Relationship Entities

Ultimately, CTIM allows us to model our threat intelligence as a hypertext graph. In this graph, each entity is a node with its own URI, and the nodes of this graph are connected via Relationships, which form its edges.

Relationship Field Summary

In addition to the fields inherited from the base, sourceable, and describable entity definitions above, relationships require the following fields:

  • relationship_type - A string naming the relationship type. Standard supported relationship types are defined in the CTIM Vocabulary Schema, and the best practices for how to define entity relationships are documented below.
  • source_ref - Required ID of the source entity of the relationship. On a directed graph, this is the node the arrow begins at.
  • target_ref - Required ID of the target entity of the relationship. On a directed graph, this is the node the arrow points to.

Notes on Relationship Polarity

The polarity of relationships describes the direction that the arrow points on a directed graph: Relationships always point FROM the source_ref, and TOWARD the target_ref in the relationship.

Because of this, each relationship_type is expected to be used in one direction only. In our Common Relation Types document, we define, for example, that a judgement is "based on" an indicator, but not vice versa: relationships from Indicators do not point toward Judgements. To represent this relationship, the judgement entity is the source_ref and the indicator entity is the target_ref. These fields are not interchangeable, and the polarity of the relationship matters. Read through the documentation on common relation types for more information.

Example Relationship

{
    "type":"relationship",
    "source":"Modeling Threat Intelligence in CTIM Tutorial",
    "source_uri":"",
    "source_ref":"transient:ctim-tutorial-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498",
    "target_ref":"transient:ctim-tutorial-indicator-c56de1c94c1ce862c4e6d9883393aacc58275c0c4dc4d8b48cc4db692bf11e4f",
    "relationship_type":"based-on",
    "external_ids":[
        "ctim-tutorial-relationship-2c1f3fcaf89d294bf7d038f470f6cb4a81dc1fad6ff5deeed18a41bf6fe14e4d"
    ]
}

Note: For details on the "transient:..." IDs, see Bundle Entities.
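The polarity rules above are easy to get backwards when relationships are generated by code, so it is worth checking them before a bundle is submitted. The following validator is an added example written for this page; it is not part of CTIM or its tooling. It resolves source_ref and target_ref against the entities in a bundle, checks the required fields, and compares the (source type, target type) pair against an expected-polarity table. Only the "based-on" entry (judgement to indicator) comes from the text above; the EXPECTED_POLARITY table, the bundle keys it scans, and the sample bundle are assumptions constructed for the example.

```python
"""Check CTIM relationship polarity against an expected-polarity table.

Added example for this page; not CTIM's own code. The polarity table is a
hypothetical stand-in for the Common Relation Types vocabulary.
"""
from typing import Dict, List

# relationship_type -> (expected source entity type, expected target entity type).
# Only "based-on" is taken from the tutorial text; in practice this table would
# be filled from the Common Relation Types document (assumption).
EXPECTED_POLARITY = {
    "based-on": ("judgement", "indicator"),
}

REQUIRED_FIELDS = ("relationship_type", "source_ref", "target_ref")

# Bundle collections to index when resolving refs (assumed subset of bundle keys).
BUNDLE_COLLECTIONS = ("judgements", "indicators", "sightings", "relationships")


def index_entities(bundle: dict) -> Dict[str, dict]:
    """Map every entity id (including transient ids) to its entity map."""
    index: Dict[str, dict] = {}
    for key in BUNDLE_COLLECTIONS:
        for entity in bundle.get(key, []):
            index[entity["id"]] = entity
    return index


def validate_relationship(rel: dict, index: Dict[str, dict]) -> List[str]:
    """Return the problems found in one relationship; an empty list means it passed."""
    problems: List[str] = []
    for field in REQUIRED_FIELDS:
        if not rel.get(field):
            problems.append(f"missing required field {field}")
    if problems:
        return problems

    src = index.get(rel["source_ref"])
    tgt = index.get(rel["target_ref"])
    if src is None:
        problems.append(f"source_ref {rel['source_ref']} does not resolve to an entity in the bundle")
    if tgt is None:
        problems.append(f"target_ref {rel['target_ref']} does not resolve to an entity in the bundle")
    if problems:
        return problems

    rtype = rel["relationship_type"]
    expected = EXPECTED_POLARITY.get(rtype)
    if expected is None:
        return [f"relationship_type {rtype!r} is not in the polarity table"]

    actual = (src["type"], tgt["type"])
    if actual != expected:
        # The most common mistake is simply swapping the two refs; call it out.
        hint = " (source_ref and target_ref look swapped)" if actual == expected[::-1] else ""
        problems.append(
            f"{rtype} must point from {expected[0]} to {expected[1]}, "
            f"but this relationship points from {actual[0]} to {actual[1]}{hint}"
        )
    return problems


def validate_bundle(bundle: dict) -> Dict[str, List[str]]:
    """Validate every relationship in a bundle, keyed by relationship id."""
    index = index_entities(bundle)
    return {rel["id"]: validate_relationship(rel, index) for rel in bundle.get("relationships", [])}


# Constructed sample bundle (not from the tutorial): one judgement, one indicator,
# and three relationships with correct polarity, inverted polarity, and a dangling ref.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "source": "polarity check example",
    "judgements": [{"id": "transient:example-judgement-1", "type": "judgement"}],
    "indicators": [{"id": "transient:example-indicator-1", "type": "indicator"}],
    "relationships": [
        {"id": "transient:example-rel-ok", "type": "relationship", "relationship_type": "based-on",
         "source_ref": "transient:example-judgement-1", "target_ref": "transient:example-indicator-1"},
        {"id": "transient:example-rel-inverted", "type": "relationship", "relationship_type": "based-on",
         "source_ref": "transient:example-indicator-1", "target_ref": "transient:example-judgement-1"},
        {"id": "transient:example-rel-dangling", "type": "relationship", "relationship_type": "based-on",
         "source_ref": "transient:example-judgement-1", "target_ref": "transient:example-indicator-missing"},
    ],
}


if __name__ == "__main__":
    for rel_id, problems in validate_bundle(SAMPLE_BUNDLE).items():
        print(rel_id, "OK" if not problems else "; ".join(problems))
```

Run against the sample bundle, the first relationship passes, the second is flagged with the swapped-refs hint, and the third fails because its target_ref resolves to nothing. Because refs are resolved against the bundle's own entity index, the same check works for transient IDs before submission and for the permanent IDs they become afterwards.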