STIX Data Model

ELLIO indicators are delivered as STIX 2.1 objects. This page describes the data model, including the custom extension that carries rich context from the ELLIO Deception Network.

Object Types

The TAXII feed serves the following STIX 2.1 object types:

Type	Description
`indicator`	IP threat indicator with pattern, confidence, and enrichment data
`identity`	ELLIO Technology identity and known actor/scanner identities
`relationship`	Links between indicators and actor identities (`attributed-to`)
`extension-definition`	Schema definition for the ELLIO enrichment extension
`marking-definition`	TLP:AMBER marking (data is for subscriber use only, not third-party sharing)

Indicator Structure

Each indicator represents a single IP address observed by the ELLIO Deception Network.

Core Fields

Field	Description	Example
`id`	Deterministic STIX UUID (stable across updates)	`indicator--a5ad84e7-b730-5dbd-8710-a7c714bf6e76`
`name`	Classification and IP	`Malicious IP 203.0.113.1`
`pattern`	STIX pattern for Sentinel matching	`[ipv4-addr:value = '203.0.113.1']`
`confidence`	1-100 based on recency of last observation	`95`
`indicator_types`	Classification-based type	`malicious-activity`, `anomalous-activity`, `benign`, `unknown`
`valid_from`	First observation date	`2026-01-15T00:00:00Z`
`valid_until`	Expiration (last_seen + 90 days)	`2026-06-08T00:00:00Z`
`created`	Date of first observation	`2026-01-15T00:00:00Z`
`modified`	Date of last observation	`2026-03-10T00:00:00Z`
`labels`	Tags from the ELLIO Deception Network	`["scanner", "brute-force"]`

Confidence Scoring

Non-spoofable indicators: Linear decay from 100 (seen today) to 1 (seen 100+ days ago)
Spoofable indicators: Always 1 (source IP is unverified)

Kill Chain Phases

Indicators include kill chain classifications from two frameworks:

Lockheed Martin Cyber Kill Chain: reconnaissance, delivery, exploitation, installation, command-and-control

MITRE ATT&CK Tactics: initial-access, execution, persistence, privilege-escalation, defense-evasion, credential-access, discovery, lateral-movement, collection, exfiltration, command-and-control, impact, resource-development, reconnaissance

External References

Each indicator links to:

ELLIO Platform: Direct link to the IP's detail page (https://platform.ellio.tech/dashboard/cti/ip/{ip})
CVE references: NVD links for associated vulnerabilities
MITRE ATT&CK techniques: Links to technique descriptions

ELLIO Enrichment Extension

Each indicator carries a custom STIX property-extension with detailed context from the ELLIO Deception Network. This data is stored in Sentinel's Data column and is queryable via KQL.

Extension Definition ID: extension-definition--9fcc6545-c018-5dbe-90a8-86fc02af8b34

Schema: https://taxii-sentinel.ellio.tech/schema/extensions/enrichment/v1

Extension Fields

Field	Type	Description
`spoofable`	boolean	Whether the source IP could be spoofed (no TCP handshake confirmed)
`classification`	string	`malicious`, `promiscuous`, `benign`, or `unknown`
`active_days`	integer	Number of distinct days the IP was observed within the last 90-day window
`first_seen`	date	First observation date
`last_seen`	date	Most recent observation date
`tag_ids`	string[]	Internal tag identifiers for programmatic use
`src_geo`	object	Source geolocation (country, city, coordinates)
`src_asn`	object	Source AS number and name
`rdns`	string	Reverse DNS hostname
`fingerprints`	object	Network fingerprints (MuonFP, JA4, JA3)
`ports`	integer[]	All targeted ports
`non_spoofable_ports`	integer[]	Ports with confirmed TCP handshake
`spoofable_ports`	integer[]	Ports without confirmed TCP handshake
`http`	object	Observed HTTP request details (paths, user agents)
`ssh_credentials`	array	SSH brute-force authentication attempts
`dst_geo`	array	Destination geolocations of targeted sensors

Source Geolocation (`src_geo`)

Field	Type	Example
`country_code`	string	`CN`
`country_name`	string	`China`
`continent_code`	string	`AS`
`city`	string	`Beijing`
`latitude`	number	`39.9042`
`longitude`	number	`116.4074`

Source ASN (`src_asn`)

Field	Type	Example
`number`	integer	`4134`
`name`	string	`CHINANET-BACKBONE`

Network Fingerprints (`fingerprints`)

Network fingerprints observed during interactions with ELLIO sensors:

Field	Description
`muonfp`	MuonFP TCP stack fingerprint
`ja4`	JA4 TLS fingerprint
`ja3`	JA3 TLS fingerprint

Example Indicator

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--a5ad84e7-b730-5dbd-8710-a7c714bf6e76",
  "created_by_ref": "identity--043070bd-a674-576c-ad22-ff5c20c9217f",
  "created": "2026-01-15T00:00:00Z",
  "modified": "2026-03-10T00:00:00Z",
  "name": "Malicious IP 203.0.113.1",
  "description": "Malicious IP 203.0.113.1 observed by ELLIO Deception Network. Active 30 day(s) between 2026-01-15 and 2026-03-10. TCP handshake confirmed (non-spoofable). Tags: scanner, brute-force. Origin: Beijing, China, AS4134 CHINANET-BACKBONE. https://platform.ellio.tech/dashboard/cti/ip/203.0.113.1",
  "pattern": "[ipv4-addr:value = '203.0.113.1']",
  "pattern_type": "stix",
  "valid_from": "2026-01-15T00:00:00Z",
  "valid_until": "2026-06-08T00:00:00Z",
  "confidence": 95,
  "indicator_types": ["malicious-activity"],
  "labels": ["scanner", "brute-force"],
  "object_marking_refs": [
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
  ],
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "reconnaissance"
    },
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "reconnaissance"
    }
  ],
  "external_references": [
    {
      "source_name": "ELLIO Deception Network",
      "url": "https://platform.ellio.tech/dashboard/cti/ip/203.0.113.1"
    },
    {
      "source_name": "cve",
      "external_id": "CVE-2024-1234",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
    },
    {
      "source_name": "mitre-attack",
      "external_id": "T1595",
      "url": "https://attack.mitre.org/techniques/T1595/"
    }
  ],
  "extensions": {
    "extension-definition--9fcc6545-c018-5dbe-90a8-86fc02af8b34": {
      "extension_type": "property-extension",
      "spoofable": false,
      "classification": "malicious",
      "active_days": 30,
      "first_seen": "2026-01-15",
      "last_seen": "2026-03-10",
      "tag_ids": ["scanner", "brute_force"],
      "src_geo": {
        "country_code": "CN",
        "country_name": "China",
        "continent_code": "AS",
        "city": "Beijing",
        "latitude": 39.9042,
        "longitude": 116.4074
      },
      "src_asn": {
        "number": 4134,
        "name": "CHINANET-BACKBONE"
      },
      "rdns": "scanner.example.net",
      "fingerprints": {
        "muonfp": ["65535:2-1-3-1-1-4:1460:8"],
        "ja4": "t13d1516h2_8daaf6152771_02713d6af862"
      },
      "ports": [22, 80, 443, 8080],
      "non_spoofable_ports": [22, 80, 443],
      "spoofable_ports": [8080],
      "ssh_credentials": [
        {"username": "root", "password": "admin123"}
      ],
      "dst_geo": [
        {
          "country_code": "US",
          "country_name": "United States",
          "city": "Ashburn"
        }
      ]
    }
  }
}

Actor Attribution

Known scanners and research organizations are represented as STIX identity objects linked to indicators via attributed-to relationships. This enables filtering by actor in KQL queries.

Currently attributed actors include commercial scanners (Shodan, Censys, BinaryEdge), search engine crawlers (Googlebot, Bingbot), and research organizations (Shadowserver, CERT-FR).

Object Types​

Indicator Structure​

Core Fields​

Confidence Scoring​

Kill Chain Phases​

External References​

ELLIO Enrichment Extension​

Extension Fields​

Source Geolocation (src_geo)​

Source ASN (src_asn)​

Network Fingerprints (fingerprints)​

Example Indicator​

Actor Attribution​