Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

STIX Data Model

ELLIO indicators are delivered as STIX 2.1 objects. This page describes the data model, including the custom extension that carries context from ELLIO Threat Intelligence.

The TAXII feed serves the following STIX 2.1 object types:

Type Description
indicator IP threat indicator with pattern, confidence, and enrichment data
identity ELLIO Technology identity and known actor/scanner identities
relationship Links between indicators and actor identities (attributed-to)
extension-definition Schema definition for the ELLIO enrichment extension
marking-definition TLP:AMBER marking (data is for subscriber use only, not third-party sharing)

Each indicator represents a single IP address observed by ELLIO Threat Intelligence.

Field Description Example
id Deterministic STIX UUID (stable across updates) indicator--a5ad84e7-b730-5dbd-8710-a7c714bf6e76
name Classification and IP Malicious IP 203.0.113.1
pattern STIX pattern for Sentinel matching [ipv4-addr:value = '203.0.113.1']
confidence 1-100 based on recency of last observation 95
indicator_types Classification-based type malicious-activity, anomalous-activity, benign, unknown
valid_from First observation date 2026-01-15T00:00:00Z
valid_until Expiration (last_seen + 90 days) 2026-06-08T00:00:00Z
created Date of first observation 2026-01-15T00:00:00Z
modified Date of last observation 2026-03-10T00:00:00Z
labels Tags from ELLIO Threat Intelligence ["scanner", "brute-force"]
  • Non-spoofable indicators: Linear decay from 100 (seen today) to 1 (seen 100+ days ago)
  • Spoofable indicators: Always 1 (source IP is unverified)

Indicators include kill chain classifications from two frameworks:

Lockheed Martin Cyber Kill Chain: reconnaissance, delivery, exploitation, installation, command-and-control

MITRE ATT&CK Tactics: initial-access, execution, persistence, privilege-escalation, defense-evasion, credential-access, discovery, lateral-movement, collection, exfiltration, command-and-control, impact, resource-development, reconnaissance

Each indicator links to:

  • ELLIO Platform: Direct link to the IP’s detail page (https://platform.ellio.tech/dashboard/cti/ip/{ip})
  • CVE references: NVD links for associated vulnerabilities
  • MITRE ATT&CK techniques: Links to technique descriptions

Each indicator carries a custom STIX property-extension with detailed context from ELLIO Threat Intelligence. This data is stored in Sentinel’s Data column and is queryable via KQL.

Extension Definition ID: extension-definition--9fcc6545-c018-5dbe-90a8-86fc02af8b34

Schema: https://taxii-sentinel.ellio.tech/schema/extensions/enrichment/v1

Field Type Description
spoofable boolean Whether the source IP could be spoofed (no TCP handshake confirmed)
classification string malicious, promiscuous, benign, or unknown
active_days integer Number of distinct days the IP was observed within the last 90-day window
first_seen date First observation date
last_seen date Most recent observation date
tag_ids string[] Internal tag identifiers for programmatic use
src_geo object Source geolocation (country, city, coordinates)
src_asn object Source AS number and name
rdns string Reverse DNS hostname
fingerprints object Network fingerprints (MuonFP, JA4, JA3)
ports integer[] All targeted ports
non_spoofable_ports integer[] Ports with confirmed TCP handshake
spoofable_ports integer[] Ports without confirmed TCP handshake
http object Observed HTTP request details (paths, user agents)
ssh_credentials array SSH brute-force authentication attempts
dst_geo array Destination geolocations of targeted sensors
Field Type Example
country_code string CN
country_name string China
continent_code string AS
city string Beijing
latitude number 39.9042
longitude number 116.4074
Field Type Example
number integer 4134
name string CHINANET-BACKBONE

Network fingerprints observed during interactions with ELLIO sensors:

Field Description
muonfp MuonFP TCP stack fingerprint
ja4 JA4 TLS fingerprint
ja3 JA3 TLS fingerprint
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a5ad84e7-b730-5dbd-8710-a7c714bf6e76",
"created_by_ref": "identity--043070bd-a674-576c-ad22-ff5c20c9217f",
"created": "2026-01-15T00:00:00Z",
"modified": "2026-03-10T00:00:00Z",
"name": "Malicious IP 203.0.113.1",
"description": "Malicious IP 203.0.113.1 observed by ELLIO Threat Intelligence. Active 30 day(s) between 2026-01-15 and 2026-03-10. TCP handshake confirmed (non-spoofable). Tags: scanner, brute-force. Origin: Beijing, China, AS4134 CHINANET-BACKBONE. https://platform.ellio.tech/dashboard/cti/ip/203.0.113.1",
"pattern": "[ipv4-addr:value = '203.0.113.1']",
"pattern_type": "stix",
"valid_from": "2026-01-15T00:00:00Z",
"valid_until": "2026-06-08T00:00:00Z",
"confidence": 95,
"indicator_types": ["malicious-activity"],
"labels": ["scanner", "brute-force"],
"object_marking_refs": [
"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
],
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "reconnaissance"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"external_references": [
{
"source_name": "ELLIO Threat Intelligence",
"url": "https://platform.ellio.tech/dashboard/cti/ip/203.0.113.1"
},
{
"source_name": "cve",
"external_id": "CVE-2024-1234",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
},
{
"source_name": "mitre-attack",
"external_id": "T1595",
"url": "https://attack.mitre.org/techniques/T1595/"
}
],
"extensions": {
"extension-definition--9fcc6545-c018-5dbe-90a8-86fc02af8b34": {
"extension_type": "property-extension",
"spoofable": false,
"classification": "malicious",
"active_days": 30,
"first_seen": "2026-01-15",
"last_seen": "2026-03-10",
"tag_ids": ["scanner", "brute_force"],
"src_geo": {
"country_code": "CN",
"country_name": "China",
"continent_code": "AS",
"city": "Beijing",
"latitude": 39.9042,
"longitude": 116.4074
},
"src_asn": {
"number": 4134,
"name": "CHINANET-BACKBONE"
},
"rdns": "scanner.example.net",
"fingerprints": {
"muonfp": ["65535:2-1-3-1-1-4:1460:8"],
"ja4": "t13d1516h2_8daaf6152771_02713d6af862"
},
"ports": [22, 80, 443, 8080],
"non_spoofable_ports": [22, 80, 443],
"spoofable_ports": [8080],
"ssh_credentials": [
{"username": "root", "password": "admin123"}
],
"dst_geo": [
{
"country_code": "US",
"country_name": "United States",
"city": "Ashburn"
}
]
}
}
}

Known scanners and research organizations are represented as STIX identity objects linked to indicators via attributed-to relationships. This enables filtering by actor in KQL queries.

Currently attributed actors include commercial scanners (Shodan, Censys, BinaryEdge), search engine crawlers (Googlebot, Bingbot), and research organizations (Shadowserver, CERT-FR).