeTR#36 should be taken 
   into account.

   The STIX standard does not itself specify a transport mechanism 
   for STIX documents. It is expected that TAXII is often used (which
   uses TLS via HTTPS). As there is no transport mechanism specified,
   it is up to the users of this to use an appropriately secured 
   transport method. For example, TLS, JSON Web Encryption [RFC7516] 
   and/or JSON Web Signature [RFC7515] can provide such mechanisms.

   Documents of "application/stix+json" are STIX based Cyber Threat 
   Intelligence (CTI) documents. The documents may contain active or 
   executable content as well as URLs, IP addresses, and domain names
   that are known or suspected to be malicious. Systems should thus 
   take appropriate precautions before decoding any of this content, 
   either for persistent storage or execution purposes. Such 
   precautions may include measures such as de-fanging, sandboxing, 
   or other measures. The samples included in STIX documents are 
   reference samples only, and there is no provision or expectation 
   in the specification that they will be loaded and/or executed. 
   There are provisions in the specification to encrypt these samples
   so that even if a tool decodes the data, a further active step 
   must be done before the payload will be "live". It is highly 
   recommended that all active code be armored in this manner.

   STIX specifies the use of hashing and encryption mechanisms for 
   some data types. A cryptography expert should be consulted when 
   choosing which hashing or encryption algorithms to use to ensure 
   that they do not have any security issues.

   STIX provides a graph-based data model. As such, STIX 
   implementations should implement protections against graph queries
   that can potentially consume a significant amount of resources and
   prevent the implementation from functioning in a normal way.

   This specification also describes "STIX Patterning", a mechanism 
   to describe and evaluate a search/match for data observed on 
   systems and networks. Patterning is a grammar itself and includes 
   PCRE regular expressions. Care should be taken when parsing and 
   evaluating the grammar (particularly when evaluating PCRE from 
   unknown or untrusted sources) as they can potentially consume a 
   significant amount of resources.

Privacy considerations: These considerations are, in part, derived 
   from Section 10 of the Resource-Oriented Lightweight Information 
   Exchange [RFC8322].

   Documents may include highly confidential, personal (PII), and/or 
   classified information. There are methods in the standard for 
   marking elements of the document such that the consumer knows of 
   these limitations. These markings may not always be used. For 
   example, an out-of-band agreement may cover and restrict sharing. 
   Just because a document is not marked as containing information 
   that should not be shared does not mean that a document is free 
   for sharing. It may be the case that a legal agreement has been 
   entered into between the parties sharing documents, and that each 
   party understands and follows their obligations under that 
   agreement as well as any applicable laws or regulations.

   Adoption of the information-sharing approach described in this 
   document will enable users to more easily perform correlations 
   across separate, and potentially unrelated, cybersecurity 
   information providers. A client may succeed in assembling a data 
   set that would not have been permitted within the context of the
   authorization policies of either provider when considered 
   individually. Thus, providers may face a risk of an attacker 
   obtaining an access that constitutes an undetected separation of 
   duties (SOD) violation. It is important to note that this risk is 
   not unique to this specification, and a similar potential for 
   abuse exists with any other cybersecurity information-sharing 
   protocol.

Interoperability considerations: The STIX specification specifies the
   format of conforming messages and the interpretation thereof. In 
   addition, the OASIS Cyber Threat Intelligence (CTI) Technical 
   Committee has defined interoperability tests to ensure conforming 
   products and solutions can exchange STIX documents.

Published specification:

   STIX Version 2.1 OASIS Committee Specification 01

   http://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html

   Cited in the "OASIS Standards" document:

   https://www.oasis-open.org/standards#oasiscommiteespecs, from

   https://www.oasis-open.org/standards#stix2.1

Applications which use this media: Structured Threat Information 
   Expression (STIX) is a language and serialization format used to 
   exchange cyber threat intelligence (CTI) such as Threat Actors, 
   Campaigns, Intrusion Sets, Attack Patterns, Indicators of 
   Compromise, etc. STIX enables organizations to share CTI with one 
   another in a consistent and machine-readable manner, allowing 
   security communities to better understand what computer-based 
   attacks they are most likely to see and to anticipate and/or 
   respond to those attacks faster and more effectively. STIX is 
   designed to improve many different capabilities, such as 
   collaborative threat analysis, automated threat exchange, 
   automated detection and response, and more.

Fragment identifier considerations: None

Restrictions on usage: None

Additional information:

   1. Deprecated alias names for this type:   
      application/vnd.oasis.stix+json

   2. Magic number(s): n/a [RFC8259]

   3. File extension(s): stix

   4. Macintosh file type code: TEXT [RFC8259]

   5. Object Identifiers: None

Person and email to contact for further information: Chet Ensign
   (chet.ensign&oasis-open.org)

Intended usage: COMMON

Author:

   OASIS Cyber Threat Intelligence (CTI) Technical Committee;

   URI reference: http://www.oasis-open.org/committees/cti/.

Change controller: OASIS