ArtifactObjectType (Artifact Object Schema)

The ArtifactObjectType type is intended to encapsulate and convey the content of a Raw Artifact.


Fields

Field Name Type Description
@object_reference optional QName

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

Custom_Properties 0..1 CustomPropertiesType

The Custom_Properties construct is optional and enables the specification of a set of custom Object Properties that may not be defined in existing Properties schemas.

@type optional ArtifactTypeEnum

The type field specifies the general type of the artifact contained in this Defined Object.

@content_type optional string

The content_type field is optional and specifies the Internet Media Type of the artifact contained in this Defined Object.

@content_type_version optional string

The content_type_version field is optional and specifies the content type version of the artifact contained in this Defined Object.

@suspected_malicious optional boolean

The suspected_malicious field is optional and conveys whether the content of the Raw_Artifact is believed to be malicious.

Hashes 0..1 HashListType

The Hashes field is optional and specifies hashes for the Raw_Artifact content.

Packaging 0..1 PackagingType

The Packaging field is optional and characterizes packaging layers (e.g. compression, encryption, encoding) applied to the original content to generate the content of the Raw_Artifact field of this Object. The ordering of entries in this sequence implicitly denotes the ordering of packaging layer operations applied.

Raw_Artifact 0..1 RawArtifactType

The Raw_Artifact field contains the raw content of a cyber artifact (rather than simply analysis of that artifact). It is conveyed within a string-based field and should be further enclosed in a CDATA section within the string-based field.

Raw_Artifact_Reference 0..1 anyURI

The Raw_Artifact_Reference field contains a reference to an external instance of the raw content of a cyber artifact (rather than simply analysis of that artifact).
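
As an added example (not part of the schema documentation), the sketch below shows how a consumer might use the Hashes, Packaging and Raw_Artifact fields together: it checks the recorded hash, then undoes the packaging layers in the reverse of the order in which they are listed. The XML is a simplified, namespace-free sample constructed for this example; the layer element names, the algorithm attribute, the flat Hash element and the choice to hash the Raw_Artifact text as conveyed are all assumptions, not taken from the schema.

```python
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET

# Inverse of each packaging layer this sketch understands (names are assumptions).
UNDO = {
    ("Encoding", "Base64"): base64.b64decode,
    ("Compression", "zlib"): zlib.decompress,
}

def build_sample(original: bytes) -> str:
    """Constructed sample: content is compressed, then Base64-encoded."""
    packed = base64.b64encode(zlib.compress(original)).decode()
    digest = hashlib.sha256(packed.encode()).hexdigest()
    return (
        '<Artifact content_type="text/plain" suspected_malicious="true">'
        f'<Hashes><Hash type="SHA256">{digest}</Hash></Hashes>'
        '<Packaging><Compression algorithm="zlib"/>'
        '<Encoding algorithm="Base64"/></Packaging>'
        f'<Raw_Artifact><![CDATA[{packed}]]></Raw_Artifact>'
        '</Artifact>'
    )

def unpack(xml_text: str) -> dict:
    """Check the recorded hash, then undo packaging layers last-applied first."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted feeds
    raw = (root.findtext("Raw_Artifact") or "").strip()
    expected = root.findtext("Hashes/Hash")
    # Assumption: the hash covers the Raw_Artifact text exactly as conveyed.
    if expected and hashlib.sha256(raw.encode()).hexdigest() != expected.strip().lower():
        raise ValueError("Raw_Artifact does not match its recorded hash")
    packaging = root.find("Packaging")
    layers = list(packaging) if packaging is not None else []
    data = raw.encode()
    for layer in reversed(layers):  # document order == order applied
        key = (layer.tag, layer.get("algorithm"))
        if key not in UNDO:
            raise ValueError(f"unsupported packaging layer: {key}")
        data = UNDO[key](data)
    return {
        "content": data,  # treat as inert bytes; never execute or render it
        "content_type": root.get("content_type"),
        "suspected_malicious": root.get("suspected_malicious") in ("true", "1"),
    }

if __name__ == "__main__":
    print(unpack(build_sample(b"constructed sample content")))
```

A production consumer would also cap the decompressed size before accepting the content, since a compression layer can expand far beyond the size of the Raw_Artifact string.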