Showing:

Annotations
Attributes
Diagrams
Facets
Source
Used by
Main schema stix_core.xsd
Namespace http://stix.mitre.org/stix-1
Annotations
 
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element stix:STIX_Package
Namespace http://stix.mitre.org/stix-1
Annotations
 
The STIX_Package field contains a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.
Diagram
Diagram stix_core_xsd.tmp#STIXType_id stix_core_xsd.tmp#STIXType_idref stix_core_xsd.tmp#STIXType_timestamp stix_core_xsd.tmp#STIXType_version stix_core_xsd.tmp#STIXType_STIX_Header stix_core_xsd.tmp#STIXType_Observables stix_core_xsd.tmp#STIXType_Indicators stix_core_xsd.tmp#STIXType_TTPs stix_core_xsd.tmp#STIXType_Exploit_Targets stix_core_xsd.tmp#STIXType_Incidents stix_core_xsd.tmp#STIXType_Courses_Of_Action stix_core_xsd.tmp#STIXType_Campaigns stix_core_xsd.tmp#STIXType_Threat_Actors stix_core_xsd.tmp#STIXType_Reports stix_core_xsd.tmp#STIXType_Related_Packages stix_core_xsd.tmp#STIXType
Type stix:STIXType
Children stix:Campaigns, stix:Courses_Of_Action, stix:Exploit_Targets, stix:Incidents, stix:Indicators, stix:Observables, stix:Related_Packages, stix:Reports, stix:STIX_Header, stix:TTPs, stix:Threat_Actors
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this STIX Package.
idref xs:QName optional 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
version stix:STIXPackageVersionEnum optional 
Specifies the relevant STIX schema version for this content.
Source
 
<xs:element name="STIX_Package" type="stix:STIXType">
  <xs:annotation>
    <xs:documentation>The STIX_Package field contains a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:STIX_Header
Namespace http://stix.mitre.org/stix-1
Annotations
 
The STIX_Header field provides information characterizing this package of STIX content.
Diagram
Diagram stix_core_xsd.tmp#STIXHeaderType_Title stix_core_xsd.tmp#STIXHeaderType_Package_Intent stix_core_xsd.tmp#STIXHeaderType_Description stix_core_xsd.tmp#STIXHeaderType_Short_Description stix_core_xsd.tmp#STIXHeaderType_Profiles stix_core_xsd.tmp#STIXHeaderType_Handling stix_core_xsd.tmp#STIXHeaderType_Information_Source stix_core_xsd.tmp#STIXHeaderType
Type stix:STIXHeaderType
Children stix:Description, stix:Handling, stix:Information_Source, stix:Package_Intent, stix:Profiles, stix:Short_Description, stix:Title
Source
 
<xs:element name="STIX_Header" type="stix:STIXHeaderType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The STIX_Header field provides information characterizing this package of STIX content.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Title
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Title field provides a simple title for this STIX Package.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
Diagram
Diagram
Type xs:string
Source
 
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for this STIX Package.</xs:documentation>
    <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
    <xs:appinfo>
      <deprecated>true</deprecated>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Package_Intent
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Package_Intent field characterizes the intended purpose(s) or use(s) for this package of STIX content.
 
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional 
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional 
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
 
<xs:element name="Package_Intent" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Package_Intent field characterizes the intended purpose(s) or use(s) for this package of STIX content.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
    <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
    <xs:appinfo>
      <deprecated>true</deprecated>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Description
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Description field provides a description of this package of STIX content.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_id stix_common_xsd.tmp#StructuredTextType_ordinality stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional 
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Description field provides a description of this package of STIX content.</xs:documentation>
    <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
    <xs:appinfo>
      <deprecated>true</deprecated>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Short_Description
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Short_Description field provides a short description of this package of STIX content.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_id stix_common_xsd.tmp#StructuredTextType_ordinality stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional 
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Short_Description field provides a short description of this package of STIX content.</xs:documentation>
    <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
    <xs:appinfo>
      <deprecated>true</deprecated>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Profiles
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Profiles field provides a list of profiles that the STIX_Package conforms to.
Diagram
Diagram stix_common_xsd.tmp#ProfilesType_Profile stix_common_xsd.tmp#ProfilesType
Type stixCommon:ProfilesType
Children stixCommon:Profile
Source
 
<xs:element name="Profiles" type="stixCommon:ProfilesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Profiles field provides a list of profiles that the STIX_Package conforms to.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Handling
Namespace http://stix.mitre.org/stix-1
Annotations
 
Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.
Diagram
Diagram data_marking_xsd.tmp#MarkingType_Marking data_marking_xsd.tmp#MarkingType
Type marking:MarkingType
Children marking:Marking
Source
 
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXHeaderType / stix:Information_Source
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.
 
This Information_Source field applies both to the package metadata in the STIX_Header as well as individually to the contents of the STIX_Package (unless overriden by their own Information_Source field).
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
 
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.</xs:documentation>
    <xs:documentation>This Information_Source field applies both to the package metadata in the STIX_Header as well as individually to the contents of the STIX_Package (unless overriden by their own Information_Source field).</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Observables
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber observables.
 
DEPRECATION NOTICE: The use of the @idref attribute on observables at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Observables in this list should only be embedded, not referenced.
Diagram
Diagram cybox_core_xsd.tmp#ObservablesType_cybox_major_version cybox_core_xsd.tmp#ObservablesType_cybox_minor_version cybox_core_xsd.tmp#ObservablesType_cybox_update_version cybox_core_xsd.tmp#ObservablesType_Observable_Package_Source cybox_core_xsd.tmp#Observable cybox_core_xsd.tmp#ObservablesType_Pools cybox_core_xsd.tmp#ObservablesType
Type cybox:ObservablesType
Children cybox:Observable, cybox:Observable_Package_Source, cybox:Pools
Attributes
QName Type Use Annotation
cybox_major_version xs:string required 
The cybox_major_version field specifies the major version of the CybOX language utilized for this set of Observables.
cybox_minor_version xs:string required 
The cybox_minor_version field specifies the minor version of the CybOX language utilized for this set of Observables.
cybox_update_version xs:string optional 
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
 
<xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber observables.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on observables at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Observables in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Indicators
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Indicators.
 
DEPRECATION NOTICE: The use of the @idref attribute on indicators at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Indicators in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#IndicatorsType_Indicator stix_core_xsd.tmp#IndicatorsType
Type stix:IndicatorsType
Children stix:Indicator
Source
 
<xs:element name="Indicators" type="stix:IndicatorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Indicators.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on indicators at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Indicators in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:IndicatorsType / stix:Indicator
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat Indicator.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd.
Diagram
Diagram stix_common_xsd.tmp#IndicatorBaseType_id stix_common_xsd.tmp#IndicatorBaseType_idref stix_common_xsd.tmp#IndicatorBaseType_timestamp stix_common_xsd.tmp#IndicatorBaseType
Type stixCommon:IndicatorBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a unique ID for this Indicator.
idref xs:QName optional 
Specifies a reference to the ID of an Indicator specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="Indicator" type="stixCommon:IndicatorBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat Indicator.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:TTPs
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.
 
DEPRECATION NOTICE: The use of the @idref attribute on TTPs at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. TTPs in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#TTPsType_TTP stix_core_xsd.tmp#TTPsType_Kill_Chains stix_core_xsd.tmp#TTPsType
Type stix:TTPsType
Children stix:Kill_Chains, stix:TTP
Source
 
<xs:element name="TTPs" type="stix:TTPsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on TTPs at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. TTPs in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:TTPsType / stix:TTP
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat adversary Tactic, Technique or Procedure.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd.
Diagram
Diagram stix_common_xsd.tmp#TTPBaseType_id stix_common_xsd.tmp#TTPBaseType_idref stix_common_xsd.tmp#TTPBaseType_timestamp stix_common_xsd.tmp#TTPBaseType
Type stixCommon:TTPBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this TTP item.
idref xs:QName optional 
Specifies a globally unique identifier of a TTP item specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat adversary Tactic, Technique or Procedure.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:TTPsType / stix:Kill_Chains
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.
Diagram
Diagram stix_common_xsd.tmp#KillChainsType_Kill_Chain stix_common_xsd.tmp#KillChainsType
Type stixCommon:KillChainsType
Children stixCommon:Kill_Chain
Source
 
<xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Exploit_Targets
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more potential targets for exploitation.
 
DEPRECATION NOTICE: The use of the @idref attribute on exploit targets at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Exploit targets in this list should only be embedded, not referenced.
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetsType_Exploit_Target stix_common_xsd.tmp#ExploitTargetsType
Type stixCommon:ExploitTargetsType
Children stixCommon:Exploit_Target
Source
 
<xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more potential targets for exploitation.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on exploit targets at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Exploit targets in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Incidents
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Incidents.
 
DEPRECATION NOTICE: The use of the @idref attribute on incidents at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Incidents in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#IncidentsType_Incident stix_core_xsd.tmp#IncidentsType
Type stix:IncidentsType
Children stix:Incident
Source
 
<xs:element name="Incidents" type="stix:IncidentsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Incidents.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on incidents at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Incidents in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:IncidentsType / stix:Incident
Namespace http://stix.mitre.org/stix-1
Annotations
 
Identifies or characterizes a single cyber threat Incident.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.
Diagram
Diagram stix_common_xsd.tmp#IncidentBaseType_id stix_common_xsd.tmp#IncidentBaseType_idref stix_common_xsd.tmp#IncidentBaseType_timestamp stix_common_xsd.tmp#IncidentBaseType
Type stixCommon:IncidentBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this cyber threat Incident.
idref xs:QName optional 
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="Incident" type="stixCommon:IncidentBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a single cyber threat Incident.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Courses_Of_Action
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes Courses of Action to be taken in regards to one of more cyber threats.
 
DEPRECATION NOTICE: The use of the @idref attribute on courses of action at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Courses of action in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#CoursesOfActionType_Course_Of_Action stix_core_xsd.tmp#CoursesOfActionType
Type stix:CoursesOfActionType
Children stix:Course_Of_Action
Source
 
<xs:element name="Courses_Of_Action" type="stix:CoursesOfActionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes Courses of Action to be taken in regards to one of more cyber threats.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on courses of action at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Courses of action in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:CoursesOfActionType / stix:Course_Of_Action
Namespace http://stix.mitre.org/stix-1
Annotations
 
The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd.
Diagram
Diagram stix_common_xsd.tmp#CourseOfActionBaseType_id stix_common_xsd.tmp#CourseOfActionBaseType_idref stix_common_xsd.tmp#CourseOfActionBaseType_timestamp stix_common_xsd.tmp#CourseOfActionBaseType
Type stixCommon:CourseOfActionBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this COA.
idref xs:QName optional 
Specifies a globally unique identifier of a COA specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Campaigns
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Campaigns.
 
DEPRECATION NOTICE: The use of the @idref attribute on campaigns at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Campaigns in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#CampaignsType_Campaign stix_core_xsd.tmp#CampaignsType
Type stix:CampaignsType
Children stix:Campaign
Source
 
<xs:element name="Campaigns" type="stix:CampaignsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Campaigns.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on campaigns at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Campaigns in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:CampaignsType / stix:Campaign
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat Campaign.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd.
Diagram
Diagram stix_common_xsd.tmp#CampaignBaseType_id stix_common_xsd.tmp#CampaignBaseType_idref stix_common_xsd.tmp#CampaignBaseType_timestamp stix_common_xsd.tmp#CampaignBaseType
Type stixCommon:CampaignBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this cyber threat Campaign.
idref xs:QName optional 
Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the  Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="Campaign" type="stixCommon:CampaignBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat Campaign.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Threat_Actors
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber Threat Actors.
 
DEPRECATION NOTICE: The use of the @idref attribute on threat actors at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Threat actors in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#ThreatActorsType_Threat_Actor stix_core_xsd.tmp#ThreatActorsType
Type stix:ThreatActorsType
Children stix:Threat_Actor
Source
 
<xs:element name="Threat_Actors" type="stix:ThreatActorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber Threat Actors.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on threat actors at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Threat actors in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:ThreatActorsType / stix:Threat_Actor
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber Threat Actor.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd.
Diagram
Diagram stix_common_xsd.tmp#ThreatActorBaseType_id stix_common_xsd.tmp#ThreatActorBaseType_idref stix_common_xsd.tmp#ThreatActorBaseType_timestamp stix_common_xsd.tmp#ThreatActorBaseType
Type stixCommon:ThreatActorBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this ThreatActor.
idref xs:QName optional 
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber Threat Actor.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Reports
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes one or more cyber threat Reports.
 
DEPRECATION NOTICE: The use of the @idref attribute on reports at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Reports in this list should only be embedded, not referenced.
Diagram
Diagram stix_core_xsd.tmp#ReportsType_Report stix_core_xsd.tmp#ReportsType
Type stix:ReportsType
Children stix:Report
Source
 
<xs:element name="Reports" type="stix:ReportsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes one or more cyber threat Reports.</xs:documentation>
    <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on reports at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Reports in this list should only be embedded, not referenced.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:ReportsType / stix:Report
Namespace http://stix.mitre.org/stix-1
Annotations
 
Characterizes a single cyber threat Report.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ReportType in the http://stix.mitre.org/Report-1 namespace. This type is defined in the report.xsd file or at the URL http://stix.mitre.org/XMLSchema/report/1.2/report.xsd.
Diagram
Diagram stix_common_xsd.tmp#ReportBaseType_id stix_common_xsd.tmp#ReportBaseType_idref stix_common_xsd.tmp#ReportBaseType_timestamp stix_common_xsd.tmp#ReportBaseType
Type stixCommon:ReportBaseType
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this Report.
idref xs:QName optional 
Specifies a globally unique identifier of a Report specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this Report should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a Report. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Report. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Report defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
 
<xs:element name="Report" type="stixCommon:ReportBaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Characterizes a single cyber threat Report.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ReportType in the http://stix.mitre.org/Report-1 namespace. This type is defined in the report.xsd file or at the URL http://stix.mitre.org/XMLSchema/report/1.2/report.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stix:STIXType / stix:Related_Packages
Namespace http://stix.mitre.org/stix-1
Annotations
Diagram
Type stix:RelatedPackagesType
Type hierarchy
Children stix:Related_Package
Attributes
Source
Element stix:RelatedPackagesType / stix:Related_Package
Namespace http://stix.mitre.org/stix-1
Annotations
Diagram
Type stix:RelatedPackageType
Type hierarchy
Children stix:Package, stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Source
Element stix:RelatedPackageType / stix:Package
Namespace http://stix.mitre.org/stix-1
Annotations
 
A reference to or representation of the related Package.
 
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.
Diagram
Diagram stix_core_xsd.tmp#STIXType_id stix_core_xsd.tmp#STIXType_idref stix_core_xsd.tmp#STIXType_timestamp stix_core_xsd.tmp#STIXType_version stix_core_xsd.tmp#STIXType_STIX_Header stix_core_xsd.tmp#STIXType_Observables stix_core_xsd.tmp#STIXType_Indicators stix_core_xsd.tmp#STIXType_TTPs stix_core_xsd.tmp#STIXType_Exploit_Targets stix_core_xsd.tmp#STIXType_Incidents stix_core_xsd.tmp#STIXType_Courses_Of_Action stix_core_xsd.tmp#STIXType_Campaigns stix_core_xsd.tmp#STIXType_Threat_Actors stix_core_xsd.tmp#STIXType_Reports stix_core_xsd.tmp#STIXType_Related_Packages stix_core_xsd.tmp#STIXType
Type stix:STIXType
Children stix:Campaigns, stix:Courses_Of_Action, stix:Exploit_Targets, stix:Incidents, stix:Indicators, stix:Observables, stix:Related_Packages, stix:Reports, stix:STIX_Header, stix:TTPs, stix:Threat_Actors
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this STIX Package.
idref xs:QName optional 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
version stix:STIXPackageVersionEnum optional 
Specifies the relevant STIX schema version for this content.
Source
 
<xs:element name="Package" type="stix:STIXType">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related Package.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type stix:STIXType
Namespace http://stix.mitre.org/stix-1
Annotations
 
STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.
Diagram
Diagram stix_core_xsd.tmp#STIXType_id stix_core_xsd.tmp#STIXType_idref stix_core_xsd.tmp#STIXType_timestamp stix_core_xsd.tmp#STIXType_version stix_core_xsd.tmp#STIXType_STIX_Header stix_core_xsd.tmp#STIXType_Observables stix_core_xsd.tmp#STIXType_Indicators stix_core_xsd.tmp#STIXType_TTPs stix_core_xsd.tmp#STIXType_Exploit_Targets stix_core_xsd.tmp#STIXType_Incidents stix_core_xsd.tmp#STIXType_Courses_Of_Action stix_core_xsd.tmp#STIXType_Campaigns stix_core_xsd.tmp#STIXType_Threat_Actors stix_core_xsd.tmp#STIXType_Reports stix_core_xsd.tmp#STIXType_Related_Packages
Used by
Children stix:Campaigns, stix:Courses_Of_Action, stix:Exploit_Targets, stix:Incidents, stix:Indicators, stix:Observables, stix:Related_Packages, stix:Reports, stix:STIX_Header, stix:TTPs, stix:Threat_Actors
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this STIX Package.
idref xs:QName optional 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
version stix:STIXPackageVersionEnum optional 
Specifies the relevant STIX schema version for this content.
Source
 
<xs:complexType name="STIXType">
  <xs:annotation>
    <xs:documentation>STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="STIX_Header" type="stix:STIXHeaderType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The STIX_Header field provides information characterizing this package of STIX content.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber observables.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on observables at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Observables in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Indicators" type="stix:IndicatorsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Indicators.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on indicators at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Indicators in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="TTPs" type="stix:TTPsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on TTPs at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. TTPs in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more potential targets for exploitation.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on exploit targets at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Exploit targets in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Incidents" type="stix:IncidentsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Incidents.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on incidents at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Incidents in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Courses_Of_Action" type="stix:CoursesOfActionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes Courses of Action to be taken in regards to one of more cyber threats.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on courses of action at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Courses of action in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Campaigns" type="stix:CampaignsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Campaigns.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on campaigns at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Campaigns in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Threat_Actors" type="stix:ThreatActorsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber Threat Actors.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on threat actors at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Threat actors in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Reports" type="stix:ReportsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more cyber threat Reports.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on reports at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Reports in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Related_Packages" type="stix:RelatedPackagesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Characterizes one or more relationships to other Packages.</xs:documentation>
        <xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on related packages is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Related packages in this list should only be embedded, not referenced.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this STIX Package.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.</xs:documentation>
      <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
      <xs:appinfo>
        <deprecated>true</deprecated>
      </xs:appinfo>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
      <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
      <xs:appinfo>
        <deprecated>true</deprecated>
      </xs:appinfo>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="version" type="stix:STIXPackageVersionEnum">
    <xs:annotation>
      <xs:documentation>Specifies the relevant STIX schema version for this content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stix:STIXHeaderType
Namespace http://stix.mitre.org/stix-1
Annotations
 
The STIXHeaderType provides a structure for characterizing a package of STIX content.
Diagram
Diagram stix_core_xsd.tmp#STIXHeaderType_Title stix_core_xsd.tmp#STIXHeaderType_Package_Intent stix_core_xsd.tmp#STIXHeaderType_Description stix_core_xsd.tmp#STIXHeaderType_Short_Description stix_core_xsd.tmp#STIXHeaderType_Profiles stix_core_xsd.tmp#STIXHeaderType_Handling stix_core_xsd.tmp#STIXHeaderType_Information_Source
Used by
Children stix:Description, stix:Handling, stix:Information_Source, stix:Package_Intent, stix:Profiles, stix:Short_Description, stix:Title
Source
 
<xs:complexType name="STIXHeaderType">
  <xs:annotation>
    <xs:documentation>The STIXHeaderType provides a structure for characterizing a package of STIX content.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Title" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Title field provides a simple title for this STIX Package.</xs:documentation>
        <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
        <xs:appinfo>
          <deprecated>true</deprecated>
        </xs:appinfo>
      </xs:annotation>
    </xs:element>
    <xs:element name="Package_Intent" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Package_Intent field characterizes the intended purpose(s) or use(s) for this package of STIX content.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
        <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
        <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
        <xs:appinfo>
          <deprecated>true</deprecated>
        </xs:appinfo>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Description field provides a description of this package of STIX content.</xs:documentation>
        <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
        <xs:appinfo>
          <deprecated>true</deprecated>
        </xs:appinfo>
      </xs:annotation>
    </xs:element>
    <xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Short_Description field provides a short description of this package of STIX content.</xs:documentation>
        <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
        <xs:appinfo>
          <deprecated>true</deprecated>
        </xs:appinfo>
      </xs:annotation>
    </xs:element>
    <xs:element name="Profiles" type="stixCommon:ProfilesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Profiles field provides a list of profiles that the STIX_Package conforms to.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.</xs:documentation>
        <xs:documentation>This Information_Source field applies both to the package metadata in the STIX_Header as well as individually to the contents of the STIX_Package (unless overriden by their own Information_Source field).</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:IndicatorsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#IndicatorsType_Indicator
Used by
Children stix:Indicator
Source
 
<xs:complexType name="IndicatorsType">
  <xs:sequence>
    <xs:element name="Indicator" type="stixCommon:IndicatorBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat Indicator.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:TTPsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#TTPsType_TTP stix_core_xsd.tmp#TTPsType_Kill_Chains
Used by
Children stix:Kill_Chains, stix:TTP
Source
 
<xs:complexType name="TTPsType">
  <xs:sequence>
    <xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat adversary Tactic, Technique or Procedure.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:IncidentsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#IncidentsType_Incident
Used by
Children stix:Incident
Source
 
<xs:complexType name="IncidentsType">
  <xs:sequence>
    <xs:element name="Incident" type="stixCommon:IncidentBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Identifies or characterizes a single cyber threat Incident.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:CoursesOfActionType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#CoursesOfActionType_Course_Of_Action
Used by
Children stix:Course_Of_Action
Source
 
<xs:complexType name="CoursesOfActionType">
  <xs:sequence>
    <xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:CampaignsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#CampaignsType_Campaign
Used by
Children stix:Campaign
Source
 
<xs:complexType name="CampaignsType">
  <xs:sequence>
    <xs:element name="Campaign" type="stixCommon:CampaignBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat Campaign.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:ThreatActorsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#ThreatActorsType_Threat_Actor
Used by
Children stix:Threat_Actor
Source
 
<xs:complexType name="ThreatActorsType">
  <xs:sequence>
    <xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber Threat Actor.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:ReportsType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_core_xsd.tmp#ReportsType_Report
Used by
Children stix:Report
Source
 
<xs:complexType name="ReportsType">
  <xs:sequence>
    <xs:element name="Report" type="stixCommon:ReportBaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Characterizes a single cyber threat Report.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ReportType in the http://stix.mitre.org/Report-1 namespace. This type is defined in the report.xsd file or at the URL http://stix.mitre.org/XMLSchema/report/1.2/report.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stix:RelatedPackagesType
Namespace http://stix.mitre.org/stix-1
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType stix_core_xsd.tmp#RelatedPackagesType_Related_Package
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children stix:Related_Package
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:complexType name="RelatedPackagesType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Related_Package" type="stix:RelatedPackageType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>Characterizes a single relationship to another Package.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stix:RelatedPackageType
Namespace http://stix.mitre.org/stix-1
Annotations
 
Identifies or characterizes a relationship to a Package.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_core_xsd.tmp#RelatedPackageType_Package
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stix:Package, stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Source
 
<xs:complexType name="RelatedPackageType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a Package.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Package" type="stix:STIXType">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related Package.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Simple Type stix:STIXPackageVersionEnum
Namespace http://stix.mitre.org/stix-1
Annotations
 
An enumeration of all versions of STIX package types valid in the current release of STIX.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration 1.0
enumeration 1.0.1
enumeration 1.1
enumeration 1.1.1
enumeration 1.2
Used by
Source
 
<xs:simpleType name="STIXPackageVersionEnum">
  <xs:annotation>
    <xs:documentation>An enumeration of all versions of STIX package types valid in the current release of STIX.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="1.0"/>
    <xs:enumeration value="1.0.1"/>
    <xs:enumeration value="1.1"/>
    <xs:enumeration value="1.1.1"/>
    <xs:enumeration value="1.2"/>
  </xs:restriction>
</xs:simpleType>
Attribute stix:STIXType / @id
Namespace No namespace
Annotations
 
Specifies a globally unique identifier for this STIX Package.
Type xs:QName
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this STIX Package.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stix:STIXType / @idref
Namespace No namespace
Annotations
 
Specifies a globally unique identifier of a STIX Package specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
Type xs:QName
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.</xs:documentation>
    <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
    <xs:appinfo>
      <deprecated>true</deprecated>
    </xs:appinfo>
  </xs:annotation>
</xs:attribute>
Attribute stix:STIXType / @timestamp
Namespace No namespace
Annotations
 
Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
 
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
Type xs:dateTime
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
    <xs:appinfo>
      <deprecated>true</deprecated>
    </xs:appinfo>
  </xs:annotation>
</xs:attribute>
Attribute stix:STIXType / @version
Namespace No namespace
Annotations
 
Specifies the relevant STIX schema version for this content.
Type stix:STIXPackageVersionEnum
Facets
enumeration 1.0
enumeration 1.0.1
enumeration 1.1
enumeration 1.1.1
enumeration 1.2
Used by
Complex Type stix:STIXType
Source
 
<xs:attribute name="version" type="stix:STIXPackageVersionEnum">
  <xs:annotation>
    <xs:documentation>Specifies the relevant STIX schema version for this content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
XML Schema documentation generated by ® XML Editor.