{
  "type": "extension-definition",
  "id": "extension-definition--93370194-c964-570f-9802-9d1154e5525d",
  "spec_version": "2.1",
  "created_by_ref": "identity--4ee77ba4-f956-5d27-aeb1-cbfeb4c8f8d5",
  "created": "2026-05-11T00:00:00.000Z",
  "modified": "2026-05-28T00:00:00.000Z",
  "name": "Agent Threat Rules (ATR) STIX Extension",
  "description": "Defines the x-atr-rule custom STIX Domain Object for representing AI agent detection rules. Each x-atr-rule instance carries a deterministic rule identifier (e.g. ATR-2026-00548), one of ten attack-class categories (prompt-injection, tool-poisoning, context-exfiltration, agent-manipulation, privilege-escalation, excessive-autonomy, data-poisoning, model-abuse, model-security, skill-compromise), severity, the v1.1 detection method (pattern / signature / semantic / behavioral / trace), runtime profile (deterministic / assisted), method-specific detection payloads (signature_indicators, semantic_judge, trace_detection), adversarial probe bindings (probe_id_refs), and external mappings to OWASP LLM/Agentic/AST Top 10, MITRE ATLAS/ATT&CK, EU AI Act, NIST AI RMF, NIST CSF 2.0, ISO/IEC 42001, ETSI TS 104 223, and OSCAL assessment objectives. ATR rules are the open-source detection vocabulary published at github.com/Agent-Threat-Rule/agent-threat-rules under the MIT License, adopted as a MISP taxonomy (MISP/misp-taxonomies#323) and as a MISP galaxy (MISP/misp-galaxy#1207). This extension lets STIX consumers represent ATR rules natively in CTI pipelines without lossy translation through indicator or attack-pattern objects.",
  "schema": "https://raw.githubusercontent.com/Agent-Threat-Rule/agent-threat-rules/main/spec/stix-extension/x-atr-rule-schema.json",
  "version": "1.1.0",
  "extension_types": [
    "new-sdo"
  ],
  "external_references": [
    {
      "source_name": "agent-threat-rules",
      "description": "ATR canonical repository",
      "url": "https://github.com/Agent-Threat-Rule/agent-threat-rules"
    },
    {
      "source_name": "atr-spec",
      "description": "ATR Core Specification v1.0.0 (Draft)",
      "url": "https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/SPEC.md"
    },
    {
      "source_name": "atr-method-spec",
      "description": "ATR Method Extensions v1.1.0 (Draft) — five-plane detection model",
      "url": "https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/spec/atr-method-v1.1.md"
    },
    {
      "source_name": "misp-taxonomies",
      "description": "ATR MISP taxonomy adoption",
      "url": "https://github.com/MISP/misp-taxonomies/pull/323"
    },
    {
      "source_name": "misp-galaxy",
      "description": "ATR MISP galaxy adoption",
      "url": "https://github.com/MISP/misp-galaxy/pull/1207"
    },
    {
      "source_name": "stix-2.1",
      "description": "STIX 2.1 specification, Section 7.3 Extension Definition",
      "url": "https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html"
    },
    {
      "source_name": "openinference",
      "description": "OpenInference semantic conventions — the ingest format for trace-method rules per atr-method-v1.1.md §8.2",
      "url": "https://github.com/Arize-ai/openinference"
    }
  ]
}
