This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Complex Type stixVocabs:ReportIntentVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
<xs:complexType name="ReportIntentVocab-1.0"><xs:annotation><xs:documentation>The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ReportIntentEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Report Intent Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ReportIntentVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ReportIntentEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for a report intent in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
Collective Threat Intelligence
Report is intended to describe a broad characterization of a threat across multiple facets.
enumeration
Threat Report
Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.
enumeration
Indicators
Report is intended to describe mainly indicators.
enumeration
Indicators - Phishing
Report is intended to describe mainly phishing indicators.
enumeration
Indicators - Watchlist
Report is intended to describe mainly network watchlist indicators.
enumeration
Indicators - Malware Artifacts
Report is intended to describe mainly malware artifact indicators.
enumeration
Indicators - Network Activity
Report is intended to describe mainly network activity indicators.
enumeration
Indicators - Endpoint Characteristics
Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.
enumeration
Campaign Characterization
Report is intended to describe mainly a characterization of one or more campaigns.
enumeration
Threat Actor Characterization
Report is intended to describe mainly a characterization of one or more threat actors.
enumeration
Exploit Characterization
Report is intended to describe mainly a characterization of one or more exploits.
enumeration
Attack Pattern Characterization
Report is intended to describe mainly a characterization of one or more attack patterns.
enumeration
Malware Characterization
Report is intended to describe mainly a characterization of one or more malware instances.
enumeration
TTP - Infrastructure
Report is intended to describe mainly a characterization of attacker infrastructure.
enumeration
TTP - Tools
Report is intended to describe mainly a characterization of attacker tools.
enumeration
Courses of Action
Report is intended to describe mainly a set of courses of action.
enumeration
Incident
Report is intended to describe mainly information about one or more incidents.
enumeration
Observations
Report is intended to describe mainly information about instantial observations (cyber observables).
enumeration
Observations - Email
Report is intended to describe mainly information about instantial email observations (email cyber observables).
enumeration
Malware Samples
Report is intended to describe a set of malware samples.
Source
<xs:simpleType name="ReportIntentEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for a report intent in STIX.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Collective Threat Intelligence"><xs:annotation><xs:documentation>Report is intended to describe a broad characterization of a threat across multiple facets.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Report"><xs:annotation><xs:documentation>Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators"><xs:annotation><xs:documentation>Report is intended to describe mainly indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Phishing"><xs:annotation><xs:documentation>Report is intended to describe mainly phishing indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Watchlist"><xs:annotation><xs:documentation>Report is intended to describe mainly network watchlist indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Malware Artifacts"><xs:annotation><xs:documentation>Report is intended to describe mainly malware artifact indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Network Activity"><xs:annotation><xs:documentation>Report is intended to describe mainly network activity indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Endpoint Characteristics"><xs:annotation><xs:documentation>Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Campaign Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more campaigns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Actor Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more threat actors.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exploit Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more exploits.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Attack Pattern Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more attack patterns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Characterization"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of one or more malware instances.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Infrastructure"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of attacker infrastructure.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Tools"><xs:annotation><xs:documentation>Report is intended to describe mainly a characterization of attacker tools.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Courses of Action"><xs:annotation><xs:documentation>Report is intended to describe mainly a set of courses of action.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident"><xs:annotation><xs:documentation>Report is intended to describe mainly information about one or more incidents.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations"><xs:annotation><xs:documentation>Report is intended to describe mainly information about instantial observations (cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations - Email"><xs:annotation><xs:documentation>Report is intended to describe mainly information about instantial email observations (email cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Samples"><xs:annotation><xs:documentation>Report is intended to describe a set of malware samples.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:PackageIntentVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The PackageIntentVocab is the default STIX vocabulary for Package Intent.
NOTE: As of STIX Version 1.2, the PackageIntentVocab is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentVocab-1.0 instead.
<xs:complexType name="PackageIntentVocab-1.0"><xs:annotation><xs:documentation>The PackageIntentVocab is the default STIX vocabulary for Package Intent.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.2, the PackageIntentVocab is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentVocab-1.0 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:PackageIntentEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Package Intent Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#PackageIntentVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:PackageIntentEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for a package intent in STIX.
NOTE: As of STIX Version 1.2, the PackageIntentEnum is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentEnum-1.0 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Collective Threat Intelligence
Package is intended to convey a broad characterization of a threat across multiple facets.
enumeration
Threat Report
Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report.
enumeration
Indicators
Package is intended to convey mainly indicators.
enumeration
Indicators - Phishing
Package is intended to convey mainly phishing indicators.
enumeration
Indicators - Watchlist
Package is intended to convey mainly network watchlist indicators.
enumeration
Indicators - Malware Artifacts
Package is intended to convey mainly malware artifact indicators.
enumeration
Indicators - Network Activity
Package is intended to convey mainly network activity indicators.
enumeration
Indicators - Endpoint Characteristics
Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.
enumeration
Campaign Characterization
Package is intended to convey mainly a characterization of one or more campaigns.
enumeration
Threat Actor Characterization
Package is intended to convey mainly a characterization of one or more threat actors.
enumeration
Exploit Characterization
Package is intended to convey mainly a characterization of one or more exploits.
enumeration
Attack Pattern Characterization
Package is intended to convey mainly a characterization of one or more attack patterns.
enumeration
Malware Characterization
Package is intended to convey mainly a characterization of one or more malware instances.
enumeration
TTP - Infrastructure
Package is intended to convey mainly a characterization of attacker infrastructure.
enumeration
TTP - Tools
Package is intended to convey mainly a characterization of attacker tools.
enumeration
Courses of Action
Package is intended to convey mainly a set of courses of action.
enumeration
Incident
Package is intended to convey mainly information about one or more incidents.
enumeration
Observations
Package is intended to convey mainly information about instantial observations (cyber observables).
enumeration
Observations - Email
Package is intended to convey mainly information about instantial email observations (email cyber observables).
enumeration
Malware Samples
Package is intended to convey a set of malware samples.
Source
<xs:simpleType name="PackageIntentEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for a package intent in STIX.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.2, the PackageIntentEnum is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentEnum-1.0 instead.</xs:documentation><xs:appinfo><version>1.0</version><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Collective Threat Intelligence"><xs:annotation><xs:documentation>Package is intended to convey a broad characterization of a threat across multiple facets.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Report"><xs:annotation><xs:documentation>Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators"><xs:annotation><xs:documentation>Package is intended to convey mainly indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Phishing"><xs:annotation><xs:documentation>Package is intended to convey mainly phishing indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Watchlist"><xs:annotation><xs:documentation>Package is intended to convey mainly network watchlist indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Malware Artifacts"><xs:annotation><xs:documentation>Package is intended to convey mainly malware artifact indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Network Activity"><xs:annotation><xs:documentation>Package is intended to convey mainly network activity indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Indicators - Endpoint Characteristics"><xs:annotation><xs:documentation>Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Campaign Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more campaigns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Threat Actor Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more threat actors.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exploit Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more exploits.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Attack Pattern Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more attack patterns.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Characterization"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of one or more malware instances.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Infrastructure"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of attacker infrastructure.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="TTP - Tools"><xs:annotation><xs:documentation>Package is intended to convey mainly a characterization of attacker tools.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Courses of Action"><xs:annotation><xs:documentation>Package is intended to convey mainly a set of courses of action.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident"><xs:annotation><xs:documentation>Package is intended to convey mainly information about one or more incidents.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations"><xs:annotation><xs:documentation>Package is intended to convey mainly information about instantial observations (cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Observations - Email"><xs:annotation><xs:documentation>Package is intended to convey mainly information about instantial email observations (email cyber observables).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Samples"><xs:annotation><xs:documentation>Package is intended to convey a set of malware samples.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:HighMediumLowVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The HighMediumLowVocab is the default STIX vocabulary for expressing basic values that may be high, medium, low, none, or unknown.
<xs:complexType name="HighMediumLowVocab-1.0"><xs:annotation><xs:documentation>The HighMediumLowVocab is the default STIX vocabulary for expressing basic values that may be high, medium, low, none, or unknown.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:HighMediumLowEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default High/Medium/Low Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#HighMediumLowVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:HighMediumLowEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for expressing a high/medium/low statement in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
High
enumeration
Medium
enumeration
Low
enumeration
None
enumeration
Unknown
Source
<xs:simpleType name="HighMediumLowEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for expressing a high/medium/low statement in STIX.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="High"/><xs:enumeration value="Medium"/><xs:enumeration value="Low"/><xs:enumeration value="None"/><xs:enumeration value="Unknown"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MalwareTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MalwareTypeVocab is the default STIX vocabulary for expressing types of malware instances. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
<xs:complexType name="MalwareTypeVocab-1.0"><xs:annotation><xs:documentation>The MalwareTypeVocab is the default STIX vocabulary for expressing types of malware instances. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MalwareTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Malware Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MalwareTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MalwareTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of malware types to use for characterizing a malware instance in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
Automated Transfer Scripts
enumeration
Adware
enumeration
Dialer
enumeration
Bot
enumeration
Bot - Credential Theft
enumeration
Bot - DDoS
enumeration
Bot - Loader
enumeration
Bot - Spam
enumeration
DoS / DDoS
enumeration
DoS / DDoS - Participatory
enumeration
DoS / DDoS - Script
enumeration
DoS / DDoS - Stress Test Tools
enumeration
Exploit Kits
enumeration
POS / ATM Malware
enumeration
Ransomware
enumeration
Remote Access Trojan
enumeration
Rogue Antivirus
enumeration
Rootkit
Source
<xs:simpleType name="MalwareTypeEnum-1.0"><xs:annotation><xs:documentation>The default set of malware types to use for characterizing a malware instance in STIX.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Automated Transfer Scripts"/><xs:enumeration value="Adware"/><xs:enumeration value="Dialer"/><xs:enumeration value="Bot"/><xs:enumeration value="Bot - Credential Theft"/><xs:enumeration value="Bot - DDoS"/><xs:enumeration value="Bot - Loader"/><xs:enumeration value="Bot - Spam"/><xs:enumeration value="DoS / DDoS"/><xs:enumeration value="DoS / DDoS - Participatory"/><xs:enumeration value="DoS / DDoS - Script"/><xs:enumeration value="DoS / DDoS - Stress Test Tools"/><xs:enumeration value="Exploit Kits"/><xs:enumeration value="POS / ATM Malware"/><xs:enumeration value="Ransomware"/><xs:enumeration value="Remote Access Trojan"/><xs:enumeration value="Rogue Antivirus"/><xs:enumeration value="Rootkit"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IndicatorTypeVocab-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
<xs:complexType name="IndicatorTypeVocab-1.1"><xs:annotation><xs:documentation>The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types. Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IndicatorTypeEnum-1.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Indicator Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IndicatorTypeVocab-1.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IndicatorTypeEnum-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of Indicator types to use for characterizing Indicators in STIX.
Indicator describes a compromised PKI Certificate.
enumeration
Login Name
Indicator describes a compromised Login Name.
enumeration
IMEI Watchlist
Indicator describes a watchlist for IMEI (handset) identifiers.
enumeration
IMSI Watchlist
Indicator describes a watchlist for IMSI (SIM card) identifiers.
Source
<xs:simpleType name="IndicatorTypeEnum-1.1"><xs:annotation><xs:documentation>The default set of Indicator types to use for characterizing Indicators in STIX.</xs:documentation><xs:appinfo><version>1.1</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Malicious E-mail"><xs:annotation><xs:documentation>Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IP Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious IP addresses or IP blocks.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="File Hash Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of hashes for suspected malicious files.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Domain Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious domains.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="URL Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious URLS.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Artifacts"><xs:annotation><xs:documentation>Indicator describes the effects of suspected malware.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="C2"><xs:annotation><xs:documentation>Indicator describes suspected command and control activity or static indications.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Anonymization"><xs:annotation><xs:documentation>Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exfiltration"><xs:annotation><xs:documentation>Indicator describes suspected exfiltration techniques or behavior.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Host Characteristics"><xs:annotation><xs:documentation>Indicator describes suspected malicious host characteristics.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Compromised PKI Certificate"><xs:annotation><xs:documentation>Indicator describes a compromised PKI Certificate.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Login Name"><xs:annotation><xs:documentation>Indicator describes a compromised Login Name.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IMEI Watchlist"><xs:annotation><xs:documentation>Indicator describes a watchlist for IMEI (handset) identifiers.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IMSI Watchlist"><xs:annotation><xs:documentation>Indicator describes a watchlist for IMSI (SIM card) identifiers.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IndicatorTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
NOTE: As of STIX Version 1.1, this version of the IndicatorTypeVocab is deprecated. Please use IndicatorTypeVocab-1.1 instead.
<xs:complexType name="IndicatorTypeVocab-1.0"><xs:annotation><xs:documentation>The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the IndicatorTypeVocab is deprecated. Please use IndicatorTypeVocab-1.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IndicatorTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Indicator Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IndicatorTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IndicatorTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of Indicator types to use for characterizing Indicators in STIX.
NOTE: As of STIX Version 1.1, this version of the IndicatorTypeEnum is deprecated. Please use IndicatorTypeEnum-1.1 instead.
<xs:simpleType name="IndicatorTypeEnum-1.0"><xs:annotation><xs:documentation>The default set of Indicator types to use for characterizing Indicators in STIX.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the IndicatorTypeEnum is deprecated. Please use IndicatorTypeEnum-1.1 instead.</xs:documentation><xs:appinfo><version>1.0</version><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Malicious E-mail"><xs:annotation><xs:documentation>Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IP Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious IP addresses or IP blocks.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="File Hash Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of hashes for suspected malicious files.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Domain Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious domains.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="URL Watchlist"><xs:annotation><xs:documentation>Indicator describes a set of suspected malicious URLS.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malware Artifacts"><xs:annotation><xs:documentation>Indicator describes the effects of suspected malware.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="C2"><xs:annotation><xs:documentation>Indicator describes suspected command and control activity or static indications.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Anonymization"><xs:annotation><xs:documentation>Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Exfiltration"><xs:annotation><xs:documentation>Indicator describes suspected exfiltration techniques or behavior.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Host Characteristics"><xs:annotation><xs:documentation>Indicator describes suspected malicious host characteristics.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:COAStageVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The COAStageVocab is the default STIX vocabulary for expressing the stages of the threat management lifecycle that a COA is applicable to.
<xs:complexType name="COAStageVocab-1.0"><xs:annotation><xs:documentation>The COAStageVocab is the default STIX vocabulary for expressing the stages of the threat management lifecycle that a COA is applicable to.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:COAStageEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default COA Stages Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#COAStageVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:COAStageEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of stages of the threat management lifecycle that a COA may be applicable to.
Diagram
Type
restriction of xs:string
Facets
enumeration
Remedy
This COA is applicable to the "Remedy" stage of the threat management lifecycle, meaning it may be applied proactively to prevent future threats.
enumeration
Response
This COA is applicable to the "Response" stage of the threat management lifecycle, meaning it may be applied as an immediate reaction to an ongoing threat.
Source
<xs:simpleType name="COAStageEnum-1.0"><xs:annotation><xs:documentation>The default set of stages of the threat management lifecycle that a COA may be applicable to.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Remedy"><xs:annotation><xs:documentation>This COA is applicable to the "Remedy" stage of the threat management lifecycle, meaning it may be applied proactively to prevent future threats.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Response"><xs:annotation><xs:documentation>This COA is applicable to the "Response" stage of the threat management lifecycle, meaning it may be applied as an immediate reaction to an ongoing threat.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:CampaignStatusVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The CampaignStatusVocab is the default STIX vocabulary for expressing the status of a campaign.
<xs:complexType name="CampaignStatusVocab-1.0"><xs:annotation><xs:documentation>The CampaignStatusVocab is the default STIX vocabulary for expressing the status of a campaign.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:CampaignStatusEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Campaign Status Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#CampaignStatusVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:CampaignStatusEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default list of possible statuses that a campaign might have.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ongoing
This campaign is currently taking place.
enumeration
Historic
This campaign occurred in the past and is currently not taking place.
enumeration
Future
This campaign is expected to take place in the future.
Source
<xs:simpleType name="CampaignStatusEnum-1.0"><xs:annotation><xs:documentation>The default list of possible statuses that a campaign might have.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ongoing"><xs:annotation><xs:documentation>This campaign is currently taking place.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Historic"><xs:annotation><xs:documentation>This campaign occurred in the past and is currently not taking place.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Future"><xs:annotation><xs:documentation>This campaign is expected to take place in the future.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IncidentStatusVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IncidentStatusVocab is the default STIX vocabulary for expressing the status of an incident.
<xs:complexType name="IncidentStatusVocab-1.0"><xs:annotation><xs:documentation>The IncidentStatusVocab is the default STIX vocabulary for expressing the status of an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IncidentStatusEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Incident Status Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IncidentStatusVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IncidentStatusEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default list of possible statuses that an incident might have.
Diagram
Type
restriction of xs:string
Facets
enumeration
New
enumeration
Open
enumeration
Stalled
enumeration
Containment Achieved
enumeration
Restoration Achieved
enumeration
Incident Reported
enumeration
Closed
enumeration
Rejected
enumeration
Deleted
Source
<xs:simpleType name="IncidentStatusEnum-1.0"><xs:annotation><xs:documentation>The default list of possible statuses that an incident might have.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="New"/><xs:enumeration value="Open"/><xs:enumeration value="Stalled"/><xs:enumeration value="Containment Achieved"/><xs:enumeration value="Restoration Achieved"/><xs:enumeration value="Incident Reported"/><xs:enumeration value="Closed"/><xs:enumeration value="Rejected"/><xs:enumeration value="Deleted"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:SecurityCompromiseVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The SecurityCompromiseVocab is the default STIX vocabulary for expressing whether or not an incident resulted in a security compromise.
<xs:complexType name="SecurityCompromiseVocab-1.0"><xs:annotation><xs:documentation>The SecurityCompromiseVocab is the default STIX vocabulary for expressing whether or not an incident resulted in a security compromise.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:SecurityCompromiseEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Security Compromise Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#SecurityCompromiseVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:SecurityCompromiseEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing whether an incident resulted in a security compromise.
Diagram
Type
restriction of xs:string
Facets
enumeration
Yes
It has been confirmed that this incident resulted in a security compromise.
enumeration
Suspected
It is suspected that this incident resulted in a security compromise.
enumeration
No
It has been confirmed that this incident did not result in a security compromise.
enumeration
Unknown
It is not known whether this incident resulted in a security compromise.
Source
<xs:simpleType name="SecurityCompromiseEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing whether an incident resulted in a security compromise.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Yes"><xs:annotation><xs:documentation>It has been confirmed that this incident resulted in a security compromise.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Suspected"><xs:annotation><xs:documentation>It is suspected that this incident resulted in a security compromise.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="No"><xs:annotation><xs:documentation>It has been confirmed that this incident did not result in a security compromise.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>It is not known whether this incident resulted in a security compromise.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:DiscoveryMethodVocab-2.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
<xs:complexType name="DiscoveryMethodVocab-2.0"><xs:annotation><xs:documentation>The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:DiscoveryMethodEnum-2.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Discovery Method Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#DiscoveryMethodVocab-2.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:DiscoveryMethodEnum-2.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing how an incident was discovered.
Diagram
Type
restriction of xs:string
Facets
enumeration
Agent Disclosure
This incident was disclosed by the threat agent (e.g. public brag, private blackmail).
enumeration
External - Fraud Detection
This incident was discovered through external fraud detection means (e.g. CPP).
enumeration
Monitoring Service
This incident was reported by a managed security event monitoring service.
enumeration
Law Enforcement
This incident was reported by law enforcement.
enumeration
Customer
This incident was reported by a customer or partner affected by the incident.
enumeration
Unrelated Party
This incident was reported by an unrelated third party.
enumeration
Audit
This incident was discovered during an external security audit or scan.
enumeration
Antivirus
This incident was discovered by an antivirus system.
enumeration
Incident Response
This incident was discovered in the course of investigating a separate incident.
enumeration
Financial Audit
This incident was discovered in the course of a financial audit and/or reconciliation process.
enumeration
Internal - Fraud Detection
This incident was discovered through internal fraud detection means.
enumeration
HIPS
This incident was discovered a host-based IDS or file integrity monitoring.
enumeration
IT Audit
This incident was discovered by an internal IT audit or scan.
enumeration
Log Review
This incident was discovered during a log review process or by a SIEM.
enumeration
NIDS
This incident was discovered by a network-based intrustion detection/prevention system.
enumeration
Security Alarm
This incident was discovered by a physical security alarm.
enumeration
User
This incident was reported by a user.
enumeration
Unknown
It is not known how this incident was discovered.
Source
<xs:simpleType name="DiscoveryMethodEnum-2.0"><xs:annotation><xs:documentation>The possible values for expressing how an incident was discovered.</xs:documentation><xs:appinfo><version>2.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Agent Disclosure"><xs:annotation><xs:documentation>This incident was disclosed by the threat agent (e.g. public brag, private blackmail).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="External - Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through external fraud detection means (e.g. CPP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Monitoring Service"><xs:annotation><xs:documentation>This incident was reported by a managed security event monitoring service.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Law Enforcement"><xs:annotation><xs:documentation>This incident was reported by law enforcement.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Customer"><xs:annotation><xs:documentation>This incident was reported by a customer or partner affected by the incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unrelated Party"><xs:annotation><xs:documentation>This incident was reported by an unrelated third party.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Audit"><xs:annotation><xs:documentation>This incident was discovered during an external security audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Antivirus"><xs:annotation><xs:documentation>This incident was discovered by an antivirus system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident Response"><xs:annotation><xs:documentation>This incident was discovered in the course of investigating a separate incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Financial Audit"><xs:annotation><xs:documentation>This incident was discovered in the course of a financial audit and/or reconciliation process.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Internal - Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through internal fraud detection means.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="HIPS"><xs:annotation><xs:documentation>This incident was discovered a host-based IDS or file integrity monitoring.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IT Audit"><xs:annotation><xs:documentation>This incident was discovered by an internal IT audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Log Review"><xs:annotation><xs:documentation>This incident was discovered during a log review process or by a SIEM.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="NIDS"><xs:annotation><xs:documentation>This incident was discovered by a network-based intrustion detection/prevention system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Security Alarm"><xs:annotation><xs:documentation>This incident was discovered by a physical security alarm.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="User"><xs:annotation><xs:documentation>This incident was reported by a user.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>It is not known how this incident was discovered.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:DiscoveryMethodVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
<xs:complexType name="DiscoveryMethodVocab-1.0"><xs:annotation><xs:documentation>The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:DiscoveryMethodEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Discovery Method Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#DiscoveryMethodVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:DiscoveryMethodEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing how an incident was discovered.
Diagram
Type
restriction of xs:string
Facets
enumeration
Agent Disclosure
This incident was disclosed by the threat agent (e.g. public brag, private blackmail).
enumeration
Fraud Detection
This incident was discovered through external fraud detection means (e.g. CPP).
enumeration
Monitoring Service
This incident was reported by a managed security event monitoring service.
enumeration
Law Enforcement
This incident was reported by law enforcement.
enumeration
Customer
This incident was reported by a customer or partner affected by the incident.
enumeration
Unrelated Party
This incident was reported by an unrelated third party.
enumeration
Audit
This incident was discovered during an external security audit or scan.
enumeration
Antivirus
This incident was discovered by an antivirus system.
enumeration
Incident Response
This incident was discovered in the course of investigating a separate incident.
enumeration
Financial Audit
This incident was discovered in the course of a financial audit and/or reconciliation process.
enumeration
Fraud Detection
This incident was discovered through internal fraud detection means.
enumeration
HIPS
This incident was discovered a host-based IDS or file integrity monitoring.
enumeration
IT Audit
This incident was discovered by an internal IT audit or scan.
enumeration
Log Review
This incident was discovered during a log review process or by a SIEM.
enumeration
NIDS
This incident was discovered by a network-based intrustion detection/prevention system.
enumeration
Security Alarm
This incident was discovered by a physical security alarm.
enumeration
User
This incident was reported by a user.
enumeration
Unknown
It is not known how this incident was discovered.
Source
<xs:simpleType name="DiscoveryMethodEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing how an incident was discovered.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Agent Disclosure"><xs:annotation><xs:documentation>This incident was disclosed by the threat agent (e.g. public brag, private blackmail).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through external fraud detection means (e.g. CPP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Monitoring Service"><xs:annotation><xs:documentation>This incident was reported by a managed security event monitoring service.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Law Enforcement"><xs:annotation><xs:documentation>This incident was reported by law enforcement.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Customer"><xs:annotation><xs:documentation>This incident was reported by a customer or partner affected by the incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unrelated Party"><xs:annotation><xs:documentation>This incident was reported by an unrelated third party.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Audit"><xs:annotation><xs:documentation>This incident was discovered during an external security audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Antivirus"><xs:annotation><xs:documentation>This incident was discovered by an antivirus system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Incident Response"><xs:annotation><xs:documentation>This incident was discovered in the course of investigating a separate incident.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Financial Audit"><xs:annotation><xs:documentation>This incident was discovered in the course of a financial audit and/or reconciliation process.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Fraud Detection"><xs:annotation><xs:documentation>This incident was discovered through internal fraud detection means.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="HIPS"><xs:annotation><xs:documentation>This incident was discovered a host-based IDS or file integrity monitoring.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="IT Audit"><xs:annotation><xs:documentation>This incident was discovered by an internal IT audit or scan.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Log Review"><xs:annotation><xs:documentation>This incident was discovered during a log review process or by a SIEM.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="NIDS"><xs:annotation><xs:documentation>This incident was discovered by a network-based intrustion detection/prevention system.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Security Alarm"><xs:annotation><xs:documentation>This incident was discovered by a physical security alarm.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="User"><xs:annotation><xs:documentation>This incident was reported by a user.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>It is not known how this incident was discovered.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AvailabilityLossTypeVocab-1.1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.
<xs:complexType name="AvailabilityLossTypeVocab-1.1.1"><xs:annotation><xs:documentation>The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AvailabilityLossTypeEnum-1.1.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Availability Loss Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AvailabilityLossTypeVocab-1.1.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AvailabilityLossTypeEnum-1.1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the type of availability that was lost due to an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Destruction
The information was destroyed or wiped.
enumeration
Loss
Availability to the information was lost.
enumeration
Interruption
Availability to the information was interrupted.
enumeration
Degradation
Availability to the information was degraded.
enumeration
Acceleration
Availability loss type is acceleration.
enumeration
Obscuration
Availability to the information is obscured.
enumeration
Unknown
The availability loss type is not known.
Source
<xs:simpleType name="AvailabilityLossTypeEnum-1.1.1"><xs:annotation><xs:documentation>The possible values for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:appinfo><version>1.1.1</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Destruction"><xs:annotation><xs:documentation>The information was destroyed or wiped.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Loss"><xs:annotation><xs:documentation>Availability to the information was lost.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Interruption"><xs:annotation><xs:documentation>Availability to the information was interrupted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Degradation"><xs:annotation><xs:documentation>Availability to the information was degraded.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Acceleration"><xs:annotation><xs:documentation>Availability loss type is acceleration.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Obscuration"><xs:annotation><xs:documentation>Availability to the information is obscured.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The availability loss type is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AvailabilityLossTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.
NOTE: As of STIX Version 1.1.1, this version of the AvailabilityLossTypeVocab is deprecated. Please use AvailabilityLossTypeVocab-1.1.1 instead.
<xs:complexType name="AvailabilityLossTypeVocab-1.0"><xs:annotation><xs:documentation>The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1.1, this version of the AvailabilityLossTypeVocab is deprecated. Please use AvailabilityLossTypeVocab-1.1.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AvailabilityLossTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Availability Loss Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AvailabilityLossTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AvailabilityLossTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the type of availability that was lost due to an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Destruction
The information was destroyed or wiped.
enumeration
Loss
Availability to the information was lost.
enumeration
Interruption
Availability to the information was interrupted.
enumeration
Degredation
Availability to the information was degraded.
enumeration
Acceleration
Availability loss type is acceleration.
enumeration
Obscuration
Availability to the information is obscured.
enumeration
Unknown
The availability loss type is not known.
Source
<xs:simpleType name="AvailabilityLossTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Destruction"><xs:annotation><xs:documentation>The information was destroyed or wiped.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Loss"><xs:annotation><xs:documentation>Availability to the information was lost.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Interruption"><xs:annotation><xs:documentation>Availability to the information was interrupted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Degredation"><xs:annotation><xs:documentation>Availability to the information was degraded.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Acceleration"><xs:annotation><xs:documentation>Availability loss type is acceleration.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Obscuration"><xs:annotation><xs:documentation>Availability to the information is obscured.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The availability loss type is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:LossDurationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The LossDurationVocab is the default STIX vocabulary for expressing the approximate length of time of a loss due to an incident.
<xs:complexType name="LossDurationVocab-1.0"><xs:annotation><xs:documentation>The LossDurationVocab is the default STIX vocabulary for expressing the approximate length of time of a loss due to an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:LossDurationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Loss Duration Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#LossDurationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:LossDurationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the type of availability that was lost due to an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Permanent
The loss is permanent.
enumeration
Weeks
The loss lasted for weeks.
enumeration
Days
The loss lasted for days.
enumeration
Hours
The loss lasted for hours.
enumeration
Minutes
The loss lasted for minutes.
enumeration
Seconds
The loss lasted for seconds.
enumeration
Unknown
The loss duration is not known.
Source
<xs:simpleType name="LossDurationEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the type of availability that was lost due to an incident.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Permanent"><xs:annotation><xs:documentation>The loss is permanent.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Weeks"><xs:annotation><xs:documentation>The loss lasted for weeks.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Days"><xs:annotation><xs:documentation>The loss lasted for days.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Hours"><xs:annotation><xs:documentation>The loss lasted for hours.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Minutes"><xs:annotation><xs:documentation>The loss lasted for minutes.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Seconds"><xs:annotation><xs:documentation>The loss lasted for seconds.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The loss duration is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:OwnershipClassVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The OwnershipClassVocab is the default STIX vocabulary for expressing the type of ownership of an asset.
<xs:complexType name="OwnershipClassVocab-1.0"><xs:annotation><xs:documentation>The OwnershipClassVocab is the default STIX vocabulary for expressing the type of ownership of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:OwnershipClassEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Ownership Class Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#OwnershipClassVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:OwnershipClassEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the ownership class of an object.
Diagram
Type
restriction of xs:string
Facets
enumeration
Internally-Owned
The asset is owned internally.
enumeration
Employee-Owned
The asset is owned by an employee.
enumeration
Partner-Owned
The asset is owned by a partner.
enumeration
Customer-Owned
The asset is owned by a customer.
enumeration
Unknown
The asset ownership class is unknown.
Source
<xs:simpleType name="OwnershipClassEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the ownership class of an object.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Internally-Owned"><xs:annotation><xs:documentation>The asset is owned internally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Employee-Owned"><xs:annotation><xs:documentation>The asset is owned by an employee.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Partner-Owned"><xs:annotation><xs:documentation>The asset is owned by a partner.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Customer-Owned"><xs:annotation><xs:documentation>The asset is owned by a customer.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The asset ownership class is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ManagementClassVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ManagementClassVocab is the default STIX vocabulary for expressing the type of management of an asset.
<xs:complexType name="ManagementClassVocab-1.0"><xs:annotation><xs:documentation>The ManagementClassVocab is the default STIX vocabulary for expressing the type of management of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ManagementClassEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Management Class Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ManagementClassVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ManagementClassEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the management class of an object.
Diagram
Type
restriction of xs:string
Facets
enumeration
Internally-Managed
The asset is managed internally.
enumeration
Externally-Management
The asset is managed externally.
enumeration
Co-Management
The asset is co-managed.
enumeration
Unknown
The asset management class is unknown.
Source
<xs:simpleType name="ManagementClassEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the management class of an object.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Internally-Managed"><xs:annotation><xs:documentation>The asset is managed internally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Externally-Management"><xs:annotation><xs:documentation>The asset is managed externally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Co-Management"><xs:annotation><xs:documentation>The asset is co-managed.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The asset management class is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:LocationClassVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The LocationClassVocab is the default STIX vocabulary for expressing the location of an asset.
<xs:complexType name="LocationClassVocab-1.0"><xs:annotation><xs:documentation>The LocationClassVocab is the default STIX vocabulary for expressing the location of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:LocationClassEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Location Class Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#LocationClassVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:LocationClassEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the location class of an object.
Diagram
Type
restriction of xs:string
Facets
enumeration
Internally-Located
The asset is located internally.
enumeration
Externally-Located
The asset is located externally.
enumeration
Co-Located
The asset is co-located.
enumeration
Mobile
The asset is mobile.
enumeration
Unknown
The asset location is unknown.
Source
<xs:simpleType name="LocationClassEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the location class of an object.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Internally-Located"><xs:annotation><xs:documentation>The asset is located internally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Externally-Located"><xs:annotation><xs:documentation>The asset is located externally.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Co-Located"><xs:annotation><xs:documentation>The asset is co-located.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Mobile"><xs:annotation><xs:documentation>The asset is mobile.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The asset location is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ImpactQualificationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ImpactQualificationVocab is the default STIX vocabulary for expressing the subjective level of impact of an incident.
<xs:complexType name="ImpactQualificationVocab-1.0"><xs:annotation><xs:documentation>The ImpactQualificationVocab is the default STIX vocabulary for expressing the subjective level of impact of an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ImpactQualificationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Impact Qualification Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ImpactQualificationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ImpactQualificationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the impact level of an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Insignificant
The impact is absorbed by normal activities.
enumeration
Distracting
There are limited “hard costs”, but the impact is felt through having to deal with the incident rather than conducting normal duties.
enumeration
Painful
Real, somewhat serious effect on the "bottom line".
enumeration
Damaging
Real and serious effect on the “bottom line” and/or long-term ability to generate revenue.
enumeration
Catastrophic
A business-ending event.
enumeration
Unknown
The impact qualification is unknown.
Source
<xs:simpleType name="ImpactQualificationEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the impact level of an incident.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Insignificant"><xs:annotation><xs:documentation>The impact is absorbed by normal activities.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Distracting"><xs:annotation><xs:documentation>There are limited “hard costs”, but the impact is felt through having to deal with the incident rather than conducting normal duties.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Painful"><xs:annotation><xs:documentation>Real, somewhat serious effect on the "bottom line".</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Damaging"><xs:annotation><xs:documentation>Real and serious effect on the “bottom line” and/or long-term ability to generate revenue.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Catastrophic"><xs:annotation><xs:documentation>A business-ending event.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The impact qualification is unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ImpactRatingVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ImpactRatingVocab is the default STIX vocabulary for expressing the level of impact due to an incident.
<xs:complexType name="ImpactRatingVocab-1.0"><xs:annotation><xs:documentation>The ImpactRatingVocab is the default STIX vocabulary for expressing the level of impact due to an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ImpactRatingEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Impact Rating Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ImpactRatingVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ImpactRatingEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for expressing the level of impact due to a loss.
Diagram
Type
restriction of xs:string
Facets
enumeration
None
There was no impact.
enumeration
Minor
There was a minor impact.
enumeration
Moderate
There was a moderate impact.
enumeration
Major
There was a major impact.
enumeration
Unknown
The impact is not known.
Source
<xs:simpleType name="ImpactRatingEnum-1.0"><xs:annotation><xs:documentation>The possible values for expressing the level of impact due to a loss.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="None"><xs:annotation><xs:documentation>There was no impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Minor"><xs:annotation><xs:documentation>There was a minor impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Moderate"><xs:annotation><xs:documentation>There was a moderate impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Major"><xs:annotation><xs:documentation>There was a major impact.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>The impact is not known.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AssetTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AssetTypeVocab is the default STIX vocabulary for expressing the type of an asset.
<xs:complexType name="AssetTypeVocab-1.0"><xs:annotation><xs:documentation>The AssetTypeVocab is the default STIX vocabulary for expressing the type of an asset.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AssetTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Asset Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AssetTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AssetTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of assets.
Diagram
Type
restriction of xs:string
Facets
enumeration
Backup
enumeration
Database
enumeration
DHCP
enumeration
Directory
enumeration
DCS
enumeration
DNS
enumeration
File
enumeration
Log
enumeration
Mail
enumeration
Mainframe
enumeration
Payment switch
enumeration
POS controller
enumeration
Print
enumeration
Proxy
enumeration
Remote access
enumeration
SCADA
enumeration
Web application
enumeration
Server
enumeration
Access reader
enumeration
Camera
enumeration
Firewall
enumeration
HSM
enumeration
IDS
enumeration
Broadband
enumeration
PBX
enumeration
Private WAN
enumeration
PLC
enumeration
Public WAN
enumeration
RTU
enumeration
Router or switch
enumeration
SAN
enumeration
Telephone
enumeration
VoIP adapter
enumeration
LAN
enumeration
WLAN
enumeration
Network
enumeration
Auth token
enumeration
ATM
enumeration
Desktop
enumeration
PED pad
enumeration
Gas terminal
enumeration
Laptop
enumeration
Media
enumeration
Mobile phone
enumeration
Peripheral
enumeration
POS terminal
enumeration
Kiosk
enumeration
Tablet
enumeration
VoIP phone
enumeration
User Device
enumeration
Tapes
enumeration
Disk media
enumeration
Documents
enumeration
Flash drive
enumeration
Disk drive
enumeration
Smart card
enumeration
Payment card
enumeration
Administrator
enumeration
Auditor
enumeration
Call center
enumeration
Cashier
enumeration
Customer
enumeration
Developer
enumeration
End-user
enumeration
Executive
enumeration
Finance
enumeration
Former employee
enumeration
Guard
enumeration
Helpdesk
enumeration
Human resources
enumeration
Maintenance
enumeration
Manager
enumeration
Partner
enumeration
Person
enumeration
Unknown
Source
<xs:simpleType name="AssetTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of assets.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is a part of the VERIS framework and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Backup"/><xs:enumeration value="Database"/><xs:enumeration value="DHCP"/><xs:enumeration value="Directory"/><xs:enumeration value="DCS"/><xs:enumeration value="DNS"/><xs:enumeration value="File"/><xs:enumeration value="Log"/><xs:enumeration value="Mail"/><xs:enumeration value="Mainframe"/><xs:enumeration value="Payment switch"/><xs:enumeration value="POS controller"/><xs:enumeration value="Print"/><xs:enumeration value="Proxy"/><xs:enumeration value="Remote access"/><xs:enumeration value="SCADA"/><xs:enumeration value="Web application"/><xs:enumeration value="Server"/><xs:enumeration value="Access reader"/><xs:enumeration value="Camera"/><xs:enumeration value="Firewall"/><xs:enumeration value="HSM"/><xs:enumeration value="IDS"/><xs:enumeration value="Broadband"/><xs:enumeration value="PBX"/><xs:enumeration value="Private WAN"/><xs:enumeration value="PLC"/><xs:enumeration value="Public WAN"/><xs:enumeration value="RTU"/><xs:enumeration value="Router or switch"/><xs:enumeration value="SAN"/><xs:enumeration value="Telephone"/><xs:enumeration value="VoIP adapter"/><xs:enumeration value="LAN"/><xs:enumeration value="WLAN"/><xs:enumeration value="Network"/><xs:enumeration value="Auth token"/><xs:enumeration value="ATM"/><xs:enumeration value="Desktop"/><xs:enumeration value="PED pad"/><xs:enumeration value="Gas terminal"/><xs:enumeration value="Laptop"/><xs:enumeration value="Media"/><xs:enumeration value="Mobile phone"/><xs:enumeration value="Peripheral"/><xs:enumeration value="POS terminal"/><xs:enumeration value="Kiosk"/><xs:enumeration value="Tablet"/><xs:enumeration value="VoIP phone"/><xs:enumeration value="User Device"/><xs:enumeration value="Tapes"/><xs:enumeration value="Disk media"/><xs:enumeration value="Documents"/><xs:enumeration value="Flash drive"/><xs:enumeration value="Disk drive"/><xs:enumeration value="Smart card"/><xs:enumeration value="Payment card"/><xs:enumeration value="Administrator"/><xs:enumeration value="Auditor"/><xs:enumeration value="Call center"/><xs:enumeration value="Cashier"/><xs:enumeration value="Customer"/><xs:enumeration value="Developer"/><xs:enumeration value="End-user"/><xs:enumeration value="Executive"/><xs:enumeration value="Finance"/><xs:enumeration value="Former employee"/><xs:enumeration value="Guard"/><xs:enumeration value="Helpdesk"/><xs:enumeration value="Human resources"/><xs:enumeration value="Maintenance"/><xs:enumeration value="Manager"/><xs:enumeration value="Partner"/><xs:enumeration value="Person"/><xs:enumeration value="Unknown"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AttackerInfrastructureTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AttackerInfrastructureTypeVocab is the default STIX vocabulary for expressing the type of infrastructure an attacker uses.
<xs:complexType name="AttackerInfrastructureTypeVocab-1.0"><xs:annotation><xs:documentation>The AttackerInfrastructureTypeVocab is the default STIX vocabulary for expressing the type of infrastructure an attacker uses.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AttackerInfrastructureTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Attacker Infastructure Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AttackerInfrastructureTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AttackerInfrastructureTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of attacker infrastructure.
<xs:complexType name="SystemTypeVocab-1.0"><xs:annotation><xs:documentation>The SystemTypeVocab is the default STIX vocabulary for expressing the type of a system.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:SystemTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default System Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#SystemTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:SystemTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of systems.
Diagram
Type
restriction of xs:string
Facets
enumeration
Enterprise Systems
enumeration
Enterprise Systems - Application Layer
enumeration
Enterprise Systems - Database Layer
enumeration
Enterprise Systems - Enterprise Technologies and Support Infrastructure
enumeration
Enterprise Systems - Network Systems
enumeration
Enterprise Systems - Networking Devices
enumeration
Enterprise Systems - Web Layer
enumeration
Enterprise Systems - VoIP
enumeration
Industrial Control Systems
enumeration
Industrial Control Systems - Equipment Under Control
enumeration
Industrial Control Systems - Operations Management
enumeration
Industrial Control Systems - Safety, Protection and Local Control
enumeration
Industrial Control Systems - Supervisory Control
enumeration
Mobile Systems
enumeration
Mobile Systems - Mobile Operating Systems
enumeration
Mobile Systems - Near Field Communications
enumeration
Mobile Systems - Mobile Devices
enumeration
Third-Party Services
enumeration
Third-Party Services - Application Stores
enumeration
Third-Party Services - Cloud Services
enumeration
Third-Party Services - Security Vendors
enumeration
Third-Party Services - Social Media
enumeration
Third-Party Services - Software Update
enumeration
Users
enumeration
Users - Application And Software
enumeration
Users - Workstation
enumeration
Users - Removable Media
Source
<xs:simpleType name="SystemTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of systems.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Enterprise Systems"/><xs:enumeration value="Enterprise Systems - Application Layer"/><xs:enumeration value="Enterprise Systems - Database Layer"/><xs:enumeration value="Enterprise Systems - Enterprise Technologies and Support Infrastructure"/><xs:enumeration value="Enterprise Systems - Network Systems"/><xs:enumeration value="Enterprise Systems - Networking Devices"/><xs:enumeration value="Enterprise Systems - Web Layer"/><xs:enumeration value="Enterprise Systems - VoIP"/><xs:enumeration value="Industrial Control Systems"/><xs:enumeration value="Industrial Control Systems - Equipment Under Control"/><xs:enumeration value="Industrial Control Systems - Operations Management"/><xs:enumeration value="Industrial Control Systems - Safety, Protection and Local Control"/><xs:enumeration value="Industrial Control Systems - Supervisory Control"/><xs:enumeration value="Mobile Systems"/><xs:enumeration value="Mobile Systems - Mobile Operating Systems"/><xs:enumeration value="Mobile Systems - Near Field Communications"/><xs:enumeration value="Mobile Systems - Mobile Devices"/><xs:enumeration value="Third-Party Services"/><xs:enumeration value="Third-Party Services - Application Stores"/><xs:enumeration value="Third-Party Services - Cloud Services"/><xs:enumeration value="Third-Party Services - Security Vendors"/><xs:enumeration value="Third-Party Services - Social Media"/><xs:enumeration value="Third-Party Services - Software Update"/><xs:enumeration value="Users"/><xs:enumeration value="Users - Application And Software"/><xs:enumeration value="Users - Workstation"/><xs:enumeration value="Users - Removable Media"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:InformationTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The InformationTypeVocab is the default STIX vocabulary for expressing the type of information.
<xs:complexType name="InformationTypeVocab-1.0"><xs:annotation><xs:documentation>The InformationTypeVocab is the default STIX vocabulary for expressing the type of information.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:InformationTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Information Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#InformationTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:InformationTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of information.
Diagram
Type
restriction of xs:string
Facets
enumeration
Information Assets
enumeration
Information Assets - Corporate Employee Information
enumeration
Information Assets - Customer PII
enumeration
Information Assets - Email Lists / Archives
enumeration
Information Assets - Financial Data
enumeration
Information Assets - Intellectual Property
enumeration
Information Assets - Mobile Phone Contacts
enumeration
Information Assets - User Credentials
enumeration
Authentication Cookies
Source
<xs:simpleType name="InformationTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of information.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Information Assets"/><xs:enumeration value="Information Assets - Corporate Employee Information"/><xs:enumeration value="Information Assets - Customer PII"/><xs:enumeration value="Information Assets - Email Lists / Archives"/><xs:enumeration value="Information Assets - Financial Data"/><xs:enumeration value="Information Assets - Intellectual Property"/><xs:enumeration value="Information Assets - Mobile Phone Contacts"/><xs:enumeration value="Information Assets - User Credentials"/><xs:enumeration value="Authentication Cookies"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ThreatActorTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ThreatActorTypeVocab is the default STIX vocabulary for expressing the type of a threat actor.
<xs:complexType name="ThreatActorTypeVocab-1.0"><xs:annotation><xs:documentation>The ThreatActorTypeVocab is the default STIX vocabulary for expressing the type of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ThreatActorTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Threat Actor Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ThreatActorTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ThreatActorTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of threat actors.
Diagram
Type
restriction of xs:string
Facets
enumeration
Cyber Espionage Operations
enumeration
Hacker
enumeration
Hacker - White hat
enumeration
Hacker - Gray hat
enumeration
Hacker - Black hat
enumeration
Hacktivist
enumeration
State Actor / Agency
enumeration
eCrime Actor - Credential Theft Botnet Operator
enumeration
eCrime Actor - Credential Theft Botnet Service
enumeration
eCrime Actor - Malware Developer
enumeration
eCrime Actor - Money Laundering Network
enumeration
eCrime Actor - Organized Crime Actor
enumeration
eCrime Actor - Spam Service
enumeration
eCrime Actor - Traffic Service
enumeration
eCrime Actor - Underground Call Service
enumeration
Insider Threat
enumeration
Disgruntled Customer / User
Source
<xs:simpleType name="ThreatActorTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of threat actors.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Cyber Espionage Operations"/><xs:enumeration value="Hacker"/><xs:enumeration value="Hacker - White hat"/><xs:enumeration value="Hacker - Gray hat"/><xs:enumeration value="Hacker - Black hat"/><xs:enumeration value="Hacktivist"/><xs:enumeration value="State Actor / Agency"/><xs:enumeration value="eCrime Actor - Credential Theft Botnet Operator"/><xs:enumeration value="eCrime Actor - Credential Theft Botnet Service"/><xs:enumeration value="eCrime Actor - Malware Developer"/><xs:enumeration value="eCrime Actor - Money Laundering Network"/><xs:enumeration value="eCrime Actor - Organized Crime Actor"/><xs:enumeration value="eCrime Actor - Spam Service"/><xs:enumeration value="eCrime Actor - Traffic Service"/><xs:enumeration value="eCrime Actor - Underground Call Service"/><xs:enumeration value="Insider Threat"/><xs:enumeration value="Disgruntled Customer / User"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MotivationVocab-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
<xs:complexType name="MotivationVocab-1.1"><xs:annotation><xs:documentation>The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MotivationEnum-1.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Motivation Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MotivationVocab-1.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MotivationEnum-1.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for motivations of a threat actor.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ideological
enumeration
Ideological - Anti-Corruption
enumeration
Ideological - Anti-Establishment
enumeration
Ideological - Environmental
enumeration
Ideological - Ethnic / Nationalist
enumeration
Ideological - Information Freedom
enumeration
Ideological - Religious
enumeration
Ideological - Security Awareness
enumeration
Ideological - Human Rights
enumeration
Ego
enumeration
Financial or Economic
enumeration
Military
enumeration
Opportunistic
enumeration
Political
Source
<xs:simpleType name="MotivationEnum-1.1"><xs:annotation><xs:documentation>The possible values for motivations of a threat actor.</xs:documentation><xs:appinfo><version>1.1</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ideological"/><xs:enumeration value="Ideological - Anti-Corruption"/><xs:enumeration value="Ideological - Anti-Establishment"/><xs:enumeration value="Ideological - Environmental"/><xs:enumeration value="Ideological - Ethnic / Nationalist"/><xs:enumeration value="Ideological - Information Freedom"/><xs:enumeration value="Ideological - Religious"/><xs:enumeration value="Ideological - Security Awareness"/><xs:enumeration value="Ideological - Human Rights"/><xs:enumeration value="Ego"/><xs:enumeration value="Financial or Economic"/><xs:enumeration value="Military"/><xs:enumeration value="Opportunistic"/><xs:enumeration value="Political"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MotivationVocab-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
NOTE: As of STIX Version 1.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.1 instead.
<xs:complexType name="MotivationVocab-1.0.1"><xs:annotation><xs:documentation>The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MotivationEnum-1.0.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Motivation Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MotivationVocab-1.0.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MotivationEnum-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for motivations of a threat actor.
NOTE: As of STIX Version 1.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.1 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ideological
enumeration
Ideological - Anti-Corruption
enumeration
Ideological - Anti-Establishment
enumeration
Ideological - Environmental
enumeration
Ideological - Ethnic / Nationalist
enumeration
Ideological - Information Freedom
enumeration
Ideological - Religious
enumeration
Ideological - Security Awareness
enumeration
Ideological - Human Rights
enumeration
Ego
enumeration
Financial or Economic
enumeration
Military
enumeration
Opportunistic
enumeration
Policital
Source
<xs:simpleType name="MotivationEnum-1.0.1"><xs:annotation><xs:documentation>The possible values for motivations of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.1 instead.</xs:documentation><xs:appinfo><version>1.0.1</version><deprecated>true</deprecated><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ideological"/><xs:enumeration value="Ideological - Anti-Corruption"/><xs:enumeration value="Ideological - Anti-Establishment"/><xs:enumeration value="Ideological - Environmental"/><xs:enumeration value="Ideological - Ethnic / Nationalist"/><xs:enumeration value="Ideological - Information Freedom"/><xs:enumeration value="Ideological - Religious"/><xs:enumeration value="Ideological - Security Awareness"/><xs:enumeration value="Ideological - Human Rights"/><xs:enumeration value="Ego"/><xs:enumeration value="Financial or Economic"/><xs:enumeration value="Military"/><xs:enumeration value="Opportunistic"/><xs:enumeration value="Policital"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:MotivationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.0.1 instead.
<xs:complexType name="MotivationVocab-1.0"><xs:annotation><xs:documentation>The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.0.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:MotivationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Motivation Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#MotivationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:MotivationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for motivations of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.0.1 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Ideological
enumeration
Ideological - Anti-Corruption
enumeration
Ideological - Anti-Establisment
enumeration
Ideological - Environmental
enumeration
Ideological - Ethnic / Nationalist
enumeration
Ideological - Information Freedom
enumeration
Ideological - Religious
enumeration
Ideological - Security Awareness
enumeration
Ideological - Human Rights
enumeration
Ego
enumeration
Financial or Economic
enumeration
Military
enumeration
Opportunistic
enumeration
Policital
Source
<xs:simpleType name="MotivationEnum-1.0"><xs:annotation><xs:documentation>The possible values for motivations of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.0.1 instead.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Ideological"/><xs:enumeration value="Ideological - Anti-Corruption"/><xs:enumeration value="Ideological - Anti-Establisment"/><xs:enumeration value="Ideological - Environmental"/><xs:enumeration value="Ideological - Ethnic / Nationalist"/><xs:enumeration value="Ideological - Information Freedom"/><xs:enumeration value="Ideological - Religious"/><xs:enumeration value="Ideological - Security Awareness"/><xs:enumeration value="Ideological - Human Rights"/><xs:enumeration value="Ego"/><xs:enumeration value="Financial or Economic"/><xs:enumeration value="Military"/><xs:enumeration value="Opportunistic"/><xs:enumeration value="Policital"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IntendedEffectVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor.
<xs:complexType name="IntendedEffectVocab-1.0"><xs:annotation><xs:documentation>The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IntendedEffectEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Intended Effect Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IntendedEffectVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IntendedEffectEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for effects intended by a threat actor.
Diagram
Type
restriction of xs:string
Facets
enumeration
Advantage
enumeration
Advantage - Economic
enumeration
Advantage - Military
enumeration
Advantage - Political
enumeration
Theft
enumeration
Theft - Intellectual Property
enumeration
Theft - Credential Theft
enumeration
Theft - Identity Theft
enumeration
Theft - Theft of Proprietary Information
enumeration
Account Takeover
enumeration
Brand Damage
enumeration
Competitive Advantage
enumeration
Degradation of Service
enumeration
Denial and Deception
enumeration
Destruction
enumeration
Disruption
enumeration
Embarrassment
enumeration
Exposure
enumeration
Extortion
enumeration
Fraud
enumeration
Harassment
enumeration
ICS Control
enumeration
Traffic Diversion
enumeration
Unauthorized Access
Source
<xs:simpleType name="IntendedEffectEnum-1.0"><xs:annotation><xs:documentation>The possible values for effects intended by a threat actor.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Advantage"/><xs:enumeration value="Advantage - Economic"/><xs:enumeration value="Advantage - Military"/><xs:enumeration value="Advantage - Political"/><xs:enumeration value="Theft"/><xs:enumeration value="Theft - Intellectual Property"/><xs:enumeration value="Theft - Credential Theft"/><xs:enumeration value="Theft - Identity Theft"/><xs:enumeration value="Theft - Theft of Proprietary Information"/><xs:enumeration value="Account Takeover"/><xs:enumeration value="Brand Damage"/><xs:enumeration value="Competitive Advantage"/><xs:enumeration value="Degradation of Service"/><xs:enumeration value="Denial and Deception"/><xs:enumeration value="Destruction"/><xs:enumeration value="Disruption"/><xs:enumeration value="Embarrassment"/><xs:enumeration value="Exposure"/><xs:enumeration value="Extortion"/><xs:enumeration value="Fraud"/><xs:enumeration value="Harassment"/><xs:enumeration value="ICS Control"/><xs:enumeration value="Traffic Diversion"/><xs:enumeration value="Unauthorized Access"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:PlanningAndOperationalSupportVocab-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.
<xs:complexType name="PlanningAndOperationalSupportVocab-1.0.1"><xs:annotation><xs:documentation>The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:PlanningAndOperationalSupportEnum-1.0.1"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Planning and Operational Support Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#PlanningAndOperationalSupportVocab-1.0.1"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:PlanningAndOperationalSupportEnum-1.0.1
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of planning and operational support functions of a threat actor.
Diagram
Type
restriction of xs:string
Facets
enumeration
Data Exploitation
enumeration
Data Exploitation - Analytic Support
enumeration
Data Exploitation - Translation Support
enumeration
Financial Resources
enumeration
Financial Resources - Academic
enumeration
Financial Resources - Commercial
enumeration
Financial Resources - Government
enumeration
Financial Resources - Hacktivist or Grassroot
enumeration
Financial Resources - Non-Attributable Finance
enumeration
Skill Development / Recruitment
enumeration
Skill Development / Recruitment - Contracting and Hiring
enumeration
Skill Development / Recruitment - Document Exploitation (DOCEX) Training
enumeration
Skill Development / Recruitment - Internal Training
enumeration
Skill Development / Recruitment - Military Programs
enumeration
Skill Development / Recruitment - Security / Hacker Conferences
enumeration
Skill Development / Recruitment - Underground Forums
enumeration
Skill Development / Recruitment - University Programs
Planning - Pre-Operational Surveillance and Reconnaissance
enumeration
Planning - Target Selection
Source
<xs:simpleType name="PlanningAndOperationalSupportEnum-1.0.1"><xs:annotation><xs:documentation>The possible values for types of planning and operational support functions of a threat actor.</xs:documentation><xs:appinfo><version>1.0.1</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Data Exploitation"/><xs:enumeration value="Data Exploitation - Analytic Support"/><xs:enumeration value="Data Exploitation - Translation Support"/><xs:enumeration value="Financial Resources"/><xs:enumeration value="Financial Resources - Academic"/><xs:enumeration value="Financial Resources - Commercial"/><xs:enumeration value="Financial Resources - Government"/><xs:enumeration value="Financial Resources - Hacktivist or Grassroot"/><xs:enumeration value="Financial Resources - Non-Attributable Finance"/><xs:enumeration value="Skill Development / Recruitment"/><xs:enumeration value="Skill Development / Recruitment - Contracting and Hiring"/><xs:enumeration value="Skill Development / Recruitment - Document Exploitation (DOCEX) Training"/><xs:enumeration value="Skill Development / Recruitment - Internal Training"/><xs:enumeration value="Skill Development / Recruitment - Military Programs"/><xs:enumeration value="Skill Development / Recruitment - Security / Hacker Conferences"/><xs:enumeration value="Skill Development / Recruitment - Underground Forums"/><xs:enumeration value="Skill Development / Recruitment - University Programs"/><xs:enumeration value="Planning"/><xs:enumeration value="Planning - Operational Cover Plan"/><xs:enumeration value="Planning - Open-Source Intelligence (OSINT) Gathering"/><xs:enumeration value="Planning - Pre-Operational Surveillance and Reconnaissance"/><xs:enumeration value="Planning - Target Selection"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:PlanningAndOperationalSupportVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportVocab is deprecated. Please use PlanningAndOperationalSupportVocab-1.0.1 instead.
<xs:complexType name="PlanningAndOperationalSupportVocab-1.0"><xs:annotation><xs:documentation>The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportVocab is deprecated. Please use PlanningAndOperationalSupportVocab-1.0.1 instead.</xs:documentation><xs:appinfo><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:PlanningAndOperationalSupportEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Planning and Operational Support Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#PlanningAndOperationalSupportVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:PlanningAndOperationalSupportEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of planning and operational support functions of a threat actor.
NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportEnumType is deprecated. Please use PlanningAndOperationalSupportEnum-1.0.1 instead.
Diagram
Type
restriction of xs:string
Facets
enumeration
Data Exploitation
enumeration
Data Exploitation - Analytic Support
enumeration
Data Exploitation - Translation Support
enumeration
Financial Resources
enumeration
Financial Resources - Academic
enumeration
Financial Resources - Commercial
enumeration
Financial Resources - Government
enumeration
Financial Resources - Hacktivist or Grassroot
enumeration
Financial Resources - Non-Attributable Finance
enumeration
Skill Development / Recruitment
enumeration
Skill Development / Recruitment - Contracting and Hiring
enumeration
Skill Development / Recruitment - Document Exploitation (DOCEX) Training
enumeration
Skill Development / Recruitment - Internal Training
enumeration
Skill Development / Recruitment - Military Programs
enumeration
Skill Development / Recruitment - Security / Hacker Conferences
enumeration
Skill Development / Recruitment - Underground Forums
enumeration
Skill Development / Recruitment - University Programs
Planning - Pre-Operational Surveillance and Reconnaissance
enumeration
Planning - Target Selection
Source
<xs:simpleType name="PlanningAndOperationalSupportEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of planning and operational support functions of a threat actor.</xs:documentation><xs:documentation>NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportEnumType is deprecated. Please use PlanningAndOperationalSupportEnum-1.0.1 instead.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source><deprecated>true</deprecated></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Data Exploitation"/><xs:enumeration value="Data Exploitation - Analytic Support"/><xs:enumeration value="Data Exploitation - Translation Support"/><xs:enumeration value="Financial Resources"/><xs:enumeration value="Financial Resources - Academic"/><xs:enumeration value="Financial Resources - Commercial"/><xs:enumeration value="Financial Resources - Government"/><xs:enumeration value="Financial Resources - Hacktivist or Grassroot"/><xs:enumeration value="Financial Resources - Non-Attributable Finance"/><xs:enumeration value="Skill Development / Recruitment"/><xs:enumeration value="Skill Development / Recruitment - Contracting and Hiring"/><xs:enumeration value="Skill Development / Recruitment - Document Exploitation (DOCEX) Training"/><xs:enumeration value="Skill Development / Recruitment - Internal Training"/><xs:enumeration value="Skill Development / Recruitment - Military Programs"/><xs:enumeration value="Skill Development / Recruitment - Security / Hacker Conferences"/><xs:enumeration value="Skill Development / Recruitment - Underground Forums"/><xs:enumeration value="Skill Development / Recruitment - University Programs"/><xs:enumeration value="Planning "/><xs:enumeration value="Planning - Operational Cover Plan"/><xs:enumeration value="Planning - Open-Source Intelligence (OSINT) Gethering"/><xs:enumeration value="Planning - Pre-Operational Surveillance and Reconnaissance"/><xs:enumeration value="Planning - Target Selection"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IncidentEffectVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IncidentEffectVocab is the default STIX vocabulary for expressing the possible effects of an incident.
<xs:complexType name="IncidentEffectVocab-1.0"><xs:annotation><xs:documentation>The IncidentEffectVocab is the default STIX vocabulary for expressing the possible effects of an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IncidentEffectEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Incident Effect Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IncidentEffectVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IncidentEffectEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of possible effects of an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Brand or Image Degradation
enumeration
Loss of Competitive Advantage
enumeration
Loss of Competitive Advantage - Economic
enumeration
Loss of Competitive Advantage - Military
enumeration
Loss of Competitive Advantage - Political
enumeration
Data Breach or Compromise
enumeration
Degradation of Service
enumeration
Destruction
enumeration
Disruption of Service / Operations
enumeration
Financial Loss
enumeration
Loss of Confidential / Proprietary Information or Intellectual Property
enumeration
Regulatory, Compliance or Legal Impact
enumeration
Unintended Access
enumeration
User Data Loss
Source
<xs:simpleType name="IncidentEffectEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of possible effects of an incident.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Brand or Image Degradation"/><xs:enumeration value="Loss of Competitive Advantage"/><xs:enumeration value="Loss of Competitive Advantage - Economic"/><xs:enumeration value="Loss of Competitive Advantage - Military"/><xs:enumeration value="Loss of Competitive Advantage - Political"/><xs:enumeration value="Data Breach or Compromise"/><xs:enumeration value="Degradation of Service"/><xs:enumeration value="Destruction"/><xs:enumeration value="Disruption of Service / Operations"/><xs:enumeration value="Financial Loss"/><xs:enumeration value="Loss of Confidential / Proprietary Information or Intellectual Property"/><xs:enumeration value="Regulatory, Compliance or Legal Impact"/><xs:enumeration value="Unintended Access"/><xs:enumeration value="User Data Loss"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:AttackerToolTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The AttackerToolTypeVocab-1.0 is the default STIX vocabulary for expressing types of attacker tools.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
<xs:complexType name="AttackerToolTypeVocab-1.0"><xs:annotation><xs:documentation>The AttackerToolTypeVocab-1.0 is the default STIX vocabulary for expressing types of attacker tools.</xs:documentation><xs:documentation>Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="cyboxCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:AttackerToolTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Attacker Tool Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#AttackerToolTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:AttackerToolTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of attacker tools.
Diagram
Type
restriction of xs:string
Facets
enumeration
Malware
enumeration
Penetration Testing
enumeration
Port Scanner
enumeration
Traffic Scanner
enumeration
Vulnerability Scanner
enumeration
Application Scanner
enumeration
Password Cracking
Source
<xs:simpleType name="AttackerToolTypeEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of attacker tools.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Malware"/><xs:enumeration value="Penetration Testing"/><xs:enumeration value="Port Scanner"/><xs:enumeration value="Traffic Scanner"/><xs:enumeration value="Vulnerability Scanner"/><xs:enumeration value="Application Scanner"/><xs:enumeration value="Password Cracking"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:IncidentCategoryVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The IncidentCategoryVocab is the default STIX vocabulary for expressing the possible categories of an incident.
<xs:complexType name="IncidentCategoryVocab-1.0"><xs:annotation><xs:documentation>The IncidentCategoryVocab is the default STIX vocabulary for expressing the possible categories of an incident.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:IncidentCategoryEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Incident Category Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#IncidentCategoryVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:IncidentCategoryEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for types of possible categories of an incident.
Diagram
Type
restriction of xs:string
Facets
enumeration
Exercise/Network Defense Testing
This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
enumeration
Unauthorized Access
In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
enumeration
Denial of Service
An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
enumeration
Malicious Code
Installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
enumeration
Improper Usage
A person violates acceptable computing use policies.
enumeration
Scans/Probes/Attempted Access
This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
enumeration
Investigation
Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
Source
<xs:simpleType name="IncidentCategoryEnum-1.0"><xs:annotation><xs:documentation>The possible values for types of possible categories of an incident.</xs:documentation><xs:appinfo><version>1.0</version><source>This vocabulary is taken from the US-CERT Federal Incident Reporting Guidelines Incident Categories.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Exercise/Network Defense Testing"><xs:annotation><xs:documentation>This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unauthorized Access"><xs:annotation><xs:documentation>In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Denial of Service"><xs:annotation><xs:documentation>An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Malicious Code"><xs:annotation><xs:documentation>Installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Improper Usage"><xs:annotation><xs:documentation>A person violates acceptable computing use policies.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Scans/Probes/Attempted Access"><xs:annotation><xs:documentation>This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Investigation"><xs:annotation><xs:documentation>Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:LossPropertyVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The LossPropertyVocab is the default STIX vocabulary for expressing the possible properties of a loss.
<xs:complexType name="LossPropertyVocab-1.0"><xs:annotation><xs:documentation>The LossPropertyVocab is the default STIX vocabulary for expressing the possible properties of a loss.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:LossPropertyEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Loss Property Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#LossPropertyVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:LossPropertyEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for properties of a loss.
Diagram
Type
restriction of xs:string
Facets
enumeration
Confidentiality
enumeration
Integrity
enumeration
Availability
enumeration
Accountability
enumeration
Non-Repudiation
Source
<xs:simpleType name="LossPropertyEnum-1.0"><xs:annotation><xs:documentation>The possible values for properties of a loss.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Confidentiality"/><xs:enumeration value="Integrity"/><xs:enumeration value="Availability"/><xs:enumeration value="Accountability"/><xs:enumeration value="Non-Repudiation"/></xs:restriction></xs:simpleType>
Complex Type stixVocabs:CourseOfActionTypeVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.
<xs:complexType name="CourseOfActionTypeVocab-1.0"><xs:annotation><xs:documentation>The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:CourseOfActionTypeEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Course Of Action Type Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#CourseOfActionTypeVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:CourseOfActionTypeEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for expressing a type of course of action in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
Perimeter Blocking
Perimeter-based blocking of traffic from a compromised source.
enumeration
Internal Blocking
Host-based blocking of traffic from an internal compromised source.
enumeration
Redirection
Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed.
enumeration
Redirection (Honey Pot)
Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets.
enumeration
Hardening
Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services.
enumeration
Patching
A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability.
enumeration
Eradication
Identifying, locating, and eliminating malware from the network.
enumeration
Rebuilding
Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource.
enumeration
Training
Training users and administrators on how to identify and mitigate this type of threat.
enumeration
Monitoring
Setting up network or host-based sensors to detected the presence of this threat.
enumeration
Physical Access Restrictions
Activities associated with restricting physical access to computing resources.
enumeration
Logical Access Restrictions
Activities associated with restricting logical access to computing resources.
enumeration
Public Disclosure
Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior.
enumeration
Diplomatic Actions
Engaging in communications and relationship building with threat actors to influence positive changes in behavior.
enumeration
Policy Actions
Modifications to policy that reduce the attack surface or infection vectors of malware.
enumeration
Other
Other actions not covered in this list.
Source
<xs:simpleType name="CourseOfActionTypeEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for expressing a type of course of action in STIX.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Perimeter Blocking"><xs:annotation><xs:documentation>Perimeter-based blocking of traffic from a compromised source.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Internal Blocking"><xs:annotation><xs:documentation>Host-based blocking of traffic from an internal compromised source.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Redirection"><xs:annotation><xs:documentation>Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Redirection (Honey Pot)"><xs:annotation><xs:documentation>Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Hardening"><xs:annotation><xs:documentation>Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Patching"><xs:annotation><xs:documentation>A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Eradication"><xs:annotation><xs:documentation>Identifying, locating, and eliminating malware from the network.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Rebuilding"><xs:annotation><xs:documentation>Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Training"><xs:annotation><xs:documentation>Training users and administrators on how to identify and mitigate this type of threat.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Monitoring"><xs:annotation><xs:documentation>Setting up network or host-based sensors to detected the presence of this threat.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Physical Access Restrictions"><xs:annotation><xs:documentation>Activities associated with restricting physical access to computing resources.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Logical Access Restrictions"><xs:annotation><xs:documentation>Activities associated with restricting logical access to computing resources.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Public Disclosure"><xs:annotation><xs:documentation>Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Diplomatic Actions"><xs:annotation><xs:documentation>Engaging in communications and relationship building with threat actors to influence positive changes in behavior.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Policy Actions"><xs:annotation><xs:documentation>Modifications to policy that reduce the attack surface or infection vectors of malware.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Other"><xs:annotation><xs:documentation>Other actions not covered in this list.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:ThreatActorSophisticationVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The ThreatActorSophisticationVocab is the default STIX vocabulary for expressing the level of sophistication of a threat actor.
<xs:complexType name="ThreatActorSophisticationVocab-1.0"><xs:annotation><xs:documentation>The ThreatActorSophisticationVocab is the default STIX vocabulary for expressing the level of sophistication of a threat actor.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:ThreatActorSophisticationEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Threat Actor Sophistication Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#ThreatActorSophisticationVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:ThreatActorSophisticationEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The possible values for threat actor sophistication.
Diagram
Type
restriction of xs:string
Facets
enumeration
Innovator
Demonstrates sophisticated capability. An innovator has the ability to create and script unique programs and codes targeting virtually any form of technology. At this level, this actor has a deep knowledge of networks, operating systems, programming languages, firmware, and infrastructure topologies and will demonstrate operational security when conducting his activities. Innovators are largely responsible for the discovery of 0-day vulnerabilities and the development of new attack techniques.
enumeration
Expert
Demonstrates advanced capability. An actor possessing expert capability has the ability to modify existing programs or codes but does not have the capability to script sophisticated programs from scratch. The expert has a working knowledge of networks, operating systems, and possibly even defensive techniques and will typically exhibit some operational security.
enumeration
Practitioner
Has a demonstrated, albeit low, capability. A practitioner possesses low sophistication capability. He does not have the ability to identify or exploit known vulnerabilities without the use of automated tools. He is proficient in the basic uses of publicly available hacking tools, but is unable to write or alter such programs on his own.
enumeration
Novice
Demonstrates a nascent capability. A novice has basic computer skills and likely requires the assistance of a Practitioner or higher to engage in hacking activity. He uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet and lacks the ability to conduct his own reconnaissance and targeting research.
enumeration
Aspirant
Demonstrates no capability.
Source
<xs:simpleType name="ThreatActorSophisticationEnum-1.0"><xs:annotation><xs:documentation>The possible values for threat actor sophistication.</xs:documentation><xs:appinfo><version>1.0</version><source>The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.</source></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Innovator"><xs:annotation><xs:documentation>Demonstrates sophisticated capability. An innovator has the ability to create and script unique programs and codes targeting virtually any form of technology. At this level, this actor has a deep knowledge of networks, operating systems, programming languages, firmware, and infrastructure topologies and will demonstrate operational security when conducting his activities. Innovators are largely responsible for the discovery of 0-day vulnerabilities and the development of new attack techniques.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Expert"><xs:annotation><xs:documentation>Demonstrates advanced capability. An actor possessing expert capability has the ability to modify existing programs or codes but does not have the capability to script sophisticated programs from scratch. The expert has a working knowledge of networks, operating systems, and possibly even defensive techniques and will typically exhibit some operational security.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Practitioner"><xs:annotation><xs:documentation>Has a demonstrated, albeit low, capability. A practitioner possesses low sophistication capability. He does not have the ability to identify or exploit known vulnerabilities without the use of automated tools. He is proficient in the basic uses of publicly available hacking tools, but is unable to write or alter such programs on his own.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Novice"><xs:annotation><xs:documentation>Demonstrates a nascent capability. A novice has basic computer skills and likely requires the assistance of a Practitioner or higher to engage in hacking activity. He uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet and lacks the ability to conduct his own reconnaissance and targeting research.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Aspirant"><xs:annotation><xs:documentation>Demonstrates no capability.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:InformationSourceRoleVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The InformationSourceRoleVocab is the default STIX vocabulary for characterizing roles played by given entities as information sources.
<xs:complexType name="InformationSourceRoleVocab-1.0"><xs:annotation><xs:documentation>The InformationSourceRoleVocab is the default STIX vocabulary for characterizing roles played by given entities as information sources.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:InformationSourceRoleEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default InformationSourceRole Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#InformationSourceRoleVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:InformationSourceRoleEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for characterizing roles played by given entities as information sources in STIX.
Diagram
Type
restriction of xs:string
Facets
enumeration
Initial Author
A party acting as the initial author/creator of a set of information.
enumeration
Content Enhancer/Refiner
A party that enhances or refines a preexisting set of information.
enumeration
Aggregator
A party that aggregates multiple different sets of information into one new set of information.
enumeration
Transformer/Translator
A party that transforms or translates a preexisting set of information into a different representation (e.g., translating an unstructured prose threat analysis report into STIX).
Source
<xs:simpleType name="InformationSourceRoleEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for characterizing roles played by given entities as information sources in STIX.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Initial Author"><xs:annotation><xs:documentation>A party acting as the initial author/creator of a set of information.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Content Enhancer/Refiner"><xs:annotation><xs:documentation>A party that enhances or refines a preexisting set of information.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Aggregator"><xs:annotation><xs:documentation>A party that aggregates multiple different sets of information into one new set of information.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Transformer/Translator"><xs:annotation><xs:documentation>A party that transforms or translates a preexisting set of information into a different representation (e.g., translating an unstructured prose threat analysis report into STIX).</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixVocabs:VersioningVocab-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The VersioningVocab is the default STIX vocabulary for representing versioning of STIX content.
<xs:complexType name="VersioningVocab-1.0"><xs:annotation><xs:documentation>The VersioningVocab is the default STIX vocabulary for representing versioning of STIX content.</xs:documentation></xs:annotation><xs:simpleContent><xs:restriction base="stixCommon:ControlledVocabularyStringType"><xs:simpleType><xs:union memberTypes="stixVocabs:VersioningEnum-1.0"/></xs:simpleType><xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Default Versioning Vocabulary"/><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#VersioningVocab-1.0"/></xs:restriction></xs:simpleContent></xs:complexType>
Simple Type stixVocabs:VersioningEnum-1.0
Namespace
http://stix.mitre.org/default_vocabularies-1
Annotations
The default set of values to use for representing versioning of STIX content.
Diagram
Type
restriction of xs:string
Facets
enumeration
Updates - Revises
The new content represents a modified or expanded form of the previous content with existing information refined for improved quality or confidence.
enumeration
Updates - Corrects
The new content represents a modified form of the previous content with corrections to errors in the existing information. The previous content should be considered invalid and the new content should be used in its place.
enumeration
Revokes
The previous content is asserted to be invalid and should not be considered for operational purposes.
Source
<xs:simpleType name="VersioningEnum-1.0"><xs:annotation><xs:documentation>The default set of values to use for representing versioning of STIX content.</xs:documentation><xs:appinfo><version>1.0</version></xs:appinfo></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Updates - Revises"><xs:annotation><xs:documentation>The new content represents a modified or expanded form of the previous content with existing information refined for improved quality or confidence.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Updates - Corrects"><xs:annotation><xs:documentation>The new content represents a modified form of the previous content with corrections to errors in the existing information. The previous content should be considered invalid and the new content should be used in its place.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Revokes"><xs:annotation><xs:documentation>The previous content is asserted to be invalid and should not be considered for operational purposes.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
