This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.
<xs:element name="Efficacy" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element>
The Title field provides a simple title for this Indicator.
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for this Indicator.</xs:documentation></xs:annotation></xs:element>
Specifies the type for this Indicator. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the type for this Indicator. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Specifies an alternative identifier (or alias) for the cyber threat Indicator.
Type
xs:string
Source
<xs:element name="Alternative_ID" type="xs:string" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies an alternative identifier (or alias) for the cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a description for this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Valid_Time_Position" type="indicator:ValidTimeType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the time window for which this Indicator is valid.</xs:documentation></xs:annotation></xs:element>
If not present, then client should assume infinity (i.e., temporal window is only bounded by the end-time).
Type
xs:dateTime
Source
<xs:element name="Start_Time" type="xs:dateTime" minOccurs="0"><xs:annotation><xs:documentation>If not present, then client should assume infinity (i.e., temporal window is only bounded by the end-time).</xs:documentation></xs:annotation></xs:element>
If not present, then client should assume infinity (i.e., temporal window is only bounded by the start-time).
Type
xs:dateTime
Source
<xs:element name="End_Time" type="xs:dateTime" minOccurs="0"><xs:annotation><xs:documentation>If not present, then client should assume infinity (i.e., temporal window is only bounded by the start-time).</xs:documentation></xs:annotation></xs:element>
The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.
Source
<xs:element name="Observable" type="cybox:ObservableType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a relevant cyber observable for this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Indicated_TTP" type="stixCommon:RelatedTTPType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the relevant TTP indicated by this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Test_Mechanisms" type="indicator:TestMechanismsType" minOccurs="0"><xs:annotation><xs:documentation>The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
Source
<xs:element name="Test_Mechanism" type="indicator:TestMechanismType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.</xs:documentation></xs:annotation></xs:element>
Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.
<xs:element name="Likely_Impact" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.</xs:documentation></xs:annotation></xs:element>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Suggested_COAs" type="indicator:SuggestedCOAsType" minOccurs="0"><xs:annotation><xs:documentation>The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Suggested_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a level of confidence held in the accuracy of this Indicator.</xs:documentation></xs:annotation></xs:element>
The total number of times this Indicator was reported as sighted.
Source
<xs:element name="Sightings" type="indicator:SightingsType" minOccurs="0"><xs:annotation><xs:documentation>Characterizes a set of sighting reports for this Indicator.</xs:documentation></xs:annotation></xs:element>
This field provides the date and time of the Indicator sighting.
Source
<xs:element name="Sighting" type="indicator:SightingType" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field characterizes a single sighting report for this Indicator.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Source" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>This field provides a name or description of the sighting source.</xs:documentation></xs:annotation></xs:element>
This field provides a formal reference to the sighting source.
Type
xs:anyURI
Source
<xs:element name="Reference" type="xs:anyURI" minOccurs="0"><xs:annotation><xs:documentation>This field provides a formal reference to the sighting source.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>This field provides a confidence assertion in the accuracy of this sighting.</xs:documentation></xs:annotation></xs:element>
The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Related_Indicators" type="indicator:RelatedIndicatorsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element>
The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
<xs:element name="Related_Indicator" type="stixCommon:RelatedIndicatorType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element>
<xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element>
Complex Type indicator:TestMechanismType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is:
1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.0/generic.xsd.
2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc-1.0.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc-1.0/1.0/openioc-1.0.xsd.
3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. The extension is defined in the file extensions/test_mechanism/oval-5.10.1.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.0/oval-5.10.1.xsd.
4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.0/snort.xsd.
5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.0/yara.xsd.
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
Source
<xs:complexType name="TestMechanismType" abstract="true"><xs:annotation><xs:documentation>The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is: 1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.0/generic.xsd. 2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc-1.0.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc-1.0/1.0/openioc-1.0.xsd. 3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. 
The extension is defined in the file extensions/test_mechanism/oval-5.10.1.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.0/oval-5.10.1.xsd. 4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.0/snort.xsd. 5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.0/yara.xsd.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Efficacy" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. 
The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.</xs:documentation></xs:annotation></xs:element><xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Test Mechanism.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID of a Test Mechanism specified elsewhere.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type indicator:IndicatorType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc.
Specifies the relevant STIX-Indicator schema version for this content.
Source
<xs:complexType name="IndicatorType"><xs:annotation><xs:documentation>The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:IndicatorBaseType"><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the type for this Indicator. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd . 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Alternative_ID" type="xs:string" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies an alternative identifier (or alias) for the cyber threat Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a description for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Valid_Time_Position" type="indicator:ValidTimeType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the time window for which this Indicator is valid.</xs:documentation></xs:annotation></xs:element><xs:choice><xs:annotation><xs:documentation>Content creators should either create a "simple indicator" containing one observable, or a "composite indicator" containing multiple indicators.</xs:documentation></xs:annotation><xs:element name="Observable" type="cybox:ObservableType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a relevant cyber observable for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Composite_Indicator_Expression" type="indicator:CompositeIndicatorExpressionType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a multipartite composite Indicator.</xs:documentation></xs:annotation></xs:element></xs:choice><xs:element name="Indicated_TTP" type="stixCommon:RelatedTTPType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the relevant TTP indicated by this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0"><xs:annotation><xs:documentation>Specifies relevant 
kill chain phases indicated by this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Test_Mechanisms" type="indicator:TestMechanismsType" minOccurs="0"><xs:annotation><xs:documentation>The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Likely_Impact" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.</xs:documentation></xs:annotation></xs:element><xs:element name="Suggested_COAs" type="indicator:SuggestedCOAsType" minOccurs="0"><xs:annotation><xs:documentation>The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Handling" type="marking:MarkingType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the relevant handling guidance for this Indicator. 
The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.</xs:documentation></xs:annotation></xs:element><xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a level of confidence held in the accuracy of this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Sightings" type="indicator:SightingsType" minOccurs="0"><xs:annotation><xs:documentation>Characterizes a set of sighting reports for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Indicators" type="indicator:RelatedIndicatorsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element><xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="version" type="indicator:IndicatorVersionType"><xs:annotation><xs:documentation>Specifies the relevant STIX-Indicator schema version for this content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="negate" type="xs:boolean" default="false"><xs:annotation><xs:documentation>The negate field applies when using an Indicator as a pattern and specifies the absence of the pattern.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
Complex Type indicator:ValidTimeType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
A basic representation of a temporal window when the thing (e.g., indicator) is valid.
<xs:complexType name="ValidTimeType"><xs:annotation><!-- NOTE: this is a very simple representation, if desired, the schema could import something more expressive like gml temporal semantics (see gml:timeposition here: http://schemas.opengis.net/gml/3.1.1/base/temporal.xsd). --><xs:documentation>A basic representation of a temporal window when the thing (e.g., indicator) is valid.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Start_Time" type="xs:dateTime" minOccurs="0"><xs:annotation><xs:documentation>If not present, then client should assume infinity (i.e., temporal window is only bounded by the end-time).</xs:documentation></xs:annotation></xs:element><xs:element name="End_Time" type="xs:dateTime" minOccurs="0"><xs:annotation><xs:documentation>If not present, then client should assume infinity (i.e., temporal window is only bounded by the start-time).</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type indicator:CompositeIndicatorExpressionType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
Type for allowing content creators to create composite indicator expressions using basic boolean logic.
Specifies the logical composition operator for this composite cyber threat Indicator.
Source
<xs:complexType name="CompositeIndicatorExpressionType"><xs:annotation><xs:documentation>Type for allowing content creators to create composite indicator expressions using basic boolean logic.</xs:documentation></xs:annotation><xs:sequence><xs:element ref="indicator:Indicator" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The indicator field specifies one cyber threat indicator asserting a relationship between a cyber observable and a TTP.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="operator" type="indicator:OperatorTypeEnum" use="required"><xs:annotation><xs:documentation>Specifies the logical composition operator for this composite cyber threat Indicator.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Simple Type indicator:OperatorTypeEnum
Namespace
http://stix.mitre.org/Indicator-2
Annotations
OperatorTypeEnum is an enumeration of valid operators.
<xs:simpleType name="OperatorTypeEnum"><xs:annotation><xs:documentation>OperatorTypeEnum is an enumeration of valid operators.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="AND"/><xs:enumeration value="OR"/></xs:restriction></xs:simpleType>
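The open-ended window rule of ValidTimeType and the AND/OR composition of CompositeIndicatorExpressionType, with the negate attribute, worked through as an added example that is not part of the STIX schema or its documentation. The sample document, the `example:` IDs and the helper names are constructed; `matched_ids` stands in for Observable matching, and the handling of out-of-window indicators, empty composites and zone-less timestamps are assumptions marked in the comments.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IND = "{http://stix.mitre.org/Indicator-2}"  # namespace shown on this page

# Constructed sample: "a" has only a Start_Time, "b" has only an End_Time and is negated.
SAMPLE = """<indicator:Indicator xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:example="http://example.com/" id="example:indicator-root">
  <indicator:Composite_Indicator_Expression operator="AND">
    <indicator:Indicator id="example:indicator-a">
      <indicator:Valid_Time_Position>
        <indicator:Start_Time>2014-01-01T00:00:00Z</indicator:Start_Time>
      </indicator:Valid_Time_Position>
    </indicator:Indicator>
    <indicator:Indicator id="example:indicator-b" negate="true">
      <indicator:Valid_Time_Position>
        <indicator:End_Time>2014-06-30T23:59:59Z</indicator:End_Time>
      </indicator:Valid_Time_Position>
    </indicator:Indicator>
  </indicator:Composite_Indicator_Expression>
</indicator:Indicator>"""


def parse_indicator(xml_text):
    """Parse an Indicator document (hypothetical helper for this example)."""
    return ET.fromstring(xml_text)


def by_id(root, ident):
    """Return the Indicator element carrying the given id."""
    return next(e for e in root.iter(IND + "Indicator") if e.get("id") == ident)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_xs_datetime(text):
    """Parse an xs:dateTime; a value without a zone is read as UTC (assumption)."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_valid_at(indicator, when):
    """True if `when` lies inside any Valid_Time_Position of this Indicator."""
    windows = indicator.findall(IND + "Valid_Time_Position")
    if not windows:
        return True  # no window stated: treated as always valid (assumption)
    for window in windows:
        start = window.findtext(IND + "Start_Time")
        end = window.findtext(IND + "End_Time")
        # A missing bound means infinity on that side, per the schema annotation.
        after_start = start is None or parse_xs_datetime(start) <= when
        before_end = end is None or when <= parse_xs_datetime(end)
        if after_start and before_end:
            return True
    return False


def evaluate(indicator, matched_ids, when):
    """Decide whether an Indicator fires at `when`.

    matched_ids: ids of simple indicators whose Observable matched (stand-in
    for real CybOX matching, which is out of scope here).
    """
    if not is_valid_at(indicator, when):
        return False  # assumption: an out-of-window indicator never fires
    composite = indicator.find(IND + "Composite_Indicator_Expression")
    if composite is None:
        result = indicator.get("id") in matched_ids
    else:
        operator = composite.get("operator")  # required; OperatorTypeEnum
        if operator not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR, got %r" % operator)
        results = [evaluate(child, matched_ids, when)
                   for child in composite.findall(IND + "Indicator")]
        if not results:
            result = False  # assumption: an empty AND must not be vacuously true
        else:
            result = all(results) if operator == "AND" else any(results)
    # xs:boolean accepts "true"/"1"; the schema default for negate is false.
    negate = indicator.get("negate", "false").strip() in ("true", "1")
    return result != negate


if __name__ == "__main__":
    root = parse_indicator(SAMPLE)
    print(evaluate(root, {"example:indicator-a"}, utc(2014, 3, 1)))
```
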
<xs:complexType name="TestMechanismsType"><xs:sequence><xs:element name="Test_Mechanism" type="indicator:TestMechanismType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="SuggestedCOAsType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Suggested_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
The total number of times this Indicator was reported as sighted.
Source
<xs:complexType name="SightingsType"><xs:sequence><xs:element name="Sighting" type="indicator:SightingType" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field characterizes a single sighting report for this Indicator.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="sightings_count" type="xs:integer"><xs:annotation><xs:documentation>The total number of times this Indicator was reported as sighted.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
This field provides the date and time of the Indicator sighting.
Source
<xs:complexType name="SightingType">
  <xs:annotation>
    <xs:documentation>Describes a single sighting of an indicator.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Source" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>This field provides a name or description of the sighting source.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Reference" type="xs:anyURI" minOccurs="0">
      <xs:annotation>
        <xs:documentation>This field provides a formal reference to the sighting source.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>This field provides a confidence assertion in the accuracy of this sighting.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>This field provides the date and time of the Indicator sighting.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
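Added example (not part of the STIX schema or its documentation): a Python reader for an element of type SightingsType as defined above, which collects each Sighting and reports values a consumer should question before trusting the sighting data. The wrapper element name Sightings, namespace-qualified child elements, and the rule that sightings_count should be at least the number of listed Sighting elements are assumptions; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"indicator": "http://stix.mitre.org/Indicator-2"}  # namespace given on this page

# Constructed sample. Assumed: the wrapper element name "Sightings" and that
# child elements are namespace-qualified.
SAMPLE = """\
<indicator:Sightings xmlns:indicator="http://stix.mitre.org/Indicator-2" sightings_count="2">
  <indicator:Sighting timestamp="2014-03-01T10:15:00Z">
    <indicator:Source>Constructed sensor A</indicator:Source>
    <indicator:Reference>https://example.org/report/1</indicator:Reference>
  </indicator:Sighting>
  <indicator:Sighting timestamp="2014-03-02T08:00:00"/>
  <indicator:Sighting timestamp="yesterday"/>
</indicator:Sightings>
"""

def parse_timestamp(value):
    """Return (datetime or None, warning or None); ISO 8601 parsing approximates xs:dateTime."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None, f"timestamp {value!r} does not parse as a date-time"
    if parsed.tzinfo is None:
        return parsed, f"timestamp {value!r} has no time zone"
    return parsed, None

def read_sightings(xml_text):
    """Parse a SightingsType element; return (sightings, warnings)."""
    root = ET.fromstring(xml_text)
    sightings, warnings = [], []
    for node in root.findall("indicator:Sighting", NS):
        entry = {tag.lower(): node.findtext(f"indicator:{tag}", namespaces=NS)
                 for tag in ("Source", "Reference")}  # both are minOccurs="0"
        entry["timestamp"] = None
        raw = node.get("timestamp")  # the attribute is optional in the schema
        if raw is not None:
            entry["timestamp"], warning = parse_timestamp(raw)
            if warning:
                warnings.append(warning)
        sightings.append(entry)
    declared = root.get("sightings_count")  # optional xs:integer
    try:  # assumed rule: the declared total is never below the listed reports
        if declared is not None and int(declared) < len(sightings):
            warnings.append(f"sightings_count={declared} but {len(sightings)} Sighting elements listed")
    except ValueError:
        warnings.append(f"sightings_count {declared!r} is not an integer")
    return sightings, warnings
```

For feeds received from other organizations, parse with a hardened XML parser such as defusedxml rather than the standard-library ElementTree used here.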
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedIndicatorsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Related_Indicator" type="stixCommon:RelatedIndicatorType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Simple Type indicator:IndicatorVersionType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
An enumeration of all versions of the Indicator type valid in the current release of STIX.
<xs:simpleType name="IndicatorVersionType">
  <xs:annotation>
    <xs:documentation>An enumeration of all versions of the Indicator type valid in the current release of STIX.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="2.0"/>
    <xs:enumeration value="2.0.1"/>
  </xs:restriction>
</xs:simpleType>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Test Mechanism.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID of a Test Mechanism specified elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="operator" type="indicator:OperatorTypeEnum" use="required"><xs:annotation><xs:documentation>Specifies the logical composition operator for this composite cyber threat Indicator.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>This field provides the date and time of the Indicator sighting.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="sightings_count" type="xs:integer"><xs:annotation><xs:documentation>The total number of times this Indicator was reported as sighted.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="version" type="indicator:IndicatorVersionType"><xs:annotation><xs:documentation>Specifies the relevant STIX-Indicator schema version for this content.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="negate" type="xs:boolean" default="false"><xs:annotation><xs:documentation>The negate field applies when using an Indicator as a pattern and specifies the absence of the pattern.</xs:documentation></xs:annotation></xs:attribute>