Main schema incident.xsd
Namespace http://stix.mitre.org/Incident-1
Annotations
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element incident:Incident
Namespace http://stix.mitre.org/Incident-1
Annotations
This field characterizes a single cyber threat Incident.
Type incident:IncidentType
Children incident:Affected_Assets, incident:Attributed_Threat_Actors, incident:COA_Requested, incident:COA_Taken, incident:Categories, incident:Confidence, incident:Contact, incident:Coordinator, incident:Description, incident:Discovery_Method, incident:External_ID, incident:Handling, incident:History, incident:Impact_Assessment, incident:Information_Source, incident:Intended_Effect, incident:Leveraged_TTPs, incident:Related_Incidents, incident:Related_Indicators, incident:Related_Observables, incident:Related_Packages, incident:Reporter, incident:Responder, incident:Security_Compromise, incident:Short_Description, incident:Status, incident:Time, incident:Title, incident:Victim
Attributes
QName Type Use Annotation
URL optional
Specifies a URL referencing the location for the Incident specification.
id xs:QName optional
Specifies a globally unique identifier for this cyber threat Incident.
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
version incident:IncidentVersionType optional
Specifies the relevant STIX-Incident schema version for this content.
Source
<xs:element name="Incident" type="incident:IncidentType">
  <xs:annotation>
    <xs:documentation>This field characterizes a single cyber threat Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Title
Namespace http://stix.mitre.org/Incident-1
Annotations
The Title field provides a simple title for this Incident.
Type xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:External_ID
Namespace http://stix.mitre.org/Incident-1
Annotations
The External_ID field provides a reference to an ID of an incident in a remote system.
Type incident:ExternalIDType
Attributes
QName Type Use Annotation
source xs:string optional
Specifies the source of the External ID.
Source
<xs:element name="External_ID" type="incident:ExternalIDType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The External_ID field provides a reference to an ID of an incident in a remote system.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Time
Namespace http://stix.mitre.org/Incident-1
Annotations
The Time field specifies relevant time values associated with this Incident.
Type incident:TimeType
Children incident:Containment_Achieved, incident:First_Data_Exfiltration, incident:First_Malicious_Action, incident:Incident_Closed, incident:Incident_Discovery, incident:Incident_Opened, incident:Incident_Reported, incident:Initial_Compromise, incident:Restoration_Achieved
Source
<xs:element name="Time" type="incident:TimeType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Time field specifies relevant time values associated with this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:First_Malicious_Action
Namespace http://stix.mitre.org/Incident-1
Annotations
The First_Malicious_Action field specifies the time that the first malicious action related to this Incident occurred.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="First_Malicious_Action" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The First_Malicious_Action field specifies the time that the first malicious action related to this Incident occured.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Initial_Compromise
Namespace http://stix.mitre.org/Incident-1
Annotations
The Initial_Compromise field specifies the time that the initial compromise occurred for this Incident.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Initial_Compromise" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Initial_Compromise field specifies the time that the initial compromise occured for this Incident.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:First_Data_Exfiltration
Namespace http://stix.mitre.org/Incident-1
Annotations
The First_Data_Exfiltration field specifies the first time at which non-public data was taken from the victim environment.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="First_Data_Exfiltration" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The First_Data_Exfiltration field specifies the first time at which non-public data was taken from the victim environment</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Incident_Discovery
Namespace http://stix.mitre.org/Incident-1
Annotations
The Incident_Discovery field specifies the first time at which the organization learned the incident had occurred.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Incident_Discovery" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Incident_Discovery field specifies the first time at which the organization learned the incident had occurred.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Incident_Opened
Namespace http://stix.mitre.org/Incident-1
Annotations
The Incident_Opened field specifies the time at which the Incident was officially opened.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Incident_Opened" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Incident_Opened field specifies the time at which the Incident was officially opened.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Containment_Achieved
Namespace http://stix.mitre.org/Incident-1
Annotations
The Containment_Achieved field specifies the first time at which the incident is contained (e.g., the “bleeding is stopped”).
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Containment_Achieved" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Containment_Achieved field specifies the first time at which the incident is contained (e.g., the “bleeding is stopped”).</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Restoration_Achieved
Namespace http://stix.mitre.org/Incident-1
Annotations
The Restoration_Achieved field specifies the first time at which the incident's assets are restored (e.g., fully functional).
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Restoration_Achieved" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Restoration_Achieved field specifies the first time at which the incident's assets are restored (e.g., fully functional)”.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Incident_Reported
Namespace http://stix.mitre.org/Incident-1
Annotations
The Incident_Reported field specifies the time at which the Incident was reported.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Incident_Reported" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Incident_Reported field specifies the time at which the Incident was reported.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TimeType / incident:Incident_Closed
Namespace http://stix.mitre.org/Incident-1
Annotations
The Incident_Closed field specifies the time at which the Incident was officially closed.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Incident_Closed" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Incident_Closed field specifies the time at which the Incident was officially closed.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
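The rules this page states in prose for the Incident attributes (id and idref are mutually exclusive, an idref instance should hold no content, timestamp has no meaning without id or idref) and for the Time children (include a timezone) can be checked after parsing. The following is an added example, not part of the STIX schema or of any MITRE tooling; the `samples` wrapper element, the `example` prefix, the finding labels and every value in the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

INC_NS = "http://stix.mitre.org/Incident-1"  # namespace given on this page

# Children of incident:Time, in the order the schema lists them.
TIME_FIELDS = (
    "First_Malicious_Action", "Initial_Compromise", "First_Data_Exfiltration",
    "Incident_Discovery", "Incident_Opened", "Containment_Achieved",
    "Restoration_Achieved", "Incident_Reported", "Incident_Closed",
)

# An xs:dateTime carries a timezone when it ends in "Z" or a +hh:mm / -hh:mm offset.
TZ_SUFFIX = re.compile(r"(Z|[+-]\d{2}:\d{2})$")


def lint_incident(incident):
    """Return finding labels (hypothetical names) for one incident:Incident element."""
    findings = []
    has_id = "id" in incident.attrib
    has_idref = "idref" in incident.attrib
    has_content = len(incident) > 0 or bool((incident.text or "").strip())

    if has_id and has_idref:
        findings.append("id-and-idref")
    if has_idref and has_content:
        findings.append("idref-with-content")
    if "timestamp" in incident.attrib and not (has_id or has_idref):
        findings.append("timestamp-without-id-or-idref")

    time_el = incident.find(f"{{{INC_NS}}}Time")
    if time_el is not None:
        for name in TIME_FIELDS:
            field = time_el.find(f"{{{INC_NS}}}{name}")
            if field is None:
                continue  # every Time child is minOccurs="0"
            if not TZ_SUFFIX.search((field.text or "").strip()):
                findings.append(f"no-timezone:{name}")
    return findings


def lint_document(xml_text):
    """Lint every incident:Incident in a document; one findings list per incident."""
    # The sample below is a trusted literal. For feeds received from other
    # parties, parse with a hardened XML parser configuration instead.
    root = ET.fromstring(xml_text)
    return [lint_incident(el) for el in root.iter(f"{{{INC_NS}}}Incident")]


# Constructed sample document (not taken from any real report).
SAMPLE = """\
<samples xmlns:incident="http://stix.mitre.org/Incident-1"
         xmlns:example="http://example.com/">
  <incident:Incident id="example:incident-1" timestamp="2014-05-08T09:00:00Z">
    <incident:Title>Constructed sample: well-formed</incident:Title>
    <incident:Time>
      <incident:Initial_Compromise precision="second">2014-05-01T03:12:44Z</incident:Initial_Compromise>
      <incident:Incident_Discovery>2014-05-03T10:30:00+02:00</incident:Incident_Discovery>
    </incident:Time>
  </incident:Incident>
  <incident:Incident id="example:incident-2" idref="example:incident-1">
    <incident:Title>Constructed sample: id plus idref, with content</incident:Title>
  </incident:Incident>
  <incident:Incident timestamp="2014-05-08T09:00:00Z">
    <incident:Time>
      <incident:Containment_Achieved>2014-05-04T18:00:00</incident:Containment_Achieved>
    </incident:Time>
  </incident:Incident>
</samples>
"""

if __name__ == "__main__":
    for index, findings in enumerate(lint_document(SAMPLE), start=1):
        print(f"incident #{index}: {findings or 'ok'}")
```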
Element incident:IncidentType / incident:Description
Namespace http://stix.mitre.org/Incident-1
Annotations
The Description field is optional and provides an unstructured, text description of this Incident.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Description field is optional and provides an unstructured, text description of this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Short_Description
Namespace http://stix.mitre.org/Incident-1
Annotations
The Short_Description field is optional and provides a short, unstructured, text description of this Incident.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Categories
Namespace http://stix.mitre.org/Incident-1
Annotations
The Categories field provides a set of categories for this incident.
Type incident:CategoriesType
Children incident:Category
Source
<xs:element name="Categories" type="incident:CategoriesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Categories field provides a set of categories for this incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:CategoriesType / incident:Category
Namespace http://stix.mitre.org/Incident-1
Annotations
Represents a single category that this incident is tagged with.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentCategoryVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Category" type="stixCommon:ControlledVocabularyStringType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Represents a single category that this incident is tagged with.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentCategoryVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Reporter
Namespace http://stix.mitre.org/Incident-1
Annotations
The Reporter field details information about the reporting source of this Incident.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Reporter" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Reporter field details information about the reporting source of this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Responder
Namespace http://stix.mitre.org/Incident-1
Annotations
The Responder field is optional and details information about the assigned responder for this Incident.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Responder" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Responder field is optional and details information about the assigned responder for this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Coordinator
Namespace http://stix.mitre.org/Incident-1
Annotations
The Coordinator field is optional and details information about the assigned coordinator for this Incident.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Coordinator" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Coordinator field is optional and details information about the assigned coordinator for this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Victim
Namespace http://stix.mitre.org/Incident-1
Annotations
The Victim field is optional and details information about a victim of this Incident.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Type stixCommon:IdentityType
Children stixCommon:Name, stixCommon:Related_Identities
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Identity.
idref xs:QName optional
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Victim" type="stixCommon:IdentityType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Victim field is optional and details information about a victim of this Incident.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.</xs:documentation>
    <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Affected_Assets
Namespace http://stix.mitre.org/Incident-1
Annotations
The Affected_Assets field is optional and characterizes the particular assets affected during the Incident.
Type incident:AffectedAssetsType
Children incident:Affected_Asset
Source
<xs:element name="Affected_Assets" type="incident:AffectedAssetsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Affected_Assets field is optional and characterizes the particular assets affected during the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetsType / incident:Affected_Asset
Namespace http://stix.mitre.org/Incident-1
Annotations
The Affected_Asset field is optional and characterizes a particular asset affected during the Incident.
Type incident:AffectedAssetType
Children incident:Business_Function_Or_Role, incident:Description, incident:Location, incident:Location_Class, incident:Management_Class, incident:Nature_Of_Security_Effect, incident:Ownership_Class, incident:Structured_Description, incident:Type
Source
<xs:element name="Affected_Asset" type="incident:AffectedAssetType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Affected_Asset field is optional and characterizes a particular asset affected during the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Type
Namespace http://stix.mitre.org/Incident-1
Annotations
The Type field is optional and specifies the type of the asset impacted by the incident (a security attribute was negatively affected).
Type incident:AssetTypeType
Attributes
QName Type Use Annotation
count_affected optional
This field specifies the number of assets of this type affected.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="incident:AssetTypeType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Type field is optional and specifies the type of the asset impacted by the incident (a security attribute was negatively affected).</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Description
Namespace http://stix.mitre.org/Incident-1
Annotations
The Description field is optional and provides an unstructured, text description of the asset.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Description field is optional and provides an unstructured, text description of the asset.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Business_Function_Or_Role
Namespace http://stix.mitre.org/Incident-1
Annotations
The Business_Function_Or_Role field is optional and provides a brief description of the asset's role, mission, and importance within the organization.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Business_Function_Or_Role" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Business_Function_Or_Role field is optional and provides a brief description of the asset's role, mission, and importance within the organization.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Ownership_Class
Namespace http://stix.mitre.org/Incident-1
Annotations
The Ownership_Class field is optional and gives a high-level characterization of who owns (or controls) this asset (e.g. Internally-owned, Employee-owned, Partner-owned, Customer-owned).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is OwnershipClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Ownership_Class" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Ownership_Class field is optional and gives a high-level characterization of who owns (or controls) this asset (e.g. Internally-owned, Employee-owned, Partner-owned, Customer-owned).</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is OwnershipClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Management_Class
Namespace http://stix.mitre.org/Incident-1
Annotations
The Management_Class field is optional and gives a high-level characterization of who is responsible for the day-to-day management and administration of this asset (e.g. Managed Internally, Managed by External Party, Co-managed).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ManagementClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Management_Class" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Management_Class field is optional and gives a high-level characterization of who is responsible for the day-to-day management and administration of this asset (e.g. Managed Internally, Managed by External Party, Co-managed).</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ManagementClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Location_Class
Namespace http://stix.mitre.org/Incident-1
Annotations
The Location_Class field is optional and gives a high-level characterization of where this asset is physically located (e.g. Internal location, External location, Co-located, Mobile).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LocationClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Location_Class" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Location_Class field is optional and gives a high-level characterization of where this asset is physically located (e.g. Internal location, External location, Co-located, Mobile).</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LocationClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Location
Namespace http://stix.mitre.org/Incident-1
Annotations
The Location field specifies the physical location of the affected asset.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://stix.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/address/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq/1.1/ciq_3.0_address.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Type stixCommon:AddressAbstractType
Source
<xs:element name="Location" type="stixCommon:AddressAbstractType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Location field specifies the physical location of the affected asset.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://stix.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/address/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq/1.1/ciq_3.0_address.xsd.</xs:documentation>
    <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Nature_Of_Security_Effect
Namespace http://stix.mitre.org/Incident-1
Annotations
The Nature_Of_Security_Effect field is optional and characterizes how the security properties of the Asset were affected.
Type incident:NatureOfSecurityEffectType
Children incident:Property_Affected
Source
<xs:element name="Nature_Of_Security_Effect" type="incident:NatureOfSecurityEffectType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Nature_Of_Security_Effect field is optional and characterizes how the security properties of the Asset were affected.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:NatureOfSecurityEffectType / incident:Property_Affected
Namespace http://stix.mitre.org/Incident-1
Annotations
The Property_Affected field is optional and characterizes how a particular security property of the Asset was affected.
Type incident:PropertyAffectedType
Children incident:Description_Of_Effect, incident:Duration_Of_Availability_Loss, incident:Non_Public_Data_Compromised, incident:Property, incident:Type_Of_Availability_Loss
Source
<xs:element name="Property_Affected" type="incident:PropertyAffectedType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Property_Affected field is optional and characterizes how a particular security property of the Asset was affected.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:PropertyAffectedType / incident:Property
Namespace http://stix.mitre.org/Incident-1
Annotations
The security property that was affected by the incident.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LossPropertyVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Property" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The security property that was affected by the incident.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LossPropertyVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:PropertyAffectedType / incident:Description_Of_Effect
Namespace http://stix.mitre.org/Incident-1
Annotations
The Description_Of_Effect field is optional and provides a brief prose description of how the security property was affected.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this Description.
ordinality xs:positiveInteger optional
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description_Of_Effect" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Description_Of_Effect field is optional and provides a brief prose description of how the security property was affected.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:PropertyAffectedType / incident:Type_Of_Availability_Loss
Namespace http://stix.mitre.org/Incident-1
Annotations
The Type_Of_Availability_Loss field is optional and characterizes in what manner the availability of this asset was affected (e.g. Destruction, Deletion, Interruption).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AvailabilityLossTypeVocab-1.1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type_Of_Availability_Loss" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Type_Of_Availability_Loss field is optional and characterizes in what manner the availability of this asset was affected (e.g. Destruction, Deletion, Interruption).</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AvailabilityLossTypeVocab-1.1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:PropertyAffectedType / incident:Duration_Of_Availability_Loss
Namespace http://stix.mitre.org/Incident-1
Annotations
The Duration_Of_Availability_Loss field is optional and specifies the approximate length of time availability was affected (e.g. Permanent, Seconds, Minutes, Hours, Days).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LossDurationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Duration_Of_Availability_Loss" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Duration_Of_Availability_Loss field is optional and specifies the approximate length of time availability was affected (e.g. Permanent, Seconds, Minutes, Hours, Days).</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LossDurationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:PropertyAffectedType / incident:Non_Public_Data_Compromised
Namespace http://stix.mitre.org/Incident-1
Annotations
This field specifies whether non-public data was compromised or exposed and whether that data was encrypted or not.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type incident:NonPublicDataCompromisedType
Attributes
QName Type Use Annotation
data_encrypted xs:boolean optional
Indicates whether the data that was compromised was encrypted or not.
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Non_Public_Data_Compromised" type="incident:NonPublicDataCompromisedType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>This field specifies whether non-public data was compromised or exposed and whether that data was encrypted or not.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AffectedAssetType / incident:Structured_Description
Namespace http://stix.mitre.org/Incident-1
Annotations
The Structured_Description field is optional and provides a structured description of the asset.
Type cybox:ObservablesType
Children cybox:Observable, cybox:Observable_Package_Source, cybox:Pools
Attributes
QName Type Use Annotation
cybox_major_version xs:string required
The cybox_major_version field specifies the major version of the CybOX language utilized for this set of Observables.
cybox_minor_version xs:string required
The cybox_minor_version field specifies the minor version of the CybOX language utilized for this set of Observables.
cybox_update_version xs:string optional
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
<xs:element name="Structured_Description" type="cybox:ObservablesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Structured_Description field is optional and provides a structured description of the asset.</xs:documentation>
  </xs:annotation>
</xs:element>
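A consumer-side reading of the Affected_Asset structure documented above, as an added example that is not part of the schema or of the STIX project's own code. The element and attribute names and the namespace come from this page; the sample document, its field values, and the function names are constructed for illustration, and the fields are read as plain strings (no xsi:type vocabulary is applied).

```python
import xml.etree.ElementTree as ET

INCIDENT_NS = "http://stix.mitre.org/Incident-1"
NS = {"incident": INCIDENT_NS}

# Constructed sample input (not taken from a real incident report).
SAMPLE = """<incident:Affected_Assets xmlns:incident="http://stix.mitre.org/Incident-1">
  <incident:Affected_Asset>
    <incident:Type count_affected="2">Database</incident:Type>
    <incident:Description structuring_format="HTML5"><![CDATA[<p>Customer <b>orders</b> database</p>]]></incident:Description>
    <incident:Ownership_Class>Internally-owned</incident:Ownership_Class>
    <incident:Nature_Of_Security_Effect>
      <incident:Property_Affected>
        <incident:Property>Confidentiality</incident:Property>
        <incident:Non_Public_Data_Compromised data_encrypted="false">Yes</incident:Non_Public_Data_Compromised>
      </incident:Property_Affected>
      <incident:Property_Affected>
        <incident:Property>Availability</incident:Property>
        <incident:Type_Of_Availability_Loss>Interruption</incident:Type_Of_Availability_Loss>
        <incident:Duration_Of_Availability_Loss>Hours</incident:Duration_Of_Availability_Loss>
      </incident:Property_Affected>
    </incident:Nature_Of_Security_Effect>
  </incident:Affected_Asset>
  <incident:Affected_Asset>
    <incident:Type>Backup</incident:Type>
    <incident:Nature_Of_Security_Effect>
      <incident:Property_Affected>
        <incident:Property>Confidentiality</incident:Property>
        <incident:Non_Public_Data_Compromised>Suspected</incident:Non_Public_Data_Compromised>
      </incident:Property_Affected>
      <incident:Property_Affected>
        <incident:Property>Integrity</incident:Property>
        <incident:Non_Public_Data_Compromised data_encrypted="1">Yes</incident:Non_Public_Data_Compromised>
      </incident:Property_Affected>
    </incident:Nature_Of_Security_Effect>
  </incident:Affected_Asset>
</incident:Affected_Assets>"""


def parse_xs_boolean(raw):
    """Map an optional xs:boolean attribute to True/False, or None when absent."""
    if raw is None:
        return None
    value = raw.strip()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean lexical value: {raw!r}")


def _text(parent, tag):
    """Text of an optional incident:* child, or None when the child is absent."""
    el = parent.find(f"incident:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None


def summarize_assets(xml_text):
    """Flatten every Affected_Asset into a dict; every field is optional."""
    root = ET.fromstring(xml_text)
    assets = []
    for asset in root.iter(f"{{{INCIDENT_NS}}}Affected_Asset"):
        type_el = asset.find("incident:Type", NS)
        effects = []
        path = "incident:Nature_Of_Security_Effect/incident:Property_Affected"
        for prop in asset.findall(path, NS):
            npd = prop.find("incident:Non_Public_Data_Compromised", NS)
            effects.append({
                "property": _text(prop, "Property"),
                "availability_loss": _text(prop, "Type_Of_Availability_Loss"),
                "duration": _text(prop, "Duration_Of_Availability_Loss"),
                "non_public_data": _text(prop, "Non_Public_Data_Compromised"),
                "data_encrypted": parse_xs_boolean(npd.get("data_encrypted"))
                if npd is not None else None,
            })
        assets.append({
            "type": _text(asset, "Type"),
            # Kept as the raw attribute string: this page lists no type for it.
            "count_affected": type_el.get("count_affected") if type_el is not None else None,
            "ownership": _text(asset, "Ownership_Class"),
            # The parser unwraps CDATA, so the text is raw markup in the declared
            # structuring_format; treat it as untrusted input when rendering it.
            "descriptions": [
                {"format": d.get("structuring_format"), "text": (d.text or "").strip()}
                for d in asset.findall("incident:Description", NS)
            ],
            "effects": effects,
        })
    return assets


def exposures_needing_review(assets):
    """(asset type, property, data_encrypted) wherever Non_Public_Data_Compromised
    is present and encryption is false or unstated (data_encrypted is optional)."""
    return [
        (a["type"], e["property"], e["data_encrypted"])
        for a in assets
        for e in a["effects"]
        if e["non_public_data"] is not None and e["data_encrypted"] is not True
    ]


if __name__ == "__main__":
    for row in exposures_needing_review(summarize_assets(SAMPLE)):
        print(row)
```

Because data_encrypted is optional, an absent attribute is reported as None rather than being folded into False, so unstated encryption status stays distinguishable from a stated "not encrypted".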
Element incident:IncidentType / incident:Impact_Assessment
Namespace http://stix.mitre.org/Incident-1
Annotations
The Impact_Assessment field specifies a summary assessment of impact for this cyber threat Incident.
Type incident:ImpactAssessmentType
Children incident:Direct_Impact_Summary, incident:Effects, incident:External_Impact_Assessment_Model, incident:Impact_Qualification, incident:Indirect_Impact_Summary, incident:Total_Loss_Estimation
Source
<xs:element name="Impact_Assessment" type="incident:ImpactAssessmentType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Impact_Assessment field specifies a summary assessment of impact for this cyber threat Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:ImpactAssessmentType / incident:Direct_Impact_Summary
Namespace http://stix.mitre.org/Incident-1
Annotations
The Direct_Impact_Summary field is optional and characterizes (at a high level) losses directly resulting from the ThreatActor's actions against organizational assets within the Incident.
Type incident:DirectImpactSummaryType
Children incident:Asset_Losses, incident:Business-Mission_Disruption, incident:Response_And_Recovery_Costs
Source
<xs:element name="Direct_Impact_Summary" type="incident:DirectImpactSummaryType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Direct_Impact_Summary field is optional and characterizes (at a high level) losses directly resulting from the ThreatActor's actions against organizational assets within the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:DirectImpactSummaryType / incident:Asset_Losses
Namespace http://stix.mitre.org/Incident-1
Annotations
The Asset_Losses field is optional and characterizes (at a high level) the level of asset-related losses that occurred in the Incident, including lost or damaged assets, stolen funds, cash outlays, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Asset_Losses" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Asset_Losses field is optional and characterizes (at a high level) the level of asset-related losses that occurred in the Incident, including lost or damaged assets, stolen funds, cash outlays, etc.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:DirectImpactSummaryType / incident:Business-Mission_Disruption
Namespace http://stix.mitre.org/Incident-1
Annotations
The Business-Mission_Disruption field is optional and characterizes (at a high level) the level of business or mission disruption impact that occurred in the Incident, including unproductive man-hours, lost revenue from system downtime, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Business-Mission_Disruption" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Business-Mission_Disruption field is optional and characterizes (at a high level) the level of business or mission disruption impact that occurred in the Incident, including unproductive man-hours, lost revenue from system downtime, etc.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:DirectImpactSummaryType / incident:Response_And_Recovery_Costs
Namespace http://stix.mitre.org/Incident-1
Annotations
The Response_And_Recovery_Costs field is optional and characterizes (at a high level) the level of response and recovery related costs that occurred in the Incident, including cost of response, investigation, remediation, restoration, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Response_And_Recovery_Costs" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Response_And_Recovery_Costs field is optional and characterizes (at a high level) the level of response and recovery related costs that occurred in the Incident, including cost of response, investigation, remediation, restoration, etc.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:ImpactAssessmentType / incident:Indirect_Impact_Summary
Namespace http://stix.mitre.org/Incident-1
Annotations
The Indirect_Impact_Summary field is optional and characterizes (at a high level) losses from other stakeholder reactions to the Incident.
Type incident:IndirectImpactSummaryType
Children incident:Brand_And_Market_Damage, incident:Increased_Operating_Costs, incident:Legal_And_Regulatory_Costs, incident:Loss_Of_Competitive_Advantage
Source
<xs:element name="Indirect_Impact_Summary" type="incident:IndirectImpactSummaryType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Indirect_Impact_Summary field is optional and characterizes (at a high level) losses from other stakeholder reactions to the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IndirectImpactSummaryType / incident:Loss_Of_Competitive_Advantage
Namespace http://stix.mitre.org/Incident-1
Annotations
The Loss_Of_Competitive_Advantage field is optional and characterizes (at a high level) the level of impact based on loss of competitive advantage that occurred in the Incident, including loss/damage/exposure of IP, corporate wisdom, ability to compete, key personnel, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Loss_Of_Competitive_Advantage" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Loss_Of_Competitive_Advantage field is optional and characterizes (at a high level) the level of impact based on loss of competitive advantage that occurred in the Incident, including loss/damage/exposure of IP, corporate wisdom, ability to compete, key personnel, etc.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IndirectImpactSummaryType / incident:Brand_And_Market_Damage
Namespace http://stix.mitre.org/Incident-1
Annotations
The Brand_And_Market_Damage field is optional and characterizes (at a high level) the level of impact based on brand or market damage that occurred in the Incident, including lost customers or partners, decrease in market value or share, advertising, rebranding, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Brand_And_Market_Damage" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Brand_And_Market_Damage field is optional and characterizes (at a high level) the level of impact based on brand or market damage that occurred in the Incident, including lost customers or partners, decrease in market value or share, advertising, rebranding, etc.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IndirectImpactSummaryType / incident:Increased_Operating_Costs
Namespace http://stix.mitre.org/Incident-1
Annotations
The Increased_Operating_Costs field is optional and characterizes (at a high level) the level of impact based on increased operating costs that occurred in the Incident, including cost of additional audits, new hires or training, mandatory action, higher insurance, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Increased_Operating_Costs" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Increased_Operating_Costs field is optional and characterizes (at a high level) the level of impact based on increased operating costs that occurred in the Incident, including cost of additional audits, new hires or training, mandatory action, higher insurance, etc.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IndirectImpactSummaryType / incident:Legal_And_Regulatory_Costs
Namespace http://stix.mitre.org/Incident-1
Annotations
Diagram
Type stixCommon:ControlledVocabularyStringType
Attributes
Source
Element incident:ImpactAssessmentType / incident:Total_Loss_Estimation
Namespace http://stix.mitre.org/Incident-1
Annotations
The Total_Loss_Estimation field is optional and specifies the total estimated financial loss for the Incident.
Type incident:TotalLossEstimationType
Children incident:Actual_Total_Loss_Estimation, incident:Initial_Reported_Total_Loss_Estimation
Source
<xs:element name="Total_Loss_Estimation" type="incident:TotalLossEstimationType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Total_Loss_Estimation field is optional and specifies the total estimated financial loss for the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TotalLossEstimationType / incident:Initial_Reported_Total_Loss_Estimation
Namespace http://stix.mitre.org/Incident-1
Annotations
The Initial_Reported_Total_Loss_Estimation field is optional and specifies the initially reported level of total estimated financial loss for the Incident.
Type incident:LossEstimationType
Attributes
QName Type Use Annotation
amount optional
Specifies the estimated financial loss for the Incident.
iso_currency_code optional
Specifies the ISO 4217 currency code if other than USD
Source
<xs:element name="Initial_Reported_Total_Loss_Estimation" type="incident:LossEstimationType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Initial_Reported_Total_Loss_Estimation field is optional and specifies the initially reported level of total estimated financial loss for the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:TotalLossEstimationType / incident:Actual_Total_Loss_Estimation
Namespace http://stix.mitre.org/Incident-1
Annotations
The Actual_Total_Loss_Estimation field is optional and specifies the actual level of total estimated financial loss for the Incident.
Type incident:LossEstimationType
Attributes
QName Type Use Annotation
amount optional
Specifies the estimated financial loss for the Incident.
iso_currency_code optional
Specifies the ISO 4217 currency code if other than USD
Source
<xs:element name="Actual_Total_Loss_Estimation" type="incident:LossEstimationType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Actual_Total_Loss_Estimation field is optional and specifies the actual level of total estimated financial loss for the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:ImpactAssessmentType / incident:Impact_Qualification
Namespace http://stix.mitre.org/Incident-1
Annotations
The Impact_Qualification field is optional and summarizes the subjective level of impact of the Incident.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactQualificationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Impact_Qualification" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Impact_Qualification field is optional and summarizes the subjective level of impact of the Incident.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactQualificationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:ImpactAssessmentType / incident:Effects
Namespace http://stix.mitre.org/Incident-1
Annotations
The Effects field captures a list of effects of this incident from a controlled vocabulary.
Type incident:EffectsType
Children incident:Effect
Source
<xs:element name="Effects" type="incident:EffectsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Effects field captures a list of effects of this incident from a controlled vocabulary.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:EffectsType / incident:Effect
Namespace http://stix.mitre.org/Incident-1
Annotations
Represents a single effect that this incident is tagged with.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Effect" type="stixCommon:ControlledVocabularyStringType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Represents a single effect that this incident is tagged with.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:ImpactAssessmentType / incident:External_Impact_Assessment_Model
Namespace http://stix.mitre.org/Incident-1
Annotations
The External_Impact_Assessment_Model field is optional and characterizes impact assessment details utilizing impact assessment characterization models defined external to STIX. It is defined utilizing an abstract type enabling the definition through extension of incident impact assessment models external to STIX.
Type incident:ExternalImpactAssessmentModelType
Attributes
QName Type Use Annotation
model_name xs:string optional
Specifies the name of the externally defined impact assessment model.
model_reference xs:anyURI optional
Specifies a URL reference for the externally defined impact assessment model.
Source
<xs:element name="External_Impact_Assessment_Model" type="incident:ExternalImpactAssessmentModelType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The External_Impact_Assessment_Model field is optional and characterizes impact assessment details utilizing impact assessment characterization models defined external to STIX. It is defined utilizing an abstract type enabling the definition through extension of incident impact assessment models external to STIX.</xs:documentation>
  </xs:annotation>
</xs:element>
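The following is an added example, not part of the STIX schema or its documentation. It shows how a consumer of an Impact_Assessment can tell which of the three options described above a producer used for a controlled-vocabulary field (the default vocabulary through xsi:type, a vocabulary named through vocab_name/vocab_reference, or a plain string) and how it reads the LossEstimationType attributes. The sample document, its values and the function names are constructed for illustration; parsing amount as a decimal is an assumption, since its type is not shown above.

```python
import io
import xml.etree.ElementTree as ET
from decimal import Decimal

INCIDENT_NS = "http://stix.mitre.org/Incident-1"
VOCAB_NS = "http://stix.mitre.org/default_vocabularies-1"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Default vocabulary type per field, as stated in the annotations above.
DEFAULT_VOCAB = {
    "Asset_Losses": "ImpactRatingVocab-1.0",
    "Business-Mission_Disruption": "ImpactRatingVocab-1.0",
    "Response_And_Recovery_Costs": "ImpactRatingVocab-1.0",
    "Impact_Qualification": "ImpactQualificationVocab-1.0",
    "Effect": "IncidentEffectVocab-1.0",
}

# Constructed sample document (not taken from a real report).
SAMPLE = """<incident:Impact_Assessment
    xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <incident:Direct_Impact_Summary>
    <incident:Asset_Losses xsi:type="stixVocabs:ImpactRatingVocab-1.0">Moderate</incident:Asset_Losses>
    <incident:Business-Mission_Disruption vocab_name="ExampleCorp Impact Scale"
        vocab_reference="https://vocab.example/impact">Sev2</incident:Business-Mission_Disruption>
    <incident:Response_And_Recovery_Costs>roughly a week of IR time</incident:Response_And_Recovery_Costs>
  </incident:Direct_Impact_Summary>
  <incident:Total_Loss_Estimation>
    <incident:Initial_Reported_Total_Loss_Estimation amount="5000"/>
    <incident:Actual_Total_Loss_Estimation amount="12500" iso_currency_code="EUR"/>
  </incident:Total_Loss_Estimation>
  <incident:Impact_Qualification xmlns:other="urn:example:not-stix"
      xsi:type="other:ImpactQualificationVocab-1.0">Painful</incident:Impact_Qualification>
</incident:Impact_Assessment>"""


def parse_with_scopes(xml_text):
    """Parse XML, returning (root, {element: prefix -> namespace URI in scope}).

    ElementTree discards prefixes, but xsi:type holds a QName whose prefix must
    be resolved against the declarations in scope on that element.
    For untrusted feeds, use a hardened parser such as defusedxml instead.
    """
    scopes, stack, pending, root = {}, [{}], {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, obj in ET.iterparse(source, ("start-ns", "start", "end")):
        if event == "start-ns":          # emitted before the declaring element
            prefix, uri = obj
            pending[prefix] = uri
        elif event == "start":
            scope = {**stack[-1], **pending}
            pending = {}
            stack.append(scope)
            scopes[obj] = scope
            if root is None:
                root = obj
        else:                            # "end": leave this element's scope
            stack.pop()
    return root, scopes


def classify_vocab_field(elem, scope, expected_type):
    """Return (kind, value) for one ControlledVocabularyStringType element."""
    value = (elem.text or "").strip()
    xsi_type = elem.get(f"{{{XSI_NS}}}type")
    if xsi_type is not None:
        prefix, _, local = xsi_type.rpartition(":")
        # Compare the resolved namespace, never the prefix or local name alone.
        if scope.get(prefix) == VOCAB_NS and local == expected_type:
            # Membership of `value` still has to be checked against the
            # enumeration in stix_default_vocabularies.xsd (not shown here).
            return ("default-vocab", value)
        return ("other-type", value)     # user-defined or unknown extension type
    if elem.get("vocab_name") or elem.get("vocab_reference"):
        return ("custom-vocab", value)
    return ("free-string", value)


def loss_estimates(root):
    """Read LossEstimationType attributes; currency is USD unless stated."""
    out = {}
    for name in ("Initial_Reported_Total_Loss_Estimation",
                 "Actual_Total_Loss_Estimation"):
        el = root.find(f".//{{{INCIDENT_NS}}}{name}")
        if el is not None and el.get("amount") is not None:
            out[name] = (Decimal(el.get("amount")),
                         el.get("iso_currency_code", "USD"))
    return out


def summarize_impact(xml_text):
    """Classify every known controlled-vocabulary field and the loss figures."""
    root, scopes = parse_with_scopes(xml_text)
    fields = {}
    for elem in root.iter():
        ns, _, local = elem.tag[1:].partition("}")
        if ns == INCIDENT_NS and local in DEFAULT_VOCAB:
            fields[local] = classify_vocab_field(
                elem, scopes[elem], DEFAULT_VOCAB[local])
    return fields, loss_estimates(root)


if __name__ == "__main__":
    for item in summarize_impact(SAMPLE):
        print(item)
```

Only a field classified as default-vocab can be compared across producers; the other three kinds carry producer-specific meaning and should be stored with their vocab_name or type rather than mapped onto the default ratings.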
Element incident:IncidentType / incident:Status
Namespace http://stix.mitre.org/Incident-1
Annotations
Status describes the current status (sometimes called "state" or "disposition") of the incident.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentStatusVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Status" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Status describes the current status (sometimes called "state" or "disposition") of the incident.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentStatusVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Related_Indicators
Namespace http://stix.mitre.org/Incident-1
Annotations
Diagram
Type incident:RelatedIndicatorsType
Type hierarchy
Children incident:Related_Indicator
Attributes
Source
Element incident:RelatedIndicatorsType / incident:Related_Indicator
Namespace http://stix.mitre.org/Incident-1
Annotations
Diagram
Type stixCommon:RelatedIndicatorType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Indicator, stixCommon:Information_Source, stixCommon:Relationship
Source
Element incident:IncidentType / incident:Related_Observables
Namespace http://stix.mitre.org/Incident-1
Annotations
Diagram
Type incident:RelatedObservablesType
Type hierarchy
Children incident:Related_Observable
Attributes
Source
Element incident:RelatedObservablesType / incident:Related_Observable
Namespace http://stix.mitre.org/Incident-1
Annotations
Diagram
Type stixCommon:RelatedObservableType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Observable, stixCommon:Relationship
Source
Element incident:IncidentType / incident:Leveraged_TTPs
Namespace http://stix.mitre.org/Incident-1
Annotations
The Leveraged_TTPs field specifies TTPs asserted to be related to this cyber threat Incident.
Type incident:LeveragedTTPsType
Type hierarchy
Children incident:Leveraged_TTP
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Leveraged_TTPs" type="incident:LeveragedTTPsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Leveraged_TTPs field specifies TTPs asserted to be related to this cyber threat Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:LeveragedTTPsType / incident:Leveraged_TTP
Namespace http://stix.mitre.org/Incident-1
Annotations
The Leveraged_TTP field specifies a single TTP asserted to be related to this cyber threat Incident.
Type stixCommon:RelatedTTPType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:TTP
Source
<xs:element name="Leveraged_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Leveraged_TTP field specifies a single TTP asserted to be related to this cyber threat Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Attributed_Threat_Actors
Namespace http://stix.mitre.org/Incident-1
Annotations
The Attributed_Threat_Actors field identifies ThreatActors asserted to be attributed for this Incident.
Type incident:AttributedThreatActorsType
Type hierarchy
Children incident:Threat_Actor
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Attributed_Threat_Actors" type="incident:AttributedThreatActorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Attributed_Threat_Actors field identifies ThreatActors asserted to be attributed for this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:AttributedThreatActorsType / incident:Threat_Actor
Namespace http://stix.mitre.org/Incident-1
Annotations
The Threat_Actor field specifies details of a Threat Actor asserted to be attributed for this Incident.
Type stixCommon:RelatedThreatActorType
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:Threat_Actor
Source
<xs:element name="Threat_Actor" type="stixCommon:RelatedThreatActorType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Threat_Actor field specifies details of a Threat Actor asserted to be attributed for this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Intended_Effect
Namespace http://stix.mitre.org/Incident-1
Annotations
The Intended_Effect field specifies the suspected intended effect of this incident.
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time this statement was asserted.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Intended_Effect field specifies the suspected intended effect of this incident.</xs:documentation>
    <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Security_Compromise
Namespace http://stix.mitre.org/Incident-1
Annotations
Specifies knowledge of whether the Incident involved a compromise of security properties.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Security_Compromise" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies knowledge of whether the Incident involved a compromise of security properties.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Discovery_Method
Namespace http://stix.mitre.org/Incident-1
Annotations
The Discovery_Method field identifies how the incident was discovered.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is DiscoveryMethodVocab-2.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Discovery_Method" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Discovery_Method field identifies how the incident was discovered.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is DiscoveryMethodVocab-2.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Related_Incidents
Namespace http://stix.mitre.org/Incident-1
Annotations
Type incident:RelatedIncidentsType
Children incident:Related_Incident
Attributes
Source
Element incident:RelatedIncidentsType / incident:Related_Incident
Namespace http://stix.mitre.org/Incident-1
Annotations
Type stixCommon:RelatedIncidentType
Children stixCommon:Confidence, stixCommon:Incident, stixCommon:Information_Source, stixCommon:Relationship
Source
Element incident:IncidentType / incident:COA_Requested
Namespace http://stix.mitre.org/Incident-1
Annotations
The COA_Requested field specifies and characterizes a requested CourseOfAction for this Incident as specified by the Producer for the Consumer of the Incident Report.
Type incident:COARequestedType
Children incident:Contributors, incident:Course_Of_Action, incident:Time
Attributes
QName Type Use Annotation
priority optional
Specifies a suggested level of priority to be applied to this requested COA.
Source
<xs:element name="COA_Requested" type="incident:COARequestedType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The COA_Requested field specifies and characterizes a requested CourseOfAction for this Incident as specified by the Producer for the Consumer of the Incident Report</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:COATakenType / incident:Time
Namespace http://stix.mitre.org/Incident-1
Annotations
The Time field specifies the relative time criteria for this taken CourseOfAction.
Type incident:COATimeType
Children incident:End, incident:Start
Source
<xs:element name="Time" type="incident:COATimeType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Time field specifies the relative time criteria for this taken CourseOfAction.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:COATimeType / incident:Start
Namespace http://stix.mitre.org/Incident-1
Annotations
The Start field specifies the time at which the CourseOfAction was begun.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Start" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Start field specifies the time at which the CourseOfAction was begun.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:COATimeType / incident:End
Namespace http://stix.mitre.org/Incident-1
Annotations
The End field specifies the time at which the CourseOfAction was completed.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="End" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The End field specifies the time at which the CourseOfAction was completed.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:COATakenType / incident:Contributors
Namespace http://stix.mitre.org/Incident-1
Annotations
The Contributors field specifies contributing actors for the CourseOfAction taken.
Type incident:ContributorsType
Children incident:Contributor
Source
<xs:element name="Contributors" type="incident:ContributorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Contributors field specifies contributing actors for the CourseOfAction taken.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:ContributorsType / incident:Contributor
Namespace http://stix.mitre.org/Incident-1
Type cyboxCommon:ContributorType
Children cyboxCommon:Contribution_Location, cyboxCommon:Date, cyboxCommon:Email, cyboxCommon:Name, cyboxCommon:Organization, cyboxCommon:Phone, cyboxCommon:Role
Source
<xs:element name="Contributor" type="cyboxCommon:ContributorType" maxOccurs="unbounded"/>
Element incident:COATakenType / incident:Course_Of_Action
Namespace http://stix.mitre.org/Incident-1
Annotations
The Course_Of_Action field specifies the actual CourseOfAction taken.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1/course_of_action.xsd.
Type stixCommon:CourseOfActionBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this COA.
idref xs:QName optional
Specifies a globally unique identifier of a COA specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Course_Of_Action field specifies the actual CourseOfAction taken.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1/course_of_action.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:COA_Taken
Namespace http://stix.mitre.org/Incident-1
Annotations
The COA_Taken field specifies and characterizes a CourseOfAction taken for this Incident.
Type incident:COATakenType
Children incident:Contributors, incident:Course_Of_Action, incident:Time
Source
<xs:element name="COA_Taken" type="incident:COATakenType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The COA_Taken field specifies and characterizes a CourseOfAction taken for this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Confidence
Namespace http://stix.mitre.org/Incident-1
Annotations
The Confidence field characterizes the level of confidence held in the characterization of this Incident.
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Confidence field characterizes the level of confidence held in the characterization of this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Contact
Namespace http://stix.mitre.org/Incident-1
Annotations
The Contact field identifies and characterizes organizations or personnel involved in this Incident.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Contact" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Contact field identifies and characterizes organizations or personnel involved in this Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:History
Namespace http://stix.mitre.org/Incident-1
Annotations
The History field provides a log of events or actions taken during the handling of the Incident.
Type incident:HistoryType
Children incident:History_Item
Source
<xs:element name="History" type="incident:HistoryType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The History field provides a log of events or actions taken during the handling of the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:HistoryType / incident:History_Item
Namespace http://stix.mitre.org/Incident-1
Annotations
The History_Item field provides a log entry of an event or action taken during the handling of the Incident.
Type incident:HistoryItemType
Children incident:Action_Entry, incident:Journal_Entry
Source
<xs:element name="History_Item" type="incident:HistoryItemType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The History_Item field provides a log entry of an event or action taken during the handling of the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:HistoryItemType / incident:Action_Entry
Namespace http://stix.mitre.org/Incident-1
Annotations
The Action_Entry field is optional and provides a record of actions taken during the handling of the Incident.
Type incident:COATakenType
Children incident:Contributors, incident:Course_Of_Action, incident:Time
Source
<xs:element name="Action_Entry" type="incident:COATakenType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Action_Entry field is optional and provides a record of actions taken during the handling of the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:HistoryItemType / incident:Journal_Entry
Namespace http://stix.mitre.org/Incident-1
Annotations
The Journal_Entry field is optional and provides journal notes for information discovered during the handling of the Incident.
Type incident:JournalEntryType
Attributes
QName Type Default Use Annotation
author xs:string optional
Specifies the author of the JournalEntry note.
time xs:dateTime optional
Specifies the date and time that the JournalEntry note was written.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
time_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated time value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Journal_Entry" type="incident:JournalEntryType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Journal_Entry field is optional and provides journal notes for information discovered during the handling of the Incident.</xs:documentation>
  </xs:annotation>
</xs:element>
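The id/idref rule on Course_Of_Action and the timezone and time_precision notes above are stated only in annotations; every attribute involved is optional, so schema validation alone does not catch violations. The following is an added example, not part of the STIX schema or its documentation, that lints a constructed Incident fragment for those rules. The rule names, the sample document and the example.com namespace are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://stix.mitre.org/Incident-1}"

# Lexical form of xs:dateTime: date, 'T', time, optional fraction, optional zone.
DATETIME_RE = re.compile(
    r"^-?\d{4,}-\d{2}-\d{2}T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?"
    r"(Z|[+-]\d{2}:\d{2})?$"
)

# Time components that must be zero for each time_precision value.
# The enum values come from stixCommon:DateTimePrecisionEnum (only "second"
# is named on this page). Month and day cannot be 00 in xs:dateTime, so
# only the time part is checked here.
_TIME = ("hour", "minute", "second", "fraction")
MUST_BE_ZERO = {
    "year": _TIME,
    "month": _TIME,
    "day": _TIME,
    "hour": _TIME[1:],
    "minute": _TIME[2:],
    "second": (),
}


def check_timestamp(value, precision=None):
    """Return rule names violated by one xs:dateTime string."""
    m = DATETIME_RE.match((value or "").strip())
    if not m:
        return ["bad-datetime"]
    hour, minute, second, fraction, zone = m.groups()
    parts = {"hour": hour, "minute": minute, "second": second,
             "fraction": fraction or "0"}
    rules = []
    if zone is None:
        # Annotation: timestamps should carry a timezone if it is known.
        rules.append("no-timezone")
    # Annotation: digits beyond the stated precision should be zeroed out.
    if any(int(parts[p]) for p in MUST_BE_ZERO.get(precision, ())):
        rules.append("precision-not-zeroed")
    return rules


def check_reference(elem):
    """Check the id/idref rule documented for Incident and Course_Of_Action."""
    rules = []
    if elem.get("idref") is not None:
        if elem.get("id") is not None:
            rules.append("id-and-idref")
        if len(elem) or (elem.text or "").strip():
            rules.append("idref-with-content")
    return rules


def lint_incident(xml_text):
    """Return (element name, rule) pairs in document order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.startswith(NS):
            continue
        name = elem.tag[len(NS):]
        if name in ("Incident", "Course_Of_Action"):
            rules = check_reference(elem)
        elif name in ("Start", "End"):
            # The zeroing rule is stated for time_precision, not for the
            # precision attribute of Start/End, so only the zone is checked.
            rules = check_timestamp(elem.text)
        elif name == "Journal_Entry" and elem.get("time") is not None:
            rules = check_timestamp(elem.get("time"),
                                    elem.get("time_precision", "second"))
        else:
            rules = []
        findings.extend((name, rule) for rule in rules)
    return findings


# Constructed sample: End lacks a timezone, Course_Of_Action carries both
# id and idref, and the journal time is not zeroed to its stated precision.
SAMPLE = """\
<incident:Incident xmlns:incident="http://stix.mitre.org/Incident-1"
                   xmlns:example="http://example.com/" id="example:incident-1">
  <incident:COA_Taken>
    <incident:Time>
      <incident:Start>2014-03-01T09:15:00Z</incident:Start>
      <incident:End>2014-03-01T11:00:00</incident:End>
    </incident:Time>
    <incident:Course_Of_Action id="example:coa-1" idref="example:coa-9"/>
  </incident:COA_Taken>
  <incident:History>
    <incident:History_Item>
      <incident:Journal_Entry author="analyst" time="2014-03-01T12:34:56+00:00"
                              time_precision="hour">Host isolated.</incident:Journal_Entry>
    </incident:History_Item>
  </incident:History>
</incident:Incident>
"""

if __name__ == "__main__":
    for name, rule in lint_incident(SAMPLE):
        print(f"{name}: {rule}")
```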
Element incident:IncidentType / incident:Information_Source
Namespace http://stix.mitre.org/Incident-1
Annotations
The Information_Source field details the source of this entry.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Information_Source field details the source of this entry.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Handling
Namespace http://stix.mitre.org/Incident-1
Annotations
The Handling field specifies the appropriate data handling markings for the elements of this Incident. The valid marking scope is the nearest IncidentBaseType ancestor of this Handling element and all its descendants.
Type marking:MarkingType
Children marking:Marking
Source
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Handling field specifies the appropriate data handling markings for the elements of this Incident. The valid marking scope is the nearest IncidentBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
  </xs:annotation>
</xs:element>
Element incident:IncidentType / incident:Related_Packages
Namespace http://stix.mitre.org/Incident-1
Annotations
Type stixCommon:RelatedPackageRefsType
Children stixCommon:Package_Reference
Source
Complex Type incident:IncidentType
Namespace http://stix.mitre.org/Incident-1
Annotations
Represents a single STIX Incident.
Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation. They consist of data such as time-related information, parties involved, assets affected, impact assessment, related Indicators, related Observables, leveraged TTP, attributed Threat Actors, intended effects, nature of compromise, response Course of Action requested, response Course of Action taken, confidence in characterization, handling guidance, source of the Incident information, log of actions taken, etc.
Type extension of stixCommon:IncidentBaseType
Children incident:Affected_Assets, incident:Attributed_Threat_Actors, incident:COA_Requested, incident:COA_Taken, incident:Categories, incident:Confidence, incident:Contact, incident:Coordinator, incident:Description, incident:Discovery_Method, incident:External_ID, incident:Handling, incident:History, incident:Impact_Assessment, incident:Information_Source, incident:Intended_Effect, incident:Leveraged_TTPs, incident:Related_Incidents, incident:Related_Indicators, incident:Related_Observables, incident:Related_Packages, incident:Reporter, incident:Responder, incident:Security_Compromise, incident:Short_Description, incident:Status, incident:Time, incident:Title, incident:Victim
Attributes
QName Type Use Annotation
URL optional
Specifies a URL referencing the location for the Incident specification.
id xs:QName optional
Specifies a globally unique identifier for this cyber threat Incident.
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
version incident:IncidentVersionType optional
Specifies the relevant STIX-Incident schema version for this content.
Source
<xs:complexType name="IncidentType">
  <xs:annotation>
    <xs:documentation>Represents a single STIX Incident.</xs:documentation>
    <xs:documentation>Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation. They consist of data such as time-related information, parties involved, assets affected, impact assessment, related Indicators, related Observables, leveraged TTP, attributed Threat Actors, intended effects, nature of compromise, response Course of Action requested, response Course of Action taken, confidence in characterization, handling guidance, source of the Incident information, log of actions taken, etc.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:IncidentBaseType">
      <xs:sequence>
        <xs:element name="Title" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Title field provides a simple title for this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="External_ID" type="incident:ExternalIDType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The External_ID field provides a reference to an ID of an incident in a remote system.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Time" type="incident:TimeType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Time field specifies relevant time values associated with this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Description field is optional and provides an unstructured, text description of this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Categories" type="incident:CategoriesType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Categories field provides a set of categories for this incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Reporter" type="stixCommon:InformationSourceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Reporter field details information about the reporting source of this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Responder" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Responder field is optional and details information about the assigned responder for this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Coordinator" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Coordinator field is optional and details information about the assigned coordinator for this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Victim" type="stixCommon:IdentityType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Victim field is optional and details information about a victim of this Incident.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.</xs:documentation>
            <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Affected_Assets" type="incident:AffectedAssetsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Affected_Assets field is optional and characterizes the particular assets affected during the Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Impact_Assessment" type="incident:ImpactAssessmentType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Impact_Assessment field specifies a summary assessment of impact for this cyber threat Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Status" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Status describes the current status (sometimes called "state" or "disposition") of the incident.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentStatusVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Indicators" type="incident:RelatedIndicatorsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Observables" type="incident:RelatedObservablesType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Observables field identifies or characterizes one or more cyber observables related to this cyber threat incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Leveraged_TTPs" type="incident:LeveragedTTPsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Leveraged_TTPs field specifies TTPs asserted to be related to this cyber threat Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Attributed_Threat_Actors" type="incident:AttributedThreatActorsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Attributed_Threat_Actors field identifies ThreatActors asserted to be attributed for this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Intended_Effect field specifies the suspected intended effect of this incident.</xs:documentation>
            <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Security_Compromise" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Specifies knowledge of whether the Incident involved a compromise of security properties.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Discovery_Method" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Discovery_Method field identifies how the incident was discovered.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is DiscoveryMethodVocab-2.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Incidents" type="incident:RelatedIncidentsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Incidents field identifies or characterizes one or more other Incidents related to this cyber threat Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="COA_Requested" type="incident:COARequestedType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The COA_Requested field specifies and characterizes a requested CourseOfAction for this Incident as specified by the Producer for the Consumer of the Incident Report.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="COA_Taken" type="incident:COATakenType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The COA_Taken field specifies and characterizes a CourseOfAction taken for this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Confidence field characterizes the level of confidence held in the characterization of this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Contact" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Contact field identifies and characterizes organizations or personnel involved in this Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="History" type="incident:HistoryType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The History field provides a log of events or actions taken during the handling of the Incident.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Information_Source field details the source of this entry.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Handling field specifies the appropriate data handling markings for the elements of this Incident. The valid marking scope is the nearest IncidentBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Packages field identifies or characterizes relationships to a set of related Packages.</xs:documentation>
            <xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
            <xs:appinfo>
              <deprecated>true</deprecated>
            </xs:appinfo>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="version" type="incident:IncidentVersionType">
        <xs:annotation>
          <xs:documentation>Specifies the relevant STIX-Incident schema version for this content.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="URL">
        <xs:annotation>
          <xs:documentation>Specifies a URL referencing the location for the Incident specification.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type incident:ExternalIDType
Namespace http://stix.mitre.org/Incident-1
Annotations
The ExternalIDType provides a reference to an ID of an incident in a remote system.
Type extension of xs:string
Attributes
QName Type Use Annotation
source xs:string optional
Specifies the source of the External ID.
Source
<xs:complexType name="ExternalIDType">
  <xs:annotation>
    <xs:documentation>The ExternalIDType provides a reference to an ID of an incident in a remote system.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="source" type="xs:string">
        <xs:annotation>
          <xs:documentation>Specifies the source of the External ID.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
Complex Type incident:TimeType
Namespace http://stix.mitre.org/Incident-1
Children incident:Containment_Achieved, incident:First_Data_Exfiltration, incident:First_Malicious_Action, incident:Incident_Closed, incident:Incident_Discovery, incident:Incident_Opened, incident:Incident_Reported, incident:Initial_Compromise, incident:Restoration_Achieved
Source
<xs:complexType name="TimeType">
  <xs:sequence>
    <xs:element name="First_Malicious_Action" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The First_Malicious_Action field specifies the time that the first malicious action related to this Incident occurred.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Initial_Compromise" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Initial_Compromise field specifies the time that the initial compromise occurred for this Incident.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="First_Data_Exfiltration" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The First_Data_Exfiltration field specifies the first time at which non-public data was taken from the victim environment.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Incident_Discovery" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Incident_Discovery field specifies the first time at which the organization learned the incident had occurred.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Incident_Opened" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Incident_Opened field specifies the time at which the Incident was officially opened.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Containment_Achieved" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Containment_Achieved field specifies the first time at which the incident is contained (e.g., the “bleeding is stopped”).</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Restoration_Achieved" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Restoration_Achieved field specifies the first time at which the incident's assets are restored (e.g., fully functional).</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Incident_Reported" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Incident_Reported field specifies the time at which the Incident was reported.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Incident_Closed" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Incident_Closed field specifies the time at which the Incident was officially closed.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
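Added example (not part of the STIX schema or its tooling): a Python check of one incident:Time element against the TimeType definition above, reporting children that break the xs:sequence order and timestamps that omit the recommended timezone. The sample document, the finding labels and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

INCIDENT_NS = "http://stix.mitre.org/Incident-1"

# Child order fixed by the xs:sequence in TimeType; every child is
# optional (minOccurs="0") and may appear at most once.
TIME_FIELDS = [
    "First_Malicious_Action", "Initial_Compromise", "First_Data_Exfiltration",
    "Incident_Discovery", "Incident_Opened", "Containment_Achieved",
    "Restoration_Achieved", "Incident_Reported", "Incident_Closed",
]

# Timezone suffix of an xs:dateTime value: "Z" or a +hh:mm / -hh:mm offset.
TZ_SUFFIX = re.compile(r"(Z|[+-]\d{2}:\d{2})$")

# Constructed sample: one timestamp without a timezone, one child out of
# sequence order, and one element that TimeType does not define.
SAMPLE = """<incident:Time xmlns:incident="http://stix.mitre.org/Incident-1">
  <incident:Initial_Compromise>2014-03-01T09:00:00Z</incident:Initial_Compromise>
  <incident:Incident_Discovery>2014-03-04T16:20:00</incident:Incident_Discovery>
  <incident:Incident_Opened>2014-03-04T17:05:00-05:00</incident:Incident_Opened>
  <incident:First_Data_Exfiltration>2014-03-02T01:30:00+01:00</incident:First_Data_Exfiltration>
  <incident:Incident_Triaged>2014-03-04T18:00:00Z</incident:Incident_Triaged>
</incident:Time>"""


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def check_time(xml_text):
    """Return (element, finding) pairs for one incident:Time element.

    'unknown-element', 'duplicate' and 'out-of-sequence' are schema
    violations; 'no-timezone' is schema-valid but goes against the
    recommendation in each field's documentation.
    """
    # ElementTree is fine for this inline sample; use a hardened parser
    # such as defusedxml for documents received from other parties.
    root = ET.fromstring(xml_text)
    findings = []
    last_index = -1
    for child in root:
        ns, local = split_tag(child.tag)
        if ns != INCIDENT_NS or local not in TIME_FIELDS:
            findings.append((local, "unknown-element"))
            continue
        index = TIME_FIELDS.index(local)
        if index == last_index:
            findings.append((local, "duplicate"))
        elif index < last_index:
            findings.append((local, "out-of-sequence"))
        last_index = max(last_index, index)
        if not TZ_SUFFIX.search((child.text or "").strip()):
            findings.append((local, "no-timezone"))
    return findings


if __name__ == "__main__":
    for name, finding in check_time(SAMPLE):
        print(f"{name}: {finding}")
```

A timestamp without a timezone still validates against the schema, so this check has to run in the consumer's own ingestion code if incident timelines from different producers are to be compared.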
Complex Type incident:CategoriesType
Namespace http://stix.mitre.org/Incident-1
Annotations
Represents a list of incident categories that an incident is tagged with.
Children incident:Category
Source
<xs:complexType name="CategoriesType">
  <xs:annotation>
    <xs:documentation>Represents a list of incident categories that an incident is tagged with.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Category" type="stixCommon:ControlledVocabularyStringType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Represents a single category that this incident is tagged with.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentCategoryVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
        <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type incident:AffectedAssetsType
Namespace http://stix.mitre.org/Incident-1
Children incident:Affected_Asset
Source
<xs:complexType name="AffectedAssetsType">
  <xs:sequence>
    <xs:element name="Affected_Asset" type="incident:AffectedAssetType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Affected_Asset field is optional and characterizes a particular asset affected during the Incident.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type incident:AffectedAssetType
Namespace http://stix.mitre.org/Incident-1
Children incident:Business_Function_Or_Role, incident:Description, incident:Location, incident:Location_Class, incident:Management_Class, incident:Nature_Of_Security_Effect, incident:Ownership_Class, incident:Structured_Description, incident:Type
Source
<xs:complexType name="AffectedAssetType">
  <xs:sequence>
    <xs:element name="Type" type="incident:AssetTypeType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Type field is optional and specifies the type of the asset impacted by the incident (a security attribute was negatively affected).</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Description field is optional and provides an unstructured, text description of the asset.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Business_Function_Or_Role" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Business_Function_Or_Role field is optional and provides a brief description of the asset's role, mission, and importance within the organization.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Ownership_Class" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
      <xs:annotation>