A Location is an Intelligence Object primarily used to give context to other Intelligence Objects.

According to STIX Version 2.1, a Location Object represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), or latitude and longitude.

A Location Object can, for example, be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. (Reference: STIX Version 2.1)
​

The Location Object can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location.

The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the Federal government of the United States. (Reference: STIX Version 2.1)

When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. (Reference: STIX Version 2.1)

If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude should specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates. (Reference: STIX Version 2.1)

Related Content

​