Showing:

Annotations
Attributes
Diagrams
Facets
Source
Used by
Main schema stix_core.xsd
Namespace http://stix.mitre.org/stix-1
Annotations
 
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element stix:STIX_Package
Namespace http://stix.mitre.org/stix-1
Annotations
 
The STIX_Package field contains a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.
Diagram
Diagram stix_core_xsd.tmp#STIXType_id stix_core_xsd.tmp#STIXType_idref stix_core_xsd.tmp#STIXType_version stix_core_xsd.tmp#STIXType_STIX_Header stix_core_xsd.tmp#STIXType_Observables stix_core_xsd.tmp#STIXType_Indicators stix_core_xsd.tmp#STIXType_TTPs stix_core_xsd.tmp#STIXType_Exploit_Targets stix_core_xsd.tmp#STIXType_Incidents stix_core_xsd.tmp#STIXType_Courses_Of_Action stix_core_xsd.tmp#STIXType_Campaigns stix_core_xsd.tmp#STIXType_Threat_Actors stix_core_xsd.tmp#STIXType
Type stix:STIXType
Children stix:Campaigns, stix:Courses_Of_Action, stix:Exploit_Targets, stix:Incidents, stix:Indicators, stix:Observables, stix:STIX_Header, stix:TTPs, stix:Threat_Actors
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this STIX Package.
idref xs:QName optional 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
version stix:STIXPackageVersionEnum optional 
Specifies the relevant STIX schema version for this content.
Source
 
<xs:element name="STIX_Package" type="stix:STIXType">
  <xs:annotation>
    <xs:documentation>The STIX_Package field contains a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:STIX_Header
Namespace http://stix.mitre.org/stix-1
Annotations
 
The STIX_Header field provides information characterizing this package of STIX content.
Diagram
Diagram stix_core_xsd.tmp#STIXHeaderType_Title stix_core_xsd.tmp#STIXHeaderType_Package_Intent stix_core_xsd.tmp#STIXHeaderType_Description stix_core_xsd.tmp#STIXHeaderType_Handling stix_core_xsd.tmp#STIXHeaderType_Information_Source stix_core_xsd.tmp#STIXHeaderType
Type stix:STIXHeaderType
Children stix:Description, stix:Handling, stix:Information_Source, stix:Package_Intent, stix:Title
Source
 
<xs:element name="STIX_Header" type="stix:STIXHeaderType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The STIX_Header field provides information characterizing this package of STIX content.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Title
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Title field provides a simple title for this STIX Package.
Diagram
Diagram
Type xs:string
Source
 
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for this STIX Package.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Package_Intent
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Package_Intent field characterizes the intended purpose or use for this package of STIX content.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Package_Intent" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Package_Intent field characterizes the intended purpose or use for this package of STIX content. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Description
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Description field provides a description of this package of STIX content.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides a description of this package of STIX content.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Handling
Namespace http://stix.mitre.org/stix-1
Annotations
 
Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.
Diagram
Diagram data_marking_xsd.tmp#MarkingType_Marking data_marking_xsd.tmp#MarkingType
Type marking:MarkingType
Children marking:Marking
Source
 
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Information_Source
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Contributors stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributors, stixCommon:Identity, stixCommon:References, stixCommon:Time, stixCommon:Tools
Source
 
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Observables
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber observables.
Diagram
Diagram cybox_core_xsd.tmp#ObservablesType_cybox_major_version cybox_core_xsd.tmp#ObservablesType_cybox_minor_version cybox_core_xsd.tmp#ObservablesType_cybox_update_version cybox_core_xsd.tmp#ObservablesType_Observable_Package_Source cybox_core_xsd.tmp#Observable cybox_core_xsd.tmp#ObservablesType_Pools cybox_core_xsd.tmp#ObservablesType
Type cybox:ObservablesType
Children cybox:Observable, cybox:Observable_Package_Source, cybox:Pools
Attributes
QName Type Use Annotation
cybox_major_version xs:string required 
The cybox_major_version field specifies the major version of the CybOX language utlized for this set of Observables.
cybox_minor_version xs:string required 
The cybox_minor_version field specifies the minor version of the CybOX language utlized for this set of Observables.
cybox_update_version xs:string optional 
The cybox_update_version field specifies the update version of the CybOX language utlized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
 
<xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber observables.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Indicators
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Indicators.
Diagram
Diagram stix_core_xsd.tmp#IndicatorsType_Indicator stix_core_xsd.tmp#IndicatorsType
Type stix:IndicatorsType
Children stix:Indicator
Source
 
<xs:element name="Indicators" type="stix:IndicatorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Indicators.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:IndicatorsType / stix:Indicator
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat Indicator.

This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.0/indicator.xsd.
Diagram
Diagram stix_common_xsd.tmp#IndicatorBaseType_id stix_common_xsd.tmp#IndicatorBaseType_idref stix_common_xsd.tmp#IndicatorBaseType
Type stixCommon:IndicatorBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a unique ID for this Indicator.
idref xs:QName optional 
Specifies a reference to the ID of an Indicator specified elsewhere.
Source
 
<xs:element name="Indicator" type="stixCommon:IndicatorBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat Indicator. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.0/indicator.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:TTPs
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.
Diagram
Diagram stix_core_xsd.tmp#TTPsType_TTP stix_core_xsd.tmp#TTPsType_Kill_Chains stix_core_xsd.tmp#TTPsType
Type stix:TTPsType
Children stix:Kill_Chains, stix:TTP
Source
 
<xs:element name="TTPs" type="stix:TTPsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:TTPsType / stix:TTP
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat adversary Tactic, Technique or Procedure.

This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.0/ttp.xsd.
Diagram
Diagram stix_common_xsd.tmp#TTPBaseType_id stix_common_xsd.tmp#TTPBaseType_idref stix_common_xsd.tmp#TTPBaseType
Type stixCommon:TTPBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this TTP item.
idref xs:QName optional 
Specifies a globally unique identifier of a TTP item specified elsewhere.
Source
 
<xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat adversary Tactic, Technique or Procedure. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.0/ttp.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:TTPsType / stix:Kill_Chains
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.
Diagram
Diagram stix_common_xsd.tmp#KillChainsType_Kill_Chain stix_common_xsd.tmp#KillChainsType
Type stixCommon:KillChainsType
Children stixCommon:Kill_Chain
Source
 
<xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Exploit_Targets
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more potential targets for exploitation.
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetsType_Exploit_Target stix_common_xsd.tmp#ExploitTargetsType
Type stixCommon:ExploitTargetsType
Children stixCommon:Exploit_Target
Source
 
<xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more potential targets for exploitation.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Incidents
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Incidents.
Diagram
Diagram stix_core_xsd.tmp#IncidentsType_Incident stix_core_xsd.tmp#IncidentsType
Type stix:IncidentsType
Children stix:Incident
Source
 
<xs:element name="Incidents" type="stix:IncidentsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Incidents.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:IncidentsType / stix:Incident
Namespace http://stix.mitre.org/stix-1
Annotations
 
Identifies or characterizes a single cyber threat Incident.

This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.0/incident.xsd.
Diagram
Diagram stix_common_xsd.tmp#IncidentBaseType_id stix_common_xsd.tmp#IncidentBaseType_idref stix_common_xsd.tmp#IncidentBaseType
Type stixCommon:IncidentBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this cyber threat Incident.
idref xs:QName optional 
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
Source
 
<xs:element name="Incident" type="stixCommon:IncidentBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a single cyber threat Incident. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.0/incident.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Courses_Of_Action
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes Courses of Action to be taken in regards to one of more cyber threats.
Diagram
Diagram stix_core_xsd.tmp#CoursesOfActionType_Course_Of_Action stix_core_xsd.tmp#CoursesOfActionType
Type stix:CoursesOfActionType
Children stix:Course_Of_Action
Source
 
<xs:element name="Courses_Of_Action" type="stix:CoursesOfActionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes Courses of Action to be taken in regards to one of more cyber threats.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:CoursesOfActionType / stix:Course_Of_Action
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats. 

This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.0/course_of_action.xsd.
Diagram
Diagram stix_common_xsd.tmp#CourseOfActionBaseType_id stix_common_xsd.tmp#CourseOfActionBaseType_idref stix_common_xsd.tmp#CourseOfActionBaseType
Type stixCommon:CourseOfActionBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this COA.
idref xs:QName optional 
Specifies a globally unique identifier of a COA specified elsewhere.
Source
 
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.0/course_of_action.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Campaigns
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Campaigns.
Diagram
Diagram stix_core_xsd.tmp#CampaignsType_Campaign stix_core_xsd.tmp#CampaignsType
Type stix:CampaignsType
Children stix:Campaign
Source
 
<xs:element name="Campaigns" type="stix:CampaignsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Campaigns.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:CampaignsType / stix:Campaign
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat Campaign.

This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.0/campaign.xsd.
Diagram
Diagram stix_common_xsd.tmp#CampaignBaseType_id stix_common_xsd.tmp#CampaignBaseType_idref stix_common_xsd.tmp#CampaignBaseType
Type stixCommon:CampaignBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this cyber threat Campaign.
idref xs:QName optional 
Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
Source
 
<xs:element name="Campaign" type="stixCommon:CampaignBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat Campaign. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.0/campaign.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Threat_Actors
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber Threat Actors.
Diagram
Diagram stix_core_xsd.tmp#ThreatActorsType_Threat_Actor stix_core_xsd.tmp#ThreatActorsType
Type stix:ThreatActorsType
Children stix:Threat_Actor
Source
 
<xs:element name="Threat_Actors" type="stix:ThreatActorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber Threat Actors.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:ThreatActorsType / stix:Threat_Actor
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber Threat Actor.

This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.0/threat_actor.xsd.
Diagram
Diagram stix_common_xsd.tmp#ThreatActorBaseType_id stix_common_xsd.tmp#ThreatActorBaseType_idref stix_common_xsd.tmp#ThreatActorBaseType
Type stixCommon:ThreatActorBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this ThreatActor.
idref xs:QName optional 
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
Source
 
<xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber Threat Actor. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.0/threat_actor.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type stix:STIXType
Namespace http://stix.mitre.org/stix-1
Annotations
 
STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.
Diagram
Diagram stix_core_xsd.tmp#STIXType_id stix_core_xsd.tmp#STIXType_idref stix_core_xsd.tmp#STIXType_version stix_core_xsd.tmp#STIXType_STIX_Header stix_core_xsd.tmp#STIXType_Observables stix_core_xsd.tmp#STIXType_Indicators stix_core_xsd.tmp#STIXType_TTPs stix_core_xsd.tmp#STIXType_Exploit_Targets stix_core_xsd.tmp#STIXType_Incidents stix_core_xsd.tmp#STIXType_Courses_Of_Action stix_core_xsd.tmp#STIXType_Campaigns stix_core_xsd.tmp#STIXType_Threat_Actors
Used by
Children stix:Campaigns, stix:Courses_Of_Action, stix:Exploit_Targets, stix:Incidents, stix:Indicators, stix:Observables, stix:STIX_Header, stix:TTPs, stix:Threat_Actors
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this STIX Package.
idref xs:QName optional 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
version stix:STIXPackageVersionEnum optional 
Specifies the relevant STIX schema version for this content.
Source
 
<xs:complexType name="STIXType">
  <xs:annotation>
    <xs:documentation>STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="STIX_Header" type="stix:STIXHeaderType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The STIX_Header field provides information characterizing this package of STIX content.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber observables.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Indicators" type="stix:IndicatorsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Indicators.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="TTPs" type="stix:TTPsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more potential targets for exploitation.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Incidents" type="stix:IncidentsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Incidents.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Courses_Of_Action" type="stix:CoursesOfActionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes Courses of Action to be taken in regards to one of more cyber threats.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Campaigns" type="stix:CampaignsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Campaigns.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Threat_Actors" type="stix:ThreatActorsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber Threat Actors.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this STIX Package.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="version" type="stix:STIXPackageVersionEnum">
    <xs:annotation>
      <xs:documentation>Specifies the relevant STIX schema version for this content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stix:STIXHeaderType
Namespace http://stix.mitre.org/stix-1
Annotations
 
The STIXHeaderType provides a structure for characterizing a package of STIX content.
Diagram
Diagram stix_core_xsd.tmp#STIXHeaderType_Title stix_core_xsd.tmp#STIXHeaderType_Package_Intent stix_core_xsd.tmp#STIXHeaderType_Description stix_core_xsd.tmp#STIXHeaderType_Handling stix_core_xsd.tmp#STIXHeaderType_Information_Source
Used by
Children stix:Description, stix:Handling, stix:Information_Source, stix:Package_Intent, stix:Title
Source
 
<xs:complexType name="STIXHeaderType">
  <xs:annotation>
    <xs:documentation>The STIXHeaderType provides a structure for characterizing a package of STIX content.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Title" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Title field provides a simple title for this STIX Package.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Package_Intent" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Package_Intent field characterizes the intended purpose or use for this package of STIX content. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides a description of this package of STIX content.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:IndicatorsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#IndicatorsType_Indicator
Used by
Children stix:Indicator
Source
 
<xs:complexType name="IndicatorsType">
  <xs:sequence>
    <xs:element name="Indicator" type="stixCommon:IndicatorBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat Indicator. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.0/indicator.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:TTPsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#TTPsType_TTP stix_core_xsd.tmp#TTPsType_Kill_Chains
Used by
Children stix:Kill_Chains, stix:TTP
Source
 
<xs:complexType name="TTPsType">
  <xs:sequence>
    <xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat adversary Tactic, Technique or Procedure. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.0/ttp.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:IncidentsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#IncidentsType_Incident
Used by
Children stix:Incident
Source
 
<xs:complexType name="IncidentsType">
  <xs:sequence>
    <xs:element name="Incident" type="stixCommon:IncidentBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Identifies or characterizes a single cyber threat Incident. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.0/incident.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:CoursesOfActionType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#CoursesOfActionType_Course_Of_Action
Used by
Children stix:Course_Of_Action
Source
 
<xs:complexType name="CoursesOfActionType">
  <xs:sequence>
    <xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.0/course_of_action.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:CampaignsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#CampaignsType_Campaign
Used by
Children stix:Campaign
Source
 
<xs:complexType name="CampaignsType">
  <xs:sequence>
    <xs:element name="Campaign" type="stixCommon:CampaignBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat Campaign. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.0/campaign.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:ThreatActorsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#ThreatActorsType_Threat_Actor
Used by
Children stix:Threat_Actor
Source
 
<xs:complexType name="ThreatActorsType">
  <xs:sequence>
    <xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber Threat Actor. This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.0/threat_actor.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Simple Type stix:STIXPackageVersionEnum
Namespace http://stix.mitre.org/stix-1
Annotations
 
An enumeration of all versions of STIX package types valid in the current release of STIX.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration 1.0
enumeration 1.0.1
Used by
Source
 
<xs:simpleType name="STIXPackageVersionEnum">
  <xs:annotation>
    <xs:documentation>An enumeration of all versions of STIX package types valid in the current release of STIX.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="1.0"/>
    <xs:enumeration value="1.0.1"/>
  </xs:restriction>
</xs:simpleType>
Attribute stix:STIXType / @id
Namespace No namespace
Annotations
 
Specifies a globally unique identifier for this STIX Package.
Type xs:QName
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this STIX Package.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stix:STIXType / @idref
Namespace No namespace
Annotations
 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
Type xs:QName
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stix:STIXType / @version
Namespace No namespace
Annotations
 
Specifies the relevant STIX schema version for this content.
Type stix:STIXPackageVersionEnum
Facets
enumeration 1.0
enumeration 1.0.1
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="version" type="stix:STIXPackageVersionEnum">
  <xs:annotation>
    <xs:documentation>Specifies the relevant STIX schema version for this content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
XML Schema documentation generated by ® XML Editor.