This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Complex Type stixVocabs:ReportIntentVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
<xs:complexType name="ReportIntentVocab-1.0"><xs:annotation><xs:documentation>The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ReportIntentEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Report Intent Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ReportIntentVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ReportIntentEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for a report intent in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
Collective Threat Intelligence
Report is intended to describe a broad characterization of a threat across multiple facets.
enumeration
Threat Report
Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.
enumeration
Indicators
Report is intended to describe mainly indicators.
enumeration
Indicators - Phishing
Report is intended to describe mainly phishing indicators.
enumeration
Indicators - Watchlist
Report is intended to describe mainly network watchlist indicators.
enumeration
Indicators - Malware Artifacts
Report is intended to describe mainly malware artifact indicators.
enumeration
Indicators - Network Activity
Report is intended to describe mainly network activity indicators.
enumeration
Indicators - Endpoint Characteristics
Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.
enumeration
Campaign Characterization
Report is intended to describe mainly a characterization of one or more campaigns.
enumeration
Threat Actor Characterization
Report is intended to describe mainly a characterization of one or more threat actors.
enumeration
Exploit Characterization
Report is intended to describe mainly a characterization of one or more exploits.
enumeration
Attack Pattern Characterization
Report is intended to describe mainly a characterization of one or more attack patterns.
enumeration
Malware Characterization
Report is intended to describe mainly a characterization of one or more malware instances.
enumeration
TTP - Infrastructure
Report is intended to describe mainly a characterization of attacker infrastructure.
enumeration
TTP - Tools
Report is intended to describe mainly a characterization of attacker tools.
enumeration
Courses of Action
Report is intended to describe mainly a set of courses of action.
enumeration
Incident
Report is intended to describe mainly information about one or more incidents.
enumeration
Observations
Report is intended to describe mainly information about instantial observations (cyber observables).
enumeration
Observations - Email
Report is intended to describe mainly information about instantial email observations (email cyber observables).
enumeration
Malware Samples
Report is intended to describe a set of malware samples.
Source
<xs:simpleType name="ReportIntentEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for a report intent in STIX.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Collective Threat Intelligence"><xs:annotation><xs:documentation>Report is intended to describe a broad characterization of a threat across multiple facets.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Report"><xs:annotation><xs:documentation>Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators"><xs:annotation><xs:documentation>Report is intended to describe mainly indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Phishing"><xs:annotation><xs:documentation>Report is intended to describe mainly phishing indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Watchlist"><xs:annotation><xs:documentation>Report is intended to describe mainly network watchlist indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Malware Artifacts"><xs:annotation><xs:documentation>Report is intended to describe mainly malware artifact indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Network Activity"><xs:annotation><xs:documentation>Report is intended to describe mainly network activity indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Endpoint Characteristics"><xs:annotation><xs:documentation>Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Campaign Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more campaigns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Actor Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more threat actors.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exploit Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more exploits.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Attack Pattern Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more attack patterns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more malware instances.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Infrastructure"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of attacker infrastructure.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Tools"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of attacker tools.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Courses of Action"><xs:annotation><xs:documentation>Report is intended to describe mainly a set of courses of action.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident"><xs:annotation><xs:documentation>Report is intended to describe mainly information about one or more incidents.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations"><xs:annotation><xs:documentation>Report is intended to describe mainly information about instantial observations (cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations - Email"><xs:annotation><xs:documentation>Report is intended to describe mainly information about instantial email observations (email cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Samples"><xs:annotation><xs:documentation>Report is intended to describe a set of malware samples.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:PackageIntentVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The PackageIntentVocab is the default STIX vocabulary for Package Intent.
NOTE: As of STIX Version 1.2, the PackageIntentVocab is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentVocab-1.0 instead.
<xs:complexType name="PackageIntentVocab-1.0"><xs:annotation><xs:documentation>The PackageIntentVocab is the default STIX vocabulary for Package Intent.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.2, the PackageIntentVocab is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentVocab-1.0 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:PackageIntentEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Package Intent Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#PackageIntentVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:PackageIntentEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for a package intent in STIX.
NOTE: As of STIX Version 1.2, the PackageIntentEnum is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentEnum-1.0 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Collective Threat Intelligence
Package is intended to convey a broad characterization of a threat across multiple facets.
enumeration
Threat Report
Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report.
enumeration
Indicators
Package is intended to convey mainly indicators.
enumeration
Indicators - Phishing
Package is intended to convey mainly phishing indicators.
enumeration
Indicators - Watchlist
Package is intended to convey mainly network watchlist indicators.
enumeration
Indicators - Malware Artifacts
Package is intended to convey mainly malware artifact indicators.
enumeration
Indicators - Network Activity
Package is intended to convey mainly network activity indicators.
enumeration
Indicators - Endpoint Characteristics
Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.
enumeration
Campaign Characterization
Package is intended to convey mainly a characterization of one or more campaigns.
enumeration
Threat Actor Characterization
Package is intended to convey mainly a characterization of one or more threat actors.
enumeration
Exploit Characterization
Package is intended to convey mainly a characterization of one or more exploits.
enumeration
Attack Pattern Characterization
Package is intended to convey mainly a characterization of one or more attack patterns.
enumeration
Malware Characterization
Package is intended to convey mainly a characterization of one or more malware instances.
enumeration
TTP - Infrastructure
Package is intended to convey mainly a characterization of attacker infrastructure.
enumeration
TTP - Tools
Package is intended to convey mainly a characterization of attacker tools.
enumeration
Courses of Action
Package is intended to convey mainly a set of courses of action.
enumeration
Incident
Package is intended to convey mainly information about one or more incidents.
enumeration
Observations
Package is intended to convey mainly information about instantial observations (cyber observables).
enumeration
Observations - Email
Package is intended to convey mainly information about instantial email observations (email cyber observables).
enumeration
Malware Samples
Package is intended to convey a set of malware samples.
Source
<xs:simpleType name="PackageIntentEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for a package intent in STIX.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.2, the PackageIntentEnum is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentEnum-1.0 instead.</xs:documentation><xs:appinfo><version>1.0</version><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Collective Threat Intelligence"><xs:annotation><xs:documentation>Package is intended to convey a broad characterization of a threat across multiple facets.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Report"><xs:annotation><xs:documentation>Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators"><xs:annotation><xs:documentation>Package is intended to convey mainly indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Phishing"><xs:annotation><xs:documentation>Package is intended to convey mainly phishing indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Watchlist"><xs:annotation><xs:documentation>Package is intended to convey mainly network watchlist indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Malware Artifacts"><xs:annotation><xs:documentation>Package is intended to convey mainly malware artifact indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Network Activity"><xs:annotation><xs:documentation>Package is intended to convey mainly network activity indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Endpoint Characteristics"><xs:annotation><xs:documentation>Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Campaign Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more campaigns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Actor Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more threat actors.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exploit Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more exploits.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Attack Pattern Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more attack patterns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more malware instances.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Infrastructure"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of attacker infrastructure.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Tools"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of attacker tools.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Courses of Action"><xs:annotation><xs:documentation>Package is intended to convey mainly a set of courses of action.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident"><xs:annotation><xs:documentation>Package is intended to convey mainly information about one or more incidents.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations"><xs:annotation><xs:documentation>Package is intended to convey mainly information about instantial observations (cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations - Email"><xs:annotation><xs:documentation>Package is intended to convey mainly information about instantial email observations (email cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Samples"><xs:annotation><xs:documentation>Package is intended to convey a set of malware samples.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:HighMediumLowVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The HighMediumLowVocab is the default STIX vocabulary for expressing basic values that may be high, medium, low, none, or unknown.
<xs:complexType name="HighMediumLowVocab-1.0"><xs:annotation><xs:documentation>The HighMediumLowVocab is the default STIX vocabulary for expressing basic values that may be high, medium, low, none, or unknown.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:HighMediumLowEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default High/Medium/Low Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#HighMediumLowVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:HighMediumLowEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for expressing a high/medium/low statement in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
High
enumeration
Medium
enumeration
Low
enumeration
None
enumeration
Unknown
Source
<xs:simpleType name="HighMediumLowEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for expressing a high/medium/low statement in STIX.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="High"/><xs:enumeration value="Medium"/><xs:enumeration value="Low"/><xs:enumeration value="None"/><xs:enumeration value="Unknown"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MalwareTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MalwareTypeVocab is the default STIX vocabulary for expressing types of malware instances. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
<xs:complexType name="MalwareTypeVocab-1.0"><xs:annotation><xs:documentation>The MalwareTypeVocab is the default STIX vocabulary for expressing types of malware instances. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MalwareTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Malware Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MalwareTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MalwareTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of malware types to use for characterizing a malware instance in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
Automated Transfer Scripts
enumeration
Adware
enumeration
Dialer
enumeration
Bot
enumeration
Bot - Credential Theft
enumeration
Bot - DDoS
enumeration
Bot - Loader
enumeration
Bot - Spam
enumeration
DoS / DDoS
enumeration
DoS / DDoS - Participatory
enumeration
DoS / DDoS - Script
enumeration
DoS / DDoS - Stress Test Tools
enumeration
Exploit Kits
enumeration
POS / ATM Malware
enumeration
Ransomware
enumeration
Remote Access Trojan
enumeration
Rogue Antivirus
enumeration
Rootkit
Source
<xs:simpleType name="MalwareTypeEnum-1.0"><xs:annotation><xs:documentation>The default set of malware types to use for characterizing a malware instance in STIX.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Automated Transfer Scripts"/><xs:enumeration value="Adware"/><xs:enumeration value="Dialer"/><xs:enumeration value="Bot"/><xs:enumeration value="Bot - Credential Theft"/><xs:enumeration value="Bot - DDoS"/><xs:enumeration value="Bot - Loader"/><xs:enumeration value="Bot - Spam"/><xs:enumeration value="DoS / DDoS"/><xs:enumeration value="DoS / DDoS - Participatory"/><xs:enumeration value="DoS / DDoS - Script"/><xs:enumeration value="DoS / DDoS - Stress Test Tools"/><xs:enumeration value="Exploit Kits"/><xs:enumeration value="POS / ATM Malware"/><xs:enumeration value="Ransomware"/><xs:enumeration value="Remote Access Trojan"/><xs:enumeration value="Rogue Antivirus"/><xs:enumeration value="Rootkit"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IndicatorTypeVocab-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
<xs:complexType name="IndicatorTypeVocab-1.1"><xs:annotation><xs:documentation>The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IndicatorTypeEnum-1.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Indicator Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IndicatorTypeVocab-1.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IndicatorTypeEnum-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of Indicator types to use for characterizing Indicators in STIX.
Indicator describes a compromised PKI Certificate.
enumeration
Login Name
Indicator describes a compromised Login Name.
enumeration
IMEI Watchlist
Indicator describes a watchlist for IMEI (handset) identifiers.
enumeration
IMSI Watchlist
Indicator describes a watchlist for IMSI (SIM card) identifiers.
Source
<xs:simpleType name="IndicatorTypeEnum-1.1"><xs:annotation><xs:documentation>The default set of Indicator types to use for characterizing Indicators in STIX.</xs:documentation><xs:appinfo><version>1.1</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Malicious E-mail"><xs:annotation><xs:documentation>Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IP Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious IP addresses or IP blocks.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="File Hash Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of hashes for suspected malicious files.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Domain Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious domains.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="URL Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious URLS.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Artifacts"><xs:annotation><xs:documentation>Indicator describes the effects of suspected malware.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="C2"><xs:annotation><xs:documentation>Indicator describes suspected command and control activity or static indications.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Anonymization"><xs:annotation><xs:documentation>Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exfiltration"><xs:annotation><xs:documentation>Indicator describes suspected exfiltration techniques or behavior.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Host Characteristics"><xs:annotation><xs:documentation>Indicator describes suspected malicious host characteristics.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Compromised PKI Certificate"><xs:annotation><xs:documentation>Indicator describes a compromised PKI Certificate.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Login Name"><xs:annotation><xs:documentation>Indicator describes a compromised Login Name.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IMEI Watchlist"><xs:annotation><xs:documentation>Indicator describes a watchlist for IMEI (handset) identifiers.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IMSI Watchlist"><xs:annotation><xs:documentation>Indicator describes a watchlist for IMSI (SIM card) identifiers.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IndicatorTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
NOTE: As of STIX Version 1.1, this version of the IndicatorTypeVocab is deprecated. Please use IndicatorTypeVocab-1.1 instead.
<xs:complexType name="IndicatorTypeVocab-1.0"><xs:annotation><xs:documentation>The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the IndicatorTypeVocab is deprecated. Please use IndicatorTypeVocab-1.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IndicatorTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Indicator Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IndicatorTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IndicatorTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of Indicator types to use for characterizing Indicators in STIX.
NOTE: As of STIX Version 1.1, this version of the IndicatorTypeEnum is deprecated. Please use IndicatorTypeEnum-1.1 instead.
<xs:simpleType name="IndicatorTypeEnum-1.0"><xs:annotation><xs:documentation>The default set of Indicator types to use for characterizing Indicators in STIX.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the IndicatorTypeEnum is deprecated. Please use IndicatorTypeEnum-1.1 instead.</xs:documentation><xs:appinfo><version>1.0</version><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Malicious E-mail"><xs:annotation><xs:documentation>Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IP Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious IP addresses or IP blocks.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="File Hash Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of hashes for suspected malicious files.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Domain Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious domains.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="URL Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious URLS.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Artifacts"><xs:annotation><xs:documentation>Indicator describes the effects of suspected malware.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="C2"><xs:annotation><xs:documentation>Indicator describes suspected command and control activity or static indications.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Anonymization"><xs:annotation><xs:documentation>Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exfiltration"><xs:annotation><xs:documentation>Indicator describes suspected exfiltration techniques or behavior.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Host Characteristics"><xs:annotation><xs:documentation>Indicator describes suspected malicious host characteristics.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:COAStageVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The COAStageVocab is the default STIX vocabulary for expressing the stages of the threat management lifecycle that a COA is applicable to.
<xs:complexType name="COAStageVocab-1.0"><xs:annotation><xs:documentation>The COAStageVocab is the default STIX vocabulary for expressing the stages of the threat management lifecycle that a COA is applicable to.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:COAStageEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default COA Stages Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#COAStageVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:COAStageEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of stages of the threat management lifecycle that a COA may be applicable to.
Diagram
Type
restriction of xs:string
Facets
enumeration
Remedy
This COA is applicable to the "Remedy" stage of the threat management lifecycle, meaning it may be applied proactively to prevent future threats.
enumeration
Response
This COA is applicable to the "Response" stage of the threat management lifecycle, meaning it may be applied as an immediate reaction to an ongoing threat.
Source
<xs:simpleType name="COAStageEnum-1.0"><xs:annotation><xs:documentation>The default set of stages of the threat management lifecycle that a COA may be applicable to.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Remedy"><xs:annotation><xs:documentation>This COA is applicable to the "Remedy" stage of the threat management lifecycle, meaning it may be applied proactively to prevent future threats.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Response"><xs:annotation><xs:documentation>This COA is applicable to the "Response" stage of the threat management lifecycle, meaning it may be applied as an immediate reaction to an ongoing threat.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:CampaignStatusVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The CampaignStatusVocab is the default STIX vocabulary for expressing the status of a campaign.
<xs:complexType name="CampaignStatusVocab-1.0"><xs:annotation><xs:documentation>The CampaignStatusVocab is the default STIX vocabulary for expressing the status of a campaign.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:CampaignStatusEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Campaign Status Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#CampaignStatusVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:CampaignStatusEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default list of possible statuses that a campaign might have.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ongoing
This campaign is currently taking place.
enumeration
Historic
This campaign occurred in the past and is currently not taking place.
enumeration
Future
This campaign is expected to take place in the future.
Source
<xs:simpleType name="CampaignStatusEnum-1.0"><xs:annotation><xs:documentation>The default list of possible statuses that a campaign might have.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ongoing"><xs:annotation><xs:documentation>This campaign is currently taking place.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Historic"><xs:annotation><xs:documentation>This campaign occurred in the past and is currently not taking place.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Future"><xs:annotation><xs:documentation>This campaign is expected to take place in the future.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IncidentStatusVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IncidentStatusVocab is the default STIX vocabulary for expressing the status of an incident.
<xs:complexType name="IncidentStatusVocab-1.0"><xs:annotation><xs:documentation>The IncidentStatusVocab is the default STIX vocabulary for expressing the status of an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IncidentStatusEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Incident Status Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IncidentStatusVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IncidentStatusEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default list of possible statuses that an incident might have.
Diagram
Type
restriction of xs:string
Facets
enumeration
New
enumeration
Open
enumeration
Stalled
enumeration
Containment Achieved
enumeration
Restoration Achieved
enumeration
Incident Reported
enumeration
Closed
enumeration
Rejected
enumeration
Deleted
Source
<xs:simpleType name="IncidentStatusEnum-1.0"><xs:annotation><xs:documentation>The default list of possible statuses that an incident might have.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="New"/><xs:enumeration value="Open"/><xs:enumeration value="Stalled"/><xs:enumeration value="Containment Achieved"/><xs:enumeration value="Restoration Achieved"/><xs:enumeration value="Incident Reported"/><xs:enumeration value="Closed"/><xs:enumeration value="Rejected"/><xs:enumeration value="Deleted"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:SecurityCompromiseVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The SecurityCompromiseVocab is the default STIX vocabulary for expressing whether or not an incident resulted in a security compromise.
<xs:complexType name="SecurityCompromiseVocab-1.0"><xs:annotation><xs:documentation>The SecurityCompromiseVocab is the default STIX vocabulary for expressing whether or not an incident resulted in a security compromise.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:SecurityCompromiseEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Security Compromise Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#SecurityCompromiseVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:SecurityCompromiseEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing whether an incident resulted in a security compromise.
Diagram
Type
restriction of xs:string
Facets
enumeration
Yes
It has been confirmed that this incident resulted in a security compromise.
enumeration
Suspected
It is suspected that this incident resulted in a security compromise.
enumeration
No
It has been confirmed that this incident did not result in a security compromise.
enumeration
Unknown
It is not known whether this incident resulted in a security compromise.
Source
<xs:simpleType name="SecurityCompromiseEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing whether an incident resulted in a security compromise.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Yes"><xs:annotation><xs:documentation>It has been confirmed that this incident resulted in a security compromise.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Suspected"><xs:annotation><xs:documentation>It is suspected that this incident resulted in a security compromise.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="No"><xs:annotation><xs:documentation>It has been confirmed that this incident did not result in a security compromise.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>It is not known whether this incident resulted in a security compromise.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:DiscoveryMethodVocab-2.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
<xs:complexType name="DiscoveryMethodVocab-2.0"><xs:annotation><xs:documentation>The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:DiscoveryMethodEnum-2.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Discovery Method Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#DiscoveryMethodVocab-2.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:DiscoveryMethodEnum-2.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing how an incident was discovered.
Diagram
Type
restriction of xs:string
Facets
enumeration
Agent Disclosure
This incident was disclosed by the threat agent (e.g. public brag, private blackmail).
enumeration
External - Fraud Detection
This incident was discovered through external fraud detection means (e.g. CPP).
enumeration
Monitoring Service
This incident was reported by a managed security event monitoring service.
enumeration
Law Enforcement
This incident was reported by law enforcement.
enumeration
Customer
This incident was reported by a customer or partner affected by the incident.
enumeration
Unrelated Party
This incident was reported by an unrelated third party.
enumeration
Audit
This incident was discovered during an external security audit or scan.
enumeration
Antivirus
This incident was discovered by an antivirus system.
enumeration
Incident Response
This incident was discovered in the course of investigating a separate incident.
enumeration
Financial Audit
This incident was discovered in the course of a financial audit and/or reconciliation process.
enumeration
Internal - Fraud Detection
This incident was discovered through internal fraud detection means.
enumeration
HIPS
This incident was discovered a host-based IDS or file integrity monitoring.
enumeration
IT Audit
This incident was discovered by an internal IT audit or scan.
enumeration
Log Review
This incident was discovered during a log review process or by a SIEM.
enumeration
NIDS
This incident was discovered by a network-based intrustion detection/prevention system.
enumeration
Security Alarm
This incident was discovered by a physical security alarm.
enumeration
User
This incident was reported by a user.
enumeration
Unknown
It is not known how this incident was discovered.
Source
<xs:simpleType name="DiscoveryMethodEnum-2.0"><xs:annotation><xs:documentation>The possible values for expressing how an incident was discovered.</xs:documentation><xs:appinfo><version>2.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Agent Disclosure"><xs:annotation><xs:documentation>This incident was disclosed by the threat agent (e.g. public brag, private blackmail).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="External - Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through external fraud detection means (e.g. CPP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Monitoring Service"><xs:annotation><xs:documentation>This incident was reported by a managed security event monitoring service.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Law Enforcement"><xs:annotation><xs:documentation>This incident was reported by law enforcement.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Customer"><xs:annotation><xs:documentation>This incident was reported by a customer or partner affected by the incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unrelated Party"><xs:annotation><xs:documentation>This incident was reported by an unrelated third party.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Audit"><xs:annotation><xs:documentation>This incident was discovered during an external security audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Antivirus"><xs:annotation><xs:documentation>This incident was discovered by an antivirus system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident Response"><xs:annotation><xs:documentation>This incident was discovered in the course of investigating a separate incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Financial Audit"><xs:annotation><xs:documentation>This incident was discovered in the course of a financial audit and/or reconciliation process.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Internal - Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through internal fraud detection means.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="HIPS"><xs:annotation><xs:documentation>This incident was discovered a host-based IDS or file integrity monitoring.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IT Audit"><xs:annotation><xs:documentation>This incident was discovered by an internal IT audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Log Review"><xs:annotation><xs:documentation>This incident was discovered during a log review process or by a SIEM.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="NIDS"><xs:annotation><xs:documentation>This incident was discovered by a network-based intrustion detection/prevention system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Security Alarm"><xs:annotation><xs:documentation>This incident was discovered by a physical security alarm.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="User"><xs:annotation><xs:documentation>This incident was reported by a user.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>It is not known how this incident was discovered.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:DiscoveryMethodVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
<xs:complexType name="DiscoveryMethodVocab-1.0"><xs:annotation><xs:documentation>The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:DiscoveryMethodEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Discovery Method Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#DiscoveryMethodVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:DiscoveryMethodEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing how an incident was discovered.
Diagram
Type
restriction of xs:string
Facets
enumeration
Agent Disclosure
This incident was disclosed by the threat agent (e.g. public brag, private blackmail).
enumeration
Fraud Detection
This incident was discovered through external fraud detection means (e.g. CPP).
enumeration
Monitoring Service
This incident was reported by a managed security event monitoring service.
enumeration
Law Enforcement
This incident was reported by law enforcement.
enumeration
Customer
This incident was reported by a customer or partner affected by the incident.
enumeration
Unrelated Party
This incident was reported by an unrelated third party.
enumeration
Audit
This incident was discovered during an external security audit or scan.
enumeration
Antivirus
This incident was discovered by an antivirus system.
enumeration
Incident Response
This incident was discovered in the course of investigating a separate incident.
enumeration
Financial Audit
This incident was discovered in the course of a financial audit and/or reconciliation process.
enumeration
Fraud Detection
This incident was discovered through internal fraud detection means.
enumeration
HIPS
This incident was discovered a host-based IDS or file integrity monitoring.
enumeration
IT Audit
This incident was discovered by an internal IT audit or scan.
enumeration
Log Review
This incident was discovered during a log review process or by a SIEM.
enumeration
NIDS
This incident was discovered by a network-based intrustion detection/prevention system.
enumeration
Security Alarm
This incident was discovered by a physical security alarm.
enumeration
User
This incident was reported by a user.
enumeration
Unknown
It is not known how this incident was discovered.
Source
<xs:simpleType name="DiscoveryMethodEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing how an incident was discovered.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Agent Disclosure"><xs:annotation><xs:documentation>This incident was disclosed by the threat agent (e.g. public brag, private blackmail).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through external fraud detection means (e.g. CPP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Monitoring Service"><xs:annotation><xs:documentation>This incident was reported by a managed security event monitoring service.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Law Enforcement"><xs:annotation><xs:documentation>This incident was reported by law enforcement.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Customer"><xs:annotation><xs:documentation>This incident was reported by a customer or partner affected by the incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unrelated Party"><xs:annotation><xs:documentation>This incident was reported by an unrelated third party.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Audit"><xs:annotation><xs:documentation>This incident was discovered during an external security audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Antivirus"><xs:annotation><xs:documentation>This incident was discovered by an antivirus system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident Response"><xs:annotation><xs:documentation>This incident was discovered in the course of investigating a separate incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Financial Audit"><xs:annotation><xs:documentation>This incident was discovered in the course of a financial audit and/or reconciliation process.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through internal fraud detection means.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="HIPS"><xs:annotation><xs:documentation>This incident was discovered a host-based IDS or file integrity monitoring.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IT Audit"><xs:annotation><xs:documentation>This incident was discovered by an internal IT audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Log Review"><xs:annotation><xs:documentation>This incident was discovered during a log review process or by a SIEM.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="NIDS"><xs:annotation><xs:documentation>This incident was discovered by a network-based intrustion detection/prevention system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Security Alarm"><xs:annotation><xs:documentation>This incident was discovered by a physical security alarm.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="User"><xs:annotation><xs:documentation>This incident was reported by a user.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>It is not known how this incident was discovered.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AvailabilityLossTypeVocab-1.1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.
<xs:complexType name="AvailabilityLossTypeVocab-1.1.1"><xs:annotation><xs:documentation>The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AvailabilityLossTypeEnum-1.1.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Availability Loss Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AvailabilityLossTypeVocab-1.1.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AvailabilityLossTypeEnum-1.1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the type of availability that was lost due to an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Destruction
The information was destroyed or wiped.
enumeration
Loss
Availability to the information was lost.
enumeration
Interruption
Availability to the information was interrupted.
enumeration
Degradation
Availability to the information was degraded.
enumeration
Acceleration
Availability loss type is acceleration.
enumeration
Obscuration
Availability to the information is obscured.
enumeration
Unknown
The availability loss type is not known.
Source
<xs:simpleType name="AvailabilityLossTypeEnum-1.1.1"><xs:annotation><xs:documentation>The possible values for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:appinfo><version>1.1.1</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Destruction"><xs:annotation><xs:documentation>The information was destroyed or wiped.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Loss"><xs:annotation><xs:documentation>Availability to the information was lost.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Interruption"><xs:annotation><xs:documentation>Availability to the information was interrupted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Degradation"><xs:annotation><xs:documentation>Availability to the information was degraded.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Acceleration"><xs:annotation><xs:documentation>Availability loss type is acceleration.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Obscuration"><xs:annotation><xs:documentation>Availability to the information is obscured.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The availability loss type is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AvailabilityLossTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.
NOTE: As of STIX Version 1.1.1, this version of the AvailabilityLossTypeVocab is deprecated. Please use AvailabilityLossTypeVocab-1.1.1 instead.
<xs:complexType name="AvailabilityLossTypeVocab-1.0"><xs:annotation><xs:documentation>The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1.1, this version of the AvailabilityLossTypeVocab is deprecated. Please use AvailabilityLossTypeVocab-1.1.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AvailabilityLossTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Availability Loss Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AvailabilityLossTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AvailabilityLossTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the type of availability that was lost due to an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Destruction
The information was destroyed or wiped.
enumeration
Loss
Availability to the information was lost.
enumeration
Interruption
Availability to the information was interrupted.
enumeration
Degredation
Availability to the information was degraded.
enumeration
Acceleration
Availability loss type is acceleration.
enumeration
Obscuration
Availability to the information is obscured.
enumeration
Unknown
The availability loss type is not known.
Source
<xs:simpleType name="AvailabilityLossTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Destruction"><xs:annotation><xs:documentation>The information was destroyed or wiped.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Loss"><xs:annotation><xs:documentation>Availability to the information was lost.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Interruption"><xs:annotation><xs:documentation>Availability to the information was interrupted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Degredation"><xs:annotation><xs:documentation>Availability to the information was degraded.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Acceleration"><xs:annotation><xs:documentation>Availability loss type is acceleration.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Obscuration"><xs:annotation><xs:documentation>Availability to the information is obscured.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The availability loss type is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:LossDurationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The LossDurationVocab is the default STIX vocabulary for expressing the approximate length of time of a loss due to an incident.
<xs:complexType name="LossDurationVocab-1.0"><xs:annotation><xs:documentation>The LossDurationVocab is the default STIX vocabulary for expressing the approximate length of time of a loss due to an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:LossDurationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Loss Duration Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#LossDurationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:LossDurationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the type of availability that was lost due to an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Permanent
The loss is permanent.
enumeration
Weeks
The loss lasted for weeks.
enumeration
Days
The loss lasted for days.
enumeration
Hours
The loss lasted for hours.
enumeration
Minutes
The loss lasted for minutes.
enumeration
Seconds
The loss lasted for seconds.
enumeration
Unknown
The loss duration is not known.
Source
<xs:simpleType name="LossDurationEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Permanent"><xs:annotation><xs:documentation>The loss is permanent.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Weeks"><xs:annotation><xs:documentation>The loss lasted for weeks.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Days"><xs:annotation><xs:documentation>The loss lasted for days.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Hours"><xs:annotation><xs:documentation>The loss lasted for hours.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Minutes"><xs:annotation><xs:documentation>The loss lasted for minutes.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Seconds"><xs:annotation><xs:documentation>The loss lasted for seconds.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The loss duration is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:OwnershipClassVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The OwnershipClassVocab is the default STIX vocabulary for expressing the type of ownership of an asset.
<xs:complexType name="OwnershipClassVocab-1.0"><xs:annotation><xs:documentation>The OwnershipClassVocab is the default STIX vocabulary for expressing the type of ownership of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:OwnershipClassEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Ownership Class Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#OwnershipClassVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:OwnershipClassEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the ownership class of an object.
Diagram
Type
restriction of xs:string
Facets
enumeration
Internally-Owned
The asset is owned internally.
enumeration
Employee-Owned
The asset is owned by an employee.
enumeration
Partner-Owned
The asset is owned by a partner.
enumeration
Customer-Owned
The asset is owned by a customer.
enumeration
Unknown
The asset ownership class is unknown.
Source
<xs:simpleType name="OwnershipClassEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the ownership class of an object.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Internally-Owned"><xs:annotation><xs:documentation>The asset is owned internally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Employee-Owned"><xs:annotation><xs:documentation>The asset is owned by an employee.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Partner-Owned"><xs:annotation><xs:documentation>The asset is owned by a partner.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Customer-Owned"><xs:annotation><xs:documentation>The asset is owned by a customer.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The asset ownership class is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ManagementClassVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ManagementClassVocab is the default STIX vocabulary for expressing the type of management of an asset.
<xs:complexType name="ManagementClassVocab-1.0"><xs:annotation><xs:documentation>The ManagementClassVocab is the default STIX vocabulary for expressing the type of management of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ManagementClassEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Management Class Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ManagementClassVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ManagementClassEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the management class of an object.
Diagram
Type
restriction of xs:string
Facets
enumeration
Internally-Managed
The asset is managed internally.
enumeration
Externally-Management
The asset is managed externally.
enumeration
Co-Management
The asset is co-managed.
enumeration
Unknown
The asset management class is unknown.
Source
<xs:simpleType name="ManagementClassEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the management class of an object.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Internally-Managed"><xs:annotation><xs:documentation>The asset is managed internally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Externally-Management"><xs:annotation><xs:documentation>The asset is managed externally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Co-Management"><xs:annotation><xs:documentation>The asset is co-managed.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The asset management class is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:LocationClassVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The LocationClassVocab is the default STIX vocabulary for expressing the location of an asset.
<xs:complexType name="LocationClassVocab-1.0"><xs:annotation><xs:documentation>The LocationClassVocab is the default STIX vocabulary for expressing the location of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:LocationClassEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Location Class Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#LocationClassVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:LocationClassEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the location class of an object.
Diagram
Type
restriction of xs:string
Facets
enumeration
Internally-Located
The asset is located internally.
enumeration
Externally-Located
The asset is located externally.
enumeration
Co-Located
The asset is co-located.
enumeration
Mobile
The asset is mobile.
enumeration
Unknown
The asset location is unknown.
Source
<xs:simpleType name="LocationClassEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the location class of an object.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Internally-Located"><xs:annotation><xs:documentation>The asset is located internally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Externally-Located"><xs:annotation><xs:documentation>The asset is located externally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Co-Located"><xs:annotation><xs:documentation>The asset is co-located.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Mobile"><xs:annotation><xs:documentation>The asset is mobile.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The asset location is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ImpactQualificationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ImpactQualificationVocab is the default STIX vocabulary for expressing the subjective level of impact of an incident.
<xs:complexType name="ImpactQualificationVocab-1.0"><xs:annotation><xs:documentation>The ImpactQualificationVocab is the default STIX vocabulary for expressing the subjective level of impact of an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ImpactQualificationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Impact Qualification Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ImpactQualificationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ImpactQualificationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the impact level of an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Insignificant
The impact is absorbed by normal activities.
enumeration
Distracting
There are limited “hard costs”, but the impact is felt through having to deal with the incident rather than conducting normal duties.
enumeration
Painful
Real, somewhat serious effect on the "bottom line".
enumeration
Damaging
Real and serious effect on the “bottom line” and/or long-term ability to generate revenue.
enumeration
Catastrophic
A business-ending event.
enumeration
Unknown
The impact qualification is unknown.
Source
<xs:simpleType name="ImpactQualificationEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the impact level of an incident.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Insignificant"><xs:annotation><xs:documentation>The impact is absorbed by normal activities.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Distracting"><xs:annotation><xs:documentation>There are limited “hard costs”, but the impact is felt through having to deal with the incident rather than conducting normal duties.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Painful"><xs:annotation><xs:documentation>Real, somewhat serious effect on the "bottom line".</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Damaging"><xs:annotation><xs:documentation>Real and serious effect on the “bottom line” and/or long-term ability to generate revenue.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Catastrophic"><xs:annotation><xs:documentation>A business-ending event.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The impact qualification is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ImpactRatingVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ImpactRatingVocab is the default STIX vocabulary for expressing the level of impact due to an incident.
<xs:complexType name="ImpactRatingVocab-1.0"><xs:annotation><xs:documentation>The ImpactRatingVocab is the default STIX vocabulary for expressing the level of impact due to an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ImpactRatingEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Impact Rating Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ImpactRatingVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ImpactRatingEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the level of impact due to a loss.
Diagram
Type
restriction of xs:string
Facets
enumeration
None
There was no impact.
enumeration
Minor
There was a minor impact.
enumeration
Moderate
There was a moderate impact.
enumeration
Major
There was a major impact.
enumeration
Unknown
The impact is not known.
Source
<xs:simpleType name="ImpactRatingEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the level of impact due to a loss.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="None"><xs:annotation><xs:documentation>There was no impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Minor"><xs:annotation><xs:documentation>There was a minor impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Moderate"><xs:annotation><xs:documentation>There was a moderate impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Major"><xs:annotation><xs:documentation>There was a major impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The impact is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AssetTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AssetTypeVocab is the default STIX vocabulary for expressing the type of an asset.
<xs:complexType name="AssetTypeVocab-1.0"><xs:annotation><xs:documentation>The AssetTypeVocab is the default STIX vocabulary for expressing the type of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AssetTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Asset Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AssetTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AssetTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of assets.
Diagram
Type
restriction of xs:string
Facets
enumeration
Backup
enumeration
Database
enumeration
DHCP
enumeration
Directory
enumeration
DCS
enumeration
DNS
enumeration
File
enumeration
Log
enumeration
Mail
enumeration
Mainframe
enumeration
Payment switch
enumeration
POS controller
enumeration
Print
enumeration
Proxy
enumeration
Remote access
enumeration
SCADA
enumeration
Web application
enumeration
Server
enumeration
Access reader
enumeration
Camera
enumeration
Firewall
enumeration
HSM
enumeration
IDS
enumeration
Broadband
enumeration
PBX
enumeration
Private WAN
enumeration
PLC
enumeration
Public WAN
enumeration
RTU
enumeration
Router or switch
enumeration
SAN
enumeration
Telephone
enumeration
VoIP adapter
enumeration
LAN
enumeration
WLAN
enumeration
Network
enumeration
Auth token
enumeration
ATM
enumeration
Desktop
enumeration
PED pad
enumeration
Gas terminal
enumeration
Laptop
enumeration
Media
enumeration
Mobile phone
enumeration
Peripheral
enumeration
POS terminal
enumeration
Kiosk
enumeration
Tablet
enumeration
VoIP phone
enumeration
User Device
enumeration
Tapes
enumeration
Disk media
enumeration
Documents
enumeration
Flash drive
enumeration
Disk drive
enumeration
Smart card
enumeration
Payment card
enumeration
Administrator
enumeration
Auditor
enumeration
Call center
enumeration
Cashier
enumeration
Customer
enumeration
Developer
enumeration
End-user
enumeration
Executive
enumeration
Finance
enumeration
Former employee
enumeration
Guard
enumeration
Helpdesk
enumeration
Human resources
enumeration
Maintenance
enumeration
Manager
enumeration
Partner
enumeration
Person
enumeration
Unknown
Source
<xs:simpleType name="AssetTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of assets.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Backup"/><xs:enumeration value="Database"/><xs:enumeration value="DHCP"/><xs:enumeration value="Directory"/><xs:enumeration value="DCS"/><xs:enumeration value="DNS"/><xs:enumeration value="File"/><xs:enumeration value="Log"/><xs:enumeration value="Mail"/><xs:enumeration value="Mainframe"/><xs:enumeration value="Payment switch"/><xs:enumeration value="POS controller"/><xs:enumeration value="Print"/><xs:enumeration value="Proxy"/><xs:enumeration value="Remote access"/><xs:enumeration value="SCADA"/><xs:enumeration value="Web application"/><xs:enumeration value="Server"/><xs:enumeration value="Access reader"/><xs:enumeration value="Camera"/><xs:enumeration value="Firewall"/><xs:enumeration value="HSM"/><xs:enumeration value="IDS"/><xs:enumeration value="Broadband"/><xs:enumeration value="PBX"/><xs:enumeration value="Private WAN"/><xs:enumeration value="PLC"/><xs:enumeration value="Public WAN"/><xs:enumeration value="RTU"/><xs:enumeration value="Router or switch"/><xs:enumeration value="SAN"/><xs:enumeration value="Telephone"/><xs:enumeration value="VoIP adapter"/><xs:enumeration value="LAN"/><xs:enumeration value="WLAN"/><xs:enumeration value="Network"/><xs:enumeration value="Auth token"/><xs:enumeration value="ATM"/><xs:enumeration value="Desktop"/><xs:enumeration value="PED pad"/><xs:enumeration value="Gas terminal"/><xs:enumeration value="Laptop"/><xs:enumeration value="Media"/><xs:enumeration value="Mobile phone"/><xs:enumeration value="Peripheral"/><xs:enumeration value="POS terminal"/><xs:enumeration value="Kiosk"/><xs:enumeration value="Tablet"/><xs:enumeration value="VoIP phone"/><xs:enumeration value="User Device"/><xs:enumeration value="Tapes"/><xs:enumeration value="Disk media"/><xs:enumeration value="Documents"/><xs:enumeration value="Flash drive"/><xs:enumeration value="Disk drive"/><xs:enumeration value="Smart card"/><xs:enumeration value="Payment card"/><xs:enumeration value="Administrator"/><xs:enumeration value="Auditor"/><xs:enumeration value="Call center"/><xs:enumeration value="Cashier"/><xs:enumeration value="Customer"/><xs:enumeration value="Developer"/><xs:enumeration value="End-user"/><xs:enumeration value="Executive"/><xs:enumeration value="Finance"/><xs:enumeration value="Former employee"/><xs:enumeration value="Guard"/><xs:enumeration value="Helpdesk"/><xs:enumeration value="Human resources"/><xs:enumeration value="Maintenance"/><xs:enumeration value="Manager"/><xs:enumeration value="Partner"/><xs:enumeration value="Person"/><xs:enumeration value="Unknown"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AttackerInfrastructureTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AttackerInfrastructureTypeVocab is the default STIX vocabulary for expressing the type of infrastructure an attacker uses.
<xs:complexType name="AttackerInfrastructureTypeVocab-1.0"><xs:annotation><xs:documentation>The AttackerInfrastructureTypeVocab is the default STIX vocabulary for expressing the type of infrastructure an attacker uses.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AttackerInfrastructureTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Attacker Infastructure Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AttackerInfrastructureTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AttackerInfrastructureTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of attacker infrastructure.
<xs:complexType name="SystemTypeVocab-1.0"><xs:annotation><xs:documentation>The SystemTypeVocab is the default STIX vocabulary for expressing the type of a system.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:SystemTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default System Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#SystemTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:SystemTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of systems.
Diagram
Type
restriction of xs:string
Facets
enumeration
Enterprise Systems
enumeration
Enterprise Systems - Application Layer
enumeration
Enterprise Systems - Database Layer
enumeration
Enterprise Systems - Enterprise Technologies and Support Infrastructure
enumeration
Enterprise Systems - Network Systems
enumeration
Enterprise Systems - Networking Devices
enumeration
Enterprise Systems - Web Layer
enumeration
Enterprise Systems - VoIP
enumeration
Industrial Control Systems
enumeration
Industrial Control Systems - Equipment Under Control
enumeration
Industrial Control Systems - Operations Management
enumeration
Industrial Control Systems - Safety, Protection and Local Control
enumeration
Industrial Control Systems - Supervisory Control
enumeration
Mobile Systems
enumeration
Mobile Systems - Mobile Operating Systems
enumeration
Mobile Systems - Near Field Communications
enumeration
Mobile Systems - Mobile Devices
enumeration
Third-Party Services
enumeration
Third-Party Services - Application Stores
enumeration
Third-Party Services - Cloud Services
enumeration
Third-Party Services - Security Vendors
enumeration
Third-Party Services - Social Media
enumeration
Third-Party Services - Software Update
enumeration
Users
enumeration
Users - Application And Software
enumeration
Users - Workstation
enumeration
Users - Removable Media
Source
<xs:simpleType name="SystemTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of systems.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Enterprise Systems"/><xs:enumeration value="Enterprise Systems - Application Layer"/><xs:enumeration value="Enterprise Systems - Database Layer"/><xs:enumeration value="Enterprise Systems - Enterprise Technologies and Support Infrastructure"/><xs:enumeration value="Enterprise Systems - Network Systems"/><xs:enumeration value="Enterprise Systems - Networking Devices"/><xs:enumeration value="Enterprise Systems - Web Layer"/><xs:enumeration value="Enterprise Systems - VoIP"/><xs:enumeration value="Industrial Control Systems"/><xs:enumeration value="Industrial Control Systems - Equipment Under Control"/><xs:enumeration value="Industrial Control Systems - Operations Management"/><xs:enumeration value="Industrial Control Systems - Safety, Protection and Local Control"/><xs:enumeration value="Industrial Control Systems - Supervisory Control"/><xs:enumeration value="Mobile Systems"/><xs:enumeration value="Mobile Systems - Mobile Operating Systems"/><xs:enumeration value="Mobile Systems - Near Field Communications"/><xs:enumeration value="Mobile Systems - Mobile Devices"/><xs:enumeration value="Third-Party Services"/><xs:enumeration value="Third-Party Services - Application Stores"/><xs:enumeration value="Third-Party Services - Cloud Services"/><xs:enumeration value="Third-Party Services - Security Vendors"/><xs:enumeration value="Third-Party Services - Social Media"/><xs:enumeration value="Third-Party Services - Software Update"/><xs:enumeration value="Users"/><xs:enumeration value="Users - Application And Software"/><xs:enumeration value="Users - Workstation"/><xs:enumeration value="Users - Removable Media"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:InformationTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The InformationTypeVocab is the default STIX vocabulary for expressing the type of information.
<xs:complexType name="InformationTypeVocab-1.0"><xs:annotation><xs:documentation>The InformationTypeVocab is the default STIX vocabulary for expressing the type of information.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:InformationTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Information Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#InformationTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:InformationTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of information.
Diagram
Type
restriction of xs:string
Facets
enumeration
Information Assets
enumeration
Information Assets - Corporate Employee Information
enumeration
Information Assets - Customer PII
enumeration
Information Assets - Email Lists / Archives
enumeration
Information Assets - Financial Data
enumeration
Information Assets - Intellectual Property
enumeration
Information Assets - Mobile Phone Contacts
enumeration
Information Assets - User Credentials
enumeration
Authentication Cookies
Source
<xs:simpleType name="InformationTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of information.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Information Assets"/><xs:enumeration value="Information Assets - Corporate Employee Information"/><xs:enumeration value="Information Assets - Customer PII"/><xs:enumeration value="Information Assets - Email Lists / Archives"/><xs:enumeration value="Information Assets - Financial Data"/><xs:enumeration value="Information Assets - Intellectual Property"/><xs:enumeration value="Information Assets - Mobile Phone Contacts"/><xs:enumeration value="Information Assets - User Credentials"/><xs:enumeration value="Authentication Cookies"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ThreatActorTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ThreatActorTypeVocab is the default STIX vocabulary for expressing the type of a threat actor.
<xs:complexType name="ThreatActorTypeVocab-1.0"><xs:annotation><xs:documentation>The ThreatActorTypeVocab is the default STIX vocabulary for expressing the type of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ThreatActorTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Threat Actor Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ThreatActorTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ThreatActorTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of threat actors.
Diagram
Type
restriction of xs:string
Facets
enumeration
Cyber Espionage Operations
enumeration
Hacker
enumeration
Hacker - White hat
enumeration
Hacker - Gray hat
enumeration
Hacker - Black hat
enumeration
Hacktivist
enumeration
State Actor / Agency
enumeration
eCrime Actor - Credential Theft Botnet Operator
enumeration
eCrime Actor - Credential Theft Botnet Service
enumeration
eCrime Actor - Malware Developer
enumeration
eCrime Actor - Money Laundering Network
enumeration
eCrime Actor - Organized Crime Actor
enumeration
eCrime Actor - Spam Service
enumeration
eCrime Actor - Traffic Service
enumeration
eCrime Actor - Underground Call Service
enumeration
Insider Threat
enumeration
Disgruntled Customer / User
Source
<xs:simpleType name="ThreatActorTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of threat actors.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Cyber Espionage Operations"/><xs:enumeration value="Hacker"/><xs:enumeration value="Hacker - White hat"/><xs:enumeration value="Hacker - Gray hat"/><xs:enumeration value="Hacker - Black hat"/><xs:enumeration value="Hacktivist"/><xs:enumeration value="State Actor / Agency"/><xs:enumeration value="eCrime Actor - Credential Theft Botnet Operator"/><xs:enumeration value="eCrime Actor - Credential Theft Botnet Service"/><xs:enumeration value="eCrime Actor - Malware Developer"/><xs:enumeration value="eCrime Actor - Money Laundering Network"/><xs:enumeration value="eCrime Actor - Organized Crime Actor"/><xs:enumeration value="eCrime Actor - Spam Service"/><xs:enumeration value="eCrime Actor - Traffic Service"/><xs:enumeration value="eCrime Actor - Underground Call Service"/><xs:enumeration value="Insider Threat"/><xs:enumeration value="Disgruntled Customer / User"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MotivationVocab-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
<xs:complexType name="MotivationVocab-1.1"><xs:annotation><xs:documentation>The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MotivationEnum-1.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Motivation Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MotivationVocab-1.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MotivationEnum-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for motivations of a threat actor.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ideological
enumeration
Ideological - Anti-Corruption
enumeration
Ideological - Anti-Establishment
enumeration
Ideological - Environmental
enumeration
Ideological - Ethnic / Nationalist
enumeration
Ideological - Information Freedom
enumeration
Ideological - Religious
enumeration
Ideological - Security Awareness
enumeration
Ideological - Human Rights
enumeration
Ego
enumeration
Financial or Economic
enumeration
Military
enumeration
Opportunistic
enumeration
Political
Source
<xs:simpleType name="MotivationEnum-1.1"><xs:annotation><xs:documentation>The possible values for motivations of a threat actor.</xs:documentation><xs:appinfo><version>1.1</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ideological"/><xs:enumeration value="Ideological - Anti-Corruption"/><xs:enumeration value="Ideological - Anti-Establishment"/><xs:enumeration value="Ideological - Environmental"/><xs:enumeration value="Ideological - Ethnic / Nationalist"/><xs:enumeration value="Ideological - Information Freedom"/><xs:enumeration value="Ideological - Religious"/><xs:enumeration value="Ideological - Security Awareness"/><xs:enumeration value="Ideological - Human Rights"/><xs:enumeration value="Ego"/><xs:enumeration value="Financial or Economic"/><xs:enumeration value="Military"/><xs:enumeration value="Opportunistic"/><xs:enumeration value="Political"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MotivationVocab-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
NOTE: As of STIX Version 1.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.1 instead.
<xs:complexType name="MotivationVocab-1.0.1"><xs:annotation><xs:documentation>The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MotivationEnum-1.0.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Motivation Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MotivationVocab-1.0.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MotivationEnum-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for motivations of a threat actor.
NOTE: As of STIX Version 1.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.1 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ideological
enumeration
Ideological - Anti-Corruption
enumeration
Ideological - Anti-Establishment
enumeration
Ideological - Environmental
enumeration
Ideological - Ethnic / Nationalist
enumeration
Ideological - Information Freedom
enumeration
Ideological - Religious
enumeration
Ideological - Security Awareness
enumeration
Ideological - Human Rights
enumeration
Ego
enumeration
Financial or Economic
enumeration
Military
enumeration
Opportunistic
enumeration
Policital
Source
<xs:simpleType name="MotivationEnum-1.0.1"><xs:annotation><xs:documentation>The possible values for motivations of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.1 instead.</xs:documentation><xs:appinfo><version>1.0.1</version><deprecated>true</deprecated><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ideological"/><xs:enumeration value="Ideological - Anti-Corruption"/><xs:enumeration value="Ideological - Anti-Establishment"/><xs:enumeration value="Ideological - Environmental"/><xs:enumeration value="Ideological - Ethnic / Nationalist"/><xs:enumeration value="Ideological - Information Freedom"/><xs:enumeration value="Ideological - Religious"/><xs:enumeration value="Ideological - Security Awareness"/><xs:enumeration value="Ideological - Human Rights"/><xs:enumeration value="Ego"/><xs:enumeration value="Financial or Economic"/><xs:enumeration value="Military"/><xs:enumeration value="Opportunistic"/><xs:enumeration value="Policital"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MotivationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.0.1 instead.
<xs:complexType name="MotivationVocab-1.0"><xs:annotation><xs:documentation>The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.0.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MotivationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Motivation Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MotivationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MotivationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for motivations of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.0.1 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ideological
enumeration
Ideological - Anti-Corruption
enumeration
Ideological - Anti-Establisment
enumeration
Ideological - Environmental
enumeration
Ideological - Ethnic / Nationalist
enumeration
Ideological - Information Freedom
enumeration
Ideological - Religious
enumeration
Ideological - Security Awareness
enumeration
Ideological - Human Rights
enumeration
Ego
enumeration
Financial or Economic
enumeration
Military
enumeration
Opportunistic
enumeration
Policital
Source
<xs:simpleType name="MotivationEnum-1.0"><xs:annotation><xs:documentation>The possible values for motivations of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.0.1 instead.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ideological"/><xs:enumeration value="Ideological - Anti-Corruption"/><xs:enumeration value="Ideological - Anti-Establisment"/><xs:enumeration value="Ideological - Environmental"/><xs:enumeration value="Ideological - Ethnic / Nationalist"/><xs:enumeration value="Ideological - Information Freedom"/><xs:enumeration value="Ideological - Religious"/><xs:enumeration value="Ideological - Security Awareness"/><xs:enumeration value="Ideological - Human Rights"/><xs:enumeration value="Ego"/><xs:enumeration value="Financial or Economic"/><xs:enumeration value="Military"/><xs:enumeration value="Opportunistic"/><xs:enumeration value="Policital"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IntendedEffectVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor.
<xs:complexType name="IntendedEffectVocab-1.0"><xs:annotation><xs:documentation>The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IntendedEffectEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Intended Effect Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IntendedEffectVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IntendedEffectEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for effects intended by a threat actor.
Diagram
Type
restriction of xs:string
Facets
enumeration
Advantage
enumeration
Advantage - Economic
enumeration
Advantage - Military
enumeration
Advantage - Political
enumeration
Theft
enumeration
Theft - Intellectual Property
enumeration
Theft - Credential Theft
enumeration
Theft - Identity Theft
enumeration
Theft - Theft of Proprietary Information
enumeration
Account Takeover
enumeration
Brand Damage
enumeration
Competitive Advantage
enumeration
Degradation of Service
enumeration
Denial and Deception
enumeration
Destruction
enumeration
Disruption
enumeration
Embarrassment
enumeration
Exposure
enumeration
Extortion
enumeration
Fraud
enumeration
Harassment
enumeration
ICS Control
enumeration
Traffic Diversion
enumeration
Unauthorized Access
Source
<xs:simpleType name="IntendedEffectEnum-1.0"><xs:annotation><xs:documentation>The possible values for effects intended by a threat actor.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Advantage"/><xs:enumeration value="Advantage - Economic"/><xs:enumeration value="Advantage - Military"/><xs:enumeration value="Advantage - Political"/><xs:enumeration value="Theft"/><xs:enumeration value="Theft - Intellectual Property"/><xs:enumeration value="Theft - Credential Theft"/><xs:enumeration value="Theft - Identity Theft"/><xs:enumeration value="Theft - Theft of Proprietary Information"/><xs:enumeration value="Account Takeover"/><xs:enumeration value="Brand Damage"/><xs:enumeration value="Competitive Advantage"/><xs:enumeration value="Degradation of Service"/><xs:enumeration value="Denial and Deception"/><xs:enumeration value="Destruction"/><xs:enumeration value="Disruption"/><xs:enumeration value="Embarrassment"/><xs:enumeration value="Exposure"/><xs:enumeration value="Extortion"/><xs:enumeration value="Fraud"/><xs:enumeration value="Harassment"/><xs:enumeration value="ICS Control"/><xs:enumeration value="Traffic Diversion"/><xs:enumeration value="Unauthorized Access"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:PlanningAndOperationalSupportVocab-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.
<xs:complexType name="PlanningAndOperationalSupportVocab-1.0.1"><xs:annotation><xs:documentation>The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:PlanningAndOperationalSupportEnum-1.0.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Planning and Operational Support Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#PlanningAndOperationalSupportVocab-1.0.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:PlanningAndOperationalSupportEnum-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of planning and operational support functions of a threat actor.
Diagram
Type
restriction of xs:string
Facets
enumeration
Data Exploitation
enumeration
Data Exploitation - Analytic Support
enumeration
Data Exploitation - Translation Support
enumeration
Financial Resources
enumeration
Financial Resources - Academic
enumeration
Financial Resources - Commercial
enumeration
Financial Resources - Government
enumeration
Financial Resources - Hacktivist or Grassroot
enumeration
Financial Resources - Non-Attributable Finance
enumeration
Skill Development / Recruitment
enumeration
Skill Development / Recruitment - Contracting and Hiring
enumeration
Skill Development / Recruitment - Document Exploitation (DOCEX) Training
enumeration
Skill Development / Recruitment - Internal Training
enumeration
Skill Development / Recruitment - Military Programs
enumeration
Skill Development / Recruitment - Security / Hacker Conferences
enumeration
Skill Development / Recruitment - Underground Forums
enumeration
Skill Development / Recruitment - University Programs
Planning - Pre-Operational Surveillance and Reconnaissance
enumeration
Planning - Target Selection
Source
<xs:simpleType name="PlanningAndOperationalSupportEnum-1.0.1"><xs:annotation><xs:documentation>The possible values for types of planning and operational support functions of a threat actor.</xs:documentation><xs:appinfo><version>1.0.1</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Data Exploitation"/><xs:enumeration value="Data Exploitation - Analytic Support"/><xs:enumeration value="Data Exploitation - Translation Support"/><xs:enumeration value="Financial Resources"/><xs:enumeration value="Financial Resources - Academic"/><xs:enumeration value="Financial Resources - Commercial"/><xs:enumeration value="Financial Resources - Government"/><xs:enumeration value="Financial Resources - Hacktivist or Grassroot"/><xs:enumeration value="Financial Resources - Non-Attributable Finance"/><xs:enumeration value="Skill Development / Recruitment"/><xs:enumeration value="Skill Development / Recruitment - Contracting and Hiring"/><xs:enumeration value="Skill Development / Recruitment - Document Exploitation (DOCEX) Training"/><xs:enumeration value="Skill Development / Recruitment - Internal Training"/><xs:enumeration value="Skill Development / Recruitment - Military Programs"/><xs:enumeration value="Skill Development / Recruitment - Security / Hacker Conferences"/><xs:enumeration value="Skill Development / Recruitment - Underground Forums"/><xs:enumeration value="Skill Development / Recruitment - University Programs"/><xs:enumeration value="Planning"/><xs:enumeration value="Planning - Operational Cover Plan"/><xs:enumeration value="Planning - Open-Source Intelligence (OSINT) Gathering"/><xs:enumeration value="Planning - Pre-Operational Surveillance and Reconnaissance"/><xs:enumeration value="Planning - Target Selection"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:PlanningAndOperationalSupportVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportVocab is deprecated. Please use PlanningAndOperationalSupportVocab-1.0.1 instead.
<xs:complexType name="PlanningAndOperationalSupportVocab-1.0"><xs:annotation><xs:documentation>The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportVocab is deprecated. Please use PlanningAndOperationalSupportVocab-1.0.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:PlanningAndOperationalSupportEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Planning and Operational Support Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#PlanningAndOperationalSupportVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:PlanningAndOperationalSupportEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of planning and operational support functions of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportEnumType is deprecated. Please use PlanningAndOperationalSupportEnum-1.0.1 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Data Exploitation
enumeration
Data Exploitation - Analytic Support
enumeration
Data Exploitation - Translation Support
enumeration
Financial Resources
enumeration
Financial Resources - Academic
enumeration
Financial Resources - Commercial
enumeration
Financial Resources - Government
enumeration
Financial Resources - Hacktivist or Grassroot
enumeration
Financial Resources - Non-Attributable Finance
enumeration
Skill Development / Recruitment
enumeration
Skill Development / Recruitment - Contracting and Hiring
enumeration
Skill Development / Recruitment - Document Exploitation (DOCEX) Training
enumeration
Skill Development / Recruitment - Internal Training
enumeration
Skill Development / Recruitment - Military Programs
enumeration
Skill Development / Recruitment - Security / Hacker Conferences
enumeration
Skill Development / Recruitment - Underground Forums
enumeration
Skill Development / Recruitment - University Programs
Planning - Pre-Operational Surveillance and Reconnaissance
enumeration
Planning - Target Selection
Source
<xs:simpleType name="PlanningAndOperationalSupportEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of planning and operational support functions of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportEnumType is deprecated. Please use PlanningAndOperationalSupportEnum-1.0.1 instead.</xs:documentation>