Issue 47: implement the stix 21 windows integrity level enumeration #103

Open: wants to merge 2 commits into base: develop
47 changes: 47 additions & 0 deletions ontologies/vocabs.ttl
Expand Up @@ -168,6 +168,21 @@ gist:ThreatActorType
rdfs:subClassOf gist:StixCategoryObject ;
.

gist:WindowsIntegrityLevel
Contributor

Belongs in TBox

a owl:Class ;
rdfs:subClassOf gist:StixCategoryObject ;
skos:definition """STIX 2.1 description:
The Windows integrity level enumeration is currently used in the following STIX Cyber-observable Object(s):
● Process (Windows Process extension)


Comment on lines +176 to +178
Contributor

Strange - a single bullet and two blank lines. It's a poor definition. I wonder if we should have a gist:stixDefinition (sub-property of skos:definition) and use it similar to how we use stixTerm. It would be a lot of work though to come up with good definitions. Here is a stab:

skos:definition "A category indicating the trustworthiness of an object in the Windows environment."^^xsd:string ;

Windows integrity levels are a security feature and represent the trustworthiness of an object."""^^xsd:string ;
skos:example ""^^xsd:string ;
skos:note "This is described in STIX as an enumeration but no order of the enumeration is given."^^xsd:string ;
skos:prefLabel "Windows™ Integrity Level Enumeration"^^xsd:string ;
gist:stixTerm "windows-integrity-level-enum"^^xsd:string ;
.

gist:_AccountType_facebook
a gist:AccountType ;
rdfs:label "Facebook"^^xsd:string ;
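Review bot: the skos:example ""^^xsd:string ; line on gist:WindowsIntegrityLevel asserts an empty literal, so any tool that renders examples will show a blank entry for this class. Either drop the triple or give it a real value, for instance one of the stixTerm values this change defines for the individuals. The skos:definition literal also carries the spec's layout (a lone bullet followed by two blank lines) inside the string; keeping only the sentence that actually defines the concept would read better wherever the definition is displayed.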
Expand Down Expand Up @@ -2473,6 +2488,38 @@ There is not enough information available to determine the type of threat actor.
skos:prefLabel "unknown"^^xsd:string ;
.

gist:_WindowsIntegrityLevel_high
a gist:WindowsIntegrityLevel ;
skos:definition """STIX 2.1 description:
A high level of integrity."""^^xsd:string ;
skos:prefLabel "High Integrity Level"^^xsd:string ;
gist:stixTerm "high"^^xsd:string ;
.

gist:_WindowsIntegrityLevel_low
a gist:WindowsIntegrityLevel ;
skos:definition """STIX 2.1 description:
A low level of integrity."""^^xsd:string ;
skos:prefLabel "Low Integrity Level"^^xsd:string ;
gist:stixTerm "low"^^xsd:string ;
.

gist:_WindowsIntegrityLevel_medium
a gist:WindowsIntegrityLevel ;
skos:definition """STIX 2.1 description:
A medium level of integrity."""^^xsd:string ;
skos:prefLabel "Medium Integrity Level"^^xsd:string ;
gist:stixTerm "medium"^^xsd:string ;
.

gist:_WindowsIntegrityLevel_system
a gist:WindowsIntegrityLevel ;
skos:definition """STIX 2.1 description:
A system level of integrity."""^^xsd:string ;
skos:prefLabel "System Integrity Level"^^xsd:string ;
gist:stixTerm "system"^^xsd:string ;
.

Contributor

IRI - prefLabel mismatch. Should be more like:

gist:_WindowsIntegrityLevel_high
	a gist:WindowsIntegrityLevel ;
	skos:definition """STIX 2.1 description: 
A high level of integrity."""^^xsd:string ;
	skos:prefLabel "high"^^xsd:string ; <==
	gist:stixTerm "high"^^xsd:string ;
	.

Do like the others, for consistency.
Also, this makes stixTerm repetitive, not sure what policy to adopt for this case.

gist:stixTerm
a owl:AnnotationProperty ;
.
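Review bot: none of the four individuals (high, low, medium, system) carries a triple that ranks it against the others, and each skos:definition ("A high level of integrity.") only restates its own term, so a consumer cannot compare two integrity levels from this data. The class-level skos:note already says STIX gives no order for the enumeration; if leaving the order out is intentional, repeat that on the individuals or record the ranking with an explicit property in a follow-up, rather than leaving readers to infer it from the labels or from the alphabetical listing here.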